Information Technology Act, 2000

IT Act, 2000
• Enacted on 17th May 2000; India is the 12th nation in the world to adopt cyber laws
• The IT Act is based on the Model Law on Electronic Commerce adopted by UNCITRAL (the United Nations Commission on International Trade Law)

Objectives of the IT Act
To provide legal recognition for transactions:
• Carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce"
• To facilitate electronic filing of documents with Government agencies and e-payments
• To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker's Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934
• Aims to provide the legal framework so that legal sanctity is accorded to all electronic records and other activities carried out by electronic means.

Legal Recognition for E-Commerce
Digital Signatures and Regulatory Regime
Electronic Documents at par with paper documents
E-Governance
Electronic Filing of Documents
Amend certain Acts
Define Civil wrongs, Offences, punishments
Investigation, Adjudication
Appellate Regime

Definitions
A total of 34 definitions are given in the bare Act, categorized into:
• Digital infrastructure
• Authorizing agency
• Documentation

Definitions (section 2)
• "computer" means electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network;
• "computer network" means the inter-connection of one or more computers through
(i) the use of satellite, microwave, terrestrial line or other communication media; and
(ii) terminals or a complex consisting of two or more interconnected computers, whether or not the interconnection is continuously maintained;

• "computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;
• "data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

• "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;
• "secure system" means computer hardware, software, and procedure that
(a) are reasonably secure from unauthorized access and misuse;
(b) provide a reasonable level of reliability and correct operation;
(c) are reasonably suited to performing the intended function; and
(d) adhere to generally accepted security procedures;
• "security procedure" means the security procedure prescribed by the Central Government under the IT Act, 2000.
• "secure electronic record": where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.

• "Certifying Authority" means a person who has been granted a licence to issue a Digital Signature Certificate;
• "Controller" means the Controller of Certifying Authorities appointed under sub-section (1) of section 17;
• "Cyber Appellate Tribunal" means the Cyber Regulations Appellate Tribunal established under sub-section (1) of section 48;
• "Electronic Gazette" means the Official Gazette published in the electronic form;
• "originator" means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person, but does not include an intermediary;
• "subscriber" means a person in whose name the Digital Signature Certificate is issued;
• "Act" means the Information Technology Act, 2000 (21 of 2000);
• "Agent" means a person duly authorised by a party to present an application or reply on its behalf before the Tribunal;
• "Application" means an application made to the Tribunal under section 57;
• "Legal practitioner" shall have the same meaning as is assigned to it in the Advocates Act, 1961 (25 of 1971);
• "Presiding Officer" means the Presiding Officer of the Tribunal;
• "Registrar" means the Registrar of the Tribunal and includes any officer to whom the powers and functions of the Registrar may be delegated;
• "Registry" means the Registry of the Tribunal;
• "Section" means a section of the Act;

• "affixing digital signature" means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature;
• "digital signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure;
• "Digital Signature Certificate" means a Digital Signature Certificate issued under sub-section (4) of section 35;
• "electronic form", with reference to information, means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device;
• "key pair", in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key;
Issue addressed
Legal Recognition of Electronic Documents
Legal recognition of Electronic Transaction / Record
Legal recognition of digital signature is at par with the
handwritten signature
Electronic Communication by means of reliable
electronic record

Issue addressed
• Legal Recognition of Digital Signatures
• Acceptance of contract expressed by electronic means
• e-Commerce and Electronic Data Interchange
• e-Governance
• Electronic filing of documents
• Retention of documents in electronic form
• Uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records or documents
• Publication of the official gazette in the electronic form
• Interception of any message transmitted in the electronic or encrypted form

Secure Digital Signature - S.15
If by application of a security procedure, agreed by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was:
(a) unique to the subscriber affixing it;
(b) capable of identifying such subscriber;
(c) created in a manner or using a means under the exclusive control of the subscriber and is linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated,
then such digital signature shall be deemed to be a secure digital signature.

Section 12 - Acknowledgement of Receipt
• If the originator has not specified a particular method, acknowledgement may be given by any communication, automated or otherwise, or by any conduct sufficient to indicate receipt.
• If the originator has stipulated that acknowledgement is necessary, then unless the acknowledgement has been received the electronic record shall be deemed never to have been sent.
• Where the acknowledgement is not received within the time specified, or within a reasonable time, the originator may give notice that the electronic record will be treated as though it had never been sent.

Section 13 - Dispatch of Electronic Records
• Unless otherwise agreed, dispatch occurs when the electronic record (ER) enters a computer resource outside the control of the originator.
• If the addressee has designated a computer resource, receipt occurs when the ER enters the designated computer resource; if the ER is sent to a computer resource of the addressee that is not the designated one, receipt occurs when the ER is retrieved by the addressee.
• If no computer resource has been designated, receipt occurs when the ER enters a computer resource of the addressee.
• The ER is deemed to be dispatched and received at the place where the originator has their principal place of business, or otherwise at their usual place of residence.

Digital Signature Certificate
Any person may make an application to the Certifying
Authority for issue of Digital Signature Certificate. The
Certifying Authority while issuing such certificate shall
certify that it has complied with the provisions of the Act.
The Certifying Authority has to ensure that the subscriber
(i.e., a person in whose name the Digital Signature
Certificate is issued) holds the private key corresponding
to the public key listed in the Digital Signature Certificate
and such public and private keys constitute a functioning
key pair. The Certifying Authority has the power to
suspend or revoke Digital Signature Certificate.

Regulation of Certifying Authorities
• The Central Government may appoint a Controller of Certifying Authorities who shall exercise supervision over the activities of Certifying Authorities.
• Certifying Authority means a person who has been granted a licence to issue a Digital Signature Certificate. The Controller of Certifying Authorities shall have powers to lay down rules, regulations, duties, responsibilities and functions of the Certifying Authority issuing Digital Signature Certificates. A Certifying Authority empowered to issue a Digital Signature Certificate shall have to procure a licence from the Controller of Certifying Authorities to issue Digital Signature Certificates. The Controller of Certifying Authorities has prescribed detailed rules and regulations under the Act as to the application for licence, suspension of licence and the procedure for grant or rejection of licence.

Essential steps of the digital signature process
• STEP 1: The signatory is the authorized holder of a unique cryptographic key pair;
• STEP 2: The signatory prepares a data message (for example, in the form of an electronic mail message) on a computer;
• STEP 3: The signatory prepares a "message digest", using a secure hash algorithm. Digital signature creation uses a hash result derived from and unique to the signed message;
• STEP 4: The signatory encrypts the message digest with the private key. The private key is applied to the message digest text using a mathematical algorithm. The digital signature consists of the encrypted message digest;
• STEP 5: The signatory typically attaches or appends its digital signature to the message;
• STEP 6: The signatory sends the digital signature and the (unencrypted or encrypted) message to the relying party electronically;

Essential steps of the digital signature process (continued)
• STEP 7: The relying party uses the signatory's public key to verify the signatory's digital signature. Verification using the signatory's public key provides a level of technical assurance that the message came exclusively from the signatory;
• STEP 8: The relying party also creates a "message digest" of the message, using the same secure hash algorithm;
• STEP 9: The relying party compares the two message digests. If they are the same, then the relying party knows that the message has not been altered after it was signed. Even if one bit in the message has been altered after the message has been digitally signed, the message digest created by the relying party will be different from the message digest created by the signatory;
• STEP 10: Where the certification process is resorted to, the relying party obtains a certificate from the certification service provider (including through the signatory or otherwise), which confirms the digital signature on the signatory's message. The certificate contains the public key and name of the signatory (and possibly additional information), digitally signed by the certification service provider.
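The ten steps above, worked through in code as an added example that is not part of the original slides: Go's standard-library RSA and SHA-256 stand in for the "secure hash algorithm" and "mathematical algorithm" of STEP 3 and STEP 4, and the key pair, sample message and single-bit alteration are constructed for the demonstration. It shows why STEP 9 holds: a one-bit change, or a signature checked against the wrong public key, fails verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sign performs STEP 3 and STEP 4 on the signatory's side: compute the message
// digest with a secure hash algorithm (SHA-256), then apply the private key to
// the digest. The returned bytes are the digital signature that is attached to
// the message and sent to the relying party (STEP 5 and STEP 6).
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verify performs STEP 7 to STEP 9 on the relying party's side: recompute the
// digest of the received message with the same hash algorithm and check it
// against the signature under the signatory's public key. It returns true only
// when the message is unaltered and was signed by the private key matching pub.
func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// flipBit returns a copy of msg with one bit changed, modelling an alteration
// made after the message was signed.
func flipBit(msg []byte, byteIdx int, bit uint) []byte {
	out := make([]byte, len(msg))
	copy(out, msg)
	out[byteIdx] ^= 1 << bit
	return out
}

// Demo runs the whole exchange and returns the verification result for the
// genuine message, for a one-bit-altered message, and under an impostor's key.
func Demo() (genuine, altered, wrongKey bool, err error) {
	// STEP 1: the signatory holds a unique key pair (generated here for the demo;
	// under the IT Act the public key would be bound to the subscriber by a
	// Digital Signature Certificate from a licensed Certifying Authority).
	signatory, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	// STEP 2: the data message (constructed sample text).
	msg := []byte("Transfer Rs. 1,00,000 to account 12345 on 17 May 2000")
	sig, err := sign(signatory, msg)
	if err != nil {
		return false, false, false, err
	}
	genuine = verify(&signatory.PublicKey, msg, sig)
	// Flip the lowest bit of byte 13 ('1' -> '0'): the amount becomes 0,00,000.
	altered = verify(&signatory.PublicKey, flipBit(msg, 13, 0), sig)
	// A signature verifies only under the public key of the pair that made it.
	wrongKey = verify(&impostor.PublicKey, msg, sig)
	return genuine, altered, wrongKey, nil
}

func main() {
	g, a, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v altered=%v wrongKey=%v\n", g, a, w)
}
```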

Section 4- Legal recognition of Electronic
Records
If any information is required in printed or written
form under any law the Information provided in
electronic form, which is accessible so as to be usable
for subsequent use, shall be deemed to satisfy the
requirement of presenting the document in writing or
printed form.

Sections 5, 6 & 7
• Legal recognition of Digital Signatures
• Use of Electronic Records in Government and its Agencies
• Publication of rules and regulations in the Electronic Gazette
• Retention of Electronic Records: accessibility of information, same format, particulars of dispatch, origin, destination, time stamp, etc.

Issue addressed
Offences and Contraventions
• Prevention of computer crime, forged electronic records, intentional alteration of electronic records, fraud, forgery or falsification in e-Commerce and electronic transactions.

REGULATION OF CERTIFYING AUTHORITIES
[Diagram: Regulation Structure. Executive side: Govt. of India, Controller of Certifying Authorities, Deputy Controllers, Assistant Controllers. Judicial structure: Supreme Court, High Court, Cyber Regulations Appellate Tribunal, Officer.]

REGULATION OF CERTIFYING AUTHORITIES
Appointment of Controller and other officers.
• The Central Government may appoint a Controller of Certifying Authorities.
• The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the Controller.

REGULATION OF CERTIFYING AUTHORITIES
Functions of Controller:
• exercising supervision over the activities of the Certifying Authorities;
• certifying public keys of the Certifying Authorities;
• specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the public key;
• resolving any conflict of interests between the Certifying Authorities and the subscribers.

Civil offences under the IT Act 2000

Sec | Offence | Punishment
43 | Damage to computer, computer system etc. | Compensation to the tune of Rs. 1 crore to the affected person.
44(a) | For failing to furnish any document, return or report to the Controller or the Certifying Authority. | Penalty not exceeding one lakh and fifty thousand rupees for each such failure.
44(b) | For failing to file any return or furnish any information or other document within the prescribed time. | Penalty not exceeding five thousand rupees for every day during which such failure continues.
44(c) | For not maintaining books of account or records. | Penalty not exceeding ten thousand rupees for every day during which the failure continues.
45 | Offences for which no penalty is separately provided. | Compensation not exceeding twenty five thousand rupees to the affected person or a penalty not exceeding twenty five thousand rupees.
65 | Tampering with computer source documents. | Imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
66 | Hacking with computer system with the intent or knowledge to cause wrongful loss. | Imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
66A | For sending offensive messages through communication service etc. | Imprisonment for a term which may extend to three years and with fine.
66B | For dishonestly receiving stolen computer resource or communication device. | Imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.
66D | For cheating by personation by using computer resource. | Imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.
66E | For violation of privacy. | Imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.
66F | For cyber terrorism. | Imprisonment which may extend to imprisonment for life.
67 | Publication of obscene material in an electronic form. | Imprisonment up to 5 years and with fine which may extend to one lakh rupees on first conviction, and double punishment for second and subsequent convictions.
67A | For publishing or transmitting material containing sexually explicit act etc. in electronic form. | Imprisonment up to 5 years and with fine which may extend to ten lakh rupees, and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.
67B | For publishing or transmitting material depicting children in sexually explicit act etc. in electronic form. | Imprisonment up to five years and with fine which may extend to ten lakh rupees, and in the event of second or subsequent conviction with imprisonment of seven years and also with fine which may extend to ten lakh rupees.
67C | For preserving and retention of information by intermediaries. | Imprisonment up to three years and also liable to fine.
68 | For failing to comply with the directions of the Controller. | Imprisonment up to 3 years and fine up to two lakhs, or both.
69 | For failing to extend facilities to decrypt information which is against the interest of sovereignty or integrity of India. | Imprisonment which may extend to seven years.
70 | Securing or attempting to secure access to a protected system. | Imprisonment which may extend to 10 years and fine.
71 | For misrepresentation or suppression of any material fact from the Controller or the Certifying Authority. | Imprisonment up to 2 years, or fine up to rupees one lakh, or with both.
72 | For breach of confidentiality and privacy. | Imprisonment up to two years or fine up to rupees one lakh, or with both.
72A | For disclosure of information in breach of lawful contract. | Imprisonment up to three years or with fine up to five lakh rupees or with both.
73 | For publishing digital signature certificate false in certain particulars. | Imprisonment up to two years or with fine which may extend to one lakh rupees or with both.
74 | Publication of Digital Signature Certificate for any fraudulent or unlawful purpose. | Imprisonment up to two years or fine up to rupees one lakh.
76 | Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto used for contravention of this Act, rules, orders or regulations made thereunder. | Liable to confiscation.

Civil offences under the IT Act 2000
• Unauthorised copying, extracting and downloading of any data or database
• Unauthorised access to a computer, computer system or computer network
• Introduction of a virus
• Damage to a computer system or computer network
• Disruption of a computer or computer network
• Denial of access to an authorised person to a computer
• Providing assistance to any person to facilitate unauthorised access to a computer
• Charging the service availed by a person to the account of another person by tampering with or manipulating another computer
Section 44 of the IT Act provides for penalty on failure to furnish information, returns etc. to the Controller by Certifying Authorities.

Criminal offences
• Tampering with computer source documents
• Hacking with computer system
• Electronic forgery, i.e. affixing a false digital signature or making a false electronic record
• Electronic forgery for the purpose of cheating
• Electronic forgery for the purpose of harming reputation
• Using a forged electronic record
• Publication of digital signature certificate for fraudulent purpose
• Offences and contravention by companies
• Unauthorised access to protected system
• Confiscation of computer, network, etc.
• Publication of information which is obscene in electronic form
• Misrepresentation or suppressing of material facts for obtaining Digital
Signature Certificates
• Breach of confidentiality and Privacy
• Publishing false Digital Signature Certificate

Checklist: Information Security Manager
• Establish an information security forum
• Define the scope of the Management Information System
• Risk assessment
• Division of threats to information within centralized and distributed systems

Checklist: Information Security Manager
• IT security policy
  Formulate mission and goal
  Alignment to IT requirements
  Alignment to organizational policy
  Compliance with regulations and standards
• Security procedure and standard of performance
  Formalize steps
  Standard operating procedure
  Define hierarchy of security and level of authority

• Practice
  Operationalize policy through execution of procedures
  Endpoint security problems
  IT security training
  Support for internal control (behavioral, technical)
• Monitor the system and enforce sanctions (rewards, penalties)

Civil Wrongs under IT Act
• Chapter IX of IT Act, Section 43
• Whoever without permission of the owner of the computer:
  Secures access to the private information of the owner (not necessarily through a network)
  Downloads, copies or extracts any data
  Introduces or causes to be introduced any virus or contaminant
  Damages or causes to be damaged any computer resource (destroy, alter, delete, add, modify or rearrange; change the format of a file)
  Disrupts or causes disruption of any computer resource (preventing normal continuance of the computer)
  Denies or causes denial of access by any means (denial of service attacks)
  Assists any person to do any of the above (rogue websites, search engines, insiders providing vulnerabilities)
  Charges the services availed by a person to the account of another person by tampering with or manipulating any computer resource (credit card frauds, Internet time thefts)
• Liable to pay damages not exceeding Rs. One crore to the affected party
• Investigation by Adjudicating Officer (powers of a civil court)
Data diddling: changing data prior to or during input into a computer
• Section 66 and 43(d) of the I.T. Act cover the offence of data diddling
• Penalty: not exceeding Rs. 1 crore
Case in point:
NDMC Electricity Billing Fraud Case: A private contractor was engaged to deal with the receipt and accounting of electricity bills for the NDMC, Delhi, covering collection of money, computerized accounting, record maintenance and remittance to the bank. He misappropriated a huge amount of funds by manipulating data files to show lower receipts and bank remittances.

Section 46 IT Act
• Section 46 of the IT Act states that an adjudicating officer shall adjudge whether a person has committed a contravention of any of the provisions of the said Act by holding an inquiry. The principles of audi alteram partem and natural justice are enshrined in the said section, which stipulates that a reasonable opportunity of making a representation shall be granted to the concerned person who is alleged to have violated the provisions of the IT Act. The said Act stipulates that the inquiry will be carried out in the manner prescribed by the Central Government.
• All proceedings before him are deemed to be judicial proceedings; every Adjudicating Officer has all the powers conferred on civil courts.
• Appeal lies to the Cyber Appellate Tribunal from a decision of the Controller or the Adjudicating Officer (section 57 IT Act).
Section 47, IT Act
• Section 47 of the Act lays down that while adjudging the quantum of compensation under this Act, the adjudicating officer shall have due regard to the following factors, namely:
  (a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
  (b) the amount of loss caused to any person as a result of the default;
  (c) the repetitive nature of the default.
Cybercrime provisions under IT Act, 2000
Offences & Relevant Sections under IT Act
• Tampering with computer source documents: Sec. 65
• Hacking with computer systems, data alteration: Sec. 66
• Publishing obscene information: Sec. 67
• Unauthorized access to protected system: Sec. 70
• Breach of confidentiality and privacy: Sec. 72
• Publishing false digital signature certificates: Sec. 73

TYPES OF CYBER CRIMES
• Cyber terrorism
• Cyber pornography
• Defamation
• Cyber stalking (section 509 IPC)
• Sale of illegal articles: narcotics, weapons, wildlife
• Online gambling
• Intellectual property crimes: software piracy, copyright infringement, trademark violations, theft of computer source code
• Email spoofing
• Forgery
• Phishing
