
UNIT–I: CYBERCRIME

• Cybercrime and information security
• Cybercriminals
• Classifications of cybercrimes
• Need for cyberlaws in the Indian context
• Legal perspectives of cybercrime
• Indian perspective of cybercrimes
• Cybercrime and the Indian ITA 2000
• Positive aspects and weak areas of ITA 2000
• Amendments made in the Indian ITA 2000 for admissibility of e-records
• Amendments to the Indian IT Act
• Global perspective on cybercrimes
• Intellectual property in cyberspace
• Ethical dimension of cybercrimes
Introduction
• The Internet has opened a new avenue of exploitation known as cybercrime.
• These activities involve the use of computers, the Internet, cyberspace and the WWW.
• A total of 3286 Indian websites were hacked in 5 months, between Jan and June 2009.
Definition
• A crime in which a computer was directly and significantly instrumental.
• Alternative definitions:
• Any illegal act where special knowledge of computer technology is essential for its perpetration (commission), investigation or prosecution.
• Any traditional crime that has acquired a new dimension or order of magnitude through the aid of a computer, and abuses that have come into being because of computers.
• Any financial dishonesty that takes place in a computer environment.
• Any threat to the computer itself, such as theft of hardware or software, sabotage (damage) and demands for ransom.
• Cybercrime is any illegal behaviour, directed by means of electronic operations, that targets the security of computer systems and the data processed by them.
Origin
• The term cybercrime has evolved over the past few years since the adoption of Internet connectivity on a global scale, with hundreds of millions of users.
• Two types of attacks are prevalent:
• Techno-crime:
– A premeditated act against a system or systems, with the intent to copy, steal, prevent access to, corrupt or otherwise deface or damage parts of, or the complete, computer system.
– The 24x7 connection to the Internet makes it a real possibility to engineer this type of cybercrime from anywhere in the world, leaving few, if any, "fingerprints".
• Techno-vandalism:
– These acts of "brainless" defacement of websites and/or other activities, such as copying files and publicizing their contents publicly, are usually opportunistic in nature.
– Tight internal security, allied to strong technical safeguards, should prevent the vast majority of such incidents.
Cybercrime and Information Security
• Lack of information security gives rise to cybercrimes.
• Cybercrime is any criminal act dealing with computers and networks.
• Information security, sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
• From the Indian perspective, the new version of the Act (ITA 2008) provides a new focus on information security in India.
• Cyber security means protecting information, equipment, devices, computers, computer resources, communication devices and the information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction.
Who are Cybercriminals
• Type I: Cybercriminals hungry for recognition
– Hobby hackers
– IT professionals (social engineering is one of the biggest threats)
– Politically motivated hackers
– Terrorist organizations
• Type II: Cybercriminals not interested in recognition
– Psychological perverts
– Financially motivated hackers (corporate espionage)
– State-sponsored hacking (national espionage, sabotage)
– Organized criminals
• Type III: Cybercriminals – the insiders
– Disgruntled or former employees seeking revenge
– Competing companies using employees to gain economic advantage through damage and/or theft
Classifications of Cybercrimes
• Cybercrime against individuals
– Email spoofing and other online frauds, phishing, spear phishing, vishing, smishing, spamming, cyberdefamation, cyberstalking and harassment, computer sabotage, pornographic offenses, password sniffing.
• Cybercrime against property
– Credit card frauds, Intellectual Property (IP) crimes, Internet time theft.
• Cybercrime against organizations
– Unauthorized access to computers, password sniffing, Denial-of-Service attacks, virus attacks, e-mail bombing, salami attacks, logic bombs, trojan horses, data diddling, crimes emanating from Usenet newsgroups, industrial spying, computer network intrusions, software piracy.
• Cybercrime against society
– Forgery
– Cyberterrorism
– Web jacking
• Someone forcefully takes control of a website.
• Crimes emanating from Usenet newsgroups
– By their nature, Usenet groups may carry very offensive, harmful, inaccurate or otherwise inappropriate material:
• Distribution/sale of pornographic material
• Distribution/sale of pirated software packages
• Distribution of hacking software
• Sale of stolen credit card numbers
• Sale of stolen data/stolen property
Cybercrime against individual
• E-mail spoofing:
– A spoofed e-mail is one that appears to originate from one source but has actually been sent from another source.
• Phishing:
– A type of deception designed to steal your identity.
– In phishing schemes, the phisher tries to get the user to disclose valuable personal data, such as credit card numbers, passwords, account data or other information.
• Spear phishing:
– A method of sending a phishing message to a particular organization to gain organizational information.
– Spear phishing describes any highly targeted attack.
• Vishing:
– Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by VoIP, to gain access to personal and financial information from the public for the purpose of financial reward.
– The most profitable uses of the information gained through a vishing attack include:
• ID theft
• Purchasing luxury goods and services
• Monitoring the victim's bank accounts
• Making applications for loans and credit cards
• Smishing:
– Uses cell phone text messages to deliver a lure message to get the victim to reveal his/her personal information.
• Spamming: People who create electronic spam are called spammers.
• Spam is the abuse of electronic messaging systems.
– Examples: e-mail spam, instant messaging spam, Usenet newsgroup spam, web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, Internet forum spam, junk fax transmissions, social networking spam, file sharing network spam, etc.
• Spamming is also the alteration or creation of a document with the intent to deceive an electronic catalog or filing system.
• Hacking (common motives):
– Greed
– Power
– Publicity
– Revenge
– Adventure
– Desire to access forbidden information
– Destructive mind set
• Software piracy
• Computer network intrusions
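The e-mail spoofing and phishing items above describe a message that appears to come from one source but was sent from another, carrying a lure that asks the victim to act. The following is an added example, not code from the original slides, showing how a mail administrator can flag such a message from its headers and links: it compares the visible From: domain with the envelope sender (Return-Path), the Reply-To address, the SPF and DKIM results the receiving server recorded in Authentication-Results, and the hosts of any links in the body. Both sample messages, every domain in them and the receiving server name mail.example.org are constructed for illustration, and the alignment check is a simplified form of the relaxed DMARC alignment rule (no public-suffix handling).

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample messages (not real captures). The first shows the pattern
# from the slides: the visible From: names a bank, but the envelope sender,
# Reply-To and the lure URL all point at an unrelated domain.
SPOOFED_RAW = """\
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mail.example.org; spf=fail smtp.mailfrom=mailer-example.net; dkim=none
From: "Example Bank Support" <support@examplebank.example>
Reply-To: verify-account@mailer-example.net
To: customer@example.org
Subject: Urgent: verify your account

Your account has been locked. Restore access at
http://examplebank.example.mailer-example.net/login within 24 hours.
"""

LEGIT_RAW = """\
Return-Path: <support@examplebank.example>
Authentication-Results: mail.example.org; spf=pass smtp.mailfrom=examplebank.example; dkim=pass header.d=examplebank.example
From: "Example Bank Support" <support@examplebank.example>
To: customer@example.org
Subject: Your monthly statement is ready

Your statement is available at https://online.examplebank.example/statements
"""


def header_domain(msg, name):
    """Domain part of the address in a header, or None if the header is absent."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(value)
    return addr.rpartition("@")[2].lower() or None


def aligned(domain, org_domain):
    """Relaxed DMARC-style alignment: same domain or a subdomain of it.
    Simplification: no public-suffix list, so e.g. 'co.uk' is treated like any
    other parent domain. Missing values are not flagged."""
    if not domain or not org_domain:
        return True
    return domain == org_domain or domain.endswith("." + org_domain)


def auth_result(msg, method):
    """Extract e.g. 'fail' from 'spf=fail' in the Authentication-Results header."""
    value = msg.get("Authentication-Results", "")
    match = re.search(r"\b%s=(\w+)" % re.escape(method), value)
    return match.group(1).lower() if match else None


def body_urls(msg):
    """Collect http(s) URLs from every text/plain part of the message."""
    text = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode("utf-8", errors="replace"))
    return re.findall(r"https?://[^\s<>\"']+", "\n".join(text))


def spoofing_indicators(raw):
    """Return human-readable reasons the message looks spoofed; [] if none fired."""
    msg = email.message_from_string(raw)
    from_dom = header_domain(msg, "From")
    reasons = []

    rp_dom = header_domain(msg, "Return-Path")
    if not aligned(rp_dom, from_dom):
        reasons.append(f"envelope sender {rp_dom} not aligned with From: {from_dom}")

    reply_dom = header_domain(msg, "Reply-To")
    if not aligned(reply_dom, from_dom):
        reasons.append(f"Reply-To {reply_dom} not aligned with From: {from_dom}")

    spf = auth_result(msg, "spf")
    if spf != "pass":
        reasons.append(f"SPF result is {spf or 'absent'}")

    dkim = auth_result(msg, "dkim")
    if dkim != "pass":
        reasons.append(f"DKIM result is {dkim or 'absent'}")

    for url in body_urls(msg):
        host = urlsplit(url).hostname
        if not aligned(host, from_dom):
            reasons.append(f"link host {host} not aligned with From: {from_dom}")
    return reasons


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legitimate", LEGIT_RAW)):
        print(label, spoofing_indicators(raw) or ["no indicators"])
```

The constructed spoofed message trips all five checks, while the legitimate one trips none because its bounce address and link host are the bank's own domain or a subdomain of it. In a real deployment the Authentication-Results header must be one your own receiving server added (strip any that arrive from outside), otherwise a sender can forge a "pass".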
Cyber crime: the legal perspectives
• Any illegal act for which knowledge of computer technology is essential for a successful prosecution.
• Cybercrime is the outcome of globalization.
• Globalized information systems accommodate an increasing number of transnational offenses.
• This problem can be resolved in two ways:
– Divide the information systems into segments bordered by state boundaries.
– Incorporate the legal systems into an integrated entity, destroying these state boundaries.
• In a globally connected world, information systems become a unique empire without tangible territory.
Cybercrimes: An Indian Perspective
• India has the fourth highest number of Internet users in the world.
• 45 million Internet users in India.
• 37% use cyber cafes.
• 57% of users are aged 18-35.
• 46% of cases were related to incidents of cyber pornography, followed by hacking.
Cybercrime and Indian ITA 2000
• First step towards the law relating to E-Commerce
Cybercrimes are punishable under two categories:
• ITA ACT 2000 and
• IPC
Sec 43 damage to computer system 1 crore

Sec 66 hacking 2 lacs and three years


Sec 67 Publication of absence material in 1 lac and 5 years
electronic form
Sec 68 Not complying with directions of 2 lacs and 3 years
controllers
Sec 70 Attempting or secure access to a 10 years
computer of another person
without his knowledge
Sec 72 For breaking confidentiality of the 1 lac 2 years
information of computer
Sec 73 Publishing false digital signatures, 1 lac 2 years or both
false in certain particulars
Sec 74 Publication of digital signatures for 1 lac 2 years
fraudulentpurpose
A Global Perspective on Cybercrimes
• (Council of Europe) Cybercrime is used as an umbrella term to refer to an array of criminal activity including offenses against computer data and systems, computer-related offenses, content offenses and copyright offenses.
• About 30 countries have enacted some form of anti-spam legislation.
• August 4, 2006 announcement: the US Senate ratifies the CoE Convention on Cybercrime.
• The convention targets:
– hackers,
– those spreading destructive computer viruses,
– those using the Internet for sexual exploitation of children or distribution of racist material, and terrorists attempting to attack infrastructure facilities or financial institutions.
• On August 18, 2006, a news article was published: "ISPs Wary About 'Drastic Obligations' on Web Site Blocking".
• The CoE Cybercrime Convention (1997-2001) was the first international treaty seeking to address Internet crimes by harmonizing national laws, improving investigative techniques and increasing cooperation among nations.
• More than 40 countries have ratified the convention to date.
Syllabus
• Introduction, Cyber Crime and the legal
landscape around the world, Cyber Laws in
Indian Context, The Indian IT Act, Challenges
to Indian Law and Cyber Crime Scenario in
India, Consequences of not addressing the
weakness in IT Act, Digital Signature and the
Indian IT Act, Cyber Crime and Punishment,
Cyberlaw, Technology and Students in India
scenario.
• Introduction
• Cyber Crime and the legal landscape around the world
– A Broad view on cybercrime Law scenario in the Asia-Pacific Region
– Online safety and Cybercrime Laws: Detailed Perspective on the
current Asia-Pacific Scenario.
• Computer Security Laws
• Data privacy and protection
• Spam laws
• Online protection for children
– Anti-Spam Laws in Canada
• Senate Bill S-220
• Parliamentary Bill C-27
– Cybercrime and Federal Laws in the US
– The EU Legal Framework for Information Privacy to Prevent
Cybercrime.
– Cybercrime Legislation in the African Region
• Cyber Laws in Indian Context
• The Indian IT Act
– Admissibility of Electronic Records: Amendments made in
the Indian ITA 2000
• The Second Schedule of the Indian ITA 2000: Amendment to the
Indian Evidence Act
• Admissibility of Electronic Records
• The Third Schedule of Indian IT Act 2000: Amendment to the
Bankers Books Evidence Act
• The Fourth Schedule of the Indian IT Act 2000: Amendment to the
Reserve Bank of India Act.
– Positive Aspects of the ITA 2000
– Weak Areas of the ITA 2000
• Challenges to Indian Law and Cyber Crime Scenario in
India
• Consequences of not addressing the weakness in IT Act
• Digital Signature and the Indian IT Act
– Public-Key Certificate
– Representation of Digital Signatures in ITA 2000
– Impact of Oversights in ITA 2000 Regarding Digital
Signatures
– Implications for certifying authorities
• Section 3A: Electronic Signature.
– The current Scenario Regarding Digital Signatures under
the Indian IT Act.
– Cryptographic perspective on the Indian IT Act.
• Cyber Crime and Punishment
• Cyberlaw, Technology and Students in India scenario.
Introduction
• It is said that cybercrime is the largest illegal industry.
• Cybercrime involves massive, coordinated attacks against the information infrastructure of a country.
• In this chapter, we want to bring forth the point that knowledge of cyber laws is essential for people who may directly or indirectly interact with networked services, either over the Internet or over other proprietary networks of businesses and enterprises of any type: banks, stock brokers, intra-company and inter-company information exchange systems, etc.
• Although the Indian legislations are important for people in India, we must not lose sight of the world scenario; it is important for global businesses.
• Therefore, while maintaining focus on the Indian ITA 2000 and the subsequent amendments made in 2008.
• Cybercrime and the legal landscape around the world:
– A broad view on the cybercrime law scenario in the Asia-Pacific region
– Online safety and cybercrime laws: detailed perspective on the current Asia-Pacific scenario
– Anti-spam laws in Canada
– Cybercrime and federal laws in the US
– The EU (European Union) legal framework for information privacy to prevent cybercrime
– Cybercrime legislation in the African region
Cybercrime and the legal landscape
around the world
• World scenario considering the following countries and regions: the US, Europe, Canada, Asia-Pacific and Africa.
• One of the preconditions for development of the information society is for users to have confidence or "trust" in the reliability, security and integrity of electronic communications systems and computerized information processing systems.
• If there is no trust, individuals will tend either not to disclose personal information or to provide false information.
• Therefore, one critical component of the trust framework is privacy protection: the provision of assurance, by means of law, technology design and industry practice, that personal information is collected, exchanged and used fairly.
A Broad View on Cybercrime law
scenario in the Asia-Pacific Region
• Challenges involved in the Asia-Pacific region:
– Lack of awareness of information security issues.
– The rapidly evolving complexity, capacity and reach of ICT.
– The anonymity afforded by these technologies and the transnational nature of communication networks.
– Capacity to use information security technologies.
– Capacity to protect against, detect and respond effectively to cybercrime.
• Information privacy or data protection in this context is not about keeping personal information secret; rather, it is about creating a trusted framework for the collection, exchange and use of personal data in commercial and governmental contexts.
• Data protection laws permit, and even facilitate, the commercial and governmental use of personal data while providing individuals with:
– Control over what to disclose.
– Awareness of how their personal data will be used.
– Rights to insist that data are accurate and up to date, and
– Protection when personal information is used to make decisions about a person.
• Now let us consider the Australian Cybercrime Act 2001.
• This Act introduces the following new offenses.
• The serious offenses under Division 477 are as follows:
– Section 477.1: unauthorized access, modification or impairment with intent to commit a serious offence.
– Section 477.2: unauthorized modification of data to cause impairment.
– Section 477.3: unauthorized impairment of electronic communication.
• The other offenses under Division 478 are as follows:
– Section 478.1: unauthorized access to, or modification of, restricted data.
– Section 478.2: unauthorized impairment of data held in a computer disk, etc.
– Section 478.3: possession or control of data with intent to commit a computer offence.
– Section 478.4: producing, supplying or obtaining data with intent to commit a computer offence.
• The new powers granted by the Australian Cybercrime Act:
– A new power to remove "a thing" to another place for the purpose of examination or processing, to determine whether it may be seized under a warrant, if it is more practical to do so or there are reasonable grounds to believe that the "thing" includes or is evidence.
– The power to "operate electronic equipment" at the warrant premises in order to access data (including data not held at the premises) if the police believe that the data may contain evidentiary material.
– The power to require a person "to provide any information or assistance" that is considered reasonable and necessary in order to allow the officer to make a copy of data from equipment that might contain evidential material.
– The power to require a "person with knowledge of a computer system to assist access", etc.
Online Safety and Cybercrime Laws: Detailed Perspective on the Current Asia-Pacific Scenario
• Here we discuss the legislative position in Asia-Pacific countries with regard to data privacy, spam and online child safety.
• Our objective in this section is to gain an understanding of how the laws of different jurisdictions compare against a single benchmark.
• The Council of Europe's (CoE's) Convention on Cybercrime serves as the benchmark legislation.
• Computer security laws
• Asia-Pacific region: alignment of the countries' enacted legislation with regard to the benchmark legislation:
– Favorable alignment: Australia, New Zealand, Singapore, Taiwan, Thailand
– Moderate alignment: China, Hong Kong, Japan, Malaysia, Philippines, South Korea, Vietnam
– Weak alignment: India, Indonesia
• In India, although the ITA 2000 prohibits many of the activities that constitute core offenses under the Convention, the IT Act does not criminalize these activities.
• In India, an amendment to the ITA 2000 was proposed in 2006; in September 2007, the Standing Committee on IT submitted its report on the IT Amendment Bill, with a number of substantive recommendations in respect of the bill. This resulted in the ITA 2008.
• The degree of alignment varies due to the range of Convention offenses covered by the enacted legislation and the restrictive way in which some of the Convention offenses are implemented.
• Data privacy and Data Protection
– The Microsoft-drafted Model Privacy Bill serves as the benchmark legislation in the data privacy arena.
– As per the Federal Information Processing Standard (FIPS), organizations must provide a "privacy notice" before collecting "personally identifiable information (PII)".
– A privacy notice is a statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information.
– A privacy notice is also known as a privacy statement or privacy policy.
• The privacy-regulated organization must obtain the prior consent (permission or agreement) of the data subject, either explicit (Opt-In) or implied (Opt-Out), depending on several factors related to the privacy risk involved.
• An opt-in is a form of consent given by web users, acknowledging interest in a product or service and authorizing a third party to contact them with further information.
• Opt-In: a process in which personal information will be processed only if the data subject indicates it should be so.
– An Opt-In is considered to be an explicit consent.
• The term opt-out refers to several methods by which individuals can avoid receiving unsolicited product or service information. This option is usually associated with direct marketing campaigns such as e-mail marketing or direct mail.
• Opt-Out: a process in which personal information will be processed unless the data subject indicates it should be otherwise.
– An Opt-Out is considered to be an "implicit" consent.
• Opt-In:
• The opt-in method of gathering data on those visitors that sign up is when the visitor actively has to choose to receive more information. The default option is not to get any more correspondence from your business.
• John Lewis is an example of a sign-up page that uses the opt-in method (screenshot not reproduced).
• Opt-Out:
• The opt-out method means that the default setting is for visitors to be subscribed to your mailing list; they have to uncheck a box that has been pre-ticked, or check a box that says they do not want to receive any further correspondence from you.
• Examples from Boohoo.com and Argos respectively (screenshots not reproduced).
• From a privacy perspective, there are two kinds of information about individuals:
– Aggregated information
• E.g. demographics, website traffic, number of visitors to a particular Internet site
– PII
• E.g. SSN, PAN, name, e-mail, address, phone number.
• Asia-Pacific region: alignment of the countries' enacted data privacy legislation with regard to the benchmark legislation:
– Favorable alignment: none
– Moderate alignment: Australia, Hong Kong, Japan, New Zealand, Singapore, South Korea, Taiwan, Thailand, Vietnam
– Weak alignment: India, Indonesia, Malaysia, Philippines
• Spam Laws
– The checklist drafted by Microsoft contains features of effective anti-spam legislation.
– It is considered the benchmark legislation for this part of the discussion.
– The Microsoft checklist envisages an "Opt-Out" anti-spam regime to address commercial electronic messages.
– However, the checklist mentions that transactional or relationship messages (such as messages sent to customers with regard to products or services purchased from the sender) should be excluded from the scope of regulation, as they contain only an incidental commercial purpose.
– The Microsoft checklist contains the usual restrictions on transmitting electronic messages of a commercial nature without an unsubscribe facility or accurate sender and header information.
• India and Anti-Spam Legislation
– Spam legislation is non-existent in India.
– The ITA 2000 does not discuss the issue of spamming at all.
– The Delhi High Court acknowledged the absence of appropriate legislation concerning spam in a recent case wherein Tata Sons Ltd and its subsidiary Panatone Finwest Ltd filed a suit against McCoy Infosystems Pvt Ltd for transmission of spam.
• Spam is harmful for a number of reasons:
– Content: commercial messages, porn material, harmful embedded code.
– Internet resources consumed: network bandwidth, memory, storage space, and the time spent reading, deleting, filtering and blocking spam.
– Threat to Internet security: spammers frequently tap into SMTP servers and direct them to send copies of a message to a long list of recipients.
• The legal methods to deal with the spamming risk are prohibition, enforcement of anti-spam policies, an Opt-Out clause, statutory provisions and an enforcement mechanism.
• Although there are legal methods to deal with spam, there is considerable debate over whether we need to prohibit or restrict spam.
• Civil liberties advocates say that there are constitutional issues to consider which could trickle down to other types of speech over the Internet.
• The Supreme Court has held commercial advertising to be an inalienable part of the freedom of speech enshrined in Article 19 of the Constitution.
• For this reason, some legislators and advocates argue that anti-spam legislation has to be very specific.
• Consumer protection laws exist to protect the consumer from fraudulent and deceptive advertising.
• Legislation prohibiting pornography already exists.
• Asia-Pacific region: alignment of the countries' enacted legislation with regard to anti-spam laws (Microsoft checklist):
– Favorable alignment: Hong Kong
– Moderate alignment: Australia, China, New Zealand, Singapore, South Korea
– Weak alignment: India, Indonesia, Malaysia, Philippines, Taiwan, Thailand, Vietnam
• Online protection for children
– The ICMEC (International Centre for Missing and Exploited Children) model child pornography legislation serves as the benchmark instrument for this part of the analysis.
– In ICMEC's view, effective child pornography legislation must specifically apply to child pornography and not just pornography in general.
– Therefore, the legislation must include a definition of child pornography, where a child is a person under the age of eighteen (18) irrespective of the age of consent to sexual relationships.
– Effective child pornography legislation should also expressly criminalize the possession of child pornography regardless of the intent to distribute, and require ISPs to bring to the notice of the relevant authorities all suspected child pornography matters.
• Australia, Hong Kong, Japan, South Korea and Taiwan have enacted legislation to specifically address child pornography.
• Only Australia and Hong Kong criminalize mere possession of child pornography.
• There is no legislation in India, Indonesia, Malaysia, Philippines, Singapore and Vietnam to specifically address child pornography (only provisions to control pornographic content in general).
• Currently the Philippine, Indian, Indonesian and Japanese legislatures are considering online child safety laws.
• ITA 2008 addresses child pornography.
• The table below shows the alignment position of Asia-Pacific countries with regard to online child safety legislation:
– Favorable alignment: Australia
– Moderate alignment: Hong Kong, Japan, South Korea, Taiwan
– Weak alignment: India, Indonesia, Malaysia, Philippines, Singapore, Thailand, Vietnam
Why Do We Need Cyberlaws: The
Indian Context
• Cyberlaw is a framework created to give legal recognition to all risks arising out of the usage of computers and computer networks.
• Under the purview of cyberlaw there are several aspects, such as intellectual property, data protection and privacy, freedom of expression and crimes committed using computers.
• The Indian parliament passed its first cyberlaw, the ITA 2000, aimed at providing the legal infrastructure for E-commerce in India.
• The ITA 2000 was then updated as the ITA 2008.
• The reasons for enactment of cyberlaws in India are summarized below.
• Although India possesses a very well-defined legal system covering all possible situations and cases, the country lacks in many aspects when it comes to newly developed Internet technology.
• It is essential to address this gap through a suitable law, given the increasing use of the Internet and other computer technologies in India.
• There is a need to have some legal recognition of the Internet, as it is one of the most dominant means of carrying out business in today's world.
• With the growth of the Internet, a new concept called cyberterrorism came into existence.
• Keeping all these factors into consideration, the Indian parliament passed the Information Technology Bill.
The Indian ITA 2000
(Chapter number, chapter title and the sections in each chapter)
CHAPTER I – Preliminary
1. Short title, extent, commencement and application
2. Definitions of key terms mentioned in the Act
CHAPTER II – Digital Signature and Electronic Signature
3. Authentication of electronic records
CHAPTER III – Electronic Governance
4. Legal recognition of electronic records
5. Legal recognition of electronic signatures
6. Use of electronic records and digital signatures in government and its agencies
7. Retention of electronic records
8. Publication of rules, regulations, etc., in the Electronic Gazette
9. Sections 6, 7 and 8 not to confer right to insist that documents should be accepted in electronic form
10. Power to make rules by Central Government in respect of digital signature
CHAPTER IV – Attribution, Acknowledgement and Dispatch of Electronic Records
11. Attribution of electronic records
12. Acknowledgement of receipt
13. Time and place of dispatch and receipt of electronic record
CHAPTER V – Secure Electronic Records and Secure Electronic Signature
14. Secure electronic record
15. Secure digital signature
16. Security procedures and practices
CHAPTER VI – Regulation of Certifying Authorities
17. Appointment of Controller and other officers
18. Functions of Controller
19. Recognition of foreign Certifying Authorities
20. Controller to act as repository
21. License to issue Digital Signature Certificates
22. Application for license
23. Renewal of license
24. Procedure for grant or rejection of license
25. Suspension of license
26. Notice of suspension or revocation of license
27. Power to delegate
28. Power to investigate contraventions
29. Access to computers and data
30. Certifying Authority to follow certain procedures
31. Certifying Authority to ensure compliance of the Act, etc.
32. Display of license
33. Surrender of license
34. Disclosure
CHAPTER VII – Electronic Signature Certificates
35. Certifying Authority to issue Digital Signature Certificate
36. Representations upon issuance of Digital Signature Certificate
37. Suspension of Digital Signature Certificate
38. Revocation of Digital Signature Certificate
39. Notice of suspension or revocation
CHAPTER VIII – Duties of Subscribers
40. Generating key pairs
41. Acceptance of Digital Signature Certificate
42. Control of private key
CHAPTER IX – Penalties, Composition and Adjudication
43. Penalty for damage to computer, computer system, etc.
44. Penalty for failure to furnish information, return, etc.
45. Residuary penalty
46. Power to adjudicate
47. Factors to be taken into account by the adjudicating officer
CHAPTER X – The Cyber Regulations Appellate Tribunal
48. Establishment of Cyber Appellate Tribunal
49. Composition of Cyber Appellate Tribunal
50. Qualifications for appointment
51. Term of office, conditions of service, etc.
52. Salary, allowances and other terms and conditions of service of presiding officer
53. Filling up of vacancies
54. Resignation and removal
55. Orders constituting Appellate Tribunal
56. Staff of the Cyber Appellate Tribunal
57. Appeal to Cyber Appellate Tribunal
58. Procedures and powers of the Cyber Appellate Tribunal
59. Right to legal representation
60. Limitation
61. Civil court not to have jurisdiction
62. Appeal to High Court
63. Compounding of contraventions
64. Recovery of penalty or compensation
CHAPTER XI – Offences
65. Tampering with computer source documents
66. Computer-related offences
66A. Punishment for offensive messages
66B. Punishment for dishonestly receiving stolen computers
66C. Punishment for ID theft
66D. Punishment for cheating by personating with the use of computers
66E. Punishment for privacy violation
66F. Punishment for cyber terrorism
67. Punishment for publishing or transmitting obscene material in electronic form
68. Power of Controller to give directions
69. Power to issue directions for interception or monitoring or decryption of information
70. Protected system
71. Penalty for misrepresentation
72. Penalty for breach of confidentiality and privacy
73. Penalty for publishing Digital Signature Certificate false in certain particulars
74. Publication for fraudulent purpose
75. Act to apply for offence or contravention committed outside India
76. Confiscation
77. Compensation, penalties or confiscation not to interfere with other punishments
78. Power to investigate offences
CHAPTER XII – Intermediaries Not to be Liable in Certain Cases
79. Exemption from liability of intermediary in certain cases
CHAPTER XIII – Miscellaneous
80. Power of police officer and other officers to enter and search, etc.
81. Act to have overriding effect
82. Chairperson, Members, officers and employees to be public servants
83. Power to give directions
84. Protection of action taken in good faith
85. Offences by companies
86. Removal of difficulties
87. Power of Central Government to make rules
88. Constitution of Advisory Committee
89. Power of Controller to make regulations
90. Power of State Government to make rules
• Sections 65, 66, 67, 71, 72,73 and 74 in CHAPTER XI
(offences) of the Indian ITA 2000 are relevant to the
discussion of cybercrime in legal context. The relevant
portion from that is follows:
• Section 65: Tampering with computer source
documents.
• Whoever knowingly or intentionally conceals, destroys
or alters, or intentionally or knowingly causes another
to conceal, destroy or alter, any computer source code
used for a computer, computer programme, computer
system or computer network, when the computer
source code is required to be kept or maintained by
law for the time being in force, shall be punishable
with
• Imprisonment up to 3 years, or fine up to Rs 2,00,000 (2 lakh), or both.
• Section 66: Computer-related offences
• Whoever with the intent to cause or knowing
that he is likely to cause wrongful loss or
damage to the public or any person destroys
or deletes or alters any information residing in
a computer resource or diminishes its value
or utility or affects it injuriously by any means,
commits hacking. (As amended in 2008, Section 66
covers any act listed in Section 43 that is done
dishonestly or fraudulently.)
• Imprisonment up to 3 years, or fine up to Rs 5,00,000 (5 lakh), or both.
• Section 67: Punishment for publishing or
transmitting obscene material in electronic form.
• Whoever publishes or transmits or causes to be
published in the electronic form any material
which is lascivious or appeals to the prurient
interest, or whose effect is such as to tend to
deprave and corrupt persons who are likely, having
regard to all relevant circumstances, to read, see
or hear the matter contained or embodied in it,
shall be punished
• On first conviction, with imprisonment up to 3 years and fine up to
Rs 5,00,000 (5 lakh); on a subsequent conviction, up to 5 years and
Rs 10,00,000 (10 lakh).
• Section 71: Penalty for misrepresentation
• Whoever makes any misrepresentation to, or
suppresses any material fact from, the
Controller or the Certifying Authority for
obtaining any licence or Digital Signature
Certificate, as the case may be, shall be
punished with imprisonment for a term which
may extend to 2 years, or with fine which may
extend to Rs 1 lakh, or with both.
• Section 72: Penalty for breach of
confidentiality and privacy.
• Any person who, in pursuance of any of the powers
conferred under the Act or the rules or regulations
made under it, has secured access to any electronic
record, book, register, correspondence, information,
document or other material and, without the consent
of the person concerned, discloses it to any other
person shall be punished with
• Imprisonment up to 2 years, or fine up to Rs 1,00,000 (1 lakh), or both.
• Section 73: Penalty for publishing Digital
Signature Certificate false in certain particulars
• No person shall publish a Digital Signature
Certificate or otherwise make it available to any
other person with knowledge that:
– The certifying authority listed in the certificate has not
issued it or
– The subscriber listed in the certificate has not
accepted it.
– The certificate has been revoked or suspended, unless
such publication is for the purpose of verifying a
digital signature created prior to such suspension or
revocation.
• Imprisonment up to 2 years, or fine up to Rs 1 lakh, or both.
• Section 74: publication for fraudulent purpose
• Whoever,
• Knowingly creates, publishes or otherwise
makes available a Digital Signature Certificate
for any fraudulent or unlawful purpose-
• Imprisonment up to 2 years, or fine up to Rs 1 lakh, or both.
Summary of changes to the Indian ITA 2000 made by the IT (Amendment) Act 2008
Section No | Changes Made
1 | Section 1(4) list of excluded documents removed; exclusions are to be notified by gazette.
2 | 2(d) modified, and the term "Digital Signature" replaced with "Electronic Signature" throughout the Act.
  | Section 2(ha) added to define "Communication Device".
  | In 2(j) "Computer Systems" and "Communication Devices", "Wire" and "Wireless" added.
  | In 2(k) "Communication Device" added.
  | 2(na) introduced to define the term "Cyber Cafe".
  | 2(nb) introduced to define the term "Cyber Security".
  | 2(ta) and 2(tb) introduce the terms "Electronic Signature" and "Electronic Signature Certificate".
  | 2(ua) defines "Indian Computer Emergency Response Team".
  | 2(v): "Message" included in the definition of "Information".
  | 2(w): "Intermediary" defined.
3 | New Section 3A introduced to define Electronic Signature.
6 | New Section 6A introduced to enable delivery of e-Governance services by appointed private service providers.
7 | New Section 7A introduced to make audit of electronic documents mandatory wherever the legacy physical records were subject to audit.
10 | New Section 10A specifies that contract formation is possible with offer and acceptance being in electronic form.
15-16 | Defines "Secure Electronic Signature" and redefines "Security Procedure".
20 | Section deleted.
22, 23 | The specified upper limit on fees deleted.
28, 29 | No change in 28. In Section 29, the powers have been restricted to contraventions under this chapter.
30 | Consequential changes with the introduction of Electronic Signatures.
35 | Sub-section (4) modified.
36 | Additional points to be included in the certificate indicated.
40 | No change in 40. New Section 40A introduced to cover Electronic Signature.
43 | Two new contraventions added, corresponding to Sections 65 and 66, for civil liability; the compensation limit removed.
  | New Section 43A included for "Data Protection": specifies the liability of a body corporate handling sensitive personal data and introduces the concepts of "reasonable security practices" and "sensitive personal data". No limit on compensation.
46 | Jurisdiction of the adjudicating officer limited to claims up to Rs 5 crore; civil court jurisdiction introduced for claims beyond Rs 5 crore.
48 | Name of the Cyber Regulations Appellate Tribunal changed to Cyber Appellate Tribunal (CAT).
49 | CAT made a multi-member entity; provision for benches introduced; non-judicial members can be members of the Tribunal.
50 | Specifies qualifications for appointment of the Chairperson and Members of the CAT.
51, 52 | Specify terms and other conditions of appointment of the Chairperson and Members of the CAT. New Sections 52A, 52B, 52C and 52D introduced defining the powers of the Chairperson of the CAT for conduct of business.
61 | Amended to accommodate the jurisdiction of civil courts for disputes involving claims of over Rs 5 crore.
66 | Rewritten with significant changes: applies to all contraventions listed in Section 43 when done dishonestly or fraudulently; fine increased to Rs 5 lakh.
  | New Sections 66A, 66B, 66C, 66D, 66E and 66F added to cover new offences:
  | 66A: Sending offensive messages
  | 66B: Dishonestly receiving a stolen computer resource
  | 66C: Identity theft
  | 66D: Cheating by personation
  | 66E: Violation of privacy
  | 66F: Cyber terrorism
67 | Fine increased to Rs 5 lakh for the first conviction and Rs 10 lakh for subsequent convictions; imprisonment reduced to 3 years for the first conviction and 5 years for subsequent convictions.
  | New Section 67A introduced to cover material containing a "sexually explicit act", with increased imprisonment and fine compared to Section 67.
  | New Section 67B introduced to cover child pornography with stringent punishment: imprisonment of 5 or 7 years for first and subsequent convictions respectively, and fine up to Rs 10 lakh. Also covers "grooming" and self-abuse.
  | 67C: New section requiring intermediaries to preserve and retain certain records for a stated period.
68 | Refers to the powers of the Controller to direct Certifying Authorities to comply. No significant change; penal provisions apply only to intentional violation.
69 | Scope extended from decryption to interception and monitoring as well. Control rests with a designated officer, not the Controller.
  | 69A: New section introduced to enable blocking of websites (public access to information).
  | 69B: New section providing powers for monitoring and collecting traffic data.
70 | Critical Information Infrastructure defined and the section restricted to only such systems; security practices to be notified.
  | 70A: New section designating a National Nodal Agency for Critical Information Infrastructure protection.
  | 70B: Indian Computer Emergency Response Team (CERT-In) to be the nodal agency for incident response.
72 | 72A: New section introduced for data protection purposes (disclosure of information in breach of a lawful contract).
77 | 77A: New section providing for compounding of offences with punishment up to 3 years.
  | 77B: New section making all offences punishable with 3 years' imprisonment under the Act cognizable and bailable.
78 | Power to investigate any cognizable offence vested with Inspectors instead of DSPs.
79 | Modified to shift the onus of proving liability slightly onto the prosecution; otherwise no significant change.
  | 79A: New section enabling the Government to designate any government body as an Examiner of Electronic Evidence.
80 | The powers earlier available to a DSP are now available to Inspectors.
81 | Amended to keep the primacy of the Copyright Act and the Patents Act over the ITA 2000.
84 | 84A: New section enabling the Government to prescribe encryption modes or methods.
  | 84B: New section making "abetment" punishable as the offence itself.
  | 84C: New section making an "attempt to commit an offence" punishable with up to half the punishment prescribed for the offence.
91-94 | Omitted.
Admissibility of Electronic Records: Amendments made
by the Indian ITA 2000.
• The ITA 2000 amended three earlier statutes so that
electronic records could be produced and relied on in court:
• The Indian Evidence Act 1872,
• The Bankers' Books Evidence Act 1891,
• The Reserve Bank of India Act 1934.
• The second schedule of the Indian ITA 2000:
Amendment to the Indian Evidence Act.
• 1. In section 3,—
– (a)in the definition of "Evidence", for the words "all
documents produced for the inspection of the Court", the
words "all documents including electronic records
produced for the inspection of the Court" shall be
substituted;
– (b)after the definition of "India", the following shall be
inserted, namely:— 'the expressions "Certifying
Authority", "digital signature", "Digital Signature
Certificate", "electronic form", "electronic records",
"information", "secure electronic record", "secure digital
signature" and "subscriber" shall have the meanings
respectively assigned to them in the Information
Technology Act, 2000.'.
• 2. In section 17, for the words "oral or
documentary,", the words "oral or
documentary or contained in electronic form"
shall be substituted.
• 3. After section 22, the following section shall
be inserted, namely: —
– When oral admission as to contents of electronic
records are relevant.
– "22A. Oral admissions as to the contents of
electronic records are not relevant, unless the
genuineness of the electronic record produced is
in question.".
• 4.In section 34, for the words "Entries in the books of account", the
words "Entries in the books of account, including those maintained
in an electronic form" shall be substituted.
• 5.In section 35, for the word "record", in both the places where it
occurs, the words "record or an electronic record" shall be
substituted.
• 6.For section 39, the following section shall be substituted, namely:

• What evidence to be given when statement forms part of a
conversation, document, electronic record, book or series of
letters or papers.
• "39. When any statement of which evidence is given, forms part of
a longer statement, or of a conversation or part of an isolated
document, or is contained in a document which forms part of a
book, or is contained in part of electronic record or of a connected
series of letters or papers, evidence shall be given of so much and
no more of the statement, conversation, document, electronic
record, book or series of letters or papers as the Court considers
necessary in that particular case to the full understanding of the
nature and effect of the statement, and of the circumstances under
which it was made.".
• 7. After section 47, the following section shall be inserted,
namely: —
– Opinion as to digital signature where relevant.
– "47A. When the Court has to form an opinion as to the digital
signature of any person, the opinion of the Certifying Authority
which has issued the Digital Signature Certificate is a relevant
fact.".
• 8. In section 59, for the words "contents of documents" the
words "contents of documents or electronic records" shall
be substituted.
• 9. After section 65, the following sections shall be inserted,
namely: —
– Special provisions as to evidence relating to electronic record.
– '65A. The contents of electronic records may be proved in
accordance with the provisions of section 65B.
• 65B. Admissibility of electronic records.
• (1) Notwithstanding anything contained in this
Act, any information contained in an electronic
record which is printed on a paper, stored,
recorded or copied in optical or magnetic media
produced by a computer (hereinafter referred to
as the computer output) shall be deemed to be
also a document, if the conditions mentioned in
this section are satisfied in relation to the
information and computer.
• (2)The conditions referred to in sub-section (1) in respect of
a computer output shall be the following, namely: —
– (a)the computer output containing the information was
produced by the computer during the period over which the
computer was used regularly to store or process information for
the purposes of any activities regularly carried on over that
period by the person having lawful control over the use of the
computer;
– (b)during the said period, information of the kind contained in
the electronic record or of the kind from which the information
so contained is derived was regularly fed into the computer in
the ordinary course of the said activities;
– (c)throughout the material part of the said period, the computer
was operating properly or, if not, then in respect of any period
in which it was not operating properly or was out of operation
during that part of the period, was not such as to affect the
electronic record or the accuracy of its contents; and
– (d)the information contained in the electronic record
reproduces or is derived from such information fed into the
computer in the ordinary course of the said activities.
• (3)Where over any period, the function of storing or
processing information for the purposes of any activities
regularly carried on over that period as mentioned in
clause (a) of sub-section (2) was regularly performed by
computers, whether—
– (a)by a combination of computers operating over that period; or
– (b)by different computers operating in succession over that
period; or
– c)by different combinations of computers operating in
succession over that period; or
– (d)in any other manner involving the successive operation over
that period, in whatever order, of one or more computers and
one or more combinations of computers, all the computers used
for that purpose during that period shall be treated for the
purposes of this section as constituting a single computer; and
references in this section to a computer shall be construed
accordingly.
• (4)In any proceedings where it is desired to give a
statement in evidence by virtue of this section, a certificate
doing any of the following things, that is to say, —
– (a) identifying the electronic record containing the statement
and describing the manner in which it was produced;
– (b) giving such particulars of any device involved in the
production of that electronic record as may be appropriate for
the purpose of showing that the electronic record was produced
by a computer;
– (c) dealing with any of the matters to which the conditions
mentioned in subsection (2) relate, and purporting to be signed
by a person occupying a responsible official position in relation
to the operation of the relevant device or the management of
the relevant activities (whichever is appropriate) shall be
evidence of any matter stated in the certificate; and for the
purposes of this sub-section it shall be sufficient for a matter to
be stated to the best of the knowledge and belief of the person
stating it.
• (5)For the purposes of this section, —
– (a)information shall be taken to be supplied to a computer if it is
supplied thereto in any appropriate form and whether it is so
supplied directly or (with or without human intervention) by
means of any appropriate equipment;
– (b)whether in the course of activities carried on by any official,
information is supplied with a view to its being stored or
processed for the purposes of those activities by a computer
operated otherwise than in the course of those activities, that
information, if duly supplied to that computer, shall be taken to
be supplied to it in the course of those activities;
– (c)a computer output shall be taken to have been produced by a
computer whether it was produced by it directly or (with or
without human intervention) by means of any appropriate
equipment.
• Explanation.—For the purposes of this section any
reference to information being derived from other
information shall be a reference to its being derived there
from by calculation, comparison or any other process.
• 10. After section 67, the following section shall be inserted, namely:
— Proof as to digital signature.
– "67A. Except in the case of a secure digital signature, if the digital
signature of any subscriber is alleged to have been affixed to an
electronic record the fact that such digital signature is the digital
signature of the subscriber must be proved.".
• 11. After section 73, the following section shall be inserted, namely:
— Proof as to verification of digital signature.
– '73A. In order to ascertain whether a digital signature is that of the
person by whom it purports to have been affixed, the Court may
direct—
– (a)that person or the Controller or the Certifying Authority to produce
the Digital Signature Certificate;
– (b)any other person to apply the public key listed in the Digital
Signature Certificate and verify the digital signature purported to have
been affixed by that person.
• Explanation.—For the purposes of this section, "Controller" means
the Controller appointed under sub-section (1) of section 17 of the
Information Technology Act, 2000'.
• 12. Presumption as to Gazettes in electronic forms.
• After section 81, the following section shall be
inserted, namely: —
• "81 A. The Court shall presume the genuineness of
every electronic record purporting to be the Official
Gazette, or purporting to be electronic record directed
by any law to be kept by any person, if such electronic
record is kept substantially in the form required by law
and is produced from proper custody.".
• 13. Presumption as to electronic agreements.
• After section 85, the following sections shall be
inserted, namely: —
– "85A. The Court shall presume that every electronic record
purporting to be an agreement containing the digital
signatures of the parties was so concluded by affixing the
digital signature of the parties.
• Presumption as to electronic records and digital
signatures.
• 85B. (1) In any proceedings involving a secure
electronic record, the Court shall presume unless
contrary is proved, that the secure electronic record
has not been altered since the specific point of time to
which the secure status relates.
• (2)In any proceedings, involving secure digital
signature, the Court shall presume unless the contrary
is proved that—
– (a) the secure digital signature is affixed by subscriber with
the intention of signing or approving the electronic record;
– (b) except in the case of a secure electronic record or a
secure digital signature, nothing in this section shall create
any presumption relating to authenticity and integrity of
the electronic record or any digital signature.
• Presumption as to Digital Signature Certificates.
• 85C. The Court shall presume, unless contrary is proved, that the
information listed in a Digital Signature Certificate is correct, except
for information specified as subscriber information which has not
been verified, if the certificate was accepted by the subscriber.".
• 14. Presumption as to electronic messages.
• After section 88, the following section shall be inserted, namely: —
'88A. The Court may presume that an electronic message
forwarded by the originator through an electronic mail server to the
addressee to whom the message purports to be addressed
corresponds with the message as fed into his computer for
transmission; but the Court shall not make any presumption as to
the person by whom such message was sent.
• Explanation.—For the purposes of this section, the expressions
"addressee" and "originator" shall have the same meanings
respectively assigned to them in clauses (b) and (za) of sub-section
(1) of section 2 of the Information Technology Act, 2000.'.
• 15. Presumption as to electronic records five years old.
• After section 90, the following section shall be inserted,
namely: —
• "90A. Where any electronic record, purporting or proved to
be five years old, is produced from any custody which the
Court in the particular case considers proper, the Court may
presume that the digital signature which purports to be the
digital signature of any particular person was so affixed by
him or any person authorized by him in this behalf.
• Explanation.—Electronic records are said to be in proper
custody if they are in the place in which, and under the
care of the person with whom, they naturally be; but no
custody is improper if it is proved to have had a legitimate
origin, or the circumstances of the particular case are such
as to render such an origin probable.
• This Explanation applies also to section 81A.".
• 16. For section 131, the following section shall
be substituted, namely: —
• Production of documents or electronic records
which another person, having possession, could
refuse to produce.
• "131. No one shall be compelled to produce
documents in his possession or electronic records
under his control, which any other person would
be entitled to refuse to produce if they were in
his possession or control, unless such last-
mentioned person consents to their production.".
The third schedule of the Indian ITA 2000: Amendments
to the Bankers' Books Evidence Act 1891
• 1. In section 2—
• (a) for clause (3), the following clause shall be
substituted, namely:— '(3) "bankers' books"
include ledgers, day-books, cash-books,
account-books and all other books used in the
ordinary business of a bank whether kept in
the written form or as printouts of data stored
in a floppy, disc, tape or any other form of
electro-magnetic data storage device;
• (b) for clause (8), the following clause shall be substituted, namely:
— '(8) "certified copy" means when the books of a bank,—
• (a)are maintained in written form, a copy of any entry in such books
together with a certificate written at the foot of such copy that it is a
true copy of such entry, that such entry is contained in one of the
ordinary books of the bank and was made in the usual and ordinary
course of business and that such book is still in the custody of the
bank, and where the copy was obtained by a mechanical or other
process which in itself ensured the accuracy of the copy, a further
certificate to that effect, but where the book from which such copy
was prepared has been destroyed in the usual course of the bank's
business after the date on which the copy had been so prepared, a
further certificate to that effect, each such certificate being dated
and subscribed by the principal accountant or manager of the bank
with his name and official title; and
• (b)consist of printouts of data stored in a floppy, disc, tape or any
other electro-magnetic data storage device, a printout of such entry
or a copy of such printout together with such statements certified
in accordance with the provisions of section 2A.'.
• 2. After section 2, the following section shall be inserted, namely: —
• Conditions in the printout.
• "2A. A printout of entry or a copy of printout referred to in sub-section (8) of section 2 shall
be accompanied by the following, namely: —
• (a) a certificate to the effect that it is a printout of such entry or a copy of such printout by
the principal accountant or branch manager; and
• (b) a certificate by a person in-charge of computer system containing a brief description of
the computer system and the particulars of—
– (A) the safeguards adopted by the system to ensure that data is entered or any other
operation performed only by authorised persons;
– (B) the safeguards adopted to prevent and detect unauthorised change of data;
– (C) the safeguards available to retrieve data that is lost due to systemic failure or any other
reasons;
– (D) the manner in which data is transferred from the system to removable media like floppies,
discs, tapes or other electro-magnetic data storage devices;
– (E) the mode of verification in order to ensure that data has been accurately transferred to
such removable media;
– (F) the mode of identification of such data storage devices;
– (G) the arrangements for the storage and custody of such storage devices;
– (H) the safeguards to prevent and detect any tampering with the system; and
– (I)any other factor which will vouch for the integrity and accuracy of the system.
• (c) a further certificate from the person in-
charge of the computer system to the effect
that to the best of his knowledge and belief,
such computer system operated properly at
the material time, he was provided with all
the relevant data and the printout in question
represents correctly, or is appropriately
derived from, the relevant data."
The fourth schedule of the Indian ITA 2000:
Amendment to the Reserve Bank of India Act
• In the Reserve Bank of India Act, 1934, in section
58, in sub-section (2), after clause (p), the
following clause shall be inserted, namely:—
– "(pp) the regulation of fund transfer through electronic
means between the banks or between the banks and
other financial institutions referred to in clause (c) of
section 45-I, including the laying down of the
conditions subject to which banks and other financial
institutions shall participate in such fund transfers, the
manner of such fund transfers and the rights and
obligations of the participants in such fund transfers;"
Positive Aspects of the ITA 2000
• Prior to the enactment of the IT Act, 2000, even an email
was not accepted under the prevailing statutes of India as
a legal form of communication or as evidence in a court of
law. The IT Act, 2000 changed this by giving legal
recognition to the electronic format. In that sense the IT
Act, 2000 is a step forward.
• From the perspective of the corporate sector, companies
are able to carry out electronic commerce using the
legal infrastructure provided by the IT Act, 2000. Until
the Indian cyber law came into effect, the growth of
electronic commerce was impeded in the country mainly
because there was no legal infrastructure to regulate
commercial transactions online.
• Companies are now able to use digital signatures to carry
out their transactions online; digital signatures have
been given legal validity and sanction under the ITA 2000.
• Today companies store information on their computer
systems, apart from maintaining backups. Under the IT
Act, 2000 a company has a statutory remedy if anyone
breaks into its computer systems or networks and causes
damage or copies data. The remedy provided by the IT
Act, 2000 is monetary damages by way of compensation,
originally capped at Rs 1,00,00,000 (1 crore) under
Section 43; the 2008 amendment removed this ceiling.
• The IT Act, 2000 has defined various cybercrimes,
including hacking and damage to computer source code.
Before the Indian cyber law came into effect, companies
were helpless as there was no legal redress for such
issues; the IT Act, 2000 changed the scene altogether.
• Negative aspects of the IT Act, 2000
• The IT Act, 2000 is likely to cause a conflict of jurisdiction.
• Electronic commerce is based on the system of domain
names.
– The IT Act, 2000 does not even touch the issues relating to
domain names.
– Even domain names have not been defined and the rights and
liabilities of domain name owners do not find any mention in
the law.
• The IT Act, 2000 does not deal with any issues concerning
the protection of intellectual property rights in the context
of the online environment.
– very important issues concerning online copyrights, trade marks
and patents have been left untouched by the law, thereby
leaving many loopholes.
• The IT Act, 2000 does not cover various kinds
of cyber crimes and internet-related crimes.
These include:
– (a) Theft of internet hours
– (b) Cyber theft
– (c) Cyber stalking
– (d) Cyber harassment
– (e) Cyber defamation
– (f) Cyber fraud
– (g) Misuse of credit card numbers
– (h) Chat room abuse
• The IT Act, 2000 has not tackled several issues
pertaining to the e-commerce sphere, such as privacy
and content regulation, to name a few.
• The IT Act does not touch upon antitrust issues.
• The IT Act is silent on the regulation of
electronic payment gateways.
– This may have a major effect on the growth of
e-commerce in India.
• The most serious concern about the Indian
Cyberlaw relates to its implementation.
Challenges to Indian Law and
Cybercrime Scenario in India
• Chapter XI of the ITA 2000, entitled "Offences", declares cybercrimes to be
penal offences punishable with imprisonment and fine.
• The offences covered under Chapter XI of the Indian ITA 2000 include:
– Tampering with computer source code or computer source documents (Section 65).
– Unauthorized access to a computer resource, i.e. hacking (Section 66).
– Publishing, transmitting or causing to be published any information in electronic
form which is lascivious or which appeals to the prurient interest (Section 67).
– Securing access or attempting to secure access to a protected system (Section 70).
– Misrepresentation while obtaining any licence to act as a Certifying Authority (CA) or a
digital signature certificate (Section 71).
– Breach of confidentiality and privacy (Section 72).
– Publication of digital signature certificates which are false in certain particulars (Section 73).
– Publication of digital signature certificates for fraudulent purposes (Section 74).
• Challenges:
– Most Indians do not report cybercrimes to the law
enforcement agencies because they fear it might invite a
lot of harassment.
– Public awareness of cybercrime is relatively low.
– Law enforcement agencies in India are neither well equipped
nor knowledgeable enough about cybercrime.
– Not all cities have cybercrime cells.
– There are no dedicated cybercrime courts in the country where
expertise in cybercrime can be utilized.
– The current law enforcement machinery is not yet well
equipped to deal with Cyberlaw offences and
contraventions.
– There is a crying need for cyber-savvy judges.
• How to overcome:
– Sound Cyberlaw training for judges and lawyers will
go a long way towards effective enforcement of cyber laws.
– Uniform guidelines on cyber forensics tools and strategies
should be circulated among the officers investigating
cybercrime in the country.
– Cybercrime trials need to be expedited.
– People need to be encouraged to report matters to the
law enforcement agencies with full confidence and trust,
without fear of being harassed.
– The law enforcement agencies dealing with cybercrime
need to build an extremely tech-savvy and
friendly image.
– Apt laws and a proactive approach by the law
enforcement agencies are required to deal effectively
with the menace of cybercrime.
Consequences of not addressing the
weaknesses in the IT Act
• India's outsourcing sector may be impacted.
• There have been many news reports about overseas customers
worrying about data breaches and data leakages in India.
• This can erode India's leadership in the international
IT outsourcing market.
• If India wishes to maintain its strong position in the global
outsourcing market, quick and intelligent steps should be
taken to address the current weaknesses in the IT Act.
• If this is not addressed in the near future, the dream
of India leading the world's outsourcing market may not
come true.
Digital Signature and the Indian IT Act
• This section discusses some potential problems
with the way the ITA 2000 handles digital
signatures and electronic signatures, namely:
• Public-key certificates and the role of a public-
key infrastructure (PKI).
• Impact of oversights in ITA 2000 regarding
digital signatures.
Public-key Certificate
• A public-key certificate is a digitally signed statement from one entity
(the issuer), saying that the public key of another entity (the subject)
has a specific value.
• A digital signature is a type of electronic signature that is used to
guarantee the integrity of the signed data: any change to the data
after signing causes verification to fail.
• When linked to the identity of the signer through a credential such
as an X.509 certificate, a digital signature can also support non-
repudiation, since it binds the signer to the signed document.
• An X.509 certificate contains information about the certificate
subject and the certificate issuer.
• A certificate is encoded in Abstract Syntax Notation One (ASN.1), a
standard syntax for describing messages that can be sent or
received on a network (X.509 certificates use the DER encoding
rules). The role of a certificate is to associate an identity with a
public-key value.
• A certificate includes:
– X.509 version information
– A serial number that uniquely identifies the
certificate among those issued by the same issuer
– The subject name: the distinguished name of the entity
to whom the certificate is issued (the key holder); its
common name (CN) attribute identifies the subject
– The public key associated with the subject
– The validity period (not before / not after)
– Information about the certificate issuer (the issuer's
distinguished name)
– The signature of the issuer
– Information about the algorithm used to sign the
certificate
– Some optional X.509 version 3 extensions (for example
key usage and CRL distribution points)
• X.509 certificates are used in web browsers
(Netscape Navigator and Microsoft Internet
Explorer) that support SSL protocol (which
provides privacy and authentication).
• Other technologies that rely on X.509 certificate
include:
– Code-signing schemes, such as Java Archives (JAR) and
Microsoft Authenticode.
– Secure e-mail standards, such as Privacy-Enhanced
Mail (PEM) and Secure/Multipurpose Internet Mail
Extensions (S/MIME).
– E-commerce protocols, such as Secure Electronic
Transaction.
Representation of Digital Signatures in
the ITA 2000
• ITA 2000 had prescribed digital signatures based on an
asymmetric cryptosystem and a hash system as the only
acceptable form of authentication of electronic documents,
recognized as equivalent to “signatures” in paper form.
• One of the major deficiencies in the bill, which could
hinder implementation, concerns the provisions regarding
the role and function of the CAs as well as the processes
for issuing digital certificates.
ITA 2000 Oversights (failures to notice)
• Licensing of certifying authorities(CAs)
– According to section 21, the applicant for such a
license should fulfill the requirements of
“qualifications”, “expertise”, “manpower”, “financial
resources” and “other infrastructure facilities” which
are necessary to issue digital certificates as may be
prescribed by the Central Government.
– The license may be valid for such period as may be
prescribed by the Central government and would not
be transferable or heritable.
– The initial licensing period should be at least 5 years, and
no restrictions should be placed on the transferability of the
ownership of the company that is granted the license.
• Licensing of foreign CAs:
– In view of the enormous preparation required to set up a CA
business, Indian CAs will take some time to come up with their
services. Until such time, the market has to be supported by
foreign CAs.
– As per the bill, certificates will not be valid unless the issuing
authority is approved by the Controller. For a foreign CA to get
the approval, it has to open a physical office in India where it
has to display the license.
– There are many users in India who have obtained individual or
secured-server digital certificates from foreign CAs such as
VeriSign. Now, if, for argument's sake, VeriSign does not get a
licence as a CA from the Controller in India, the existing
certificates issued by it will not be valid under Indian
law.
• It is therefore appropriate if the validity of certificates from
any CA already approved in other countries is automatically
extended to India.
Impact of oversights in ITA 2000
Regarding Digital Signatures
• If the provisions discussed above display only the ignorance of the
law makers, the reading of Clause 35 leaves one wondering how such
blatant errors have gone unnoticed to become law.
• To keep the situation under control, the Ministry of Information
Technology had to urgently establish a task force to assist it in
the drafting of the rules.
• The task force consisted of experts in the field.
• The Information Technology Amendment Bill 2006 was drafted on
the basis of the recommendations of an “Expert Committee”.
• The committee took into consideration a recommendation from the
technical community that:
• The PKI-based system made the law dependent on a single authentication
technology.
• There was a need to make the law technology neutral.
Implications of Certifying authorities
• As per the Information Technology Act 2008, section 3
defines digital signature, and section 3A defines
electronic signature.
• As a result, the CA regulations also need to
accommodate both digital signatures and
electronic signatures.
• Section 3A : Electronic Signature
– A subscriber may authenticate any electronic record by
such electronic signature or electronic authentication that
• Is considered reliable
• May be specified in the second schedule.
• Any electronic signature or the electronic
authentication technique shall be considered
reliable if
– The signature creation data or the authentication data
are, within the context in which they are used, linked
to the signatory or authenticator.
– The signature creation data or the authentication data
were, at the time of signing, under the control of the
signatory or authenticator.
– Any alteration to the electronic signature made after
affixing such signature is detectable.
– Any alteration to the information made after its
authentication by electronic signature is detectable.
• The Central Government may prescribe the
procedure for the purpose of ascertaining
whether an electronic signature is that of the person
by whom it is purported to have been affixed or
authenticated.
• The Central Government may, by notification in the
Gazette, add to or omit any electronic signature
or electronic authentication technique and the
procedure for affixing such signature from the
second schedule.
– Provided that no electronic signature or
authentication technique shall be specified in the
second schedule unless such signature or technique is
reliable.
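As an added example, not part of these slides or of the Act: a Go program (standard library only) that issues a self-signed X.509 certificate carrying the fields listed under Public-key Certificate (version, serial number, subject, issuer, signature algorithm), signs an electronic record with the matching private key, and checks the Section 3A requirement that any alteration to the information after signing is detectable. The subject name "Subscriber Example", the serial number 1001 and the record text are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// IssueCert makes an RSA key pair and a self-signed X.509 v3 certificate binding the constructed subject to it.
func IssueCert() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), // constructed serial number
		Subject:      pkix.Name{CommonName: "Subscriber Example"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// SignRecord hashes the electronic record with SHA-256 and signs the digest with the private key.
func SignRecord(key *rsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifyRecord checks the signature with the public key inside the certificate; any alteration yields false.
func VerifyRecord(cert *x509.Certificate, record, sig []byte) bool {
	return cert.CheckSignature(x509.SHA256WithRSA, record, sig) == nil
}

func main() {
	key, cert, _ := IssueCert()
	rec := []byte("Pay INR 1000") // constructed electronic record
	sig, _ := SignRecord(key, rec)
	fmt.Println(cert.Subject.CommonName, VerifyRecord(cert, rec, sig), VerifyRecord(cert, []byte("Pay INR 9000"), sig))
}
```

The parsed certificate also exposes the issuer name, serial number and signature algorithm, so the same object can be inspected for each field the slides list.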
The Current Scenario Regarding Digital
Signatures under the Indian Act
• A digital signature is electronically generated and can be
used to ensure the veracity and legitimacy of data.
• Section 3 of the IT Act makes the provision for it as:
Authentication of electronic records.-
• (1) Subject to the provisions of this section, any
subscriber may authenticate an electronic record by
affixing his digital signature.
• “Affixing Electronic Signature” means adoption of any
methodology or procedure by a person for the purpose
of authenticating an electronic record by means of
Electronic Signature.
• Digital Signature vs. Digital Certificate
– Digital signatures are based on three pillars of
authentication in the virtual world: privacy, non-repudiation
and integrity.
– The objectives of a digital certificate are the
authentication of documents and binding the person
who is putting the digital signature.
– A digital signature is an electronic process of signing an
electronic document.
– A digital certificate is a computer-based record which is
the identification of the certifying agency or the identity
of the subscriber.
• Digital Signature Vs. Electronic Signature
– The Information Technology Amendment Bill 2006
replaces the word “Digital” with the word “Electronic” at
several places in the principal Act, which creates a slight
difference between the two: electronic signature is wide in
nature, while the digital signature is one of the many kinds
of electronic signature.
– Digital signatures are covered in sections 2(p), 2(q), 37, 38 and 39.
– Electronic signatures are meant in sections 37A, 38A and 39A.
– Therefore, when procedures for electronic signatures
were introduced, several sections needed to undergo
changes. This has been another major amendment to the
Act.
– Some of these difficulties could have been avoided by
replacing the words “digital signature” with the words “digital
signature and electronic signature where relevant” in
clause 2 of the IT Amendment Bill 2006.
Cryptographic perspectives on the
Indian IT Act
• Non-repudiation is very important in e-commerce and
electronic messaging systems.
• There are two definitions of non-repudiation:
• Def 1: the intent to accept one's obligation under a
contract and be bound by its performance.
• Def 2: the intent to accept responsibility for submitting
or receiving an electronic message and to be bound by
its substance.
– Non-repudiation protects a sender against the false
assertion of the receiver that the message has not been
received, and a receiver against the false assertion of the
sender that the message has been sent.
• There is a definitional distinction between the
legal use of the term “non-repudiation” and its
crypto-technical use.
• First consider the legal use of the term.
• The basis for a repudiation of a traditional
signature may include:
– The signature is a forgery
– The signature is not a forgery, but was obtained
via,
• Unconscionable conduct by a party to a transaction.
• Fraud instigated by a third party.
• Undue influence exerted by a third party.
• Consider the crypto-technical meaning:
• In general terms, it means
– In authentication, a service that provides proof of the
integrity and origin of the data, both in an unforgeable
relationship, which can be verified by any third party
at any time.
– In authentication, an authentication that with high
assurance can be asserted to be genuine and that
cannot subsequently be refuted.
• PKI has been over-touted as the solution to many
network security problems.
• But it is known that there are problems that are
beyond PKI's ability to solve.
Cybercrime and Punishment
• When it comes to punishing cybercriminals, another
problem is the non-uniform treatment of cybercrimes
across the world:
• Crimes are not treated uniformly even in the countries that
have updated legislation for cybercrime, and this creates
another problem.
• We can conclude about punishments for cybercriminals by
summarizing the following points.
– Reliance on terrestrial laws may not be a reliable approach
– Weak penalties limit deterrence
– Self protection remains the first line of defense
– A global patchwork of laws creates little certainty
– A model approach is needed.
• Reliance on terrestrial laws may not be a
reliable approach
– Despite the progress being made in many
countries, most countries still rely on standard
terrestrial law to prosecute cybercrime. A majority
of countries are relying on archaic statutes that
predate the birth of cyberspace and have not
been tested in court.
• Weak penalties limit deterrence
– The weak penalties in most updated criminal
statutes provide limited deterrence for crimes that
can have large-scale economic and social effects.
• Self protection remains the first line of defense
– The general weakness of statutes increases the
importance of private sector efforts to develop and
adopt strong and efficient technical solutions and
management practices for information security.
• A global patchwork of laws creates little certainty
– Little consensus exists among countries regarding
exactly which crimes need to be legislated against.
– In a networked world, no island is an island: unless
crimes are defined in a similar manner across
jurisdictions, coordinated efforts by law enforcement
officials to combat cybercrime will be complicated.
• A model approach is needed:
– Most countries, particularly those in the developing
world, are seeking a model to follow. These countries
recognize the importance of banning malicious
computer-related acts in a timely manner to promote
a secure environment for e-commerce.
– But few have the legal and technical resources
necessary to address the complexities of adapting
terrestrial criminal statutes to cyberspace.
– A coordinated public-private partnership to produce a
model approach can help eliminate the potential
danger from the inadvertent creation of cybercrime
havens.
Cyberlaw, Technology and Students:
Indian Scenario
• India has a peculiar scenario given its current educational system.
• Most technology students have either nil or low exposure to law,
and most law students have only limited exposure to information
technology.
• A computer science student in college is taught how to
develop programs that can automatically transmit data across the
Internet riding on TCP/IP packets, without alerting him to
cybercrimes such as hacking or virus introduction.
• The topic of secure coding is not included in most syllabi.
• Law students are taught about trade marks
and copyrights without recognizing their
implications for electronic documents.
• As a result, neither the technologist nor the lawyer
is trained in his formative years to understand
cyberlaw.
• There is a strong need for techno-legal experts to
demystify cyberlaw and make it possible for a large
section of society to take up the study of cyberlaw.
-END-