INFORMATION TECHNOLOGY ACT, 2000
Source of the Act
The first 17 Sections of the Act are largely based on Model Law on Electronic Commerce adopted by United
Nations Commission on International Trade Law (UNCITRAL) recommended by the General Assembly of the
United Nations on the 30th January, 1997 in drafting its new law.
UNCITRAL - Model Law on Electronic Commerce
This Model Law provides for equal legal treatment of users of electronic communication and paper based
communication. The General Assembly of United Nations by its Resolution No. 51/162 dated 30th January 1997
recommended that all States should give favourable considerations to the said Model Law when they enact or
revise their laws.
The macro perspectives were:
(a) to facilitate electronic commerce among and within nations,
(b) to validate transactions entered into by means of new information technologies,
(c) to promote and encourage the implementation of new information technologies,
(d) to promote the uniformity of law: and
(e) to support commercial practice.
The micro perspectives were:
(a) to establish rules and norms that validate and recognise Contracts formed through electronic means,
(b) to set default rules for contract formation and governance of electronic contract performance,
(c) to define the characteristics of a valid electronic writing and an original document,
(d) to provide for the acceptability of electronic signatures for legal and commercial purposes, and
(e) to support the admission of computer evidence in courts and arbitration proceedings.
Objectives of the IT Act, 2000
(a) To grant legal recognition for transactions carried out by means of Electronic Data Interchange and other
means of electronic communication commonly referred to as “electronic commerce” in place of paper-based
methods of communication.
(b) To give legal recognition to Digital Signature for authentication of any information or matter which requires
authentication under any law
(c) To facilitate electronic filing of documents with Government departments
(d) To facilitate electronic storage of data.
(e) To facilitate and give legal sanction to electronic fund transfers between banks and financial institutions.
(f) To give legal recognition for keeping books of account by Bankers in electronic form.
(g) Certifying authorities will be licensed to issue digital signature certificates and a regulatory regime will be
established to supervise the certifying authorities who will not, themselves be a part of the bureaucracy.
The Act extends to the whole of India including the State of Jammu and Kashmir. It also applies to any offence or
contravention committed under the Act outside India by any person. However, this is subject to certain
Documents excluded from the purview of the Act and justification therefor
The Act does not apply to-
1. A Negotiable Instrument as defined in the Negotiable Instruments Act, 1881.
2. A Power of Attorney as defined in the Powers of Attorney Act, 1882. .
3. A trust as defined in the Indian Trusts Act, 1882.
4. Any contract for the sale or conveyance of immovable property or any interest in such property. Any
such class of documents or transactions as may be notified by the Central Government in the Official
Gazette. This is an enabling and residuary clause.
CYBER SPACE – MEANING THEREOF
An Internet or network of computers can operate without constrains of space, state borders, etc. Though they are
only a medium for storage and analysis and communication of information, they virtually create a world of their
own – a medium in which business can be transacted without any of the inhibitions that the real world imposes.
The New Shorter Oxford Dictionary explains the expression “cyberspace” as follows:
The notional environment within which electronic communication occurs, especially when represented as the
inside of a computer system; space perceived as such by an observer but generated by a computer system,
and having no real existence; the space of virtual reality”.
“Cyberspace” is computer-governed environment, which does not exist in reality but yet serves many of the
IIPM 41 CH. – 6 INFORMATION TECH. ACT
purposes that the visible, tangible world serves. The Act does not mention cyberspace but dubs the Appellate
Tribunal for which it proves as “Cyber Tribunal”
6.2 AUTHENTICATION OF ELECTRONIC RECORDS USING DIGITAL SIGNATURES
What is `Authentication`
A process used to confirm the identity of a person or to prove the integrity of information.
Message authentication involves determining its source and verifying that it has not been modified or replaced in
Any subscriber may authenticate an electronic record by affixing his digital signature. The authentication shall be
effected by the by use of asymmetric system and hash function which envelop and transform the initial electronic
record into another electronic record.
The digital signature is created in two distinct steps.
(i) Firstly - the electronic record is converted into a message digest by using a mathematical function known
as “hash function” which digitally freezes the electronic record thus ensuring the integrity of the content
of the intended communication.
(ii) Secondly, the identity of the person affixing the digital signature is authenticated through the use of a
private key which attaches itself to the message digest and which can be verified by any person who has
the public key according to such private key. This will enable any person to verify whether the electronic
record is retained intact or has been tampered with. It will also enable a person who has a public key to
identify the originator of the electronic message.
'Hash function' - an algorithm mapping or translation of one sequence of bits into another (generally smaller) set
known as 'hash result' such that an electronic record yields the same hash result every time the algorithm is executed
with the same electronic record as its input making it computationally infeasible:
(a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm, and
(b) that two electronic records can produce the same hash result using the algorithm.
CONTENT OF HASH FUNCTION MESSAGE DIGEST
AGREEMENT TO ALOGRITHM RUN
BE SIGNED OVER AGREEMENT
MESSAGE DIGEST ENCRYPTED WITH
PRIVATE KEY OF SENDER GENERATE
DIGITAL SIGNATURE WHICH ARE
EMBOSSED ON THE AGREEMENT
RECEIVER AGAIN GENERATES THE MESSAE DIGEST
BY RUNNING HASH FUNCTION ALOGRITH OVER THE AT RECEIVER DIIGTAL SIGNATURE ARE
ORIGINAL CONTENT OF MESSAGE AND IF MESSAGE DECRYPTED WITH SENDER PUBLIC KEY AND
DIGEST GENERATED AFTER DECRYPTING DIGITAL IT GENERTAE MESSAGE DIGEST
SIGNATURE OF SENDER WITH SENDER PUBLIC KEY,
IT PROVES THAT THE CONTENTS ARE NOT CHANGED
AND SIGNATURE BELONGS TO THE SENDER
A Digital Certificate is a digital representation of information which at least
(1) identifies the certification authority issuing it,
(2) names or identifies its Subscriber,
(3) contains the Subscriber's public key,
(4) identifies its operational period, and
(5) is digitally signed by the certification authority issuing it.
A Digital Certificate is a data structure used in a public key system to bind a particular, authenticated individual to
a particular public key.
A Personal Digital Certificate serves as the digital identity of an individual. Just as a Driver's License can be
used to identify someone who can legally drive in a particular country, a Digital Certificate can be presented
electronically to prove an individual's identity or right to access information or services on the Internet.
Digital Certificates are used to secure information and assure the identities of their owners. They also providing a
means of associating individuals with electronic documents similar to the manner in which handwritten signatures
associate individuals with the paper documents.
For a Digital Certificate to be trusted, it needs to be endorsed a recognized third party that is empowered by the
law to issue Digital Certificates.
LECTURES BY PROF. S N GHOSH
IIPM 42 CH. – 6 INFORMATION TECH. ACT
Following steps are followed for obtaining Digital certificate:
1. Sender sends his public key to Certification Authority along with information specific to his identification and
other relevant information.
2. The Certification Authority uses his information to verify sender and his public key, if every thing is OK, the
Certification Authority returns the sender a Digital Certificate that confirms the validity of Sender Public Key.
3. Actually Certification Authority certifies public key by digitally signing the sender public key with authority
private key and authority put this sign on Digital Certificate. And any user who wants to use some one's public
key can verify its validity by applying the certification authority public key to the certificate. In this way user
would get actual public key of sender and can tally this public key with the public key supplied by the sender.
Depending on the level of trustworthiness one wants to create towards the people he/she communicates with
over the Net, the CA offers three classes of Personal Certificates:
CLASS UTILITY PURPOSE
Class- 1 Digitally sign email, Encrypt email; Authenticate to a Web Server to engage in secure communication.
This protects all information such as credit card details that one sends to the Web Server.
These certificates are not intended for, and shall not be relied upon, for commercial use where proof of
identity is required.
These Certificates are issued following a top down approach.
Class –2 Issued as Managed Digital Certificates to employees/ partners/ affiliates/ customers of business and
government organizations those are ready to assume the responsibility of verifying the accuracy of the
information submitted by their employees/ partners/ affiliates/ customers.
The organization is given a Digital Certificate signed by the CA to initiate the process of issuing
Certificates to its employees/ partners/ affiliates/ customers.
The entire organization is treated as a Sub-CA/RA.
The Sub-CA/RA in turn requests the issue of Digital Certificates for employees/ partners/ affiliates/
customers of the organization from the CA.
The verification of details supplied with the request for a Digital Certificate is done by the organization
appointed as a Sub-CA/RA under the CA Trust Network
Certificates are issued to individuals, companies and government organizations. They can be used
both for personal and commercial purposes.
Class - 3 They are typically used for electronic commerce applications such as electronic banking, electronic
data interchange (EDI), and membership-based on-line services, where security is a major concern.
The level of trust created by the Digital Certificate is based on the authentication procedures used by
the CA to verify subscriber’s identity and the service guarantees offered by the CA to back up that
Usually, the CA uses various procedures to obtain evidence of subscriber’s identity before issuing you
the Class-3 Certificate. During verification, the subscriber will also need to be physically present before
a Registration Authority (RA), qualified by the CA due to their neutrality and reliability. These validation
procedures provide stronger assurances of an applicant's identity.
Example – TCS has been granted licence as CA (Certifying Authority). Bombay Stock Exchange
(BSE) is the RA (Registering Authority) for members of that stock exchange.
Types of Digital Certificates
Generally, the CA offers Single Key Pair and Dual Key Pair support for Personal Digital Certificates, which can be
used for Digital Signature and Encryption purposes.
A provision is also available to back-up the credentials the subscriber has used to receive encrypted
messages/documents, so that the encrypted messages/documents can be recovered if he/she has lost the
private key or if required in his/her absence, using the backed-up credentials. This can be of great help for
organizations, wherein, it is necessary to recover the encrypted information received by an employee after he/she
has left the organization.
The Signing Certificate is used for preparing the Digital Signature that provides Authenticity, Non-Repudiation and
Integrity to electronic communication. The Signing Certificate can be used to digitally sign documents, messages,
email and can also be used as an identification for the electronic application and in SSL communication with a
Encryption key pairs that are generated at the CA end are made available to their respective owners (subscribers)
in a secure manner through strong authentication procedures.
The Encryption Certificate is used for encrypting documents, messages and other forms of electronic
communication that provide confidentiality.
LECTURES BY PROF. S N GHOSH
IIPM 43 CH. – 6 INFORMATION TECH. ACT
This type of Certificate is backed-up. To achieve this, the credentials (Key-pairs) are generated at the CA end
unlike the other types of Certificates where the credentials (Key-pairs) are generated at the Subscriber's end. The
CA backs-up the key-pair and sends a copy to the Subscriber in a highly secure manner.
Types Utility purpose
Single Key Pair In the Single Key pair option, Digital Certificates can be
used for signing and/or encryption. The credentials used
for encryption are not backed-up.
Dual Key Pair In the Dual Key pair option, the credentials used for
encryption are backed-up. The credentials used for
Digital Signature are not backed-up as that would violate
the notion of Authentication and Non-Repudiation.
6.3 SOME IMPORTANT LEGAL PROVISIONS
ELECTRONIC GOVERNANCE [SECTIONS 4 TO 10]
The Act provides following legal protection for filing, retention, preservation, payment etc. in the electronic/digital
1) Legal recognition of electronic records – all documents that are required to be in writing or typewritten or
printed form, can now be made available and subsequently accessible in an electronic form.
2) Legal recognition of digital signatures – all documents that require signature (manual) can now be
authenticated by means of digital signature affixed.
3) Filing of applications, forms, fees payment to Govt. in prescribed electronic mode– all the applications,
documents/information for grant of licence, permit, sanction, approval, receipt or payment of money may now be
filed/made with Government or its agencies in the electronic mode. The Government has prescribed rules and
forms for the purpose.
4) Retention and retrieval of electronic records – documents, records or information that required to be retained
can now retained in the electronic form. Such information shall remain accessible and usable for a subsequent
reference; retained in the format as was originally generated. The details facilitating the identification of the origin,
destination date and time of despatch or receipt of such electronic record shall also be made available.
5) Publication of rule, regulation, etc., in Electronic Gazette - the Official Gazette shall also be published in the
electronic mode. Such Gazette will be called `Electronic Gazette`. The date of publication shall be the date of the
Gazette, which was first published in any form.
6) No right to insist acceptance, retention or preservation of document in electronic form – The Central or
State Government or its agencies shall not insist that documents/information shall exclusively be in electronic
7) Power to make rules by Central Government in respect of digital signature - The Central Government has
been authorized to prescribed rules of types, manner, format, control, integrity, security and confidentially of
digital signatures and electronic records.
ATIRIBUTION, ACKNOWLEDGEMENT AND DESPATCH OF ELECTRONIC RECORDS [SECTIONS
11 TO 16]
Attribution electronic records - an electronic record shall be attributed to the originator if it was sent by
(ii) any authorized person or
(iii) an information system programmed by or on behalf of the originator to operate automatically.
Acknowledgement of receipt - the acknowledgement of receipt of electronic record may be sent by the address
(i) in prescribed form or
(ii) conduct sufficient to indicate its receipt by the addressee
(iii) any automated communication by addressee
Circumstances where acknowledgement though not stipulated, not received after due Notice - Where the
originator has not stipulated that the electronic record shall be binding only on receipt of such acknowledgement
and the acknowledgement has not been received by the originator within the specified time or within a reasonable
time, then, the originator may give notice to the addressee stating that no acknowledgement has been received
by him and specifying a reasonable time by which the acknowledgement must be received by him. If no
acknowledgement is received within the aforesaid time limit, the originator may after giving notice to the
addressee, treat the electronic record as though it has never been sent.
Time and place of despatch and receipt of electronic record -
The despatch of an electronic record - when it enters a computer resource outside the control of the originator;
The time of receipt of an electronic record – (i) the time when receipt occurs at the designated electronic record
LECTURES BY PROF. S N GHOSH
IIPM 44 CH. – 6 INFORMATION TECH. ACT
resource or (ii) At the time when the electronic record is retrieved by the addressee;
Place of despatch - at the place where the originator has his usual place of business or residence.
THE CENTRAL GOVERNMENT HAS NOTIFIED RULES, REGULATIONS AND GUIDELINES FOR THE
PURPOSE OF THIS ACT.
REGULATION OF CERTIFYING AUTHORITIES [SECTIONS 17 TO 42]
Appointment, functions and powers of Controller of Certifying Authorities
A Controller of Certifying Authorities may be appointed by the Central Government by notification in the Official
Gazette. Deputy Controllers and Assistant Controllers may also be appointed as the Government may think fit.
The Central Government has prescribed qualifications, experience and terms and conditions of service of
Controller, Deputy Controllers and Assistant Controllers. There shall be a seal of the Office of the Controller.
The Controller may recognise any foreign Certifying Authority as a Certifying Authority. This shall however, be
done with the previous approval of the Central Government and by notification in the Official Gazette,
Any person may make an application, in the prescribed form along with requisite documents/information and fees
to the Controller for a licence to issue Digital Signature Certificates. The Controller on being satisfied may grant
licence for a prescribed period subject to specified terms and conditions. The Controller may revoke the licence
upon violation thereof by the Certifying Authority. The revocation be also publicized in the web page of the
Every Certifying Authority shall follow prescribed procedures in respect of digital signatures.
By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information
contained in the Digital Signature Certificate that----
(a) the subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate
and is entitled to hold the same;
(b) all representations made by the subscriber to the Certifying Authority and all material relevant to the
information contained in the Digital Signature Certificate are true;
(c) all information in the Digital Signature Certificate that is within the knowledge of the subscriber is true.
Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public
key listed in his Digital Signature Certificate. He shall take all steps to prevent its disclosure to a person not
authorised to affix the digital signature of the subscriber.
Controller to act as repository
The Controller shall be repository of all Digital Signature Certificates.
Further to ensure that the secrecy and security of the digital signatures the Controller shall make use of
appropriate hardware, software and procedures to prevent intrusion and misuse.
The Controller shall maintain a computerised database of all public keys and the same be available to any
member of the public.
PENALTIES AND ADJUDICATION [SECT IONS 43 TO 47]
Penalty for damage to computer, computer system, etc.
A penalty not exceeding Rs. One Crore may be imposed as compensation for damages for doing or causing to
do the following acts without permission of the owner or any other person who is in charge of a computer,
computer system or computer network:-
(i) Accesses or secures access:
(ii) Downloads, copies or extracts any data, computer data base or information;
(iii) Introduces introduce any virus;
(iv) Damages any database or any other programmes;
(v) Disrupts any computer, computer system or computer network;
(vi) Denies access to any authorised person
(vii) Provides any assistance to any person to facilitate access;
(viii) Charges the services availed of by a person to the account of another person.
Penalty for failure to furnish information, return, etc.
Failure to file requisite Returns, Information, maintain Books or records shall entail specified penalties. And where
no penalty has been prescribed compensation damages not exceeding Rs. 25,000 may be imposed.
Adjudicating Officer (not below the rank of Director) to adjudicate
The Adjudicating Officer not below the rank if Director shall hold enquiry to determine whether any violation under
the Act or Rules or Regulations framed thereunder has been committed by any person. He shall have the powers
of a Civil Court.
CYBER REGULATIONS APPELLATE TRIBUNAL [SECTIONS 48 TO 64]
The Cyber Regulations Appellate Tribunal has been constituted. Appeals against the orders of the Adjudicating
Officer may be preferred before this Tribunal.
The Civil Courts have been barred from entertaining any suit or proceedings in respect of any matter which an
LECTURES BY PROF. S N GHOSH
IIPM 45 CH. – 6 INFORMATION TECH. ACT
adjudicating officer or Tribunal is empowered to handle.
An appeal shall lie to the High Court against an order or decision of the Cyber Appellate Tribunal.
COMPUTER OFFENCES [SECTION 65 TO 68]
Penalties (pecuniary and imprisonment) have been provided under the Act for the following types of offences:
(i) Tampering with Computer Source Documents
(ii) Hacking with Computer System.
(iii) Publication or obscene information in electronic form
(v) Breach of Confidentiality
(vi) Publishing False Digital Signature Certificate
(vii) Fraudulent Publication
(viii) Offence Committed Outside India
Further any police officer not below the rank of DSP or any other authorised person may enter any public place,
search and arrest without warrant any person reasonably suspected or having committed any offence specified
under the Act.
LECTURES BY PROF. S N GHOSH