Chapter 06   Information Technology Act 2000
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Chapter 06 Information Technology Act 2000

on

  • 10,199 views

 

Statistics

Views

Total Views
10,199
Views on SlideShare
10,199
Embed Views
0

Actions

Likes
0
Downloads
547
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft Word

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Chapter 06 Information Technology Act 2000 Document Transcript

  • 1. CHAPTER 06 INFORMATION TECHNOLOGY ACT, 2000 6.1 INTRODUCTION Source of the Act  The first 17 Sections of the Act are largely based on Model Law on Electronic Commerce adopted by United Nations Commission on International Trade Law (UNCITRAL) recommended by the General Assembly of the United Nations on the 30th January, 1997 in drafting its new law. UNCITRAL - Model Law on Electronic Commerce  This Model Law provides for equal legal treatment of users of electronic communication and paper based communication. The General Assembly of United Nations by its Resolution No. 51/162 dated 30th January 1997 recommended that all States should give favourable considerations to the said Model Law when they enact or revise their laws.  The macro perspectives were: (a) to facilitate electronic commerce among and within nations, (b) to validate transactions entered into by means of new information technologies, (c) to promote and encourage the implementation of new information technologies, (d) to promote the uniformity of law: and (e) to support commercial practice.  The micro perspectives were: (a) to establish rules and norms that validate and recognise Contracts formed through electronic means, (b) to set default rules for contract formation and governance of electronic contract performance, (c) to define the characteristics of a valid electronic writing and an original document, (d) to provide for the acceptability of electronic signatures for legal and commercial purposes, and (e) to support the admission of computer evidence in courts and arbitration proceedings. Objectives of the IT Act, 2000 (a) To grant legal recognition for transactions carried out by means of Electronic Data Interchange and other means of electronic communication commonly referred to as “electronic commerce” in place of paper-based methods of communication. (b) To give legal recognition to Digital Signature for authentication of any information or matter which requires authentication under any law (c) To facilitate electronic filing of documents with Government departments (d) To facilitate electronic storage of data. (e) To facilitate and give legal sanction to electronic fund transfers between banks and financial institutions. (f) To give legal recognition for keeping books of account by Bankers in electronic form. (g) Certifying authorities will be licensed to issue digital signature certificates and a regulatory regime will be established to supervise the certifying authorities who will not, themselves be a part of the bureaucracy.  The Act extends to the whole of India including the State of Jammu and Kashmir. It also applies to any offence or contravention committed under the Act outside India by any person. However, this is subject to certain conditions. Documents excluded from the purview of the Act and justification therefor  The Act does not apply to- 1. A Negotiable Instrument as defined in the Negotiable Instruments Act, 1881. 2. A Power of Attorney as defined in the Powers of Attorney Act, 1882. . 3. A trust as defined in the Indian Trusts Act, 1882. 4. Any contract for the sale or conveyance of immovable property or any interest in such property. Any such class of documents or transactions as may be notified by the Central Government in the Official Gazette. This is an enabling and residuary clause. CYBER SPACE – MEANING THEREOF  An Internet or network of computers can operate without constrains of space, state borders, etc. Though they are only a medium for storage and analysis and communication of information, they virtually create a world of their own – a medium in which business can be transacted without any of the inhibitions that the real world imposes.  The New Shorter Oxford Dictionary explains the expression “cyberspace” as follows: The notional environment within which electronic communication occurs, especially when represented as the inside of a computer system; space perceived as such by an observer but generated by a computer system, and having no real existence; the space of virtual reality”.  “Cyberspace” is computer-governed environment, which does not exist in reality but yet serves many of the
  • 2. IIPM 41 CH. – 6 INFORMATION TECH. ACT purposes that the visible, tangible world serves. The Act does not mention cyberspace but dubs the Appellate Tribunal for which it proves as “Cyber Tribunal” 6.2 AUTHENTICATION OF ELECTRONIC RECORDS USING DIGITAL SIGNATURES [SECTION 3] What is `Authentication`  A process used to confirm the identity of a person or to prove the integrity of information.  Message authentication involves determining its source and verifying that it has not been modified or replaced in transit.  Any subscriber may authenticate an electronic record by affixing his digital signature. The authentication shall be effected by the by use of asymmetric system and hash function which envelop and transform the initial electronic record into another electronic record. DIGITAL SIGNATURE  The digital signature is created in two distinct steps. (i) Firstly - the electronic record is converted into a message digest by using a mathematical function known as “hash function” which digitally freezes the electronic record thus ensuring the integrity of the content of the intended communication. (ii) Secondly, the identity of the person affixing the digital signature is authenticated through the use of a private key which attaches itself to the message digest and which can be verified by any person who has the public key according to such private key. This will enable any person to verify whether the electronic record is retained intact or has been tampered with. It will also enable a person who has a public key to identify the originator of the electronic message. 'Hash function' - an algorithm mapping or translation of one sequence of bits into another (generally smaller) set known as 'hash result' such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input making it computationally infeasible: (a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm, and (b) that two electronic records can produce the same hash result using the algorithm. CONTENT OF HASH FUNCTION MESSAGE DIGEST AGREEMENT TO ALOGRITHM RUN BE SIGNED OVER AGREEMENT ELECTRONICALLY CONTENT MESSAGE DIGEST ENCRYPTED WITH PRIVATE KEY OF SENDER GENERATE DIGITAL SIGNATURE WHICH ARE EMBOSSED ON THE AGREEMENT RECEIVER AGAIN GENERATES THE MESSAE DIGEST BY RUNNING HASH FUNCTION ALOGRITH OVER THE AT RECEIVER DIIGTAL SIGNATURE ARE ORIGINAL CONTENT OF MESSAGE AND IF MESSAGE DECRYPTED WITH SENDER PUBLIC KEY AND DIGEST GENERATED AFTER DECRYPTING DIGITAL IT GENERTAE MESSAGE DIGEST SIGNATURE OF SENDER WITH SENDER PUBLIC KEY, IT PROVES THAT THE CONTENTS ARE NOT CHANGED AND SIGNATURE BELONGS TO THE SENDER DIGITAL CERTIFICATE  A Digital Certificate is a digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it.  A Digital Certificate is a data structure used in a public key system to bind a particular, authenticated individual to a particular public key.  A Personal Digital Certificate serves as the digital identity of an individual. Just as a Driver's License can be used to identify someone who can legally drive in a particular country, a Digital Certificate can be presented electronically to prove an individual's identity or right to access information or services on the Internet.  Digital Certificates are used to secure information and assure the identities of their owners. They also providing a means of associating individuals with electronic documents similar to the manner in which handwritten signatures associate individuals with the paper documents.  For a Digital Certificate to be trusted, it needs to be endorsed a recognized third party that is empowered by the law to issue Digital Certificates. LECTURES BY PROF. S N GHOSH
  • 3. IIPM 42 CH. – 6 INFORMATION TECH. ACT Following steps are followed for obtaining Digital certificate: 1. Sender sends his public key to Certification Authority along with information specific to his identification and other relevant information. 2. The Certification Authority uses his information to verify sender and his public key, if every thing is OK, the Certification Authority returns the sender a Digital Certificate that confirms the validity of Sender Public Key. 3. Actually Certification Authority certifies public key by digitally signing the sender public key with authority private key and authority put this sign on Digital Certificate. And any user who wants to use some one's public key can verify its validity by applying the certification authority public key to the certificate. In this way user would get actual public key of sender and can tally this public key with the public key supplied by the sender.  Depending on the level of trustworthiness one wants to create towards the people he/she communicates with over the Net, the CA offers three classes of Personal Certificates: CLASS UTILITY PURPOSE Class- 1 Digitally sign email, Encrypt email; Authenticate to a Web Server to engage in secure communication. This protects all information such as credit card details that one sends to the Web Server. These certificates are not intended for, and shall not be relied upon, for commercial use where proof of identity is required. These Certificates are issued following a top down approach. Class –2 Issued as Managed Digital Certificates to employees/ partners/ affiliates/ customers of business and government organizations those are ready to assume the responsibility of verifying the accuracy of the information submitted by their employees/ partners/ affiliates/ customers. The organization is given a Digital Certificate signed by the CA to initiate the process of issuing Certificates to its employees/ partners/ affiliates/ customers. The entire organization is treated as a Sub-CA/RA. The Sub-CA/RA in turn requests the issue of Digital Certificates for employees/ partners/ affiliates/ customers of the organization from the CA. The verification of details supplied with the request for a Digital Certificate is done by the organization appointed as a Sub-CA/RA under the CA Trust Network Certificates are issued to individuals, companies and government organizations. They can be used both for personal and commercial purposes. Class - 3 They are typically used for electronic commerce applications such as electronic banking, electronic data interchange (EDI), and membership-based on-line services, where security is a major concern. The level of trust created by the Digital Certificate is based on the authentication procedures used by the CA to verify subscriber’s identity and the service guarantees offered by the CA to back up that authentication. Usually, the CA uses various procedures to obtain evidence of subscriber’s identity before issuing you the Class-3 Certificate. During verification, the subscriber will also need to be physically present before a Registration Authority (RA), qualified by the CA due to their neutrality and reliability. These validation procedures provide stronger assurances of an applicant's identity. Example – TCS has been granted licence as CA (Certifying Authority). Bombay Stock Exchange (BSE) is the RA (Registering Authority) for members of that stock exchange. Types of Digital Certificates  Generally, the CA offers Single Key Pair and Dual Key Pair support for Personal Digital Certificates, which can be used for Digital Signature and Encryption purposes.  A provision is also available to back-up the credentials the subscriber has used to receive encrypted messages/documents, so that the encrypted messages/documents can be recovered if he/she has lost the private key or if required in his/her absence, using the backed-up credentials. This can be of great help for organizations, wherein, it is necessary to recover the encrypted information received by an employee after he/she has left the organization.  The Signing Certificate is used for preparing the Digital Signature that provides Authenticity, Non-Repudiation and Integrity to electronic communication. The Signing Certificate can be used to digitally sign documents, messages, email and can also be used as an identification for the electronic application and in SSL communication with a Web Server.  Encryption key pairs that are generated at the CA end are made available to their respective owners (subscribers) in a secure manner through strong authentication procedures.  The Encryption Certificate is used for encrypting documents, messages and other forms of electronic communication that provide confidentiality. LECTURES BY PROF. S N GHOSH
  • 4. IIPM 43 CH. – 6 INFORMATION TECH. ACT  This type of Certificate is backed-up. To achieve this, the credentials (Key-pairs) are generated at the CA end unlike the other types of Certificates where the credentials (Key-pairs) are generated at the Subscriber's end. The CA backs-up the key-pair and sends a copy to the Subscriber in a highly secure manner. Types Utility purpose Single Key Pair In the Single Key pair option, Digital Certificates can be used for signing and/or encryption. The credentials used for encryption are not backed-up. Dual Key Pair In the Dual Key pair option, the credentials used for encryption are backed-up. The credentials used for Digital Signature are not backed-up as that would violate the notion of Authentication and Non-Repudiation. 6.3 SOME IMPORTANT LEGAL PROVISIONS ELECTRONIC GOVERNANCE [SECTIONS 4 TO 10]  The Act provides following legal protection for filing, retention, preservation, payment etc. in the electronic/digital modes: - 1) Legal recognition of electronic records – all documents that are required to be in writing or typewritten or printed form, can now be made available and subsequently accessible in an electronic form. 2) Legal recognition of digital signatures – all documents that require signature (manual) can now be authenticated by means of digital signature affixed. 3) Filing of applications, forms, fees payment to Govt. in prescribed electronic mode– all the applications, documents/information for grant of licence, permit, sanction, approval, receipt or payment of money may now be filed/made with Government or its agencies in the electronic mode. The Government has prescribed rules and forms for the purpose. 4) Retention and retrieval of electronic records – documents, records or information that required to be retained can now retained in the electronic form. Such information shall remain accessible and usable for a subsequent reference; retained in the format as was originally generated. The details facilitating the identification of the origin, destination date and time of despatch or receipt of such electronic record shall also be made available. 5) Publication of rule, regulation, etc., in Electronic Gazette - the Official Gazette shall also be published in the electronic mode. Such Gazette will be called `Electronic Gazette`. The date of publication shall be the date of the Gazette, which was first published in any form. 6) No right to insist acceptance, retention or preservation of document in electronic form – The Central or State Government or its agencies shall not insist that documents/information shall exclusively be in electronic form. 7) Power to make rules by Central Government in respect of digital signature - The Central Government has been authorized to prescribed rules of types, manner, format, control, integrity, security and confidentially of digital signatures and electronic records. ATIRIBUTION, ACKNOWLEDGEMENT AND DESPATCH OF ELECTRONIC RECORDS [SECTIONS 11 TO 16]  Attribution electronic records - an electronic record shall be attributed to the originator if it was sent by (i) him; (ii) any authorized person or (iii) an information system programmed by or on behalf of the originator to operate automatically.  Acknowledgement of receipt - the acknowledgement of receipt of electronic record may be sent by the address (i) in prescribed form or (ii) conduct sufficient to indicate its receipt by the addressee (iii) any automated communication by addressee  Circumstances where acknowledgement though not stipulated, not received after due Notice - Where the originator has not stipulated that the electronic record shall be binding only on receipt of such acknowledgement and the acknowledgement has not been received by the originator within the specified time or within a reasonable time, then, the originator may give notice to the addressee stating that no acknowledgement has been received by him and specifying a reasonable time by which the acknowledgement must be received by him. If no acknowledgement is received within the aforesaid time limit, the originator may after giving notice to the addressee, treat the electronic record as though it has never been sent.  Time and place of despatch and receipt of electronic record -  The despatch of an electronic record - when it enters a computer resource outside the control of the originator;  The time of receipt of an electronic record – (i) the time when receipt occurs at the designated electronic record LECTURES BY PROF. S N GHOSH
  • 5. IIPM 44 CH. – 6 INFORMATION TECH. ACT resource or (ii) At the time when the electronic record is retrieved by the addressee;  Place of despatch - at the place where the originator has his usual place of business or residence.  THE CENTRAL GOVERNMENT HAS NOTIFIED RULES, REGULATIONS AND GUIDELINES FOR THE PURPOSE OF THIS ACT. REGULATION OF CERTIFYING AUTHORITIES [SECTIONS 17 TO 42] Appointment, functions and powers of Controller of Certifying Authorities  A Controller of Certifying Authorities may be appointed by the Central Government by notification in the Official Gazette. Deputy Controllers and Assistant Controllers may also be appointed as the Government may think fit.  The Central Government has prescribed qualifications, experience and terms and conditions of service of Controller, Deputy Controllers and Assistant Controllers. There shall be a seal of the Office of the Controller.  The Controller may recognise any foreign Certifying Authority as a Certifying Authority. This shall however, be done with the previous approval of the Central Government and by notification in the Official Gazette,  Any person may make an application, in the prescribed form along with requisite documents/information and fees to the Controller for a licence to issue Digital Signature Certificates. The Controller on being satisfied may grant licence for a prescribed period subject to specified terms and conditions. The Controller may revoke the licence upon violation thereof by the Certifying Authority. The revocation be also publicized in the web page of the controller.  Every Certifying Authority shall follow prescribed procedures in respect of digital signatures.  By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information contained in the Digital Signature Certificate that---- (a) the subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate and is entitled to hold the same; (b) all representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the Digital Signature Certificate are true; (c) all information in the Digital Signature Certificate that is within the knowledge of the subscriber is true.  Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate. He shall take all steps to prevent its disclosure to a person not authorised to affix the digital signature of the subscriber. Controller to act as repository  The Controller shall be repository of all Digital Signature Certificates.  Further to ensure that the secrecy and security of the digital signatures the Controller shall make use of appropriate hardware, software and procedures to prevent intrusion and misuse.  The Controller shall maintain a computerised database of all public keys and the same be available to any member of the public. PENALTIES AND ADJUDICATION [SECT IONS 43 TO 47] Penalty for damage to computer, computer system, etc.  A penalty not exceeding Rs. One Crore may be imposed as compensation for damages for doing or causing to do the following acts without permission of the owner or any other person who is in charge of a computer, computer system or computer network:- (i) Accesses or secures access: (ii) Downloads, copies or extracts any data, computer data base or information; (iii) Introduces introduce any virus; (iv) Damages any database or any other programmes; (v) Disrupts any computer, computer system or computer network; (vi) Denies access to any authorised person (vii) Provides any assistance to any person to facilitate access; (viii) Charges the services availed of by a person to the account of another person. Penalty for failure to furnish information, return, etc.  Failure to file requisite Returns, Information, maintain Books or records shall entail specified penalties. And where no penalty has been prescribed compensation damages not exceeding Rs. 25,000 may be imposed. Adjudicating Officer (not below the rank of Director) to adjudicate  The Adjudicating Officer not below the rank if Director shall hold enquiry to determine whether any violation under the Act or Rules or Regulations framed thereunder has been committed by any person. He shall have the powers of a Civil Court. CYBER REGULATIONS APPELLATE TRIBUNAL [SECTIONS 48 TO 64]  The Cyber Regulations Appellate Tribunal has been constituted. Appeals against the orders of the Adjudicating Officer may be preferred before this Tribunal.  The Civil Courts have been barred from entertaining any suit or proceedings in respect of any matter which an LECTURES BY PROF. S N GHOSH
  • 6. IIPM 45 CH. – 6 INFORMATION TECH. ACT adjudicating officer or Tribunal is empowered to handle.  An appeal shall lie to the High Court against an order or decision of the Cyber Appellate Tribunal. COMPUTER OFFENCES [SECTION 65 TO 68]  Penalties (pecuniary and imprisonment) have been provided under the Act for the following types of offences: (i) Tampering with Computer Source Documents (ii) Hacking with Computer System. (iii) Publication or obscene information in electronic form (iv) Misrepresentation (v) Breach of Confidentiality (vi) Publishing False Digital Signature Certificate (vii) Fraudulent Publication (viii) Offence Committed Outside India (ix) Confiscation  Further any police officer not below the rank of DSP or any other authorised person may enter any public place, search and arrest without warrant any person reasonably suspected or having committed any offence specified under the Act. LECTURES BY PROF. S N GHOSH