The Information Technology Act, 2000 and The Information Technology (Amendment) Act, 2008
A Comparative Analysis
By Prashanth Gowda.B.S
Birth of Cyber Laws
• The United Nations General Assembly adopted
the Model Law on Electronic Commerce on
30th January 1997.
• It is referred to as the “UNCITRAL Model Law on
E-Commerce”.
Birth of Cyber Laws
• India passed the Information Technology Act,
2000 on 17th October, 2000.
• Amended on 27th October 2009.
Amended Act is known as -
The Information Technology (amendment) Act,
2008.
Also amended
• Indian Penal Code
• Indian Evidence Act
• Bankers' Books Evidence Act
Electronic authentication
• The IT Act, 2000
specified “digital
signatures” as the means
of electronic
authentication.
• This approach was not a
technology neutral
approach and the law was
bound by a specific
technology.
Electronic authentication
• The IT Act, 2008 introduces the concept of
“electronic signatures” in addition to digital
signatures.
• “Electronic signature” is the wider term, covering
digital signatures, biometric authentication, etc.
• It has a technology neutral approach and is not
bound by any specific technology.
Types of electronic signatures
• Passwords, personal
identification numbers
(PINs)
i.e. based on the
knowledge of the user.
Types of electronic signatures
• Biometric
authentication -
i.e. method based on the
physical features or
personal trait of the user
Types of electronic signatures
• Scanned handwritten
signatures.
• Signature by means of
a digital pen.
• “OK” or “I accept”
boxes.
• Secure Sockets Layer
(SSL) certificates.
Civil Provisions
• Section 43 - Unauthorised Access
– Under the IT Act, 2008 there is no limit on the
amount of compensation for
offences under Section 43
– Under the IT Act, 2000 it was Rs. 1
Crore
Section 43
If any person, without permission of the owner or person in charge of a computer -
• Accesses or secures access to a computer
• Downloads, copies or extracts data
• Introduces computer contaminant or virus
• Damages computer
• Disrupts computer or network
• Provides assistance to facilitate illegal access
• Charges the services availed of by a person to the account of another person
Civil Provisions
• Section 43(A) – new
provision
– Corporate bodies handling
sensitive personal
information in a computer
resource are under an
obligation to ensure
adoption of reasonable
security practices to
maintain its secrecy.
Civil Provisions
– Even mobile companies are to respect the privacy of
customers under Sec. 43(A) (Rutuja Tawade v/s
Vodafone)
– Nadeem Kashmiri’s case (credit card fraud)
– Liability on call centers, BPOs
Adjudication of Civil offences
– Under the IT Act, 2008 the “Adjudicating Officers” to try cases
where the claim is upto Rs. 5 crore.
– Above that the case will have to be filed before the “Civil
Courts”.
– Under the IT Act, 2000 civil courts did not have jurisdiction to
try civil suits.
Criminal Provisions
Section 66
• Provision has been significantly changed.
• Under the IT Act, 2008 all the acts referred to under
Section 43 are also covered under Sec. 66 if they are
done “dishonestly” or “fraudulently”.
• Many cybercrimes on which there were no express
provisions made in the IT Act, 2000 are now
included in the IT Act, 2008.
Section 66(A)
• Sending of offensive or false
messages - new provision
– Also known as “Cyber
Stalking”
– Covers sending of menacing,
offensive or false messages via
SMS/EMAIL/MMS
– Punishment – imprisonment
upto 3 years and fine
Section 66(B)
• Dishonestly receiving stolen
computer resource or
communication device - new
provision
– Also covers use of stolen
Computers, mobile phones,
SIM Cards, etc
– Punishment – imprisonment
upto 3 years or fine upto Rs. 1
lakh or both
Section 66(C)
• Identity theft - new provision
– Fraudulently or dishonestly
using someone else’s electronic
signature, password or any
other unique identification
feature
– Punishment - imprisonment
upto 3 years and fine upto Rs. 1
lakh
Section 66(D)
• Cheating by personation - new provision
– Cheating by pretending to be some other person
– Punishment – imprisonment upto 3 years and fine upto Rs.
1 lakh
Section 66(E)
• Violation of privacy - new provision
– Popularly known as Voyeurism
– Pune spy cam incident where a 58-year old man was
arrested for installing spy cameras in his house to
‘snoop’ on his young lady tenants
– Covers acts like hiding cameras in changing rooms,
hotel rooms, etc
– Punishment – imprisonment upto 3 years or fine upto
Rs. 2 lakh or both
Section 66(F)
• Cyber terrorism - new provision
– Whoever uses cyberspace with
intent to threaten the unity,
integrity, security or sovereignty
of India or to strike terror in the
people
– Punishment - Imprisonment
which may extend to life
imprisonment
Preservation of information by
intermediaries
• Section 67(C) – new provision
– Intermediary shall preserve and retain such
information as may be specified for such
duration and in such manner and format as
the Central Government may prescribe.
Government’s power to intercept
• Section 69 – new provision
– Government may intercept, monitor or decrypt any
information generated through any computer resource if it
considers it necessary to do so in the interest of the sovereignty
or integrity of India.
Government’s power to intercept
– Punishment for refusing to hand over
passwords to an authorized official of the
Central or State Government
– Punishment – imprisonment upto 7 years and
fine
Liability of Intermediary not to
disclose any personal information
• Section 72(A) - new provision
– Intermediary to act as per the terms of its lawful contract
and not beyond it.
– Punishment – imprisonment upto 3 years or fine upto 5
lakh or both
Liability of Intermediary
• Section 79
– An intermediary not to be liable for any third
party information, data, or communication link
made available or hosted by him.
Liability of Intermediary
• Intermediary needs to prove that he didn’t –
– Initiate the transmission,
– Select the receiver of the transmission, and
– Select or modify the information contained in the
transmission and
– The intermediary observes due diligence while
discharging his duties under the Act.
Abetment
• Section 84(B) – new provision
– Abetting to commit an offence is punishable
– Punishment – Same punishment provided for the
offence under the Act
Attempt
• Section 84(C) – new provision
– Attempt to commit an offence is punishable
– Punishment – Imprisonment which may extend
to one-half of the longest term of imprisonment
provided for that offence
Investigation Powers
• Section 78 – new provision
– As per the IT Act, 2008 Cyber crime cases can be
investigated by the “Inspector” rank police
officers.
– Under the IT Act, 2000 such powers were with the
“DYSP/ACP”.
Compounding of Offences
• Section 77 (A) – new provision
– Compounding – “Out of court settlement”
– Offences
“for which less than three years imprisonment
has been provided”
can be compounded.
Compounding of Offences
– Such offence should not affect the socio-economic
conditions of the country, or
– have been committed against a child below the age
of 18 years or a woman.
Electronic Contracts
Halifax May 10, 2006 Electronic Contracts - NJI 34
Overview
• Law generally has no form rule for contracts
• Law of contracts is media-neutral
• Question of enforceability comes down to a
question of the presence of consent, proof
of consent, validity of consent:
– These are traditional, basic contract concepts
• Legislation has supported these conclusions
• Consider examples
Legislation
• United Nations – Canada and US (etc)
– All jurisdictions in Canada have something (exc NWT)
– MB’s key parts not in force – so does it matter?
– Application is subject to some exceptions
• General principle: non-discrimination
• Writing, signature, original, record-retention rules
• Consent to use is key security feature
• Legal standard vs prudent standard
• E-records do not have to be more reliable than paper
Legislation
• “Functional equivalents”:
– Writing: “accessible so as to be usable for subsequent
reference”
• Accessible to whom: techie or newbie? “subsequent?”
• Not necessarily looking like print e.g. voice recognition
– Provision: “capable of being retained” (Ont. exception)
– Originals: “reliable assurance of integrity”
– Signature: “information in electronic form that a person
has created or adopted in order to sign a document and
that is in, attached to or associated with the document”
Legislation
• Contract rules
– Electronic form does not prevent validity
– Contracts may be formed by clicking on icons, touching
screens, talking to a computer, etc
– Contracts may be made in dealing with “electronic agents”
i.e. software robots
– Mistakes in dealing with electronic agents may be
corrected if program does not allow verification of contract
before completion
– Time and place rules, but no mailbox rule
– Current issue: presumed receipt in the face of spam and
virus filters
Forms of consent
• Shrinkwrap: terms (of licence) inside box, notice outside
– Systemshops v King in Canada (1980s case)
– Zeidenberg v ProCD in US
• Click-through/clickwrap: terms are shown, buyer clicks “I
agree” or “OK”
– Rudder v Microsoft - an easier case than shrink-wrap
• Consider examples from web
• Some limits: Zhu v. Merrill Lynch, Robet v Versus Brokerage
Services: experts knew web messages were not always
reliable, duty to check before acting on them.
– Note: these were cases about one-on-one messages, NOT someone
dealing with an impersonal web site, as are almost all of the others.
Forms of consent
• “Browsewrap”: implied consent from mere use of or
access to web site
• Ticket cases etc as parallel in paper world
• Questions go to notice of terms, accessibility of
terms, and fairness
• Consider examples (inc. Zhu v Merrill Lynch)
• Enforcement has largely been where people are
doing something prohibited by terms that they
should have known was bad anyway, e.g.
– Canada: CREA v. Sutton
– US: Ticketmaster, Register.com, Cairo
Forms of consent
• Unilateral Modification: implied or express consent
• Right to change is widely claimed in web terms
• Economic model understandable – adhesion
contracts
• Rogers v Kanitz – high-water mark (trial court only)
– “that’s how business is done on the Net”
• Aspencer1 v Paysystems
– Not so fast – at least in Quebec (with doubtful dicta)
• Consumer Protection Act, 2002 (Ontario)
– Reverses Kanitz on arbitration and class actions, i.e. not in
general about modifications
Authentication
• of consent
– herein of signatures (very briefly)
• form and intent
– Singapore: e-mail headers as signatures (lease)
– England: e-mail headers as not signatures (guarantee)
• of parties
– reliability of attribution – question of proof
– seldom litigated – but in age of identity theft?
• of text
– how does the signer know what he/she is signing?
Jurisdiction
• General principles and tests
– Interactivity, targeting, etc
• Rudder – click-through choice of forum upheld
• Specht – obscure choice of forum and process denied
• May involve choice of law, choice of forum
• Consumers - special rules
– Quebec Civil Code
– Uniform Law policy
– EU policies – Rome treaties
• Hague Convention on Choice of Court (2005)
Substance of contract
• Unconscionability defences are media-neutral
• Some applications in the cases:
– arbitration clauses
– class action clauses (overlaps with preceding, not the same)
– some special rules e.g. Quebec in Dell (to SCC)
– jurisdiction – choice of lax/business-friendly/inaccessible places?
• French cases as examples of analysis - AOL.FR and its progeny
(at least 4 French ISPs have suffered the same fate now)
– “standard” North American clauses held illegal, unconscionable
Open questions
• Errors in contracts – facts of Dell, etc
• Attempts to protect other interests
– Notably intersection with copyright
• Digital rights management, technical protection measures
• No reverse engineering
• Licences vs sales (“the age of access” but “access to knowledge”)
• Illegal contracts: e.g. gaming, etc - use of
intermediaries to block or enforce (e.g. role of credit
card companies, PayPal etc)
– Civil and criminal processes may overlap
Other legal principles may apply
• The usual contract rules apply, e.g.:
– meeting of minds
– certainty of object
– consideration
– AND contracts as to form (legislation does not cure them)
• The usual contracting legislation applies, e.g.:
– Consumer Protection Act
– Internet Sales Harmonization template (as adopted)
• Other legislation may apply, as to form or content
– UECA yields to contrary intention
Internet Sales Harmonization Template
• The template was adopted by the FPT
Consumer Measures Committee in 2001.
• It is in force in several provinces.
• Its main terms:
• Mandatory disclosure of information (& timing rules)
– seller’s identity, location, applicable law
– description of product, price, terms, remedies
• Receipts needed
• Cancellation rights for non-disclosure, non-delivery
Conclusion
• “What’s old is new again” in the
electronic age
– Was there a meeting of the minds?
– Was the transaction affirmed by the
user/consumer?
– Was the transaction fair?
– AND questions of form, questions of proof
Digital Signature
What is a digital signature?
• A digital signature is a type of asymmetric cryptography used to simulate
the security properties of a signature in digital, rather than written, form.
Digital signature schemes normally give two algorithms, one for signing which
involves the user's secret or private key, and one for verifying signatures
which involves the user's public key. The output of the signature process
is called the "digital signature."
• It is an electronic signature that can be used to authenticate the identity
of the sender of a message or the signer of a document, and possibly to
ensure that the original content of the message or document that has
been sent is unchanged. Digital signatures are easily transportable,
cannot be imitated by someone else, and can be automatically
time-stamped. The ability to ensure that the original signed message arrived
means that the sender cannot easily repudiate it later.
How it works
• The use of digital signatures usually involves two processes,
one performed by the signer and the other by the receiver of
the digital signature:
• Digital signature creation uses a hash result derived from and
unique to both the signed message and a given private key.
For the hash result to be secure, there must be only a
negligible possibility that the same digital signature could be
created by the combination of any other message or private
key.
• Digital signature verification is the process of checking the
digital signature by reference to the original message and a
given public key, thereby determining whether the digital
signature was created for that same message using the
private key that corresponds to the referenced public key.
Example
• Assume you were going to send the draft of a contract to your lawyer in
another town. You want to give your lawyer the assurance that it was
unchanged from what you sent and that it is really from you.
1. You copy-and-paste the contract (it's a short one!) into an e-mail note.
2. Using special software, you obtain a message hash (mathematical
summary) of the contract.
3. You then use a private key that you have previously obtained from a
public-private key authority to encrypt the hash.
4. The encrypted hash becomes your digital signature of the message. (Note
that it will be different each time you send a message.)
• At the other end, your lawyer receives the message.
1. To make sure it's intact and from you, your lawyer makes a hash of the
received message.
2. Your lawyer then uses your public key to decrypt the message hash or
summary.
3. If the hashes match, the received message is valid.
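The signing and verification steps from "How it works" and the Example above, as an added illustration that is not part of the original slides: textbook RSA over a SHA-256 hash, using small constructed demo keys (products of Mersenne primes) and no padding, where real systems use a padded scheme such as RSA-PSS. The function names and the sample contract text are assumptions made for this example.

```python
import hashlib

# Public exponent commonly used with RSA.
E = 65537


def make_keypair(p, q, e=E):
    """Return (public_key, private_key) for two distinct primes p and q.

    Constructed demo keys only: the primes used below are well-known
    Mersenne primes, far too small and too structured for real use.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent, e*d = 1 (mod phi); needs Python 3.8+
    return (n, e), (n, d)


def message_hash(message: bytes, n: int) -> int:
    """The 'message hash (mathematical summary)' of the slide, as an integer < n."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") % n


def sign(message: bytes, private_key) -> int:
    """Signer side: hash the message, then transform the hash with the private key."""
    n, d = private_key
    return pow(message_hash(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver side: re-hash the received message and compare it with the
    value recovered from the signature using the signer's public key."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    recovered = pow(signature, e, n)
    return recovered == message_hash(message, n)


def demo():
    # Constructed sample keys and contract text (assumptions for this example).
    signer_pub, signer_priv = make_keypair(2**107 - 1, 2**61 - 1)
    other_pub, _ = make_keypair(2**127 - 1, 2**89 - 1)

    contract = b"Draft contract: party A pays party B Rs. 1 lakh on delivery."
    tampered = contract.replace(b"1 lakh", b"9 lakh")

    signature = sign(contract, signer_priv)
    return {
        # Unchanged message, correct public key: hashes match.
        "genuine": verify(contract, signature, signer_pub),
        # Message altered after signing: the integrity check fails.
        "tampered": verify(tampered, signature, signer_pub),
        # Public key that does not correspond to the signing key: fails.
        "wrong_key": verify(contract, signature, other_pub),
        # A different message yields a different signature.
        "signature_differs": sign(tampered, signer_priv) != signature,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
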
Benefits of digital signatures
These are common reasons for applying a digital signature to communications:
• Authentication
Although messages may often include information about the entity sending a
message, that information may not be accurate. Digital signatures can be used to
authenticate the source of messages. When ownership of a digital signature secret
key is bound to a specific user, a valid signature shows that the message was sent
by that user. The importance of high confidence in sender authenticity is especially
obvious in a financial context. For example, suppose a bank's branch office sends
instructions to the central office requesting a change in the balance of an account.
If the central office is not convinced that such a message is truly sent from an
authorized source, acting on such a request could be a grave mistake.
• Integrity
In many scenarios, the sender and receiver of a message may have a need for
confidence that the message has not been altered during transmission. Although
encryption hides the contents of a message, it may be possible to change an
encrypted message without understanding it. (Some encryption algorithms, known
as nonmalleable ones, prevent this, but others do not.) However, if a message is
digitally signed, any change in the message will invalidate the signature.
Furthermore, there is no efficient way to modify a message and its signature to
produce a new message with a valid signature, because this is still considered
computationally infeasible for most cryptographic hash functions.
Drawbacks of digital signatures
Despite their usefulness, digital signatures do not alone solve all the
problems we might wish them to.
Non-repudiation
In a cryptographic context, the word repudiation refers to the act of
disclaiming responsibility for a message. A message's recipient may
insist the sender attach a signature in order to make later repudiation
more difficult, since the recipient can show the signed message to a
third party (e.g., a court) to reinforce a claim as to its signatories and
integrity. However, loss of control over a user's private key will mean
that all digital signatures using that key, and so ostensibly 'from' that
user, are suspect. Nonetheless, a user cannot repudiate a signed
message without repudiating their signature key.
Main Questions
1. In a digital signature scheme, who uses the private key and who
uses the public key?
2. What are the benefits of digital signatures?
Email: sr@asianlaws.org

it act

  • 1.
    The Information TechnologyAct, 2000 and The Information Technology (amendment) Act, 2008 A Comparative analysis By Prashanth Gowda.B.S
  • 2.
    Birth of CyberLaws • The United Nations General Assembly have adopted the Model Law on Electronic Commerce on 30th January 1997. • It is referred to as the “UNCITRAL Model Law on E-Commerce”.
  • 3.
    Birth of CyberLaws • India passed the Information Technology Act, 2000 on 17th October, 2000. • Amended on 27th October 2009. Amended Act is known as - The Information Technology (amendment) Act, 2008.
  • 4.
  • 5.
    Electronic authentication • TheIT Act, 2000 specified “digital signatures” as the means of electronic authentication. • This approach was not a technology neutral approach and the law was bound by a specific technology.
  • 6.
    Electronic authentication • TheIT Act, 2008 introduces the concept of “electronic signatures” in addition to digital signatures. • Electronic signatures is the wider term covering digital signatures, biometric authentication, etc. • It has a technology neutral approach and not bound by any specific technology.
  • 7.
    Types of electronicsignatures • Passwords, personal identification numbers (PINs) i.e. based on the knowledge of the user.
  • 8.
    Types of electronicsignatures • Biometric authentication - i.e. method based on the physical features or personal trait of the user
  • 9.
    Types of electronicsignatures • Scanned handwritten signatures. • Signature by means of a digital pen. • “OK” or “I accept” boxes. • Secure Sockets Layer (SSL) certificates.
  • 10.
    Civil Provisions • Section43 - Unauthorised Access – U/ the IT Act, 2008 no limit on amount of compensation for offences under Section 43 – U/ the IT Act , 2000 it was Rs. 1 Crore
  • 11.
    Section 43 If anyperson without permission of the owner or incharge of a computer - Accesses or secures access to a computer Downloa ds, copies or extracts data Introduce s computer contamin ant or virus Damages computer Disrupts computer or network Provides assistance to facilitate illegal access Charges the services availed of by a person to the account of another person
  • 12.
    Civil Provisions • Section43(A) – new provision – Corporate bodies handling sensitive personal information in a computer resource are under an obligation to ensure adoption of reasonable security practices to maintain its secrecy.
  • 13.
    Civil Provisions – Evenmobile companies to respect privacy of customers u/ Sec. 43(A).(Rutuja Tawade v/s Vodafone) – Nadeem Kashmiri’s case (credit card fraud) – Liability on call centers, BPOs
  • 14.
    Adjudication of Civiloffences – Under the IT Act, 2008 the “Adjudicating Officers” to try cases where the claim is upto Rs. 5 crore. – Above that the case will have to be filed before the “Civil Courts”. – Under the IT Act, 2000 civil courts did not have jurisdiction to try civil suits.
  • 15.
    Criminal Provisions Section 66 •Provision has been significantly changed. • Under IT Act, 2008 all the acts referred under section 43, are also covered u/Sec. 66 if they are done “dishonestly” or “fraudulently”. • Many cybercrimes on which there were no express provisions made in the IT Act, 2000 are now included in the IT Act, 2008.
  • 16.
    Section 66(A) • Sendingof offensive or false messages - new provision – Also known as “Cyber Stalking” – Covers sending of menacing, offensive or false messages via SMS/EMAIL/MMS – Punishment – imprisonment upto 3 years and fine
  • 17.
    Section 66(B) • Dishonestlyreceiving stolen computer resource or communication device - new provision – Also covers use of stolen Computers, mobile phones, SIM Cards, etc – Punishment – imprisonment upto 3 years or fine upto Rs. 1 lakh or both
  • 18.
    Section 66(C) • Identitytheft - new provision – Fraudulently or dishonestly using someone else’s electronic signature, password or any other unique identification feature – Punishment - imprisonment upto 3 years and fine upto Rs. 1 lakh
  • 19.
    Section 66(D) • Cheatingby personation - new provision – Cheating by pretending to be some other person – Punishment – imprisonment upto 3 years and fine upto Rs. 1 lakh
  • 20.
    Section 66(E) • Violationof privacy - new provision – Popularly known as Voyeurism – Pune spy cam incident where a 58-year old man was arrested for installing spy cameras in his house to ‘snoop’ on his young lady tenants – Covers acts like hiding cameras in changing rooms, hotel rooms, etc – Punishment –imprisonment upto 3 years or fine upto Rs. 2 lakh or both
  • 21.
    Section 66(F) • Cyberterrorism - new provision – Whoever uses cyberspace with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people – Punishment - Imprisonment which may extent to life imprisonment
  • 22.
    Preservation of informationby intermediaries • Section 67(C) – new provision – Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
  • 23.
    Government’s power tointercept • Section 69 – new provision – Government to intercept, monitor or decrypt any information generated through any computer resource if it thinks to do so in the interest of the sovereignty or integrity of India.
  • 24.
    Government’s power tointercept – Punishment for refusing to hand over passwords to an authorized official of the Central or State Government – Punishment – imprisonment upto 7 years and fine
  • 25.
    Liability of Intermediarynot to disclose any personal information • Section 72(A) - new provision – Intermediary to act as per the terms of its lawful contract and not beyond it. – Punishment – imprisonment upto 3 years or fine upto 5 lakh or both
  • 26.
    Liability of Intermediary •Section 79 – An intermediary not to be liable for any third party information, data, or communication link made available or hosted by him.
  • 27.
    Liability of Intermediary •Intermediary need to prove that he didn’t – – Initiate the transmission, – Select the receiver of the transmission, and – Select or modify the information contained in the transmission and – The intermediary observes due diligence while discharging his duties under the Act.
  • 28.
    Abetment • Section 84(B)– new provision – Abetting to commit an offence is punishable – Punishment – Same punishment provided for the offence under the Act
  • 29.
    Attempt • Section 84(C)– new provision – Attempt to commit an offence is punishable – Punishment – Imprisonment which may extend to one-half of the longest term of imprisonment provided for that offence
  • 30.
    Investigation Powers • Section78 – new provision – As per the IT Act, 2008 Cyber crime cases can be investigated by the “Inspector” rank police officers. – U/ the IT Act, 2000 such powers were with the “DYSP/ACP”.
  • 31.
    Compounding of Offences •Section 77 (A) – new provision – Compounding – “Out of court settlement” – Offences “for which less than three years imprisonment has been provided” can be compounded.
  • 32.
    Compounding of Offences –Such offence should not affect the socio economic conditions of the country or – has been committed against a child below the age of 18 years or a woman.
  • 33.
  • 34.
    Halifax May 10,2006Electronic Contracts - NJI 34 Overview  Law generally has no form rule for contracts  Law of contracts is media-neutral  Question of enforceability comes down to a question of the presence of consent, proof of consent, validity of consent: – These are traditional, basic contract concepts • Legislation has supported these conclusions • Consider examples
  • 35.
    Halifax May 10,2006 Electronic Contracts - NJI 35 Legislation • United Nations – Canada and US (etc) – All jurisdictions in Canada have something (exc NWT) – MB’s key parts not in force – so does it matter? – Application is subject to some exceptions • General principle: non-discrimination • Writing, signature, original, record-retention rules • Consent to use is key security feature • Legal standard vs prudent standard • E-records do not have to be more reliable than paper
  • 36.
    Halifax May 10,2006 Electronic Contracts - NJI 36 Legislation • “Functional equivalents”: – Writing: “accessible so as to be usable for subsequent reference” • Accessible to whom: techie or newbie? “subsequent?” • Not necessarily looking like print e.g. voice recognition – Provision: “capable of being retained” (Ont. exception) – Originals: “reliable assurance of integrity” – Signature: “information in electronic form that a person has created or adopted in order to sign a document and that is in, attached to or associated with the document”
  • 37.
    Halifax May 10,2006 Electronic Contracts - NJI 37 Legislation • Contract rules – Electronic form does not prevent validity – Contracts may be formed by clicking on icons, touching screens, talking to a computer, etc – Contracts may be made in dealing with “electronic agents” i.e. software robots – Mistakes in dealing with electronic agents may be corrected if program does not allow verification of contract before completion – Time and place rules, but no mailbox rule – Current issue: presumed receipt in the face of spam and virus filters
  • 38.
    Halifax May 10,2006 Electronic Contracts - NJI 38 Forms of consent • Shrinkwrap: terms (of licence) inside box, notice outside – Systemshops v King in Canada (1980s case) – Zeidenberg v ProCD in US • Click-through/clickwrap: terms are shown, buyer clicks “I agree” or “OK” – Rudder v Microsoft - an easier case than shrink-wrap • Consider examples from web • Some limits: Zhu v. Merrill Lynch, Robet v Versus Brokerage Services: experts knew web messages were not always reliable, duty to check before acting on them. – Note: these were cases about one-on-one messages, NOT someone dealing with an impersonal web site, as are almost all of the others.
  • 39.
    Halifax May 10,2006 Electronic Contracts - NJI 39 Forms of consent • “Browsewrap”: implied consent from mere use of or access to web site • Ticket cases etc as parallel in paper world • Questions go to notice of terms, accessibility of terms, and fairness • Consider examples (inc. Zhu v Merrill Lynch) • Enforcement has largely been where people are doing something prohibited by terms that they should have know was bad anyway, e.g. – Canada: CREA v. Sutton – US: Ticketmaster, Register.com, Cairo
  • 40.
    Halifax May 10,2006 Electronic Contracts - NJI 40 Forms of consent • Unilateral Modification: implied or express consent • Right to change is widely claimed in web terms • Economic model understandable – adhesion contracts • Rogers v Kanitz – high-water mark (trial court only) – “that’s how business is done on the Net” • Aspencer1 v Paysystems – Not so fast – at least in Quebec (with doubtful dicta) • Consumer Protection Act, 2002 (Ontario) – Reverses Kanitz on arbitration and class actions, i.e. not in general about modifications
  • 41.
    Halifax May 10,2006 Electronic Contracts - NJI 41 Authentication • of consent – herein of signatures (very briefly) • form and intent – Singapore: e-mail headers as signatures (lease) – England: e-mail headers as not signatures (guarantee) • of parties – reliability of attribution – question of proof – seldom litigated – but in age of identity theft? • of text – how does the signer know what he/she is signing?
  • 42.
    Halifax May 10,2006 Electronic Contracts - NJI 42 Jurisdiction • General principles and tests – Interactivity, targeting, etc • Rudder – click-through choice of forum upheld • Specht – obscure choice of forum and process denied • May involve choice of law, choice of forum • Consumers - special rules – Quebec Civil Code – Uniform Law policy – EU policies – Rome treaties • Hague Convention on Choice of Court (2005)
  • 43.
    Halifax May 10,2006 Electronic Contracts - NJI 43 Substance of contract • Unconscionability defences are media- neutral • Some applications in the cases: – arbitration clauses – class action clauses (overlaps with preceding, not the same) – some special rules e.g. Quebec in Dell (to SCC) – jurisdiction – choice of lax/business-friendly/inaccessible places? • French cases as examples of analysis - AOL.FR and its progeny (at least 4 French ISPs have suffered the same fate now) – “standard” North American clauses held illegal, unconscionable
  • 44.
    Halifax May 10,2006 Electronic Contracts - NJI 44 Open questions • Errors in contracts – facts of Dell, etc • Attempts to protect other interests – Notably intersection with copyright • Digital rights management, technical protection measures • No reverse engineering • Licences vs sales (“the age of access” but “access to knowledge”) • Illegal contracts: e.g. gaming, etc - use of intermediaries to block or enforce (e.g. role of credit card companies, PayPal etc) – Civil and criminal processes may overlap
  • 45.
    Halifax May 10,2006 Electronic Contracts - NJI 45 Other legal principles may apply • The usual contract rules apply, e.g.: – meeting of minds – certainty of object – consideration – AND contracts as to form (legislation does not cure them) • The usual contracting legislation applies, e.g.: – Consumer Protection Act – Internet Sales Harmonization template (as adopted) • Other legislation may apply, as to form or content – UECA yields to contrary intention
  • 46.
    Internet Sales Harmonization Template • The template was adopted by the FPT Consumer Measures Committee in 2001. • It is in force in several provinces. • Its main terms: • Mandatory disclosure of information (& timing rules) – seller’s identity, location, applicable law – description of product, price, terms, remedies • Receipts needed • Cancellation rights for non-disclosure, non-delivery
  • 47.
    Conclusion • “What’s old is new again” in the electronic age – Was there a meeting of the minds? – Was the transaction affirmed by the user/consumer? – Was the transaction fair? – AND questions of form, questions of proof
  • 48.
  • 49.
    What is a digital signature? • A digital signature is a type of asymmetric cryptography used to simulate the security properties of a signature in digital, rather than written, form. Digital signature schemes normally give two algorithms, one for signing which involves the user's secret or private key, and one for verifying signatures which involves the user's public key. The output of the signature process is called the "digital signature." • It is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.
  • 50.
    How it works • The use of digital signatures usually involves two processes, one performed by the signer and the other by the receiver of the digital signature: • Digital signature creation uses a hash result derived from and unique to both the signed message and a given private key. For the hash result to be secure, there must be only a negligible possibility that the same digital signature could be created by the combination of any other message or private key. • Digital signature verification is the process of checking the digital signature by reference to the original message and a given public key, thereby determining whether the digital signature was created for that same message using the private key that corresponds to the referenced public key.
  • 51.
    Example • Assume you were going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you sent and that it is really from you. 1. You copy-and-paste the contract (it's a short one!) into an e-mail note. 2. Using special software, you obtain a message hash (mathematical summary) of the contract. 3. You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash. 4. The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.) • At the other end, your lawyer receives the message. 1. To make sure it's intact and from you, your lawyer makes a hash of the received message. 2. Your lawyer then uses your public key to decrypt the message hash or summary. 3. If the hashes match, the received message is valid.
  • 52.
    Benefits of digital signatures These are common reasons for applying a digital signature to communications: • Authentication Although messages may often include information about the entity sending a message, that information may not be accurate. Digital signatures can be used to authenticate the source of messages. When ownership of a digital signature secret key is bound to a specific user, a valid signature shows that the message was sent by that user. The importance of high confidence in sender authenticity is especially obvious in a financial context. For example, suppose a bank's branch office sends instructions to the central office requesting a change in the balance of an account. If the central office is not convinced that such a message is truly sent from an authorized source, acting on such a request could be a grave mistake. • Integrity In many scenarios, the sender and receiver of a message may have a need for confidence that the message has not been altered during transmission. Although encryption hides the contents of a message, it may be possible to change an encrypted message without understanding it. (Some encryption algorithms, known as nonmalleable ones, prevent this, but others do not.) However, if a message is digitally signed, any change in the message will invalidate the signature. Furthermore, there is no efficient way to modify a message and its signature to produce a new message with a valid signature, because this is still considered to be computationally infeasible by most cryptographic hash functions.
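The sign-and-verify exchange from the Example slide, together with the integrity property described under Benefits, as an added Python example that is not part of the original slides. It uses unpadded textbook RSA over SHA-256 with constructed toy key pairs built from publicly known primes; the names `make_key`, `sign`, `verify` and `demo` are assumptions of this example.

```python
import hashlib

# Constructed toy keys built from publicly known Mersenne primes: anyone can
# factor these moduli, so they are for illustration only.
E = 65537

def make_key(p: int, q: int) -> dict:
    """Return a textbook RSA key pair: public (n, e) and private exponent d."""
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

YOUR_KEY = make_key(2**127 - 1, 2**521 - 1)
OTHER_KEY = make_key(2**89 - 1, 2**607 - 1)   # someone else's key pair

def message_hash(message: bytes) -> int:
    """The 'mathematical summary' of the message: SHA-256 as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, key: dict) -> int:
    """Signer: hash the message, then transform the hash with the private key.
    Unpadded for clarity; deployed RSA signatures add padding such as PSS."""
    return pow(message_hash(message), key["d"], key["n"])

def verify(message: bytes, signature: int, key: dict) -> bool:
    """Receiver: re-hash the received text, recover the signed hash with the
    signer's public key (n, e), and accept only if the two hashes match."""
    if not 0 <= signature < key["n"]:
        return False
    return pow(signature, key["e"], key["n"]) == message_hash(message)

def demo() -> dict:
    contract = b"Draft: Party A pays Party B Rs. 10,000 on delivery."  # constructed
    altered = contract.replace(b"10,000", b"90,000")
    sig = sign(contract, YOUR_KEY)
    return {
        "intact": verify(contract, sig, YOUR_KEY),
        "altered_text": verify(altered, sig, YOUR_KEY),
        "wrong_public_key": verify(contract, sig, OTHER_KEY),
        "forged_with_other_key": verify(contract, sign(contract, OTHER_KEY), YOUR_KEY),
        "sig_differs_per_message": sig != sign(altered, YOUR_KEY),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Only the unmodified contract checked against the signer's own public key verifies; changing one figure in the text, or checking against a different key pair, makes the hashes disagree.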
  • 53.
    Drawbacks of digital signatures Despite their usefulness, digital signatures do not alone solve all the problems we might wish them to. Non-repudiation In a cryptographic context, the word repudiation refers to the act of disclaiming responsibility for a message. A message's recipient may insist the sender attach a signature in order to make later repudiation more difficult, since the recipient can show the signed message to a third party (e.g., a court) to reinforce a claim as to its signatories and integrity. However, loss of control over a user's private key will mean that all digital signatures using that key, and so ostensibly 'from' that user, are suspect. Nonetheless, a user cannot repudiate a signed message without repudiating their signature key.
  • 54.
    Main Questions? 1. In a digital signature, who uses the private key and who uses the public key? 2. What are the benefits of digital signatures?
  • 55.