Inf Tech Act, 1881

Uploaded by

aayushgiri21
INTRODUCTION

Business has been the biggest beneficiary of developments in internet technology. By making global communication inexpensive, information technology has greatly influenced business practices. It has paved the way for electronic commerce, popularly known as E-Commerce. It involves the exchange of goods and/or services for value on the internet. Business transactions are conducted over computer networks. Commercial activities conducted electronically include online trading of goods and services, electronic fund transfers, electronic data exchanges between and within companies, etc.

NEED FOR LEGISLATION

The law of information technology is that branch of cyber law which regulates information storage, processing and communication. The gap between law and technology has highlighted the need for formulating specific legislation applicable to the field of electronic commerce. It encompasses business conducted on the internet besides addressing security concerns.

Paper based documents relating to contract are made in writing and contain signatures of the contracting parties. The contract is executed on stamp paper of appropriate value. All these requirements are not satisfied in a paperless regime of electronic trade. The requirement as to writing is met by "electronic data". This information is accessible and usable for subsequent reference. Since the information is in writing,

INFORMATION TECHNOLOGY ACT, 2000

The Information Technology Act is broadly based on the UNCITRAL (United Nations Commission on International Trade Law) Model Law on e-commerce. The Act aims to facilitate the development of a secure signature regulatory environment for e-commerce. Legal provisions have been made to govern electronic contracting. It has provided for the integrity of electronic transactions, use of digital signatures and other issues relating to e-commerce.

It accords uniform treatment to paper as well as electronic documents and signatures as regards their evidentiary value. Issues relating to integrity and authentication of secure electronic records and electronic signatures have also been dealt with. To attain this objective, appropriate modifications have been made in the Evidence Act. Electronic contracting and use of electronic records and electronic signatures by government entities have been given legal recognition. Civil and criminal penalties have been prescribed for fraudulent falsification of computer records, circumvention of control, unauthorised use or access into computer system and unauthorised alteration or destruction of computer data or system.

MAIN OBJECTIVES OF THE ACT

The Act has been designed to achieve the following objectives:

(i) To grant legal recognition to transactions carried out by means of electronic data interchange and other means of electronic communication commonly referred to as "electronic commerce" in place of paper based methods of communication.
(ii) To give legal recognition to digital signatures for authentication of any information or matter which requires authentication under any law.
(iii) To facilitate electronic filing of documents with the government departments.
(iv) To facilitate electronic storage of data.
(v) To facilitate and to give legal sanction to electronic transfers of funds between banks and financial institutions.
(vi) To recognize the keeping of books of account by bankers in electronic form.
(vii) To create civil and criminal liabilities for contravention of provisions of the Act.

Asymmetric Crypto System [Section 2(1)(f)]: "It is a system of secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature". In it, only one party needs to know the private key. The knowledge of public key by a third party does not compromise security.
Asymmetric Crypto System is another name for digital signature technology. This system is also known as 'public key encryption'. It involves the use of two mathematically related numbers (called 'keys'). One key is used for creating digital signature. It transforms data into seemingly unintelligible form. The other key is for verifying the digital signature or returning the message to its original form. The computer equipment and software using these two keys is often collectively called "asymmetric crypto system". Every person using the system has two keys, namely a private key which only the owner knows and a public key which anyone can know. Public key encrypts the message and private key decrypts or vice versa. The encrypting key is made public but decrypting key is kept secret. The two keys provide a way of authenticating the parties involved in a digitally signed document.

PART IV: INFORMATION TECHNOLOGY ACT, 2000
CH. 24: DIGITAL SIGNATURE

Meaning and Definition

In simple terms, "digital signature" represents electronic signature to which some defined technical process is applied. Section 2(1)(p) of Information Technology Act, 2000 has defined "digital signature" as "authentication of an electronic record by a subscriber by means of an electronic method or procedure in accordance with the provision of section 3". Under Section 2(1)(zg), a subscriber means "a person in whose name the Digital Signature Certificate is issued".

A digital signature is technically a 'message digest' created by processing a message's contents using special algorithm. In other words, it involves the transformation of a message into a message-digest by a technical process called 'hash function', encoding it (encryption) and sending it with the message which is also encoded. Digital signatures are considered at par with paper signatures. Like paper signature, it can be used as proof of agreement or ownership of the contents of a document.

The receiver can authenticate the sender of message and verify the integrity of the signed message. He does so by using the encrypting key (private key) that corresponds to the decrypting key (public key). Thus digital signature is a data item that accompanies a digitally encoded message and which can be used to ascertain both the originator of the message and the integrity of message.

Difference between Digital Signature and Electronic Signature

| Digital Signature | Electronic Signature |
| --- | --- |
| 1. It means electronic signature to which some defined technical process has been applied. | 1. It means an identifier such as letters, characters, numbers or other symbols in digital form attached to an electronic record executed with the intention of authenticating or approving the electronic records. |
| 2. It is an electronic identifier that has used information security measure called 'cryptography' to ensure integrity, authenticity and non-repudiation. | 2. It involves the association of a writing with electronic signing. |
| 3. It is the result of applying defined technical processes to electronic signatures. | 3. It may consist of diverse kind of markings such as digitised images of paper signatures, notations or addressing notations such as electronic mail, organisation headers. |

AUTHENTICATION

Creation and Verification of Digital Signature

According to Section 3(2) of the Information Technology Act, 2000, "the authentication of electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record."

The "asymmetric crypto system" mentioned in section 3(2) is known as 'public-key encryption'. It employs two mathematically related numbers called "key pair" [Section 2(1)(x)]. One number (private key) is used for creating digital signature, i.e. transforming data into seemingly unintelligible form [Section 2(1)(zc)]. The other number (public key) is used to verify the signature, i.e. returning the message to its original form [Section 2(1)(zd)].

Section 2(1)(f) has defined asymmetric crypto system to mean 'a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature'.

These keys, which are not identical, are created by the user. These are like very large passwords. The private key remains with the owner and it is used to decrypt or vice versa. The encrypting key is made public. It is not possible to derive the private key from the public key.

Process of creation and verification of digital signature

1. Delimiting the message: The signer has to first delimit the border of the message contained therein.

2. Forming digital signature: The digital signature is formed by computing a value known as 'hash function'. The Explanation to Section 3(2) has defined 'hash function' to mean "an algorithm mapping or translating one sequence of bits into another". Generally, an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input making it computationally infeasible:
(i) to derive or reconstruct the original electronic record from the hash result produced by the algorithm,
(ii) that two electronic records can produce the same hash result using the algorithm.
An algorithm is a set of mathematical instructions that help calculate an answer to a mathematical problem. It may also be defined as a finite set of instructions that accomplish a particular task. The "hash function" translates the message to smaller length known as "hash value or result." It is not possible to derive the message from the hash result. Again, it is not possible to provide the same hash result by two different messages by using the same hash function.
Thus with the help of a special algorithm, the message contents are processed to yield a value (hash result). It effectively makes digital finger prints of the message known as "message digest." The digest represents the signature.

3. Encryption: The signature thus formed is then encrypted by using a private key. The encrypted message digest becomes digital signature which is unique.

4. Verification: The receiver computes the hash result by applying the same hash function as was used to create the digital signature to the original message received by him. He thus recreates the message digest from the message received. The receiver then decrypts the digital signature by using sender's public key. He then compares whether newly computed hash result matches with the original hash result. If the answer is in the affirmative, i.e. the signatures are identical, the signature stands verified. Any tampering with the contents of electronic record will immediately invalidate the digital signature.

Legal significance of creation and verification of Digital Signature

1. It attributes the message to the signer.
2. It identifies the signed message.
3. It proves that signer has signed the message knowingly.
4. It authenticates to the receiver that the sign is genuinely that of the signer.
5. It forms part of the document and it is not possible for an unscrupulous person to move the signature to a different document.
6. The signed document becomes unalterable.
7. It cannot be repudiated.

It may be noted that the digital signature regimen operates in an online, software driven space. Both the sender and the person receiving must have a digital signature software at their respective ends.

DIGITAL SIGNATURE CERTIFICATE

The Certifying Authority verifies and authenticates the identity of the subscriber. The Digital Signature Certificate is issued in the name of subscriber. The certificate contains the name of subscriber, his public key information, the name of the Certifying Authority which issued the certificate and the validity period.
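The creation and verification steps described above (hash the record, transform the digest with the private key, then recompute and compare on receipt), as an added example that is not part of the original text. It assumes SHA-256 as the hash function and textbook RSA on a constructed demo key built from publicly known primes; all names are illustrative, and the public key used by `verify` is the value a Digital Signature Certificate would carry.

```python
import hashlib

# Constructed demo key pair (an assumption of this example, not from the Act).
# P and Q are publicly known Mersenne primes, so this key protects nothing;
# fixed values only make the run reproducible.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # modulus shared by both keys
E = 65537                            # public exponent: (N, E) is the public key
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: (N, D) is the private key


def message_digest(record: bytes) -> int:
    """Step 2: the hash function maps the delimited record to a fixed-size digest."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, d: int = D, n: int = N) -> int:
    """Step 3: transform the digest with the private key to form the signature.

    Textbook RSA for illustration; deployed schemes add padding such as RSA-PSS.
    """
    return pow(message_digest(record), d, n)


def verify(record: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Step 4: recover the signed digest with the public key, recompute, compare."""
    if not 0 <= signature < n:       # reject values outside the valid range
        return False
    return pow(signature, e, n) == message_digest(record)


def demo() -> dict:
    # Constructed sample records.
    order = b"Purchase order 17: 500 units at Rs. 120 each"
    tampered = b"Purchase order 17: 900 units at Rs. 120 each"
    other_doc = b"Purchase order 18: 500 units at Rs. 120 each"
    sig = sign(order)

    # A second constructed key pair stands in for someone who is not the signer.
    p2, q2 = 2**607 - 1, 2**1279 - 1
    forged = sign(order, pow(E, -1, (p2 - 1) * (q2 - 1)), p2 * q2)

    return {
        "genuine": verify(order, sig),       # signature attributes the record
        "tampered": verify(tampered, sig),   # any alteration invalidates it
        "moved": verify(other_doc, sig),     # cannot be moved to another document
        "forged": verify(order, forged),     # wrong private key does not verify
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:9s} -> {'verified' if ok else 'rejected'}")
```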
The certificates are stored in an online publicly accessible repository maintained by the Certifying Authority.

CH. 30: PENALTIES AND ADJUDICATION

The Act has envisaged the imposition of penalty by way of damages in case of a damage caused to any computer or computer network by the introduction of virus or unauthorized access or some other mischief. Sections 43 to 47 provide for the following penalties:

1. Penalty for damage caused to computer, computer system or computer network [Section 43]: Any person who does any of the following forbidden activities to the computer, system or network shall be liable to pay damages of one crore rupees to the person affected. The following are the forbidden activities:

(i) Unauthorised access: The gaining of unauthorised access to a computer system or network by infringing the security measures is illegal and it shall render the person liable to pay compensation. The access must have been made with a view to look at the information or instructions contained therein, or to use or to change them.

(ii) Unauthorised downloading, copying or extracting: Any unauthorised downloading, copying or extracting of data, computer database or information is illegal.
"Data" is defined in section 2(1)(e) as 'representation of information, knowledge, facts, concepts or instructions which are prepared in a formalised manner and is intended to be processed in a computer system'. It may be in any form or stored initially in the memory of a computer.
Explanation to Section 43 defines 'database' as "the collection of data on a theme and which is used as a coherent whole to satisfy a variety of users and/or processing requirements."
'Information', according to Section 2(1)(v), is "the processed data and includes text, images, sound, codes, computer programmes, software and database."
Thus reproduction of data, computer database or information without right, with intent to procure an unlawful gain or to cause harm to the holder of right are liable to imposition of penalty.

(iii) Introduction of computer contaminant or virus: This is done to damage, destroy, or adversely affect the computer programme. It is a kind of sabotage done with the intention of hindering the functioning of a computer. Explanation (i) to Section 43 provides that contamination is done to usurp the normal operation of the computer by any means. The function of a 'virus' as per Explanation (iii) to section 43 is to destroy, damage, degrade, or adversely affect the performance of a computer resource, or to attach itself to another computer resource and to operate when a programme, data or instruction is executed.

(iv) Damage to computer data: Causing destruction, alteration, erasure or suppression of computer data or computer programme without a right is an offence. Similarly, disruption or causing disruption to any computer is an offence.

(v) Denial of access: Unauthorised interception of communication to and from and within a computer system or network, resulting in denial of access to the authorised person, is an offence.

(vi) Facilitating access in contravention of the Act: Rendering assistance to access a computer so as to facilitate commission of an offence in contravention of the provisions of the Act is an offence.

(vii) Charging services to the account of another: A person who, without permission, charges the services availed of by a person to the account of another person by tampering or manipulating the computer is liable to pay damages to the affected person.

2. Penalty for Failure to Furnish Information and Return [Section 44]:

(i) Failure to furnish any document, return or report to the Controller or the Certifying Authority is punishable with a fine of Rs. One lakh five thousand.
(ii) Failure to file return or furnish information in time is continuing in nature, for which a penalty of Rs. 5000 per day is charged for every day during which such failure continues.
(iii) Penalty for failure to maintain books of account or records is Rs. 10000 for every day during which the failure continues.

The liability to pay penalty does not arise merely on the proof of default. Its imposition is discretionary which must be exercised judicially on a consideration of all relevant facts and circumstances. It will not be imposed unless the party is shown to have acted deliberately, in defiance of law or in conscious disregard of its obligation.

3. Penalty for contravention of rules and regulations [Section 45]: The contravention of any rules or regulations under this Act for which no penalty has been separately prescribed shall entail the payment of compensation of twenty-five thousand rupees to the person affected by such contravention.

4. Power to Adjudicate [Section 46]: In order to adjudicate whether a person has made any contravention, the Central Government may appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of Central Government to act as adjudicating officer. But no person shall be so appointed unless he possesses experience in the field of Information Technology or legal or judicial experience as may be prescribed by the Central Government.

The Officer so appointed may impose penalty or award compensation as he thinks fit after (i) holding inquiry, (ii) giving the person a reasonable opportunity for making representation, and (iii) on being honestly satisfied of the contravention.

Powers of Adjudicating Officer: For the purpose of holding an inquiry, the adjudicating officer shall have the powers of a civil court under sections 345 and 346 of the Code of Civil Procedure, 1908 while trying a suit, such as summoning and enforcing the attendance of any person, examining a person on oath, production of documents, receiving evidence on affidavit, issuing commission for examination of witnesses, dismissing an application and so on. All proceedings before the adjudicating officer are deemed to be judicial proceedings within the meaning of Sections 193 and 228 of Indian Penal Code, 1860.

5. Factors to be taken into account by the Adjudicating officer for determining the quantum of compensation (Section 47): In determining the quantum of compensation, the adjudicating officer shall take the following factors into account:
(i) the amount of gain or unfair advantage, wherever quantifiable, made as a result of default,
(ii) the amount of loss caused to any person as a result of the default,
(iii) the repetitive nature of the default.

CH. 32: OFFENCES

MEANING OF 'OFFENCE'

Offence is an act punishable by law. It may also consist of an illegal omission depending on the words of a provision which declares an act or omission as illegal. The Information Technology Act, 2000 has provided for the following two types of sanctions for violation of its provisions, namely civil sanctions and criminal sanctions:

1. Civil sanctions: It secures damages to the affected party so as to render the contravention unprofitable. These sanctions are aimed at protecting the proprietary or privacy rights and interests of a person. Chapter IX of the Act provides for civil sanctions. Damages are neither prosecution nor punishment for an offence.

2. Criminal sanctions: It is a prosecution which results in fine and/or imprisonment. Its object is deterrence and thereby to discourage repetition of the offence.

The above two remedies are not mutually exclusive. These are co-extensive and differ in content and consequences.

VARIOUS PUNISHABLE OFFENCES UNDER THE ACT

The following offences are punishable under the Information Technology Act, 2000.

1. Tampering with computer source documents (Section 65): Whoever knowingly conceals, destroys or alters or intentionally causes another to do these to the computer source code used for a computer, computer programme or computer system or network, if such computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with three years of imprisonment, or a fine of two lakh rupees or with both.

According to Explanation to Section 65, the term "computer source code" means the listing of programmes, computer commands, design and layout and programme analysis of the computer source in any form.

Following are the ingredients of the offence of tampering with source code:
(i) There must be concealing, destroying, altering of the computer source code.
(ii) The above mentioned must be done 'knowingly' or 'intentionally', i.e., consciously and deliberately, such as transmitting an information code or command with intent to damage a computer etc.
(iii) The acts contemplated in this section may be done by any person, whether artificial or natural.

If the offence falls within the four walls of this section, it shall be punishable with the prescribed penalties. The court does not have the discretion to award punishment.

2. Hacking with computer system (Section 66): A person commits hacking if he intentionally
(i) causes or is likely to cause wrongful loss or damage to the public or any person,
(ii) destroys, deletes or alters any information
(a) residing on a computer resource,
(b) diminishes its value or utility, or
(c) affects the computer resource injuriously by any means.
The punishment for hacking is imprisonment upto three years, or a fine of two lakh rupees, or both.

3. Publication of obscene information in electronic form [Section 67]: The offence under Section 67 consists of publishing, or transmitting or causing to be published in electronic form the material which:
(i) is lascivious, i.e., lustful, or evoking lust (a desire for sexual activity),
(ii) appeals to prurient interest, i.e., creates or encourages unhealthy obsession with sexual matters, or
(iii) tends to deprave or corrupt persons who are likely to read, see or hear the matter contained or embodied in it.

It is the transmission or dissemination of obscene information which is an offence. Mere possession of obscene information in the privacy of one's home is not an offence under the Act. What is prohibited is the dissemination of obscene material through a mode of transmission or its publication in electronic form.

The first conviction for such offence is punishable with imprisonment of a term upto five years and with fine upto one lakh rupees. Second or subsequent conviction is punishable with imprisonment of either description for a term upto ten years or with fine upto two lakh rupees. The recurrence of disobedience or non-compliance amounts to continuance of the offence of obscenity.

4. Failure to comply with orders given by the Controller (Section 68): The Controller may direct the certifying authority to take such measures or cease to carry on such activities as may be specified to ensure compliance with the provisions of the Act, or rules and regulations made thereunder. Failure to comply with the order is punishable with imprisonment upto three years and/or fine upto two lakh rupees.

5. Failure to assist the agency of Government in decryption of information [Section 69]: The Controller can direct all agencies of the government to intercept any information transmitted through any computer resource if he is satisfied, for reasons to be recorded in writing, that such interception is necessary and expedient in the interest of:
(i) sovereignty and integrity of India,
(ii) security of state,
(iii) friendly relations with foreign states,
(iv) public order,
(v) preventing incitement to the commission of any cognizable offence.

The agency of the government may require any subscriber or person in-charge of a computer resource system to provide it facilities or technical assistance to decrypt the information. The failure to render assistance to the government agency is punishable with imprisonment upto seven years.

The requirement of 'recording reasons in writing' is a safeguard against [...]ory and arbitrary exercise of power by the controller.

6. Securing unauthorised access to protected system (Section 70): The government may declare by notification in the Official Gazette any computer, computer system or computer network as a protected system and may authorise persons in writing to access it. Any person who secures or attempts to secure unauthorised access shall be punishable with imprisonment upto ten years and also be liable to fine.

7. Misrepresentation or suppression (non-disclosure) of material fact (Section 71): Making misrepresentation or suppressing any material fact from the Controller or Certifying Authority for obtaining a licence or digital signature certificate shall be punishable with imprisonment or fine upto one lakh rupees or with both. Disclosure of incorrect fact is misrepresentation whereas non-disclosure of required facts is suppression. Both of these must be done knowingly or deliberately.

8. Breach of confidentiality (Section 72): The object of Section 72 is to prohibit unauthorised disclosure of contents of electronic record. It prohibits disclosure of information received by a person in pursuance of powers conferred under this Act. Such disclosure is punishable with imprisonment upto two years and/or fine upto one lakh rupees. However, disclosure to law enforcing agencies or pursuant to proper authorisation by the Controller or with the consent of the concerned person is permissible.

9. Publication of digital certificate which is not valid (Section 73): There is prohibition on publishing or otherwise making available to any person a digital certificate which is not valid for the following reasons:
(i) it has not been issued by the certifying authority,
(ii) it has not been accepted by the subscriber,
(iii) it is not in operation in the sense that it has been revoked or suspended.
The contravention of this provision is punishable with imprisonment for a period upto two years or with fine upto one lakh rupees or with both.

10. Publishing Digital Signature Certificate for fraudulent purpose (Section 74): Knowingly creating, publishing or making available a Digital Signature Certificate for any fraudulent or unlawful purpose is an offence punishable with imprisonment upto two years and fine upto one lakh rupees.

11. Confiscation of articles involved in contravention (Section 76): Any computer, computer system, floppies, compact disks, tape drives or any other accessories in respect of which there is contravention of any provision of the Act, rules or orders made thereunder, shall be liable to confiscation. The adjudicating [...] may not, however, order confiscation if it is satisfied that the concerned person is not responsible for the contravention. It may pass any other order instead of confiscation. The acquittal of a person may not absolve him from confiscation of articles by means of which or in relation to which the offence has been committed.
