CYBER LAW (Coverage)

• Information technology law (related to
computers and internet)
• Communications law (related to
telecommunications and broadcasting, radio,
television, telephony and cable)
The Indian Telegraph Act, 1885, Wireless
Telegraphy Act, 1933 and Cable Television
Network Regulation Act, 1995
Information Technology Act, 2000

• The Preamble to the Act states that it aims at
providing legal recognition for transactions carried
out by means of electronic data interchange and
other means of electronic communication,
commonly referred to as "electronic commerce",
which involve the use of alternatives to paper-
based methods of communication and storage of
information and aims at facilitating electronic filing
of documents with the Government agencies.
Information Technology Act, 2000

• This Act was amended by the Information Technology
Amendment Bill, 2008, which was passed in Lok Sabha on
22nd December, 2008 and in Rajya Sabha on 23rd December,
2008. It received the assent of the President on 5th February
2009 and was notified with effect from 27/10/2009
• The IT Act, 2000 consists of 90 sections spread over 13
chapters [Sections 91, 92, 93 and 94 of the principal Act
were omitted by the Information Technology (Amendment)
Act 2008] and has 2 schedules [Schedules III and IV were
omitted by the Information Technology (Amendment) Act
2008].
Objectives of IT act 2000/Features
• It is the first cyber law in India
• It is based on the UNCITRAL Model Law
• Equal legal treatment of users of electronic
communication and paper based communication
• To encourage use of electronic commerce, e-transactions
• Electronic governance
• Regulatory framework to supervise the Certifying
Authorities
• The Act also sought to foster security practices within
India that would serve the country in a global context
Exceptions to IT Act, 2000
• Execution of a negotiable instrument (other than a
cheque) under the Negotiable Instruments Act, 1881
• Execution of a power of attorney
• Creation of a trust
• Execution of a will under the Indian Succession Act,
1925
• Entering into a contract for sale or conveyance of
immovable property
• Execution of such class of documents or transactions as
notified by Central government
Digital Signature
• Digital signatures enable the replacement of slow
and expensive paper-based approval processes
with fast, low-cost, and fully digital ones.
• Instead of using pen and paper, a digital signature
uses digital keys (public-key cryptography)
• Digital signatures are easily transportable, cannot
be imitated by someone else and can be
automatically time-stamped
Why Digital Signature
Features of Digital Signature
The success of electronic transactions depends on
“the trust that the transacting parties place in the
security of the transmission and content of their
communications”
• Authentication - Ownership of digital signature
• Integrity - No alteration during transmission through
cryptographic message digest function
• Non-repudiation - Cannot be copied
• Confidentiality
Features of Digital Signature (Continued)
Confidentiality
• Identical keys are used for encryption and
decryption
• Requires both parties to a digital conversation
to know the key
Features of Digital Signature (Continued)

• Sender applies a hash function i.e. a
mathematical formula or algorithm, in the
form of a computer software, on the message
to encrypt using addressee’s public key which
gives out a ‘hash result’ i.e. a unique
mathematical value. This ‘hash result’ is also
called the ‘message digest’
Digital Signature
• Section 2(1)(p)- “Authentication of any
electronic record by a subscriber, i.e. a person
in whose name the Digital Signature
Certificate is issued by means of an electronic
record”
Terminology
• Private Key-It means the key of a key pair used
to create a digital signature
• Public Key-It means the key of a key pair used to
verify a digital signature and listed in the digital
signature certificate
• Asymmetric crypto system-It means a system of
a secure key pair consisting of a private key for
creating a digital signature and a public key to
verify the digital signature
Procedure to obtain Digital Signature
• Certifying Authority with necessary documents
• Verification of documents
• Issue of digital certificate and public and private key
• Public and private key are used
• Preparation of message by sender
• Application of hash function(mathematical function), Message digest
• Encrypt message digest with private key by sender
• Attach digital signature to the message
• Sending of encrypted message or unencrypted message to the recipient
• Recipient uses the sender’s public key to verify the message
• Creation of message digest by recipient using the same hash algorithm
• If message digest is same as received from sender, no alteration has been made to
original message. The recipient can read the message by decrypting it with his
‘private key’
Authentication of electronic records by
affixing digital signature
• Step 1:-Electronic records are converted into
message digest by using a mathematical
function known as Hash function
• Step 2:-The identity of the person affixing the
digital signature is authenticated through the
use of private key which attaches itself to the
message digest which can be verified by
anybody who has the public key corresponding
to such private key
HASH FUNCTION
• 'Hash function' means an algorithm mapping or
translation of one sequence of bits into another,
generally smaller, set known as "Hash Result" such that
an electronic record yields the same hash result every
time the algorithm is executed with the same electronic
record as its input, making it computationally infeasible
(a) to derive or reconstruct the original electronic record
from the hash result produced by the algorithm;
(b) that two electronic records can produce the same hash
result using the algorithm.
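The signing and verification steps from the procedure and hash-function slides above, as an added example that is not part of the original slides. It goes slightly beyond them by also checking the Certifying Authority's signature on the certificate and a revocation list. It uses textbook RSA without padding and constructed toy keys; the function names, certificate fields and sample records are assumptions for illustration.

```python
import hashlib

E = 65537  # common RSA public exponent


def make_key_pair(p, q):
    """Return (public_key, private_key) for primes p and q (textbook RSA)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)


# Constructed toy keys built from well-known Mersenne primes. They are
# trivially factorable and exist only to keep the example deterministic.
CA_PUBLIC, CA_PRIVATE = make_key_pair(2**89 - 1, 2**607 - 1)
SUB_PUBLIC, SUB_PRIVATE = make_key_pair(2**127 - 1, 2**521 - 1)


def message_digest(record: bytes) -> int:
    """Hash function: the same record always yields the same hash result."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private_key) -> int:
    """Transform the message digest with the private key (no padding)."""
    n, d = private_key
    return pow(message_digest(record), d, n)


def signature_matches(record: bytes, signature: int, public_key) -> bool:
    """Recompute the digest and compare it with the one in the signature."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(record)


def cert_body(cert) -> bytes:
    """Bytes of the certificate fields that the Certifying Authority signs."""
    n, e = cert["public_key"]
    return f'{cert["serial"]}|{cert["subscriber"]}|{n}|{e}'.encode()


def issue_certificate(serial, subscriber, public_key):
    """Certifying Authority lists the public key and signs the certificate."""
    cert = {"serial": serial, "subscriber": subscriber, "public_key": public_key}
    cert["ca_signature"] = sign(cert_body(cert), CA_PRIVATE)
    return cert


def verify_record(record, signature, cert, revoked_serials):
    """Recipient-side checks, in the order a relying party would make them."""
    if not signature_matches(cert_body(cert), cert["ca_signature"], CA_PUBLIC):
        return "rejected: certificate not signed by the Certifying Authority"
    if cert["serial"] in revoked_serials:
        return "rejected: certificate suspended or revoked"
    if not signature_matches(record, signature, cert["public_key"]):
        return "rejected: record altered or not signed by the subscriber"
    return "accepted"


if __name__ == "__main__":
    cert = issue_certificate(1001, "A. Subscriber", SUB_PUBLIC)
    record = b"Pay Rs. 5,000 to B"  # constructed sample record, sent in clear
    signature = sign(record, SUB_PRIVATE)
    print(verify_record(record, signature, cert, set()))
    print(verify_record(b"Pay Rs. 50,000 to B", signature, cert, set()))
    print(verify_record(record, signature, cert, {1001}))
```

The record itself travels unencrypted here: the signature gives integrity and origin, not confidentiality. Production systems use a padded scheme such as RSA-PSS from a maintained library rather than raw modular exponentiation.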
Electronic Governance
• It refers to the application of information
technology to the processes of Government
functioning in order to bring about Simple,
Moral, Accountable, Responsive and
Transparent(SMART) governance.
• It involves electronic filing of e-governance
Provisions to facilitate e-Governance
• Legal Recognition of Electronic Records
• Legal Recognition of Digital Signatures
• Use of Electronic Records and Digital Signature in
Government and its agencies
• Retention of Electronic Records
• Publication of Rules, Regulation in Electronic Gazette
• No right to insist that the document should be accepted
in Electronic form
• Central government empowered to make rules in respect
of digital signature
E GOVERNANCE APPLICATION
MCA21 – a Mission Mode project under NeGP
(National e-governance plan) which is one of
the first few e-Governance projects under
NeGP to successfully implement Digital
Signatures in their project
Income Tax e-filing
Indian Railway Catering and Tourism
Corporation (IRCTC)
Director General of Foreign Trade (DGFT)
RBI Applications (SFMS : structured Financial
Attribution of Electronic Records
An electronic record shall be attributed to
the originator, if it was sent:
• Originator(Does not include intermediary)
himself
• By an authorized person
• By the information system programmed by or
on behalf of the originator to operate
automatically
Acknowledgement of Receipt
• No agreement
• Stipulation by the originator
• No stipulation by the originator
Time and Place of Dispatch and Receipt of
Electronic Record(Sec 13)
• If the addressee has designated a computer
resource for the purpose of receiving electronic
records:
i. Receipt occurs at the time when the electronic
record enters the designated computer resource
ii. If the electronic record is sent to a computer
resource of the addressee that is not the
designated computer resource, receipt occurs at
the time when the electronic record is retrieved by
the addressee
Time and Place of Dispatch and Receipt of
Electronic Record(Sec 13)
• If the addressee has not designated a
computer resource along with specified
timings, if any receipt occurs when the
electronic record enters the computer
resource of the addressee
Time and Place of Dispatch and Receipt of
Electronic Record(Sec 13)
• If the originator or the addressee has more than
one place of business, the principal place of
business, shall be the place of business
• If the originator or addressee does not have a
place of business, his usual place of residence
shall be deemed to be the place of business
• Usual place of residence in relation to a body
corporate means the place where it is
registered
Regulations of Certifying Authority

• A Certifying Authority is a trusted body whose
central responsibility is to issue, revoke, renew
and provide directories of Digital Certificates.
Certifying Authority means a person who has
been granted a license to issue an Electronic
Signature Certificate under section 24
Controller of Certifying Authorities (CCA)

• The IT Act provides for the Controller of Certifying
Authorities (CCA) to license and regulate the working
of Certifying Authorities.
• "Controller" means Controller of Certifying Authorities
appointed under sub-section (1) of Section 17 of the
Act
• The Certifying Authorities (CAs) issue digital signature
certificates for electronic authentication of users.
Controller of Certifying
Authorities(Continued)
• The Controller of Certifying Authorities (CCA)
has established the Root Certifying Authority
of India (RCAI) under section 18(b) of the
IT Act to digitally sign the public keys of
Certifying Authorities (CA) in the country. The
RCAI is operated as per the standards laid
down under the IT Act.
Controller of Certifying Authorities (CCA)
[Appointment]
• Central government by notification in Official Gazette
appoint a Controller, Deputy Controllers & Assistant
Controllers
• The Controller shall discharge functions under the
directions of Central Government
• Deputy Controller and Assistant Controller shall perform
functions under the control of Controller
• Qualifications, experience and terms of conditions
• Head office and branch office
• Seal of the office of the Controller
Functions of Controller
• Supervision
• Certification of public key
• Laying standards to be maintained by the Certifying
authority
• Qualifications and experience of employees of certifying
authorities
• Conditions to certifying authorities
• Contents of written, printed or visual materials and
advertisements in respect of a digital signature
certificate and public key
Functions of Controller(Continued)
• Forms and signature of digital signature certificate
and the key
• Accounts of certifying authority
• Appointment of auditors
• Facilitate the establishment of electronic system
by a CA solely or jointly
• Resolving conflict of interest between certifying
authorities and subscribers
• Database of certifying authority
Recognition of Foreign Certifying
authorities(Section 19)
• With the approval of central government and
by notification in official Gazette
• Revocation of Recognition
Controller to act as Repository(Section 20)

• To make use of secure hardware, software and
procedures
• Observe standards prescribed by central
government
Grant of license to Certifying authority to
issue digital signature certificate
• Application Form
• Eligibility Criteria
• Supporting Documents
Company Profile/Experience of Individuals
Supporting Documents

• An undertaking to submit Performance Bond
or
• Banker’s Guarantee valid for six years from a
scheduled bank for an amount not less than
Rs. 50 lakhs in accordance with Rule 10(ii)(h)
of the IT(CA) Rules.
• Certified true copies of the company’s
incorporation, articles of association etc
• Original business profile report with certification
from Registrar of Companies
• Audited accounts for the past 3 years (if applicable)
• The CA’s Certification Practice Statement (CPS)-This
statement specifies a set of rules and requirements
which are to be followed by certifying authority
• Technical specifications of the CA system and CA
security policies
Licensing of certifying authority(Eligibility
Criteria)
• An individual, being a citizen of India and
having a capital of five crores of rupees or
more in his business or profession
• a company having—
• (i) paid-up capital of not less than five crores
of rupees
• (ii) net worth of not less than fifty crores of
rupees
Licensing of certifying authority(Eligibility
Criteria)
• a firm having— (i)capital subscribed by all
partners of not less than five crores of rupees
(ii)net worth of not less than fifty crores of
rupees
Overview of the process followed by
controller in granting certificate to CA
1. Check completeness of application and availability of
all supporting documents
2. Ensure that Eligibility Criteria are met by the CA
3. Examine the Certification Practice Statement (CPS)
submitted by the CA applicant as per the framework
provided
4. Appointment of empanelled Auditor by CCA for Audit
of CA infrastructure (technical, physical and procedural)
5. Examination of Audit report submitted to CCA by the
Auditor
Overview of the process followed by
controller in granting certificate to CA
6. Grant of “in-principle” approval by CCA if audit
report found satisfactory
7. Submission of Bank Guarantee, Undertaking and
Certificate Signing Request to CCA by CA applicant
8. Issuance of Public Key Certificate to the CA
applicant by CCA
9. Issuance of Paper Licence to CA.
10. Publishing of CA details on the web-site of CCA
Circumstances for Suspension & revocation
of License
• Licences can be suspended by the CCA under Section 25 of IT
Act. The CCA shall suspend a Licence if the CCA believes that
the CA has:
• made a statement in the application for the issue or renewal
of the licence, which is incorrect or false in material particulars
• failed to comply with the terms and conditions subject to
which the licence was granted
• contravened any provisions of the IT Act, Rule, Regulation or
orders
• Failed to maintain the procedures and standards specified in
section 30 of IT Act
Revocation of License
• Licence issued by the CCA can remain
suspended for a maximum period of ten
working days
• Publish notice for suspension
Renewal of licence before expiry

• The application for renewal of Certifying
Authority's licence shall be submitted before
45 days of expiry of licence
• The process for the renewal of Licence will be
similar to fresh licence in respect of audit and
supporting documents
Digital Signature Certificates

The purpose of a digital signature certificate is to
authenticate the identity of an individual
It ensures that sender is the person who sent the
message
It is signed digitally by the Certifying Authority
Digital Signature Certificates

Certifying authority to issue digital signature
certificate (Section 35)
Application-
Fee not exceeding 25000
Certification Practice Statement
If Certifying authority is satisfied with all details
provided can issue digital signature certificate
Digital Signature Certificates
No Digital Signature Certificate shall be granted unless the Certifying
Authority is satisfied that –
The applicant holds the private key corresponding to the public
key to be listed in the Digital Signature Certificate.
The applicant holds a private key, which is capable of creating a
digital signature.
The public key to be listed in the certificate can be used to verify
a digital signature affixed by the private key held by the applicant:
Provided further that no application shall be rejected unless the
applicant has been given a reasonable opportunity of showing
cause against the proposed rejection.
Digital Signature Certificates
Representation upon issuance of Digital Signature Certificate(Section 36)
A Certifying Authority while issuing a Digital Signature Certificate shall certify
that--
•it has complied with the provisions of this Act and the rules and regulations made
there under.
•it has published the Digital Signature Certificate or otherwise made it available to
such person relying on it and the subscriber has accepted it.
•the subscriber holds the private key corresponding to the public key, listed in the
Digital Signature Certificate.
•the subscriber's public key and private key constitute a functioning key pair.
•the information contained in the Digital Signature Certificate is accurate
•it has no knowledge of any material fact, which if it had been included in the
Digital Signature Certificate would adversely affect the reliability of the
representations made
Digital Signature Certificates

Suspension of Digital Signature Certificate(Section 37)

• The Certifying Authority which has issued a Digital Signature Certificate may
suspend such Digital Signature Certificate -
– on receipt of a request to that effect from -
• the subscriber listed in the Digital Signature Certificate, or
• any person duly authorised to act on behalf of that subscriber
– if it is of opinion that the Digital Signature Certificate should be suspended in public
interest
• A Digital Signature Certificate shall not be suspended for a period exceeding
fifteen days unless the subscriber has been given an opportunity of being
heard in the matter.
• On suspension of a Digital Signature Certificate under this section, the
Certifying Authority shall communicate the same to the subscriber.
Digital Signature Certificates

Revocation of Digital Signature Certificate(Section 38)


Request by subscriber or person authorised
Death, dissolution or winding up of the firm
Material fact is false
Security system was compromised
Insolvency
Note: A digital signature certificate shall not be revoked
unless the subscriber has been given an opportunity to
be heard
Digital Signature Certificates
Notice of suspension or revocation(Section 39)
Where a Digital Signature Certificate is
suspended or revoked under section 37 or
section 38, the Certifying Authority shall
publish a notice of such suspension or
revocation, as the case may be, in the
repository specified in the Digital Signature
Certificate for publication of such notice
CRAT (CYBER REGULATIONS APPELLATE TRIBUNAL)-Section 58
• Section 48, Establishment: By notification of Central Government
• Section 49, Composition: Presiding Officer
• Section 50, Qualifications: Judge of High Court; Member of the Indian Legal
Service; holding or has held a post in Grade 1 of that service for at
least three years
• Section 51, Term of office: Five years or until the age of 65 years of
Presiding officer, whichever is earlier
• Section 52, Salary: Prescribed by Central government
• Section 53, Filling up of vacancies: Central government
• Section 54, Resignation and removal: By central government; continue to
hold office till the expiry of three months
• Section 55, Orders constituting Appellate Tribunal to be final: Not to
invalidate its proceedings
• Section 56, Staff: Appointed by Central government; functions under general
superintendence of the Presiding Officer
Appeal to Cyber Regulations Appellate Tribunal

• Who can appeal?
Aggrieved parties by an order made by controller or
an Adjudicating Officer
• Period allowed for appeal
45 days with fee from date of receiving order made
by controller or Adjudicating Officer
• Order by Cyber Appellate Tribunal
Dispose of appeal within six months
Send copy of order to the parties to appeal,
Controller, Adjudicating officer
Powers of the Cyber Appellate Tribunal(Section 58)

Same powers as are vested in a civil court under the Code of
Civil Procedure, 1908
(a) summoning and enforcing the attendance of any person
and examining him on oath;
(b) requiring the discovery and production of documents or
other electronic records;
(c) receiving evidence on affidavits;
(d) issuing commissions for the examination of witnesses or
documents;
(e) reviewing its decisions;
(f) dismissing an application for default or deciding it ex parte;
(g) any other matter which may be prescribed.
Cyber Appellate Tribunal

Appeal to High Court (Sec. 62)
Any person aggrieved by any decision of the Tribunal
can file an appeal to the High Court within 60 days from
the date of receiving the order
Compounding of Contraventions(Sec. 63)
Compounded sum can not exceed the amount of
penalty imposed under this act
The provision shall not apply to a person who
commits the same or similar contravention within a
period of three years from the date on which the
contravention was previously compounded
Penalties and Adjudication
• Penalty is imposed by way of damages to be
paid as compensation to the affected party for
damage caused to any computer, computer
network etc.
Offences(Criminal Penalty)(Sec 65-76)
65. Tampering with computer source document
With imprisonment up to three years, or with fine which may extend up
to two lakh rupees, or with both
66. Hacking with computer system.
Whoever commits hacking shall be punished with imprisonment up to
three years, or with fine which may extend up to two lakh rupees, or with
both
67. Publishing of information which is obscene in electronic form
Imprisonment of either description for a term which may extend to five
years and with fine which may extend to one lakh rupees and in the
event of a second or subsequent conviction with imprisonment of either
description for a term which may extend to ten years and also with fine
which may extend to two lakh rupees
Offences(Criminal Penalty)(Sec 65-76)
68. Power of Controller to give directions
Any person who fails to comply with any order shall be guilty of an offence
and shall be liable on conviction to imprisonment for a term not exceeding
three years or to a fine not exceeding two lakh rupees or to both
69. Directions of Controller to a subscriber to extend facilities to decrypt
information
The subscriber or any person who fails to assist the agency shall be punished
with an imprisonment for a term which may extend to seven years
70. Protected system
Any person who secures access or attempts to secure access to a protected
system in contravention of the provisions of this section shall be punished
with imprisonment of either description for a term which may extend to ten
years and shall also be liable to fine
Offences(Criminal Penalty)(Sec 65-76)
71. Penalty for misrepresentation
shall be punished with imprisonment for a term
which may extend to two years, or with fine which
may extend to one lakh rupees, or with both.
72. Penalty for breach of confidentiality and
privacy
shall be punished with imprisonment for a term
which may extend to two years, or with fine which
may extend to one lakh rupees, or with both
Offences(Criminal Penalty)(Sec 65-76)
73. Penalty for publishing digital signature certificate false
in certain particulars
Shall be punished with imprisonment for a term which
may extend to two years, or with fine which may extend
to one lakh rupees, or with both
74. Publication for Fraudulent Purpose (section 74)
Shall be punished with imprisonment for a term
which may extend to two years, or with fine which
may extend to one lakh rupees, or with both
Offences(Criminal Penalty)(Sec 65-76)

75. Act to Apply for offence or Contravention
Committed outside India
76. Confiscation
78. Power to investigate Offences
A police officer not below the rank of Deputy Superintendent
of Police is empowered to investigate any offence under this
act
79. Network Service providers not to be liable in certain cases
Offences

• Offences by Companies (Section 85)
• Constitution of Advisory Committee (Section 88)
Constitution of Advisory Committee (Section 88)

(1) The Central Government shall, as soon as may be after the commencement of this
Act, constitute a Committee called the Cyber Regulations Advisory Committee.
(2) The Cyber Regulations Advisory Committee shall consist of a Chairperson and such
number of other official and non-official members representing the interests
principally affected or having special knowledge of the subject-matter as the
Central Government may deem fit.
(3) The Cyber Regulations Advisory Committee shall advise -
(a) the Central Government either generally as regards any rules or for any other
purpose connected with this Act;
(b) the Controller in framing the regulations under this Act.
(4) There shall be paid to the non-official members of such Committee such travelling
and other allowances as the Central Government may fix.
Power of Controller to make
regulations(Section 89)
The controller after consultation with the Cyber
Regulation Advisory Committee and with the
previous approval of central government by
notification in the official Gazette, make regulations
consistent with the act.
Duties of Subscribers

Subscriber is the person who has obtained a digital
signature certificate from some Certifying Authority
1. Generating key pair(Section 40)
Where any Digital Signature Certificate, the public
key of which corresponds to the private key of that
subscriber which is to be listed in the Digital
Signature Certificate has been accepted by a
subscriber, then, the subscriber shall generate the
key pair by applying the security procedure
Duties of Subscribers
2. Acceptance of Digital Signature Certificate(Sec. 41)
A subscriber deemed to have accepted digital
signature certificate if he publishes or authorises its
publications:
• To one or more persons
• In a repository , or otherwise demonstrates his
approval of the Digital Signature Certificate in any
manner.
Duties of Subscribers
Control of Private Key(section 42)
Every subscriber shall exercise reasonable care to retain
control of the private key corresponding to the public
key listed in his Digital Signature Certificate and take all
steps to prevent its disclosure to a person not authorised
to affix the digital signature of the subscriber.
Note- For the removal of doubts, it is hereby declared
that the subscriber shall be liable till he has informed the
Certifying Authority that the private key has been
compromised
Duties of Subscribers
National Repository of Digital Signature Certificate-:
The Controller of certifying authorities operates the
NRDC
Copies of all digital signature certificates and
corresponding Certificate Revocation Lists issued by all
licensed certifying authorities are maintained in
NRDC