INFORMATION

TECHNOLOGY LAW AND

CYBER CRIME
(HONOURS)
Presentation by: Himanshu Sekhar Muduli,
Asst. Professor (Law), SNIL
Genesis of Information Technology Act, 2000
UNGA Resolution:
A/RES/51/162
30.01.1997

Model Law on E-Commerce,

UNCITRAL

Facilitating International Alternative to Paper Based

Trade Methods
Objective of Information Technology Act, 2000

 An Act to provide legal recognition for transactions carried out by means of

electronic data interchange and other means of electronic communication,
commonly referred to as ―electronic commerce‖, which involve the use of
alternatives to paper-based methods of communication and storage of
information, to facilitate electronic filing of documents with the Government
agencies and further to amend the Indian Penal Code, the Indian Evidence
Act, 1872, the Banker’s Books Evidence Act, 1891 and the Reserve Bank of
India Act, 1934 and for matters connected therewith or incidental thereto.
Objective of Information Technology Act, 2000, Cont..

Legal Recognition

Alternatives to paper
Facilitate e-filings
based methods
Legislative Intent

Legislative Intent

Should not ignore the national or municipal perspective of

Information Technology.

International Perspective as advocated in the model

law.
Scope

Extraterritorial
Violator Any Person
Jurisdiction
One Wired
World Computer,
Computer System, Jurisdiction of
India
Computer IT Act, 2000
Network
Partwise Implementation

Appointmen C.G. notified IT Act, 2000 on 17 Oct

Central t of different
Govt. by dates for 2000.
Notification different IT (Amendment ) Act, 2002 has been
Provisions granted presidential Assent.
Notified on 5th February, 2009
Effectuated on 27th October, 2009.
Commencement:
Reference to the
commencement of
that provision
Exclusion of Application of the Act

Negotiable
Instruments

Any
Contract for Power of
the Sale or Attorney
Conveyance
IT Act,
2000

Will Trust
Electronic Data Interchange

Places the order

directly into system
Supplier’s
computer receives
Customer computer the P.O.
system creates and
sends the electronic
P.O.
Electronic Commerce

• Adopted and perfected by large companies.

Use of EDI • Costly proposition for small and medium
companies.

• Opened up EDI to a wider range of

Internet business opportunities.
• Way for internet-based electronic market
places.

• Beyond buyer supplier

E-Commerce relationship.
• Vertical as well as
horizontal market.
Kinds of E-commerce

Inventory
based model

Market place
based model

Models of E-
commerce
Securing of E-commerce
Fear of interception, transmission error, delays, deletion,
authenticity or verification of electronic message.

Protection of Message, not medium

Ensuring authenticity of sender, integrity and non-

repudiation

Call for digital signature

Electronic Signature
 Section 2(ta) ―electronic signature means authentication of any
electronic record by a subscriber by means of the electronic
technique specified in the Second Schedule and includes digital
signature.

 Section 2(tb) ―Electronic Signature Certificate means an

Electronic Signature Certificate issued under section 35 and
includes Digital Signature Certificate
Electronic Signature Cont.

Authentication of
Electronic
Records
Technology Neutrality:
Choice of Subscribers

By means of
Electronic
Technique

E-sign, E-authentication, E-KYC service: E- Electronic

Signature or E-authentication Technique Signature
and Procedural Rules, 2015
Digital Signature
 Section 2 (p), digital signature: Authentication of any electronic
record by a subscriber by means of an electronic method or
procedure in accordance with the provisions of section 3.

 Section 2 (q), Digital Signature Certificate: Digital Signature

Certificate issued under sub-section (4) of section 35.
 Digital Signature Cont.

Authentication of
Electronic
Records by
Subscribers
Transformation of an electronic
message using public key cryptography.
By means of
Electronic
method or
procedure

Digital Signature
Key Pair

Pvt. Key Public Key

Key Pair
(Create) (Verify)
S. 2(1)(x)
S. 2(1)(2c) 2(1)(2d)

Hash Function
(algorithm)

Section 2(1)(x) ―key pair in an asymmetric crypto system, means a

private key and its mathematically related public key, which are so
related that the public key can verify a digital signature created by the
private key.
Creation of Digital Signature

Computation of Hash Result by

Hash function through signer’s
Demarcation of information by
software i.e. unique to the
Sender Signer
message
(Message)
(digital fingerprint or message
digest)

Encryption of hash result into a

digital signature through Private Digital Signature is attached to
Key its message or stored or Verification by Recipient
transmitted with its message.
(digitally signed hash result: DS)
Verification of Digital Signature

Original Message Received Digital Signature Received

Computation of Hash result using Same

Application of signer’s public key on DS
Hash Function used by signer to DS

Message digest/digital fingerprint Message digest/digital fingerprint

Signature will be verified if and only if both the

message digests are identical to one another.
Statutory Provisions on Digital Signature
 Information Technology Act, 2000
 3. Authentication of electronic records:
(1) Subject to the provisions of this section any subscriber may authenticate an electronic
record by affixing his digital signature.
(2) The authentication of the electronic record shall be effected by the use of asymmetric
crypto system and hash function which envelop and transform the initial electronic
record into another electronic record.
Explanation.–For the purposes of this sub-section, ―hash function‖ means an algorithm
mapping or translation of one sequence of bits into another, generally smaller, set known as
―hash result‖ such that an electronic record yields the same hash result every time the
algorithm is executed with the same electronic record as its input making it computationally
infeasible– (a) to derive or reconstruct the original electronic record from the hash result
produced by the algorithm; (b) that two electronic records can produce the same hash
result using the algorithm.
(3) Any person by the use of a public key of the subscriber can verify the electronic record.
(4) The private key and the public key are unique to the subscriber and constitute a
functioning key pair.
Digital Signature Certificate

Trust

Certification DSC Security

Authentication
 Digital Signature Certificate: Procedure

CA verifies Subscriber
identity of digitally signs
subscribers and electronic
issue DSC message with Pvt.
Key

Subscriber CA forward DSC

applies to to repository
Certifying maintained by the
Authority controller.

Repository does the status

Relying Party receives
message, verifies DS with
public key.
Goes to repository to check
check on Subscriber's
on status and validity of
Certificate and informs
Subscriber’s Certificate
back to relying party.
Creation of Electronic Signature

Signer subscribes
the E-Sign

Electronic Key
held by Signer to
authenticate him

Signer affix the E-

Sign
Verification of Electronic Signature

Recipient receives
the E-Sign

Verifies the
integrity
electronically

Recipient accept
the same if no
alternation is
detected
 Statutory Provisions on Electronic Signature
3A. Electronic signature.—
(1) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a
subscriber may authenticate any electronic record by such electronic signature or electronic authentication
technique which— (a) is considered reliable; and (b) may be specified in the Second Schedule.
(2) For the purposes of this section any electronic signature or electronic authentication technique shall be
considered reliable if—
(a) the signature creation data or the authentication data are, within the context in which they are used,
linked to the signatory or, as the case may be, the authenticator and to no other person;
(b) the signature creation data or the authentication data were, at the time of signing, under the control of
the signatory or, as the case may be, the authenticator and of no other person;
(c) any alteration to the electronic signature made after affixing such signature is detectable;
(d) any alteration to the information made after its authentication by electronic signature is detectable;
and
(e) it fulfils such other conditions which may be prescribed.
(3) The Central Government may prescribe the procedure for the purpose of ascertaining whether electronic
signature is that of the person by whom it is purported to have been affixed or authenticated.
(4) The Central Government may, by notification in the Official Gazette, add to or omit any electronic
signature or electronic authentication technique and the procedure for affixing such signature from the Second
Schedule: Provided that no electronic signature or authentication technique shall be specified in the Second
Schedule unless such signature or technique is reliable.
(5) Every notification issued under sub-section (4) shall be laid before each House of Parliament.]
Salient Features of E-Sign
Save Cost &
Time

Destruction Improve
of Key after User
usage Convenience

Biometric or
OTP based Legally
authenticatio E-Sign Recognized
n

E-KYC
Provided by
based
Licensed
Authenticati
CAs
on
Short
Validity
Certificates
Benefits of E-Sign

Facilitates legally Flexible & easy to

valid signatures implement

Easy & secure way to

digitally sign
information Reduced Costs
anywhere &
anytime.
Benefits
of E-Sign
Electronic Signature vs. Digital Signature
Electronic Signature Digital Signature

Technology Neutral Type Technology Specific Type

Can take many forms and permit broad

Use of Public Key Cryptography
range of e-signs

E.g. Name typed at the end of an e-mail,

E.g. Block of data at the end of an e-
digitized image of a handwritten
message that attests to the authenticity
signature, secret code or PIN, biometric
of the said message.
based identifier
 E-GOVERNANCE &
INFORMATION
TECHNOLOGY ACT, 2000
 E-Governance

• Window of opportunity
E-Governance • Convenient, transparent and dynamic interaction.

Use of
• By Government Agencies
technology

• With citizens,
To transform business and other
relations arms of government.
Transformation of Physical Governance to E-Governance

Physical
Governance

Information
Technology Functional equivalent approach
Act, 2000

E-governance
Electronic Form
Information generated

Electronic Form
Sent/received /stored
Section 2(1)(r)

Media, magnetic, optical,

computer memory, micro
film, computer generated
micro fiche or similar device.
Legal Recognition of E-Records (Section 4)

Legal Recognition of E-Records

Such required shall deemed to be satisfied if rendered or made available

in an electronic form & accessible so as to be usable for a subsequent
reference.

Law provides that information or any other matter shall be in writing

or typewritten or printed form.
Legal Recognition of E-Signatures (Section 5)

Legal Recognition of E-Signature

Such required shall deemed to be satisfied if such information is

authenticated by means of electronic signature affixed in such manner as
prescribed by central government.

Law provides that information or any other matter shall be

authenticated by affixing signature or any document shall be signed or
bear the signature of any person.
Usage of Electronic Records and Electronic Signature by Govt. & its agencies: Section 6

Ap
& prop
f or r i a
m t
Filing of any & at o e Go
Is s f f v
form, uin ilin t.: M
g
application or pa Man rec g ele , cre anne
ym n e o c r
any other en r o rds; tron ating
of t r ic
documents. ele , cre met
ct r a t i o h o d
on
i c n or o f
rec iss
ord ue
.

Can be Issue of any

effected by license,
Govt. & its
means of permit,
agencies
electronic sanction or
form. approval.

Receipt or
payment of
money.
 Delivery of Services by Service Provider (Section 6A)
Authorize, by order
to service provider to Authorize to collect,
Appropriate Govt. for set up, maintain and retain and
efficient delivery of upgrade the appropriate such
service to public computerized service charges as
through e-means facilities may be prescribed by
(notification in appropriate Govt.
Official Gazette)
Service Providers:
Individuals, private Authorize to collect,
agency, private Appropriate Govt.
retain and
company, shall by notification in
appropriate such
official gazette specify
partnership firm, service charges even if
the scale of service
proprietor firm or there is no express
charges which may be
any such other provision under the
charge or collected by
bodies or entities. Act, rule, regulation
service providers.
or notification.
National E-Governance Plan (NeGP)

PPP Concept

Foundation &
long term
growth of e-
governance
Vision: Accessibility, transparency,
reliability & affordability.
Creation of right
governance &
institutional
mechanism

Set-up of core
infrastructure
policies & 27
Mission Mode
Projects
E-Delivery of Services
Doorstep
delivery
of
Services

Home
Services
Delivery
at
nominal EDS of
Governan
Cost
ce

Mobile
Governan
ce
(UMAN
G)
Retention of Electronic Records
Accessibility so as
to be usable for
subsequent
reference

Retention in
Excludes
Originally
automated
generated/sent/rece
generated Conditions
ived form or can be
messages of
demonstrated to
dispatch or receipt
ensure accuracy

Details which will

facilitate
identification
(origin,
destination, date &
time of dispatch or
receipt.
Retention of Electronic Records
 7. Retention of electronic records.—

 (1) Where any law provides that documents, records or information shall be retained for any specific
period, then, that requirement shall be deemed to have been satisfied if such documents, records or
information are retained in the electronic form, if—

 (a) the information contained therein remains accessible so as to be usable for a subsequent reference;

 (b) the electronic record is retained in the format in which it was originally generated, sent or received or in
a format which can be demonstrated to represent accurately the information originally generated, sent or
received;

 (c) the details which will facilitate the identification of the origin, destination, date and time of dispatch or
receipt of such electronic record are available in the electronic record:

 Provided that this clause does not apply to any information which is automatically generated solely for the
purpose of enabling an electronic record to be dispatched or received.

 (2) Nothing in this section shall apply to any law that expressly provides for the retention of documents,
records or information in the form of electronic records.
DigiLocker System

Personalize
d digital
vault &
Extension of cloud
Aadhaar storage

Issuance &
verification
of
documents
&
certificates

DigiLocker
DigiLocker System Cont…

Issuer
Repository

Access
Gateway DigiLocker

ze Re
t i qu
DigiLocker Ci s sto e
Portal
n r
Benefits of DigiLocker
Accessibility
&
Convenience

Digitally Minimization
Signed (eSign of
Facility) Benefits administrative
Self overhead of
Attestation Govt.

Feasibility
(ensuring
validity of
document)
Audit of Documents Maintained in E-Form

 7A. Audit of documents, etc., maintained in electronic form.—Where in any

law for the time being in force, there is a provision for audit of documents,
records or information, that provision shall also be applicable for audit of
documents, records or information processed and maintained in the electronic
form.
Publication in Electronic Gazette

Law Provides for Publication in Official

Gazette.

Deemed to be satisfied if published in

Electronic Gazette.

Date of Publication = Date of Gazette

which was first published in any form.
Publication in Electronic Gazette Cont…
Section 8 (IT Act, 2000). Publication of rule, regulation, etc., in Electronic Gazette.—
Where any law provides that any rule, regulation, order, bye-law, notification or any
other matter shall be published in the Official Gazette, then, such requirement shall be
deemed to have been satisfied if such rule, regulation, order, bye-law, notification or
any other matter is published in the Official Gazette or Electronic Gazette:

Provided that where any rule, regulation, order, by-law, notification or any other matter
is published in the Official Gazette or Electronic Gazette, the date of publication shall
be deemed to be the date of the Gazette which was first published in any form.

Section 81A of Indian Evidence Act, 1872: Presumption as to Gazette in Electronic

Forms.
 Sections 6, 7 & 8: Not a mandate but a prerogative
Section 7
(Retention of
electronic
records)
Section 6 (Use Section 8
of electronic (Publication in
record & electronic
signatures) gazette)
Does not confer
any right on any
person to insist
government & its Not a mandate to accept, issue,
agencies for use create, retain and preserve any
of Electronic document in electronic form or
form.
to effect any monetary
(Section 9)
transactions in electronic form.
Sections 6, 7 & 8: Not a mandate but a prerogative
 Section 9. Sections 6, 7 and 8 not to confer right to insist document should be
accepted in electronic form.—Nothing contained in sections 6, 7 and 8 shall confer
a right upon any person to insist that any Ministry or Department of the Central
Government or the State Government or any authority or body established by or
under any law or controlled or funded by the Central or State Government should
accept, issue, create, retain and preserve any document in the form of electronic
records or effect any monetary transaction in the electronic form.
Power of Central Government to make rules in relation to e-signature

Type of e-
signature

Any other matter

which is
Manner & format
necessary to give
of affixing it.
legal effect to e-
signatures
Central
Government

Information Technology (Certifying

Authorities) Rules, 2000
Control processes
& procedure to Manner or
ensure adequate procedure to
integrity, security facilitate
& confidentiality identification of
of e-records or signer
payments
Power of Central Government to make rules in relation to e-signature

 10. Power to make rules by Central Government in respect of electronic signature.

—The Central Government may, for the purposes of this Act, by rules, prescribe
—

(a) the type of electronic signature;

(b) the manner and format in which the electronic signature shall be affixed;

(c) the manner or procedure which facilitates identification of the person affixing the
electronic signature;

(d) control processes and procedures to ensure adequate integrity, security and
confidentiality of electronic records or payments; and

(e) any other matter which is necessary to give legal effect to electronic signatures.
Validity of contracts formed through electronic means
Article 11 of UNCITRAL Model Law of E-
commerce, 1996: Formation & validity of
E-contract.
Contract Formation

Cannot be made
unenforceable Communication of
because of its Proposals
existence in e-form.

Or Revocation of Acceptance of
Proposals Proposals
Validity of contracts formed through electronic means

 Section 10A. Validity of contracts formed through electronic means.—Where in a

contract formation, the communication of proposals, the acceptance of proposals, the
revocation of proposals and acceptances, as the case may be, are expressed in
electronic form or by means of an electronic records, such contract shall not be deemed
to be unenforceable solely on the ground that such electronic form or means was used
for that purpose.
Regulation of Certifying Authorities
under the Information Technology
Act, 2000
Creation & Authentication of E-Signature

Certifying Authority

Subscriber Relying Party

Controller of Certifying Authorities (Section 17)

Central
Government

Controller of
Certifying
Authorities

Deputy Controller Deputy Controller Deputy Controller

(Technology) (Finance & Legal) (Investigation)

Assistant Assistant Assistant

Controller Controller Controller
(Technology) (Finance & Legal) (Investigation)
Controller of Certifying Authorities (Section 17)
 Section 17. Appointment of Controller and other officers.—(1) The Central
Government may, by notification in the Official Gazette, appoint a Controller of
Certifying Authorities for the purposes of this Act and may also by the same or
subsequent notification appoint such number of Deputy Controllers, Assistant
Controllers, other officers and employees as it deems fit.
(2) The Controller shall discharge his functions under this Act subject to the general control
and directions of the Central Government.
(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned to
them by the Controller under the general superintendence and control of the Controller.
(4) The qualifications, experience and terms and conditions of service of Controller, Deputy
Controllers, Assistant Controllers, other officers and employees shall be such as may be
prescribed by the Central Government.
(5) The Head Office and Branch Office of the office of the Controller shall be at such places
as the Central Government may specify, and these may be established at such places as the
Central Government may think fit.
(6) There shall be a seal of the Office of the Controller.
Functions of Controller
(Section 18)
Supervision
Maintaining
database of Certification
CA.

Duties of
Standardizatio
Certifying
n
Authortiess

Resolution of Qualification
Conflict of &
Interest. Experiences

Controller
Manner of
Conditions to
conduct while
Conduct
dealing with
Business
subscribers.
Contents of
written,
Establishment printed or
& regulation visual
of Electronic materials &
System. advertisement
Terms & .
Conditions for Form &
appointment & Form & Content of
remuneration Manner of ESC & Key
of auditors. Maintaining
Account
Functions of Controller (Section 18) Cont…
 Section 18. Functions of Controller.—The Controller may perform all or any of the
following functions, namely:–
(a) exercising supervision over the activities of the Certifying Authorities;
(b) certifying public keys of the Certifying Authorities;
(c) laying down the standards to be maintained by the Certifying Authorities;
(d) specifying the qualifications and experience which employees of the Certifying Authority
should possess;
(e) specifying the conditions subject to which the Certifying Authorities shall conduct their
business;
(f) specifying the contents of written, printed or visual materials and advertisements that may
be distributed or used in respect of a electronic signature Certificate and the public key;
(g) specifying the form and content of a electronic signature Certificate and the key;
(h) specifying the form and manner in which accounts shall be maintained by the Certifying
Authorities;
Functions of Controller (Section 18)Cont…
i) specifying the terms and conditions subject to which auditors may be appointed and the
remuneration to be paid to them;
j) facilitating the establishment of any electronic system by a Certifying Authority either
solely or jointly with other Certifying Authorities and regulation of such systems;
k) specifying the manner in which the Certifying Authorities shall conduct their dealings with
the subscribers;
l) resolving any conflict of interests between the Certifying Authorities and the subscribers;
m) laying down the duties of the Certifying Authorities;
n) maintaining a data base containing the disclosure record of every Certifying Authority
containing such particulars as may be specified by regulations, which shall be accessible to
public.
Recognition of a Foreign Certifying Authorities (Section 19)

Revocation of Recognition for contravention of Conditions &

Recognition

Indian Foreign
Certifyin
MOU/Controller with
previous approval of
Certifyi
g CG, notified in the ng
official gazette.
Authorit Authorit
ies ies

Valid Electronic Signature Certificate

Recognition of a Foreign Certifying Authorities (Section 19)

 Section 19. Recognition of foreign Certifying Authorities.—

(1) Subject to such conditions and restrictions as may be specified by regulations, the
Controller may with the previous approval of the Central Government, and by notification
in the Official Gazette, recognize any foreign Certifying Authority as a Certifying
Authority for the purposes of this Act.

(2) Where any Certifying Authority is recognized under sub-section (1), the electronic
signature Certificate issued by such Certifying Authority shall be valid for the purposes of
this Act.

(3) The Controller may, if he is satisfied that any Certifying Authority has contravened any of
the conditions and restrictions subject to which it was granted recognition under sub-
section (1) he may, for reasons to be recorded in writing, by notification in the Official
Gazette, revoke such recognition.
Controller as a Repository (Section 20) *Omitted by the Information Technology (Amendment) Act, 2008
(10 of 2009)

Make use of Hardware,

software & procedure that
are secured from
intrusion.
Root Certifying Authority of India

National Repository of Digital

Certificate
Controller to act as a
repository Controller

Maintain computerized
Observe other standards
database of all public keys
as prescribed by C.G. to
in such manner that the
ensure secrecy & security
same is available to the
of DS.
public.
License to Issue ESC (Section 21)

Applicant
fulfills
requirements:
qualification,
expertise,
Any person may Controller for
manpower, Issuance of
make an license to issue
financial License
Application ESC
sources & other
infrastructure
facilities as
prescribed by
CG

Validity Period: Five Years from date of Issue.

No transferable or heritable
Subject to terms & conditions as specified in the Regulation.
License to Issue ESC (Section 21) Cont…

 Section 21. Licence to issue electronic signature Certificates.—

(1) Subject to the provisions of sub-section (2), any person may make an application, to
the Controller, for a licence to issue electronic signature Certificates.

(2) No licence shall be issued under sub-section (1), unless the applicant fulfils such
requirements with respect to qualification, expertise, manpower, financial resources
and other infrastructure facilities, which are necessary to issue electronic signature
Certificates as may be prescribed by the Central Government.

(3) A licence granted under this section shall— (a) be valid for such period as may be
prescribed by the Central Government; (b) not be transferable or heritable; (c) be
subject to such terms and conditions as may be specified by the regulations.
Application for License (Section 22)
Certification
Practice
Statement

Identification
Other Form prescribed by Central
Procedure
Documents Government
Statement

Fees not
exceeding
Rs.25000/-
Application for License (Section 22)
 Section 22. Application for licence.—
(1) Every application for issue of a licence shall be in such form as may
be prescribed by the Central Government.
(2) Every application for issue of a licence shall be accompanied by—
(a) a certification practice statement;
(b) a statement including the procedures with respect to identification of
the applicant;
(c) payment of such fees, not exceeding twenty-five thousand rupees as
may be prescribed by the Central Government;
(d) such other documents, as may be prescribed by the Central
Government.
Renewal of License (Section 23)

Form

Fees (not exceeding

Rs.5000/-)

Shall be made not less than 45

days before the date of expiry.

Controller
Renewal of License (Section 23)

 Section 23. Renewal of licence.—

An application for renewal of a licence shall be—

(a) in such form;

(b) accompanied by such fees, not exceeding five thousand rupees,

as may be prescribed by the Central Government and shall be made not less than
forty-five days before the date of expiry of the period of validity of the licence.
Procedure for grant or rejection of License (Section 24)

Grant or Reject
(Rejection after giving a
reasonable opportunity of
Consider the documents hearing.)
accompanying application
& such other factors as he
Controller receive deems fit.
application under Section (within four weeks from
21 (1) the date of receipt.)
Procedure for grant or rejection of License (Section 24)
 Section 24. Procedure for grant or rejection of licence.—

The Controller may, on receipt of an application under sub-section (1) of section 21, after
considering the documents accompanying the application and such other factors, as he
deems fit, grant the licence or reject the application:

Provided that no application shall be rejected under this section unless the applicant has
been given a reasonable opportunity of presenting his case.
Suspension of License (Section 25)

Statement is incorrect or false in Vitiate the terms & conditions

material.

Controller make an
inquiry & traced
that:

Contravention of Act, rule, Failed to maintain procedures &

regulation or order made standards specified in section 30.
thereunder

Revocation of License (After providing reasonable

opportunity of hearing)
Suspension of License (Section 25) Cont.

Presence of
reasonable grounds
of revocation
During suspension no
ESC can be issued by
CA.
Controller by order
suspension of
license pending
enquiry.

No suspension
beyond 10 days
unless CA has been
given a reasonable
opportunity of
showing cause
against proposed
suspension.
 Suspension of License (Section 25) Cont.
 Section 25. Suspension of licence.—
(1) The Controller may, if he is satisfied after making such inquiry, as he may think fit, that a Certifying
Authority has—
(a) made a statement in, or in relation to, the application for the issue or renewal of the licence, which is
incorrect or false in material particulars;
(b) failed to comply with the terms and conditions subject to which the licence was granted;
(c) failed to maintain the procedures and standards specified in section 30;
(d) contravened any provisions of this Act, rule, regulation or order made thereunder, revoke the licence:
Provided that no licence shall be revoked unless the Certifying Authority has been given a reasonable
opportunity of showing cause against the proposed revocation.
(2) The Controller may, if he has reasonable cause to believe that there is any ground for revoking a licence
under sub-section (1), by order suspend such licence pending the completion of any enquiry ordered by him:
Provided that no licence shall be suspended for a period exceeding ten days unless the Certifying Authority
has been given a reasonable opportunity of showing cause against the proposed suspension.
(3) No Certifying Authority whose licence has been suspended shall issue any electronic signature Certificate
during such suspension.
Publication of Notice of Suspension or Revocation (Section 26)

Publication in Database
maintained by it.
Made available through
website, accessible
round the clock
Notice of Suspension
Controller Publish in Repositories
or Revocation

Publish the contents of

database in electronic
or other media.
Publication of Notice of Suspension or Revocation (Section 26) Cont.

 Section 26. Notice of suspension or revocation of licence.—

(1) Where the licence of the Certifying Authority is suspended or revoked, the Controller shall
publish notice of such suspension or revocation, as the case may be, in the data base maintained
by him.

(2) Where one or more repositories are specified, the Controller shall publish notices of such
suspension or revocation, as the case may be, in all such repositories:

Provided that the data base containing the notice of such suspension or revocation, as the case
may be, shall be made available through a web site which shall be accessible round the clock:

Provided further that the Controller may, if he considers necessary, publicise the contents of
data base in such electronic or other media, as he may consider appropriate.
Power to Delegate (Section 27)

Deputy
To exercise
In writing Controller, Asst.
Controller powers of
authorize Collector or any
controller.
other officer
Power to Delegate (Section 27) Cont…

 Section 27. Power to delegate.—

The Controller may, in writing, authorise the Deputy Controller, Assistant Controller
or any officer to exercise any of the powers of the Controller under this Chapter.
Power to investigate contraventions (Section 28)

For any
contravention
Take up
investigation
Controller or
authorized
officer
Exercise the powers conferred on income-tax authorities.
Power to investigate contraventions (Section 28)
 Section 28: Power to investigate contraventions.—

(1) The Controller or any officer authorized by him in this behalf shall take up for
investigation any contravention of the provisions of this Act, rules or regulations
made thereunder.

(2) The Controller or any officer authorized by him in this behalf shall exercise the
like powers which are conferred on Income-tax authorities under Chapter XIII of
the Income-tax Act, 1961 (43 of 1961), and shall exercise such powers, subject to
such limitations laid down under that Act.
Access to Computers & Data (Section 29)
Controller or Direct any person in-charge
authorized
person of or otherwise concerned
with to provide with
Has reasonable reasonable technical &
cause to other assistance.
suspect that
any
contravention
of provisions.
Access to any
computer
system, any
apparatus,
data or any
other material
connected with
system.
For searching
or cause a
search to be
made for
obtaining any
information.
Access to Computers & Data (Section 29)
 Section 29. Access to computers and data.—

(1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any
person authorised by him shall, if he has reasonable cause to suspect that any contravention of the
provisions of this Chapter has been committed, have access to any computer system, any
apparatus, data or any other material connected with such system, for the purpose of searching or
causing a search to be made for obtaining any information or data contained in or available to such
computer system.

(2) For the purposes of sub-section (1), the Controller or any person authorized by him may, by
order, direct any person in charge of, or otherwise concerned with the operation of, the computer
system, data apparatus or material, to provide him with such reasonable technical and other
assistance as he may consider necessary.
Procedures to be followed by Certifying Authority (Section 30)

Procedure to
secure
intrusion

Observe
Reliability
other
in its service
standards

Certifying
Authority

Public info.
about
practices, Adherence
to security
ESCs & its
procedures
current
status.

Repository
of all ESCs
Procedures to be followed by Certifying Authority (Section 30)

 Section 30. Certifying Authority to follow certain procedures.—

Every Certifying Authority shall,—

(a) make use of hardware, software and procedures that are secure from intrusion and misuse;

(b) provide a reasonable level of reliability in its services which are reasonably suited to the
performance of intended functions;

(c) adhere to security procedures to ensure that the secrecy and privacy of the electronic
signatures are assured; (ca) be the repository of all electronic signature Certificates issued
under this Act; (cb) publish information regarding its practices, electronic signature Certificates
and current status of such certificates; and

(d) observe such other standards as may be specified by regulations.

Certifying Authority to ensure compliance of the Act, etc.
(Section 31)

Certifying
authority

Compliance to
the Act in the
course of
employment or
engagement.

Otherwise Its
engaged employer
Certifying Authority to ensure compliance of the Act, etc.
(Section 31)

 Section 31. Certifying Authority to ensure compliance of the Act, etc.—

Every Certifying Authority shall ensure that every person employed or otherwise engaged by it
complies, in the course of his employment or engagement, with the provisions of this Act, rules,
regulations and orders made thereunder.

Section 32. Display of license.—

Every Certifying Authority shall display its license at a conspicuous place of the premises in
which it carries on its business.
Section 33: Surrender of License
Controller

Suspended or Revoked License of

Certifying Authority

Surrender the License

If not surrender, then punishable with

imprisonment of maximum 6 months
or/and fine of maximum Rs.10,000/-
Section 33: Surrender of License
 Section 33. Surrender of licence.—

(1) Every Certifying Authority whose licence is suspended or revoked shall immediately after
such suspension or revocation, surrender the licence to the Controller.

(2) Where any Certifying Authority fails to surrender a licence under sub-section (1), the
person in whose favour a licence is issued, shall be guilty of an offence and shall be punished
with imprisonment which may extend up to six months or a fine which may extend up to ten
thousand rupees or with both.
Section 34: Disclosure
ESC

Certification
Other material Maintenance
Practice
fact of disclosure
Statement

Notice of
Revocation or
Suspension of
CA certificate
Section 34: Disclosure
 Section 34: Disclosure.–
(1) Every Certifying Authority shall disclose in the manner specified by regulations—
(a) its electronic signature Certificate;
(b) any certification practice statement relevant thereto;
(c) notice of the revocation or suspension of its Certifying Authority certificate, if any; and
(d) any other fact that materially and adversely affects either the reliability of a electronic
signature Certificate, which that Authority has issued, or the Authority's ability to perform its
services.
(2) Where in the opinion of the Certifying Authority any event has occurred or any situation
has arisen which may materially and adversely affect the integrity of its computer system or
the conditions subject to which a electronic signature Certificate was granted, then, the
Certifying Authority shall–
(a) use reasonable efforts to notify any person who is likely to be affected by that occurrence;
or
(b) act in accordance with the procedure specified in its certification practice statement to deal
with such event or situation.
DUTIES OF SUBSCRIBERS
How to become a subscriber?
Generating Key Pair [Section 40, Rule 19(2)]

Generate key Key pair with

pair in the key statistically
Subscriber
generation random key
system values.

Section 40. Generating key pair.–Where any Digital Signature Certificate, the public key of which
corresponds to the private key of that subscriber which is to be listed in the Digital Signature
Certificate has been accepted by a subscriber, the subscriber shall generate that key pair by
applying the security procedure.
Acceptance of Digital Signature Certificate by Subscriber [Section 41]

Publishes or
authorize the
publication to
one or more
persons or in a
repository.

Demonstrates
his approval
of DSC in any
manner

Acceptance of
DSC
Effects of Acceptance of Digital Signature Certificate by Subscriber [Section 41]

Pvt. Key corresponding to

public key listed in the
DSC is the digital
signature of subscriber.

All information in the

Certificate are true within Certificate has been
the knowledge of accepted & is operational.
subscriber.
Effects of Acceptance

All representations made

by subscriber to RA/LRA No Unauthorized access to
or CA regarding DSC’s subscriber’s private key.
information are true.
Acceptance of Digital Signature Certificate by Subscriber [Section 41]

 Section 41. Acceptance of Digital Signature Certificate.–

(1) A subscriber shall be deemed to have accepted a Digital Signature Certificate if he publishes or
authorises the publication of a Digital Signature Certificate– (a) to one or more persons; (b) in a
repository; or otherwise demonstrates his approval of the Digital Signature Certificate in any
manner.

(2) By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on
the information contained in the Digital Signature Certificate that– (a) the subscriber holds the
private key corresponding to the public key listed in the Digital Signature Certificate and is entitled
to hold the same; (b) all representations made by the subscriber to the Certifying Authority and all
material relevant to the information contained in the Digital Signature Certificate are true; (c) all
information in the Digital Signature Certificate that is within the knowledge of the subscriber is true.
Control of Private Key [Section 42]

Prevent it’s disclosure.
Shall immediately
inform certifying
authority without delay
if Pvt. Key has been
compromised.

Subscriber to take
reasonable care to retain
control of the Pvt. Key.

Till the time the subscriber inform to the certifying authority, he shall be
liable.
Control of Private Key [Section 42]

Prevent it’s disclosure.
Shall immediately
inform certifying
authority without delay
if Pvt. Key has been
compromised.

Subscriber to take
reasonable care to retain
control of the Pvt. Key.

Till the time the subscriber inform to the certifying authority, he shall be
liable.
Control of Private Key [Section 42]
 Section 42. Control of private key.–

 (1) Every subscriber shall exercise reasonable care to retain control of the private key
corresponding to the public key listed in his Digital Signature Certificate and take all
steps to prevent its disclosure.

 (2) If the private key corresponding to the public key listed in the Digital Signature
Certificate has been compromised, then, the subscriber shall communicate the same
without any delay to the Certifying Authority in such manner as may be specified by the
regulations.

 Explanation.–For the removal of doubts, it is hereby declared that the subscriber shall be
liable till he has informed the Certifying Authority that the private key has been
compromised.
 Duties of Subscribers (Sections 40-42)

Demonstrate Protecting Pvt. Key

acceptance of DSC in secure medium.

Using certificate only Notifying any change

for authorized in information in
purpose. DSC.

Notifying
Providing correct immediately any
information in the suspected or actual
application. compromise of the
Pvt. Key.

Generating key pair Terminating the use

Duties of Subscriber
in secure medium. of certificate.
Thank You !