
GAUTAM BUDDHA UNIVERSITY

Greater Noida, U.P., India

School of Law, Justice & Governance


Programme Name: B.A. LL.B.
Year: IV
Semester: VIII
Course Name: Cyber Law
Course Code: LB404
Batch: 2018-23

Assignment work
Title: Power and Functions of Controller

Submitted by:
Archana Yadav
18/ILB/055
Section: ‘B’

Submitted to:
Ms. Kajal Gupta
Faculty, Cyber Law

Acknowledgement
Presentation, inspiration and motivation have always played a key role in the success of any
venture.

I would like to express my gratitude to Ms. Kajal Gupta, Faculty of Law, School of Law,
Justice & Governance, Gautam Buddha University, whose valuable guidance and kind
supervision throughout the project work shaped the present work as it stands.

I am immensely obliged to my friends for their elevating inspiration, encouraging guidance
and kind supervision in completing my project.

Archana Yadav

Table of Contents

1. Introduction
2. What is certifying authority?
3. Who is controller?
4. Appointment of Controller
5. Functions of Controller
6. Powers of Controller
7. Conclusion

INTRODUCTION
The Controller of Certifying Authorities (CCA) is empowered by Sections 17 to 34 of the Act
to licence and control the activities of Certifying Authorities (CAs). CCA also ensures that
none of the Act's provisions are breached. In India, certifying authorities or electronic
signature infrastructure are governed by the following rules:

Controller of Certifying Authority (CCA). The IT Act of 2000 establishes the appointment,
responsibilities, powers, and duties of the CCA (India's apex regulating body for certifying
authority) and other personnel.

Certifying Authority (CAs). A certifying authority is a trusted third party or entity that
receives authorization from the controller and issues electronic signature certificates to
e-commerce users. These authorities will be supervised and controlled by the controller of
certifying authorities.

The Information Technology Act, 2000 empowers the Controller of Certifying Authorities
(CCA) to licence and regulate Certifying Authorities' operations. Digital signature certificates
are issued by Certifying Authorities (CAs) for electronic user authentication. Under Section
17 of the Act, the Controller of Certifying Authorities (CCA) is appointed with the help of
the Central Government to carry out the tasks of the IT Act. On November 1, 2000, the
Office of the Controller of Certifying Authorities (CCA) was established.

It aspires to promote the expansion of E-Commerce and E-Government by promoting the
widespread usage of digital signatures. Under section 18(b) of the IT Act, the Controller of
Certifying Authorities (CCA) of India established the Root Certifying Authority of India
(RCAI) to digitally sign the public keys of Certifying Authorities (CAs) in the country.
The RCAI is run in accordance with the Act's requirements.

The CCA uses its own private key to certify the public keys of CAs, allowing users in
cyberspace to verify that a certain certificate was issued by a licenced CA. The Root
Certifying Authority of India (RCAI) is operated for this purpose. The CCA also maintains the
Repository of Digital Certifications, which contains all of the certificates issued to the
country's CAs.

WHAT IS CERTIFYING AUTHORITY?
Digital signature certificates are issued by Certifying Authorities (CAs) for electronic user
authentication.

As per clause (g) of sub-section (1) of Section 2 of the IT Act, “certifying authority” means
a person who has been granted a licence to issue an [electronic certificate]¹ under section 24².

WHO IS CONTROLLER?
Controller of Certifying Authority (CCA) is the authority that controls the certifying authority
and related issues. This terminology, i.e., “Controller” has been defined in the section 2(1)(m)
of the Information Technology Act, 2000.

For the purposes of the IT Act, the Central Government has appointed the Controller of
Certifying Authorities (CCA) under section 17 of the Act. On November 1, 2000, the Office
of the CCA was established.

The IT Act of 2000 establishes the appointment, responsibilities, powers, and duties of the
CCA (India's apex regulating body for certifying authority) and other personnel.

APPOINTMENT OF CONTROLLER (SECTION 17):


▪ After informing the Official Gazette, the Central Government may appoint a Controller of
Certifying Authorities. They have the authority to appoint Deputy Controllers and
Assistant Controllers as well.
▪ The Controller performs his duties under the general supervision and direction of the
Central Government.
▪ Under the general supervision and control of the Controller, the Deputy Controllers and
Assistant Controllers will carry out the responsibilities given to them by the Controller.
▪ The Central Government may prescribe the qualifications, experience, and terms and
conditions of service for the Controller, Deputy Controllers, and Assistant Controllers.

¹ Substituted for “digital signature” by Information Technology (Amdt.) Act, 2008
² Section 2(1)(g) of Information Technology Act, 2000

▪ The Controller's Head Office and Branch Office shall be located anywhere the Central
Government deems appropriate.
▪ The Office of the Controller's seal shall be used.

FUNCTIONS OF THE CONTROLLER (SECTION 18):


A controller is responsible for one or more of the following tasks:

▪ Supervise the Certifying Authorities' actions and certify their public keys.
▪ Establish the standards that the Certifying Authorities must adhere to.
▪ Indicate the following:
➢ qualifications and experience requirements for all Certifying Authorities' employees;
➢ the content of printed, written, and visual materials and advertisements relating to the
digital signature and the public key;
➢ the form and content of a digital signature certificate and the key;
➢ the form and manner in which the Certifying Authorities maintain accounts;
➢ terms and conditions for the hiring and remuneration of auditors;
▪ Facilitate the establishment of an electronic system by the Certifying Authority, either
alone or in collaboration with other Certifying Authorities, and its regulation.
▪ Describe how the Certifying Authorities interact with the subscribers.
▪ There must be no conflicts of interest between the Certifying Authorities and the
subscribers.
▪ Define the responsibilities of the Certifying Authorities.
▪ Maintain a database holding each Certifying Authority's disclosure record, complete with
all required details. This database is also open to the general public.

POWERS OF CONTROLLER:

Section 19: Recognition of Foreign Certifying Authority


▪ For the purposes of the IT Act, 2000, a Controller has the authority to recognise any
foreign certifying authority as a certifying authority. While this is subject to the
regulations' criteria and limitations, the Controller can recognise it with the Central
Government's prior permission and publication in the Official Gazette.
▪ If a controller recognises a Certifying Authority under sub-section (1), its digital
signature certificate is valid for the purposes of the Act as well.
▪ The controller has the ability to revoke recognition if he believes that any certifying
authority has violated any of the conditions or limits set forth in sub-section (1). He
must, however, write down the reason and publish it in the Official Gazette.

Section 20: Controller to act as a repository


▪ Under this Act, the Controller will serve as a repository for all digital signature
certifications.
▪ The Controller will:
➢ Employ secure hardware, software, and procedures.
➢ Follow the guidelines set forth by the Central Government to maintain the
confidentiality and security of digital signatures.
➢ Keep track of all public keys in a digital database. He must also
ensure that the public keys and database are accessible to the general public.

Section 21: Power to issue Licence

(1) Any person may apply to the Controller for a licence to issue digital signature certificates,
subject to the provisions of subsection (2).

(2) A Controller may only grant a licence under subsection (1) if the applicant meets all of
the requirements. For the issue of digital signature certifications, the Central Government
establishes requirements in terms of qualification, knowledge, labour, financial resources, and
infrastructure facilities.

(3) A licence granted under this provision is:

a) Valid for the time period specified by the Central Government.

b) Not inheritable or transferable.
c) Subject to the regulations' specific restrictions and limitations.

Section 27: Power to Delegate


The controller has the power to give written permission to the deputy, assistant controller,
or any official to use any of his powers except his quasi-judicial power to resolve any
dispute between the certifying authorities and subscribers.

Section 28: Power to investigate Contraventions


Any violation of the Act's provisions, rules, or regulations will be investigated by the
Controller or any other Officer that he authorises.
Power to use the following powers bestowed on Income Tax Authorities by Chapter
XIII of the Income Tax Act, 1961, either directly or through an authorised officer:
▪ Power to inspect, compel attendance, and question anyone under oath,
▪ Power to search and seize,
▪ Power over required accounting books,
▪ Power to request information,
▪ Power to see and copy the register of members or debenture holders.
▪ Power to inquire.

Section 29: Power to access computers & data

The Controller has the power to access any computer system, any apparatus, data or any
material connected with such system if he reasonably suspects contraventions of the
provisions of the Act, rules and regulations.

Section 68(1): Power to give directions


Power to direct a certifying authority or any of its employees to take such actions or
discontinue carrying out such activities as are required to ensure conformity with the
terms of the Act, rules, or regulations issued thereunder.

Section 69(1): Power to issue directions for interceptions or monitoring or
decryption of any information through any computer resource.³
Power to direct any government agency to intercept any information transferred over any
computer resource if it is necessary in the interests of India's sovereignty or integrity,
state security, cordial relations with foreign states, etc.

Section 69A: In the situations described above, i.e., interests of India's
sovereignty or integrity, state security, cordial relations with foreign states, etc., the
Controller of Certifying Authority shall issue directives prohibiting the public from
accessing any information via any computer resource.

Section 69B: For cyber security purposes, the Controller has the authority to monitor
and collect traffic data or information through any computer resource.

Section 89: Power to make regulations:


The Controller has the power, after consultation with the cyber regulatory advisory group and
with prior permission from the Central Government, to enact regulations to carry out the
purposes of this Act. The regulations could apply to the following:
• Particulars regarding maintenance of database containing disclosure of record of every
CA [Sec. 18(n)]
• Conditions and recognition of Foreign Certifying Authority [Sec. 19(1)].
• Terms and conditions for grant of licence to CA [Sec. 21(3)].
• Standards to be observed by CA [Sec. 30(d)].

³ Section 69(1) IT Act, 2000
CONCLUSION:
The Controller of Certifying Authority plays a vital role in the proper administration of the
certifying authorities as well as subscribers’ issues. The CCA has been established with the
vision to create trust in electronic transactions. The CCA ensures reliability for the
subscribers and smoothens the process. The mission behind the establishment of the CCA is
authentication of transactions performed in the electronic environment. Moreover, the
objectives of the Ministry of Electronics & Information Technology of India behind the
establishment of the Controller of Certifying Authority are, firstly, implementation of an
authentication system in the electronic environment through Public Key Infrastructure (PKI)
and, secondly, to create awareness about the authentication techniques in the PKI.⁴

************************************************

⁴ https://cca.gov.in/vision.html
