Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 567892 Chapter 1: Information Technology Law Learning agenda: Information Technology Act Definitions, Important terms under Information Technology Legislation Digital Signatures Electronic Records Certifying Authority Digital Signature Certificate Cyber Regulation Appellate Tribunal Offences & Penalties Introduction: UNCITRAL Model Law on E-Commerce; January 30, 1997 Information Technology Act, 2000; October 17, 2000 IT Act, 2008; made applicable on October 27, 2009 Extends to whole of India, and applies to any contravention committed outside India by any person Does not apply to: ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ Objectives of the Act: To give legal recognition to: Any transaction which is done electronically or use of internet Digital signature for accepting any agreement via computer Keeping books of accounts by bankers and other companies in electronic form Storage of data in electronic form by companies To stop:Computer crime and protect privacy of internet users To empower:SEBI, RBI & Indian Evidence Act for restricting electronic crime To facilitate:Online filing of documents in school admission or registration in employment exchange Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 567893 Important definitions under the Act: 2(1)(a) Access 2(1)(b) Addressee 2(1)(c) Adjudicating Officer 2(1)(d) Affixing digital signature 2(1)(e) Appropriate Government 2(1)(f) Asymmetric crypto system 2(1)(g) Certifying Authority 2(1)(h) Certification practice statement 2(1)(i) Computer 2(1)(j) Computer network 2(1)(l) Computer system 2(1)(o) Data 2(1)(p) Digital signature Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 567894 2(1)(r) Electronic form 2(1)(w) Intermediary 2(1)(x) Key pair 2(1)(Za) Originator 2(1)(Zc) Private Key 2(1)(zd) Public key 2(1)(ze) Secure system 2(1)(zh) Verify 2(t) Electronic Record Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 567895 Digital Signature Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 567896 ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ Provisions relating to Digital Signature & Electronic Signature Aspersection3ofInformationTechnologyAct,2000asamended,anysubscribermayauthenticatean electronicrecordbyaffixinghisdigitalsignature.Suchauthenticationshallbedonebyuseofasymmetric cryptosystemandhashfunction,whichenvelopsandtransformtheelectronicrecordsintoanother electronic record.Anypersonbyuseofpublickeyofthesubscribercanverifytheelectronicrecord.Theprivatekeyandthe public key are unique to the subscriber and constitute a functioning key pair. Certification Authorities (CA) in India maintains the public key infrastructure (PKI).What is the difference between a digital signature and an electronic signature? Adigitalsignatureoftenreferredtoasadvancedorstandardelectronicsignature,fallsintoasub-groupof electronic signatures that provides the highest levels of security and universal acceptance.Digital signatures are based on Public Key Infrastructure (PKI) technology, and guarantee signer identity and intent, data integrity, and the non-repudiation of signed documents. The digital signature cannot be copied, tampered with or altered. In addition, because digital signatures are based on standard PKI technology, they can be validated by anyone without the need for proprietary verification software.Ontheotherhand,anelectronicsignatureisaproprietaryformat(thereisnostandardforelectronic signatures)thatmaybeadigitizedimageofahandwrittensignature,asymbol,voiceprint,etc.,usedto identify the author(s) of an electronic message. An electronic signature is vulnerable to copying and tampering, and invites forgery. Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 567897 Electronic Record AsperSection2(t)ofInformationTechnologyAct,2000asamended,Electronicrecordmeansdata,recordordata generated,imageorsoundstored,receivedorsentinanelectronicformormicrofilmorcomputergeneratedmicro fiche, Authentication of Electronic Records: As per Section 3 of IT Act, 2000 as amended, any subscriber may authenticate an electronic record by affixing his digital signature.Theauthenticationofanelectronicrecordiseffectedbytheuseofasymmetriccryptosystemandhash function, which envelop and transform the initial electronic record into another electronic record. Hash function means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as hash result.Legal Recognition to Electronic Records: Section4ofITAct,2000asamendedprovideslegalrecognitiontoElectronicRecords.AsperSection4ofsaidAct, Whereanylawprovidesthatinformationoranyothermattershallbeinwritingorinthetypewrittenorprintedform, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such informationormatterisrenderedormadeavailableinanelectronicform,andaccessiblesoastobeusablefora subsequent reference. Writing Material for Chapter One ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 567898 Use of Electronic Records: As per Section 6 of IT Act, 2000 as amended, where any law provides for the filing of any form application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner, then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government. Retention of Electronic Records: Section 7 of the IT Act, 2000 as amended, provides for retention of records in electronic format.It provides that where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, if - (a) The information contained therein remains accessible so as to be usable for a subsequent reference, (b)Theelectronicrecordisretainedintheformatinwhichitwasoriginallygenerated,sentorreceivedorinaformat which can be demonstrated to represent accurately the information originally generated, sent or received, (c) The details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record: Provided that this clause does not apply to any information, which is automatically generated solely for the purpose of enabling an electronic record to be dispatched or received. Audit of Electronic Records is allowed by virtue of section _______. Validity of contracts formed through electronic means:___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 567899 Information Technology Act, 2000 (as amended) Chapter I Preliminary o1. Short title, extent, commencement and application. - o2. Definitions. - Chapter II Digital Signature o3. Authentication of electronic records. - Chapter III Electronic Governance o4. Legal recognition of electronic records - o5. Legal recognition of digital signatures. - o6. Use of electronic records and digital signatures in Government and its agencies. (1) Where any law provides for- o7. Retention of electronic records.- o8. Publication of rule, regulation, etc., in Electronic Gazette. - o9. Section 6, 7 and 8 not to confer right to insist document should be accepted in electronic form.- o10. Power to make rules by Central Government in respect of digital signature.- Chapter IV Attribution, Acknowledgement and Dispatch of Electronic records o11. Attribution of electronic records.- o12. Acknowledge of receipt.- o13. Time and place of dispatch and receipt of electronic record. - Chapter V Secure Electronic records and secure digital signatures o14. Secure electronic record.- o15. Secure digital signature.- o16. Security procedure.- Chapter VI Regulation of Certifying Authorities o17. Appointment of Controller and other officers. - o18. Functions of Controller. - o19. Recognition of foreign Certifying Authorities. - o20. Controller to act as repository. - o21. License tissue Digital Signature Certificates. - o22. Application for license. - o23. Renewal of license - o24. Procedure for grant or rejection of license.- o25. Suspension of license. - o26. Notice of suspension revocation of license.- o27. Power to delegate - o28. Power to investigate contraventions. - o29. Access to computers and data. - o30. Certifying Authority to follow certain procedures.- o31. Certifying Authority to ensure compliance of the Act, etc.- o32. Display of license.- o33. Surrender of license. - o34. Disclosure. - Chapter VII Digital Signature Certificates o35. Certifying authority to issue Digital Signature Certificate. - o36. Representations upon issuance Digital Signature Certificate. - o37. Suspension of Digital Signature Certificate. - o38. Revocation of Digital Signature Certificate. - o39. Notice of suspension or revocation. - Chapter VIII Duties of Subscribers o40. Generating key pair.- o41. Acceptance of Digital Signature Certificate. - o42. Control of private key. - Chapter IX Penalties and Adjudication o43. Penalty for damage to computer, computer system, etc.- o44. Penalty for failure to furnish information, return, etc.- o45. Residuary penalty.- o46. Power to adjudicate. - o47. Factors to be taken into account by the adjudicating officer. - Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 5678910 Chapter X The Cyber Regulations Appellate Tribunal o48. Establishment of Cyber Appellate Tribunal. - o49. Composition of Cyber Appellate Tribunal.- o50. Qualifications for appointment as Presiding Officer of the Cyber Appellate Tribunal. - o51. Term of office. - o52. Salary, allowance and other terms conditions of service of Presiding Officer.- o53. Filling up of vacancies. - o54. Resignation and removal. - o55. Orders constituting Appellate Tribunal to be final and not to invalidate its proceedings. - o56. Staff of the Cyber Appellate Tribunal. - o57. Appeal to Cyber Regulations Appellate Tribunal. - o58. Procedure and powers of the Cyber Appellate Tribunal. - o59. Right to legal representation. - o60. Limitation. - o61. Civil court not to have jurisdiction. - o62. Appeals to High Court. - o63. Compounding of contraventions. - o64. Recovery of penalty. - Chapter XI Offences o65. Tampering with computer source documents. - o66. Hacking with Computer System. - o66A Punishment for sending offensive messages through communication service, etc. o66B Punishment for dishonestly receiving stolen computer resource or communication device (ITA 08) o66C Punishment for identity theft. (Inserted Vide ITA 2008) o66D Punishment for cheating by personation by using computer resource (Inserted Vide ITA 2008) o66E Punishment for violation of privacy. (Inserted Vide ITA 2008) o67. Publishing of information, which is obscene in electronic form. o68. Power of the Controller to give directions. o69. Directions of Controller to a subscriber to extend facilities to decrypt information. o70. Protected system.- o71. Penalty for misrepresentation.- o72. Breach of confidentiality and privacy.- o73. Penalty for publishing Digital Signature Certificate false in certain particulars. - o74. Publication for fraudulent purpose. - o75. Act to apply for offence or contravention committed outside India. - o76. Confiscation. - o77. Penalties and confiscation not to interfere with other punishments. - o78. Power to investigate offence. - Chapter XII Network service providers not to be liable in certain cases o79. Network service providers not to be liable in certain cases. - Chapter XIII Miscellaneous o80. Power of police officer and other officers to enter, search, etc. - o81. Act to have overriding effect. - o82. Controller, Deputy Controller and Assistant Controllers to be public servants. - o83. Power to give directions.- o84. Protection of action taken in good faith. - o85. Offences by companies. - o86. Removal of difficulties. - o87. Power of Central Government to make rules. - o88. Constitution of Advisory Committee. - o89. Power of Controller to make regulations. - o90. Power of State Government to make rules. - o91. Amendment of Act 45 of 1860.- o92. Amendment of Act 1 of 1872. - o93. Amendment of Act 18 of 1891.- o94. Amendment of Act 2 of 1934.- oTHE FIRST SCHEDULE oTHE SECOND SCHEDULE oTHE THIRD SCHEDULE oTHE FOURTH SCHEDULE Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 5678911 Section 11: Attribution of Electronic records An electronic record shall be attributed to the originator: (a) if it was sent by the originator himself; (b) by a person who had the authority to act on behalf of the originator in respect of that electronic record; or (c) by an information system programmed by or on behalf of the originator to operate automatically. Section 12: Acknowledgement of receipt of an electronic record When is an electronic record to be treated as sent or not? Here three different conditions exist: Where the originator has not agreed with the addressee that the acknowledgement of receipt of electronic record be given in a particular form or by a particular method, an acknowledgement may be given by: (a) Any communication by the addressee, automated or otherwise (b) Any conduct of the addressee Where the originator has stipulated that the electronic record shall be binding only on receipt of an acknowledgement, then Unless acknowledgement has been so received, the electronic record shall be deemed to have been never sent by the originator. Where the originator has not stipulated that the electronic record shall be binding only on receipt of such acknowledgment, and the acknowledgement has not been received by the originator within the time specified or agreed or, if no time has been specified or agreed to within a reasonable time, then: The originator may give notice to the addressee stating that no acknowledgement has been received by him and specifying a reasonable time by which he acknowledgement must be received by him and if no acknowledgement is received within the aforesaid time limit he may after giving notice to the addressee, treat the electronic record as tough it has never been sent. Section 13: Time & place of dispatch and receipt of electronic record: -Iftheaddresseehasnotdesignatedacomputerresourcealongwithspecifiedtimings;receiptoccurswhenthe electronic record enters the computer resource of the addressee. - Unless otherwise agreed between the originator and the addressee, the dispatch of an electronic record occurs when itentersacomputerresourceoutsidethecontroloforiginatorandthetimeofreceiptshallbeatthetimewhenthe electronic record enters the designated computer resource. Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 5678912 Certifying Authority (CA) A Certifying Authority is a trusted body whose central responsibility is to issue, revoke, renew and provide directories of DigitalCertificates.Inrealmeaning,thefunctionofaCertifyingAuthorityisequivalenttothatofthepassportissuing officeintheGovernment.Apassportisacitizen'ssecuredocument(a"paperidentity"),issuedbyanappropriate authority,certifyingthatthecitizeniswhoheorsheclaimstobe.Anyothercountrytrustingtheauthorityofthat country's Government passport Office will trust the citizen's passport. Similartoapassport,auser'scertificateisissuedandsignedbyaCertifyingAuthorityandactsasaproof.Anyone trusting the Certifying Authority can also trust the user's certificate. Accordingtosection24underInformationTechnologyAct2000"CertifyingAuthority"meansapersonwhohasbeen granted a licence to issue Digital Signature Certificates. Application for becoming Certifying Authority TheITAct2000givesdetailsofwhocanactasaCA.AccordinglyaprospectiveCAhastoestablishtherequired infrastructure,getitauditedbytheauditorsappointedbytheofficeofControllerofCertifyingAuthorities,andonly based on complete compliance of the requirements, a license to operate as a Certifying Authority can be obtained. The license is issued by the Controller of Certifying Authority, Ministry of Information Technology, Government of India. AnypersonwhoisfulfillingtherequirementsofCentralGovernment,canapplyforalicensetoissueElectronic Signature Certificates. A license granted is valid for 5 years and is neither transferable nor heritable. Fees for application is _____________________. Renewal of license A CA can apply for renewal of license not less than forty-five days before the date of expiry of the period of validity of licenseandcomplyallrulesofafreshapplication.Authoritiescanrejectnoapplicationunlesstheapplicanthasbeen given a reasonable opportunity of presenting his case. Suspension/Revocation of license of a Certifying Authority Controller of Certifying Authorities can revoke license If he is satisfied after inquiry of the allegations That CA has made incorrect statement in material particularsAND/OR Has failed to comply with license conditions AND/OR Failed to maintain standards as per the Act AND/OR Contravened any provisions of the Act During the process of inquiry; CCA may suspend license of CA after giving reasonable opportunity to show cause For not more than 10 days; during which CA can issue no DSC/ESC Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 5678913 Disclosures by Certifying Authority -- Electronic Signature -- Certification Practice Statement -- Any notice of revocation of its CA certificate -- Any other material fact that affects the reliability of Digital Signature Certificate -- Any material event that may affect the integrity of its computer system should be notified to any person who is likely to be affected by such occurrence. Functions of Controller of CA FunctionKeyword Function Description Supervision Certifying Standard Employees Business Advertisements Form & Content AccountsAuditors Establishment Dealings Conflict Duties Disclosure Record Public Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 5678914 Recognition of Foreign Certifying Authorities Recognition of foreign CA: done by CCA With prior approval of Central Government Fulfillment of prescribed conditions and restrictions IfForeignCAcontravenesanyconditionsandrestrictions;thensuchrecognitionmayberevokedbyCCAaftertaking reasons for contravention in writing & publishing in official gazette. Digital Signature Certificates Certifying authority to issue Digital Signature Certificate Certifying Authority will issue Electronic Signature Certificate on an application by a person in the form prescribed by the Central government. The application should be accompanied by a fee not exceeding _______________ and a certificate practice statement. Onreceiptofanapplication,theCertifyingAuthoritymay,afterconsiderationofthecertificationpracticestatementor theotherprescribedstatementandaftermakingsuchenquiriesasitmaydeemfit,granttheelectronicSignature Certificate or for reasons to be recorded in writing, reject the application: Provided that no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection. Representations upon issuance Digital Signature Certificate A Certifying Authority While issuing a Digital Signature Certificate shall certify that - (a) It has complied with the provisions of this Act(b) It has published the Digital Signature Certificate and the subscriber has accepted it; (c) The subscriber holds the private key corresponding to the public key, listed in the Digital Signature Certificate, (ca) The subscriber holds a private key which is capable of creating a digital signature: (cb) The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the subscriber (d) The subscribers public key and private key constitute a functioning key pair, (e) The information contained in the Digital Signature Certificate is accurate, and (f) It has no knowledge of any material fact, which would adversely affect the reliability of the DSC Suspension of Digital Signature Certificate Section 37 of the Act provides that the Certifying Authority may suspend such Digital Signature Certificate, (a) On receipt of a request from - (i) the subscriber, or (ii) any person duly authorised to act on behalf of that subscriber, (b) If it is of opinion that the Digital Signature Certificate should be suspended in public interest ADigitalSignatureCertificateshallnotbesuspendedforaperiodexceedingfifteendaysunlessthesubscriberhas been given an OOBH in the matter. On suspension of a DSC, the CA shall communicate to the subscriber. Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 5678915 Revocation of Digital Signature Certificate -- Under Section 38; A Certifying Authority may revoke a Digital Signature Certificate issued by it - (a) where the subscriber or any other person authorised by him makes a request to that effect, or (b) upon the death of the subscriber, or (c)upon the dissolution of the firm or winding up of the company where the subscriber is a firm or a company. -- Certifying Authority may revoke a Digital Signature Certificate which has been issued by it, if it is of opinion that - (a) a material fact represented in the Digital Signature Certificate is false or has been concealed, (b) a requirement for issuance of the Digital Signature Certificate was not satisfied, (c) the Certifying Authoritys private key was compromised, materially affecting the DSCs reliability, (d)thesubscriberhasbeendeclaredinsolventordeadorwhereasubscriberisafirmoracompany,whichhasbeen dissolved, wound-up or otherwise ceased to exist -- A Digital Signature Certificate shall not be revoked unless the subscriber has been given an OOBH in the matter. --OnrevocationofaDigitalSignatureCertificateunderthissection,theCertifyingAuthorityshallcommunicatethe same to the subscriber. Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 5678916 Cyber Appellate Tribunal ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ Composition of cyber appellate tribunal ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ Qualification for appointment at presiding officer of CAT ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ Term of office of presiding officer: ________________________________________________________ Resignation and removal ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ ___________________________________________________________________________________________________________ Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 5678917 Staff of Cyber Appellate Tribunal -- Central Government shall provide employees to CAT as it thinks fit. -- The officers & employees of CAT shall function under Presiding officer. -- The salary, allowances & other conditions shall be prescribed by the Central Government. Appeal to CAT Any person aggrieved by an order of CCA/AO may appeal to CAT within 45 days from the order of the CCA/AO. ___________________________________________________________________________________________________________ Procedures and powers of CAT The CAT shall not be bound by the procedure laid down by the Code of Civil Procedure, 1908 but shall be guided by the principlesofnaturaljustice.TheCATshallhavepowerstoregulateitsownprocedureincludingtheplaceatwhichit shall have its sitting. The CAT shall have, for the purposes of discharging its functions under this Act, the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, in respect of the following matters, namely: (a) summoning and enforcing the attendance of any person and examining him on oath, (b) requiring the discovery and production of documents or other electronic records; (c) receiving evidence on affidavits; (d) issuing commissions for the examination of witnesses of documents, (e) reviewing its decisions, (f) dismissing an application for default or deciding it ex parte, (g) any other matter which may be prescribed. Every proceeding before the CATshall be deemed to be a judicial and the CAT shall be deemed to be a civil court. Civil courts not to have jurisdiction Nocourtshallhavejurisdictionstoentertainanysuitorproceedinginrespectofanymatterwhichanadjudicating officer appointed under this Act or the Cyber Appellate Tribunal constituted under this Act is empowered.No injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act. Appeal to High Court AnypersonaggrievedbyanydecisionororderoftheCyberAppellateTribunalmayfileanappealtotheHighCourt within sixty days from the date of communication of the decision or order of the Cyber Appellate Tribunal to him on any question of fact or law arising out of such order: Provided that the High Court may, if it is satisfied that the appellant was prevented by sufficient cause from filing the appeal within 45 days, it may allow it to be filed within a further period not exceeding sixty days. Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 5678918 Offences & Penalties under IT Act, 2000 (as amended) Penalties for Contraventions under the Act Penalty u/s ContraventionAmount of Penalty 43 44 45 Penalties for offences under the Act SectionOffence (If any person, intentionally, dishonestly or fraudulently does any act referred to in following sections) Penalty 65 66 66A 66B 66C 66D Prudential EducationSiddharth S Jain Information Technology & Systems Audit+91 97540 5678919 66E 66F 67 67A 67B 67C 68 69 69A 69B 71 72 73 74 72A