Global CN

Introduction We begin our discussion with the key words underlying the concept of information technology (IT), namely,
information and technology; before tracing the growth of law related thereto.
What is Information Technology? Information technology, literally speaking, is the technology designed to be applied with respect to information. When the legal system got equipped with mechanisms to protect the content of information it was a great legal feat accomplished. However, soon it appeared that the technology which could make the information travel in a faster and confidential manner was no less important either. Telecommunication technologies were the ones who did this miracle and were protected in turn by the governments concerned. But the best (or the worst, depending on the way we use) was yet to happen. The technology that enabled the world to make information travel safe and fast both (rather the fastest and the safest so far) through electronic machines brought with it a sort of revolution (called information revolution) not seen hitherto fore. The technology which thus revolutionised the world was termed as information technology (IT). The information technology (IT) is. therefore, the technology that ensures the information travels fast while keeping its privacy intact. Thus Information T is a tool to ensure safety of the information while it travels through, or stored in, or retrieved from an electronic source or device. The international networking which has connected the people and nations of the world is termed as the internet or, sometimes simply net. This has brought in to reference a virtual world that is the world run and regulated by electronic machines: the cyber world or the cyber space.
Global Consciousness to Cyber World International law is a primary concern of the United Nations. The mandate for the activities in this field emanates from the Charter of the United Nations which, in its Preamble, sets the goal 'to establish conditions under which justice and respect for the obligations arising from treaties and other sources of international law can be maintained'. The International Court of Justice, located in The Hague (Netherlands), is one of the six major organs of the United Nations. The Court, in existence since 1946, serves as the successor to the Permanent Court of International Justice established by the League of Nations; and derives its authority from a statute which forms
1
an integral part of the Charter of the United Nations. The Court has two functions : to render judgements on disputes submitted to it by states, and to furnish advisory opinions on questions referred to it by authorized bodies. The International Law Commission was established by the United Nations General Assembly resolution1 of November 21, 1947. Its primary objective is the 'promotion of progressive development of international law and its codification'. 2 The statute has been amended by the General Assembly a number of times the updated text of which is available online. The commission meets in one annual session in Geneva and reports to the General Assembly. The United Nations Commission on International Trade Law (UNCITRAL) was established by the General Assembly resolution3 of December 17, 1966. Sections I and II of the resolution define the powers and functions of the Commission. Its primary objective is the 'promotion of the progressive harmonization and unification of the law of the international trade'. 4 The Commission meets in one annual session, convened alternately in New York (even years) and Vienna (odd years), and reports to the General Assembly. Amidst growing concern for regulation of electronic commerce and to evolve standards which could be adopted as guidelines by the states concerned in framing domestic laws on the subject, the UNCITRAL adopted a resolution on 'Legal Value of Computer Records', which was approved through a resolution on December 11, 1985 by the United Nations General Assembly. This was followed by the 'Model Law on Electronic Commerce' which was accepted by the United Nations General Assembly through a resolution on January 30, 1997. The resolution obliges the member nations to give proper consideration to the provisions of the model law while framing or revising (as the case may be) their law with a view to achieve uniformity of law on this point. Moving further in this direction, the UNCITRAL adopted a 'Model Law on Electronic Signatures' which was adopted through a resolution by the United Nations General Assembly on December 12, 2001. A brief outline of these developments is presented below.
1 2 3 4
Resolution 174 (II) of Nov 21 1947. Article 1 of the Statute. Resolution 2205 (XXI) of December 17, 1966. See, Section I of the resolution.
2
UNCITRAL on 'Legal Value of Computer Records' (1985) The UNCITRAL, at its eighteenth session in 1985, considered a report prepared by the Secretariat entitled 'Legal Value of Computer Records' which noted that while on the global scale there were fewer problems in the use of data stored in computers, a major obstacle to use of computers and computer-to-computer telecommunication in international trade arose out of the requirement that documents had to be signed or be in paper form.
Having considered the report, the Commission noted, inter alia, that the automatic data processing was about to become firmly established through out the world, that legal rules based upon pre-ADP5 paper-based means of documenting international trade might create obstacles to such use of ADP by reason of being regarded insecure, and that the developments in the use of ADP were creating the need for adaptation of existing legal rules. It, therefore, recommended to the governments, among other things, to review the legal rules affecting the use of computer records as evidence in litigation; legal requirements that certain trade transaction be in writing; and legal requirements of hand-written signature or other paper-based method of authentication on trade related documents with a view to permitting, where appropriate, the use of electronic means of authentication.
It also recommended to international organisations elaborating legal texts related to trade to take note of the aforementioned observations. The UN General Assembly adopted the said recommendation by resolution on December 11, 1985; and called upon the governments and international organizations to 'take action, where appropriate, in conformity with the Commission's recommendation so as to ensure legal security in the widest possible use of automated data processing in international trade'. Considering the possible risk of divergent legislative approaches being adopted by various nations, the Commission felt the need for uniform legislative provisions with a view to achieve legal harmony as well as technical inter-operability.
UNCITRAL Model Law on Electronic Commerce (1996)
Automated Data Processing.

3
While the electronic commerce does not render the conventional law obsolete, it does create a few problems such as the classification of what is termed as 'virtual goods'; and new types of contract like web hosting and web serving. It also requires an adaptation of conventional concepts to suit the new situations because they were either based on existence of some tangible medium of transaction e.g. instrument, document, original, signature etc; or based on geographical locations, e.g. delivery, receipt, dispatch, surrender etc. This, however, is not to deny the fact that the essence of business transactions is always the same, irrespective of the medium of transaction. For example, there is no essential difference between, say, an online contract and an offline contract except the medium through which they have come in to existence, namely, the electronic and the physical (or, paper based). The model law aims to facilitate rather than regulate the electronic commerce, to adapt existing legal requirements, and to provide legal validity and certainty to business transactions carried out through electronic medium in the same way as given to those carried out through conventional medium. The basic principles underlying the model law are functional equivalence, media or technology neutrality, and party autonomy. Functional equivalence is brought about by analysing the principles and functions of paper-based requirements like instruments, record, signature, original etc; and considering the criteria necessary to replicate these functions and giving electronic data the same level of recognition as information on paper. Similarly, the media-neutrality and technology-neutrality are ensured by equal treatment of paper based and electronic transactions, and of different technologies like Electronic Data Interchange (EDI), e-mail, internet, telegram, telex, fax etc. Party autonomy is ascertained by providing primacy of party agreement on whether and how to choose electronic commerce techniques, and freedom to parties to choose security level appropriate for their transaction. The model law is in two parts, the first dealing with electronic commerce in general and the second the electronic commerce in specific areas. This is supplemented with a Guide on the Model Law on Electronic Commerce, which explains the object, underlying principles and articles of the Model Law. Part One has 15(1-15) articles distributed over four chapters, while Part Two has two articles (16-17) contained in one chapter. Depending on emerging needs in other specific areas related to business through electronic means, Part Two may have more
provisions in future as it is an open ended instrument. Part One also includes article 5 bis as adopted in 1998. The core provisions of the model law are contained in article 5 (legal recognition), 6 article 5 bis (incorporation by reference),7 article 6 (writing),8 article 7 (signature),9 article 8 (original),10
Article 5. Legal recognition of data messages: Information shall not be denied legal effect, validity or enforceability solely on the grounds that it is in the form of a data message.
Article 5 bis. Incorporation by reference : (as adopted by the Commission at its thirtyfirst session, in June 1998)Information shall not be denied legal effect, validity or enforceability solely on the grounds that it is not contained in the data message purporting to give rise to such legal effect, but is merely referred to in that data message.
Article 6 Writing : (1) Where the law requires information to be in writing, that requirement is met if a data message if the information contained therein is accessible so as to be usable for a subsequent reference. (2) Paragraph (1) applies whether the requirement therein is in the form of an obligation or whether the law simply provides consequences for information not being in writing. (3) The provisions of this article do not apply to the following: [....].
Article 7. Signature : (1) Where the law requires a signature of a person, that requirement is met in relation to a data message if : (a) a method is used to identify that person and to indicate that person's approval of the information contained in the data message; and (b) that method is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement. (2) Paragraph (1) applies whether the requirement therein is in the form of an obligation or whether the law simply provides consequences for the absence of a signature. (3) The provisions of this article do not apply to the following : [...].
10
Article 8. Original : (1) Where the law requires information to be presented or retained in its original form, that requirement is met by a data message if : (a) there exists a reliable assurance as to the integrity of the information from the time when it was first generated in its final form, as a data message or otherwise; and (b) where it is required that
5
article 9 (evidence),11 article 11 (use of data message in contract.formation),12 article 12 (nonrepudiation),13 article 13 (attribution of data message),14 article 14 (acknowledgement of
information be presented, that information is capable of being displayed to the person to whom it is to be presented. (2) Paragraph (1) applies whether the requirement therein is in the form of an obligation or whether the law simply provides consequences for the information not being presented or retained in its original form. (3) For the purposes of subparagraph (a) of paragraph (1) : (a) the criteria for assessing integrity shall be whether the information has remained complete and unaltered, apart from the addition of any endorsement and any change which arises in the normal course of communication, storage and display; and (b) the standard of reliability required shall be assessed in the light of the purpose for which the information was generated and in the light of all the relevant circumstances. (4) The provisions of this article do not apply to the following : [...]. 11 Article 9. Admissibility and evidential weight of data messages : (1) In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to deny the admissibility of a data message in evidence : (a) on the sole ground that it is a data message; or, (b) if it is the best evidence that the person adducing it could reasonably be expected to obtain, on the grounds that it is not in its original form. (2) Information in the form of a data message shall be given due evidential weight. In assessing the evidential weight of a data message, regard shall be had to the reliability of the manner in which the data message was generated, stored or communicated, to the reliability of the manner in which the integrity of the information was maintained, to the manner in which its originator was identified, and to any other relevant factor. 12 Article 11. Formation and validity of contracts : (1) In the context of contract formation, unless otherwise agreed by the parties, an offer and the acceptance of an offer may be expressed by means of data messages. Where a data message is used in the formation of a contract, that contract shall not be denied validity or enforceability on the sole ground that a data message was used for that purpose. (2) The provisions of this article do not apply to the following : [...].
6
13
Article 12. Recognition by parties of data messages : (1) As between the originator and the addressee of a data message, a declaration of will or other statement shall not be denied legal effect, validity or enforceability solely on the grounds that it is in the form of a data message. (2) The provisions of this article do not apply to the following :
14
Article 13. Attribution of data messages : (1) A data message is that of the originator if it was sent by the originator itself. (2) As between the originator and the addressee, a data message is deemed to be that of the originator if it was sent : (a) by a person who had the authority to act on behalf of the originator in respect of that data message; or (b) by an information system programmed by, or. on behalf of, the originator to operate automatically. (3) As between the originator and the addressee, an addressee is entitled to regard a data message as being that of the originator, and to act on that assumption, if: (a) in order to ascertain whether the data message was that of the originator, the addressee properly applied a procedure previously agreed to by the originator for that purpose; or (b) the data message as received by the addressee resulted from the actions of a person whose relationship with the originator or with any agent of the originator enabled that person to gain access to a method used by the originator to identify data messages as its own. (4) Paragraph (3) does not apply : (a) as of the time when the addressee has both received notice from the originator that the data message is not that of the originator, and had reasonable time to act accordingly; or (b) in a case within paragraph (3)(b), at any time when the addressee knew or should have known, had it exercised reasonable care or used any agreed procedure, that the data message was not that of the originator. (5) Where a data message is that of the originator or is deemed to be that of the originator, or the addressee is entitled to act on that assumption, then, as between the originator and the addressee, the addressee is entitled to regard the data message as received as being what the originator intended to send, and to act on that assumption. The addressee is not so entitled when it knew or should have known, had it exercised reasonable care or used any agreed procedure, that the transmission resulted in any error in the data message as received. (6) The addressee is entitled to regard each data message received as a separate data message and to act on that assumption, except to the extent that it duplicates another
7
receipt),15 article 15 (time and place of dispatch of receipt),16 article 16 (actions related to contracts of carriage of goods),17 and article 17 (transport documents).18
data message and the addressee knew or should have known, had it exercised reasonable care or used any agreed procedure, that the data message was a duplicate. 15 Article 14. Acknowledgement of receipt : (1) Paragraphs (2) to (4) of this article apply where, on or before sending a data message, or by means of that data message, the originator has requested or has agreed with the addressee that receipt of the data message be acknowledged. (2) Where the originator has not agreed with the addressee that the acknowledgement be given in a particular form or by a particular method, an acknowledgement may be given by (a) any communication by the addressee, automated or otherwise, or (b) any conduct of the addressee, sufficient to indicate to the originator that the data message has been received. (3) Where the originator has stated that the data message is conditional on receipt of the acknowledgement, the data message is treated as though it has never been sent, until the acknowledgement is received. (4) Where the originator has not stated that the data message is conditional on receipt of the acknowledgement, and the acknowledgement has not been received by the originator within the time specified or agreed or, if no time has been specified or agreed, within a reasonable time, the originator : (a) may give notice to the addressee stating that no acknowledgement has been received and specifying a reasonable time by which the acknowledgement must be received; and (b) if the acknowledgement is not received within the time specified in subparagraph (a), may, upon notice to the addressee, treat the data message as though it had never been sent, or exercise any other rights it may have. (5) Where the originator receives the addressee's acknowledgement of receipt, it is presumed that the related data message was received by the addressee. That presumption does not imply that the data message corresponds to the message received. (6) Where the received acknowledgement states that the related data message met technical requirements, either agreed upon or set forth in applicable standards, it is presumed that those requirements have been met. (7) Except in so far as it relates to the sending or receipt of the data message, this article is not intended to deal with the legal
8
consequences that may flow either from that data message or from the acknowledgement of its receipt. 16 Article 15. Time and place of dispatch and receipt of data messages : (1) Unless otherwise agreed between the originator and the addressee, the dispatch c: i message occurs when it enters an information system outside the control of the or.pn or of the person who sent the data message on behalf of the originator. (2) Unless otherwise agreed between the originator and the addressee, the time of receipt of a data message is determined as follows : (a) if the addressee has designated an info ?CM system for the purpose of receiving data messages, receipt occurs : (i) at the time * the data message enters the designated information system; or (ii) if the data messi= ; sent to an information system of the addressee that is not the designated inforr.: a system, at the time when the data message is retrieved by the addressee; (b) if ta addressee has not designated an information system, receipt occurs when the dsu. message enters an information system of the addressee. (3) Paragraph (2) apples notwithstanding that the place where the information system is located may be differed from the place where the data message is deemed to be received under paragraph (4). 4 Unless otherwise agreed between the originator and the addressee, a data message 1= deemed to be dispatched at the place where the originator has its place of business, and is deemed to be received at the place where the addressee has its place of business. For the purposes of this paragraph : (a) if the originator or the addressee has more than one place of business, the place of business is that which has the closest relationship to the underlying transaction or, where there is no underlying transaction, the principal place of business; (b) if the originator or the addressee does not have a place of business, reference is to be made to its habitual residence. (5) The provisions of this article do nor apply to the following : [...]. 17 Article 16. Actions related to contracts of carriage of goods : Without derogating from the provisions of part one of this Law, this chapter applies to any action in connection with, or in pursuance of, a contract of carriage of goods, including but not limited to : (a) (i) furnishing the marks, number, quantity or weight of goods; (ii) stating or declaring the nature or value of goods; (iii) issuing a receipt for goods; (iv) confirming that goods have been loaded; (b) (i) notifying a person of terms and conditions of the contract; (ii) giving
9
instructions to a carrier; (c) (i) claiming delivery of goods; (ii; authorizing release of goods; (iii) giving notice of loss of, or damage to, goods; (d) giving any other notice or statement in connection with the performance of the contract: e undertaking to deliver goods to a named person or a person authorized to claim delivery: (f) granting, acquiring, renouncing, surrendering, transferring or negotiating rights in goods; (g) acquiring or transferring rights and obligations under the contract.
18
Article 17. Transport documents : (1) Subject to paragraph (3), where the law requires that any action referred to in article 16 be carried out in writing or by using a paper document, that requirement is met if the action is carried out by using one or more data messages. (2) Paragraph (1) applies whether the requirement therein is in the form of an obligation or whether the law simply provides consequences for failing either to carry cu: the action in writing or to use a paper document. (3) If a right is to be granted to, or an obligation is to be acquired by, one person and no other person, and if the law requires that, in order to effect this, the right or obligation must be conveyed to that person by the transfer, or use of, a paper document, that requirement is met if the right or obligation is conveyed by using one or more data messages, provided that a reliable method is used to render such data message or messages unique. (4) For the purposes of paragraph (3), the standard of reliability required shall be assessed in the light of the purpose for which the right or obligation was conveyed and in the light of all the circumstances, including any relevant agreement. (5) Where one or more data message; are used to effect any action in subparagraphs (f) and (g) of article 16, no paper document used to effect any such action is valid unless the use of data messages has been terminated and replaced by the use of paper documents. A paper document issued in these circumstances shall contain a statement of such termination. The replacement of data messages by paper documents shall not affect the rights or obligations of the parties involved. (6) If a rule of law is compulsorily applicable to a contract of carriage of goods which is in, or is evidenced by, a paper document, that rule shall not be inapplicable to such a contract of carriage of goods which is evidenced by one or more data messages by reason of the fact that the contract is evidenced by such data message or messages instead of by a paper document.
10
UNCITRAL Model Law on Electronic Signatures, (2001) As the paper based documents are being replaced by electronic documents, the hand written signature is being substituted by electronic authentication techniques for the purpose of business transactions through electronic media. There is a possibility that in the absence of some guiding principles and provisions there shall emerge a variety of such authentication techniques, otherwise known as electronic signatures. This, if anything, can only make the matters worse; because, shorn of uniformity, the various electronic authentication techniques could play havoc with the business prospects through electronic media. Having adopted model law on electronic commerce in 1996, the Commission decided to place the issues of digital signatures and certification authorities on its agenda. The Working Group formed for the purpose continued to present its report on uniform rules which was placed before the Commission every following year only to be further modified. This was principally so because the increased use of electronic media in business would present newer and newer problems making the job of the Working Group even more difficult. . The model law on electronic signatures prepared by the Working Group was further modified in view of the comments received from the governments and organizations, and, along with a guide prepared by the Secretariat, was adopted by the Commission on July 5, 2001. The Commission noted the great utility of new technologies used for personal identification in electronic commerce and commonly referred to as electronic signatures, expressed its conviction that legal certainty in electronic commerce will be enhanced by the harmonization of certain rules on the legal recognition of electronic signatures on a technology-neutral basis, and recommended that all states give favourable consideration to the model law on electronic signatures together with model law on electronic commerce. Adopting it through a resolution on December 12, 2001, the UN General Assembly also made similar recommendation to all the states stressing the need for 'uniformity of the law applicable to alternatives to paper-based forms of communication, storage and authentication of information'. The model law on electronic signatures is divided in to twelve articles. Principal provisions are contained in article 2 (definitions),19 article 3 (equal treatment of signature technologies),20
19
Article 2. Definitions : For the purposes of this Law : (a) "Electronic signature" means data in electronic form in, affixed to or logically associated with, a data message, which
11
article 5 (variation by agreement),21 article 6 (compliance with a requirement of a signature),22 article 8 (conduct of the signatory),23 article. 9 (conduct of the certification service provider),24
may be used to identify the signatory in relation to the data message and to indicate the signatory's approval of the information contained in the data message; (b) "Certificate" means a data message or other record confirming the link between a signatory and signature creation data; (c) "Data message" means information generated, sent, received or stored by electronic, optical or similar means including, but not limited to, electronic data interchange (EDI), electronic mail, telegram, telex or telecopy; and acts either on its own behalf or on behalf of the person it represents; (d) "Signatory" means a person that holds signature creation data and acts either on its own behalf or on behalf of the person it represents; (e) "Certification service provider" means a person that issues certificates and may provide other services related to electronic signatures; (f) "Relying party" means a person that may act on the basis of a certificate or an electronic signature. 20 Article 3. Equal treatment of signature technologies : Nothing in this Law, except article 5, shall be applied so as to exclude, restrict or deprive of legal effect any method of creating an electronic signature that satisfies the requirements referred to in article 6, paragraph 1, or otherwise meets the requirements of applicable law.
21
Article 5. Variation by agreement : The provisions of this Law may be derogated from or their effect may be varied by agreement, unless that agreement would not be valid or effective under applicable law.
22
Article 6. Compliance with a requirement for a signature: 1. Where the law requires a signature of a person, that requirement is met in relation to a data message if an electronic signature is used that is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement. 2. Paragraph 1 applies whether the requirement referred to therein is in the form of an obligation or whether the law simply provides consequences for the absence of a signature. 3. An electronic signature is considered to be reliable for the purpose of satisfying the requirement referred to in paragraph 1 if : (a) The signature creation data are, within the context in which they are used, linked to the signatory and to
12
no other person; (b) The signature creation data were, at the time of signing, under the control of the signatory and of no other person; (c) Any alteration to the electronic signature, made after the time of signing, is detectable; and (d) Where a purpose of the legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable. 4. Paragraph 3 does not limit the ability of any person : (a) To establish in any other way, for the purpose of satisfying the requirement referred to in paragraph 1, the reliability of an electronic signature; or (b) To adduce evidence of the non-reliability of an electronic signature. 5. The provisions of this article do not apply to the following : [...]. 23 Article 8. Conduct of the signatory : 1. Where signature creation data can be used to create a signature that has legal effect, each signatory shall : (a) Exercise reasonable care to avoid unauthorized use of its signature creation data; (b) Without undue delay, utilize means made available by the certification service provider pursuant to article 9 of this Law, or otherwise use reasonable efforts, to notify any person that may reasonably be expected by the signatory to rely on or to provide services in support of the electronic signature if : (i) The signatory knows that the signature creation data have been compromised; or (ii) The circumstances known to the signatory give rise to a substantial risk that the signature creation data may have been compromised; (c) Where a certificate is used to support the electronic signature, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the signatory that are relevant to the certificate throughout its life cycle or that are to be included in the certificate. 2. A signatory shall bear the legal consequences of its failure to satisfy the requirements of paragraph 1. 24 Article 9. Conduct of the certification service provider : 1. Where a certification service provider provides services to support an electronic signature that may be used for legal effect as a signature, that certification service provider shall : (a) Act in accordance with representations made by it with respect to its policies and practices; (b) Exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the certificate throughout its life cycle or that are included
13
article 11 (conduct of the relying party),25 and article 12 (recognition of foreign certificates and electronic signatures).26 The Model Law is supplemented by a 'Guide to Enactments'.
in the certificate; (c) Provide reasonably accessible means that enable a relying party to ascertain from the certificate : (i) The identity of the certification service provider; (ii) That the signatory that is identified in the certificate had control of the signature creation data at the time when the certificate was issued; (iii) That signature creation data were valid at or before the time when the certificate was issued; (d) Provide reasonably accessible means that enable a relying party to ascertain, where relevant, from the certificate or otherwise : (i) The method used to identify the signatory; (ii) Any limitation on the purpose or value for which the signature creation data or the certificate may be used; (iii) That the signature creation data are valid and have not been compromised; (iv) Any limitation on the scope or extent of liability stipulated by the certification service provider; (v) Whether means exist for the signatory to give notice pursuant to article 8, paragraph 1 (b), of this Law; (vi) Whether a timely revocation service is offered; (e) Where services under subparagraph (d) (v) are offered, provide a means for a signatory to give notice pursuant to article 8, paragraph 1 (b), of this Law and, where services under subparagraph (d) (vi) are offered, ensure the availability of a timely revocation service; (f) Utilize trustworthy systems, procedures and human resources in performing its services. 2. A certification service provider shall bear the legal consequences of its failure to satisfy the requirements of para 1. 25 Article 11. Conduct of the relying party: A relying party shall bear the legal consequences of its failure : (a) To take reasonable steps to verify the reliability of an electronic signature; or (b) Where an electronic signature is supported by a certificate, to take reasonable steps : (i) To verify the validity, suspension or revocation of the certificate; and (ii) Tb observe any limitation with respect to the certificate. 26 Article 12. Recognition of foreign certificates and electronic signatures : 1. In determining whether, or to what extent, a certificate or an electronic signature is legally effective, no regard shall be had : (a) lb the geographic location where the certificate is issued or the electronic signature created or used; or (b) Tb the geographic location of the place of business of the issuer or signatory. 2. A certificate issued outside [the enacting
14
Indian Perspective Responding to the aforementioned initiative, India drafted her first law on electronic commerce : the Electronic Commerce Act, 1998 with Electronic Commerce Support Act, 1998. It recalled the rapid development of information and communication technologies revolutionising the business practices; the transactions accomplished through electronic means-collectively referred to as "electronic commerce"creating new legal issues; the shift from paper-based to electronic transactions raising questions concerning recognition, authenticity and enforceability of electronic documents and signatures; and the challenge before lawmakers of striking a balance between conflicting goals of safeguarding electronic commerce and encouraging technological development.
The Draft Electronic Commerce Act, 1998 The Electronic Commerce Act, 1998 aimed to 'facilitate the development of a secure regulatory environment for electronic commerce by providing a legal infrastructure governing electronic contracting, security and integrity of electronic transactions, the use of digital signatures and other issues related to electronic commerce'.27 Another draft known as Electronic Commerce
State] shall have the same legal effect in [the enacting State] as a certificate issued in [the enacting State] if it offers a substantially equivalent level of reliability. 3. An electronic signature created or used outside [the enacting State] shall have the same legal effect in [the enacting State] as an electronic signature created or used in [the enacting State] if it offers a substantially equivalent level of reliability. 4. In determining whether a certificate or an electronic signature offers a substantially equivalent level of reliability for the purposes of paragraph 2 or 3, regard shall be had to recognized international standards and to any other relevant factors. 5. Where, notwithstanding paragraphs 2, 3 and 4, parties agree, as between themselves, to the use of certain types of electronic signatures or certificates, that agreement shall be recognized as sufficient for the purposes of crossborder recognition, unless that agreement would not be valid or effective under applicable law. 27 For a complete overview of the
15
Electronic
Commerce
Act,
1998, see
Support Act, 1998 had eight sections which were mainly concerned with necessary amendments to other Acts to bring the latter in complete harmony with Electronic Commerce Act, 1998.28 The above drafts had been prepared by the Ministry of Commerce. Parallel drafts had also been prepared by the Department of Electronics. Out of these four drafts, the Law Ministry had to make a final Draft and to put it before Parliament.29 However, with the birth of the Ministry of Information Technology, the job was undertaken by it, and what came forth was the Information Technology Bill, 1999. The Bill was introduced in Parliament in December, 1999; was passed in May, 2000; and got the Presidential assent on June 09, 2000. It came in to effect from October 23, 2000.
Information Technology Act, 2000 $The Information Technology Act,' 2000 aimed to 'provide legal recognition for transactions carried out by means of electronic data exchange and other means of electronic communication, commonly referred to as 'electronic commerce', which involve the use of alternatives to paperbased methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies. To this end, it also had to amend the Indian Penal Code, the Indian Evidence Act, Banker's Books Act and the Reserve Bank of India Act. 30 The Act had 13 chapters spread over 94 sections; and four schedules. The IT Act, 2000 extends to whole of India and, in some cases, even outside India. Following the passage of Negotiable
http://www.naavi.org/naavi_comments_itaa/historical_perspective/ect_1998/ect_1998_ov erview.htm. The Act had 62 sections divided over fifteen parts. This Actas is clear from the drafts of Electronic Commerce Act, 1998 as well as that of Electronic Commerce Support Act, 1998was not to apply to the State of Jammu and Kashmir. 28 For the detail of this Act, see http://www.naavi.org/naavi_comments_itaa/historical_perspective/ect_1998/ec_support_ act_1998.htm. 29 For further detail, See http://www.naavi.org/naavi_comments_itaa/historical_
perspective/ect_1998/ecbgr.htm. 30 See, the preamble to the Act.

16
Instruments Amendment Act, 2002, the IT Act, 2000 underwent some major changes with effect from February 06, 2003.31 Information Technology Amendment Act, 2008 However, it was not enough. In the year 2001, the UNCITRAL had come out with its model law on electronic signature with an aim to make it technology-neutral. Like the model law on electronic commerce, this too had to be taken care of by concerned nations who were supposed to bring their information technology laws in tune with the model law on electronic signature. On the domestic front also, the problems had surfaced on a scale that had made the amendment to the IT Act, 2000 inevitable. New forms of cyber crimes had appeared on Indian scene posing a challenge before the lawmakers who were faced with two hard options, namely, either to drastically amend the existing law to give it some teeth or to helplessly see it being openly outraged and violated by the cyber criminals and others. At this critical juncture was brought the draft of the Information Technology Amendment Bill, 2006 which was introduced on December 15, 2006 in the Lower House of Parliament. It was scrutinised by an Expert Committee which suggested several changes. The gravity of the issue of emerging cyber crimes on national and global scales had worried the lawmakers so much so that they referred it to the Standing Committee of Parliament to finally suggest changes necessary to make the enactment more effective and in agreement with India's international obligations as an IT power.
31
For this purpose, section 81A was inserted which states that (1) the provisions of this Act shall apply to electronic cheques and truncated cheques subject to such modifications as may be ecessary for carrying out the purpose of Negotiable Instruments Act, 1881 by the Central Government, in consultation with the Reserve Bank of India, by notification in the Official Gazette; (2) every notification made by the Central Government shall be laid before each House of Parliament, while it is in session for a total period of sixty days and if both Houses agree in making any or no modification; the notification shall accordingly become effective provided that the acts done in accordance with the original notification shall not be affected by the said modification if any. Here the terms 'electronic cheque' and 'truncated cheque' shall have the same meaning as under section 6 of the Negotiable Instruments Act, 1881.
17
It took a couple of years before the amendments could see the light of the day. The Information Technology (Amendment) Bill, 2006 was further amended by the Information Technology (Amendment) Bill, 2008; and in the process, the underlying Act was renamed as the Information Technology Amendment Act, 2008 (ITAA, 2008). The Information Technology Amendment Act, 2008 was passed by the Lower House on December 22, 2008; and by the Upper House on the following day i.e. December 23, 2008. Salient features of the IT Act, 2000 As Amended by ITAA, The Act extends to whole of India. An important feature of the Act is that it extends to acts or omissions of a person even outside India and even if the said person is not an Indian national, provided that (i) the said acts or omissions constitute offences or contraventions provided for under the Information Technology Act, 2000; and (ii) the said acts or conducts constituting offence or contravention involve a computer network located in India.32 The changes necessitated by the ITAA, 2008 in the Indian Penal Code and the Indian Evidence Act have also been given along with the Act as respectively Part III and Part IV thereto. In order to provide for the cyber offences committed from outside India with respect to a computer source in India, electronic signatures and sundry other things, the sections 4, 40, 118, 119 and 464 of the Indian Penal Code have been suitably amended. Likewise, sections 3, 45A, 47A, 67A, 85A, 85B, 85C and 90A of the Indian Evidence Act have been amended to provide legal authenticity to electronic signatures in place of digital signatures, and electronic signature certificate in place of digital signature certificate. Section 45A, one of the newly inserted sections, reads as follows : "When in a proceeding, the Court has to form an opinion on any matter relating' to any information transmitted or stored in any computer resource or any other electronic or digital form, the opinion of the Examiner of Electronic Evidence referred to in section 79A of the Information Technology Act, 2000, is a relevant fact." It explains that for the purposes of section 45A, the Examiner of Electronic Evidence shall be (treated as) an expert.33 ITAA, 2008, has omitted several sections, substituted for some other sections, and amended still others while leaving rest of the sections intact. It has scrapped all the four schedules of the parent
32 33
Section 75. See, explanation to Section 45A, Indian Evidence Act, as amended by the ITAA, 2008.
18
Act and introduced two new schedules : one enumerating the items whereto the provisions of the Act shall not apply; and the other for the details of electronic signature procedures as prescribed by the Central Government.34 Among the vital changes introduced through ITAA, 2008, the ones meriting our attention are the provisions dealing with cyber terrorism(where the maximum punishment to be awarded is the imprisonment for life), child pornography and obscenity in cyber space, stricter control on intermediaries, a wider concept of electronic signature as against the digital signature, national nodal agency for critical information infrastructure protection, an incident response team and, the all important restructuring of Cyber Appellate Tribunal as a multi-member body (whose chief shall be appointed by the Central Government after consultation with the Chief Justice of India). For the sake of clarity, however, the Act will be discussed under the following heads : EGovernance, Control Mechanism, Offences and Remedies, and Miscellaneous Provisions.
34
Section 1(4) states that the Act will have no application in case of items listed in the First Schedule. This Schedule enumerates four items, namely, negotiable instrument other than a cheque (as defined under section 13 of the Negotiable Instruments Act, 1881), a power of attorney (as defined under section 1A of the Powers of Attorney Act, 1882), a trust (as defined under section 3 of the Indian Trusts Act), a will (as defined under clause (h) of section 2 of Indian Succession Act) including any testamentary document by whatever name called, any contract for the sale or conveyance of immovable property. The Central Government may, by notification in the Official Gazette, add or delete entries to the First Schedule. However, Section 1(5) requires that every such notification made under section 1(4) shall be laid before each House of Parliament.
19
E-Governance Electronic governance (e-governance, for short) presupposes the presence and application of an electronic device or a set thereof which makes the underlying communication feasible. Computers are the most widely used devices (next possibly to cellular phones only). Any electronic, magnetic, optical or other high speed data processing device or system which performs logical, arithmetic and memory functions by manipulation of electronic, magnetic or optical impulses fits the definition of a computer given under the Act. 35 It also includes all input, output, processing, storage, computer software, or communication facilities related to the computer in a computer system or a computer network. The Act defines 'data' as a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network. Such a data may be in any form (including computer print-outs, magnetic or optical storage media, punched cards, punched tapes etc) or stored internally in the memory of the computer. The term 'information' includes data, text, images, sound, voice, codes, computer programmes, software and data bases or micro-film or computer generated micro-fiche. By electronic form, with reference to information, is meant 'any information generated, sent, received or stored in media magnetic, optical, computer memory, micro-film, computer generated micro-fiche or similar device. An 'electronic record' means data, record or data generated, image or sound restored, received or sent in an electronic form or micro-film or computer generated micro-film. A subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which (i) is reliable, and (ii) may be specified in the Second Schedule.36 An electronic signature means authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule, and includes a digital signature.37
35 36
Section 2 (i), ibid. Section 3A, inserted by the Information Technology Amendment Act, 2008 hereinafter referred to as ITAA, 2008.
37
Section 2(1) (ta), inserted by the ITAA, 2008.
20
By digital signature is meant an authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of Section 3 of the Act. For this purpose, a subscriber is a person who gets a digital signature certificate issued under Section 35 of the Act, from a Certifying Authority-a person who has been granted a licence to issue an electronic digital signature certificate-under Section 24 of the Act. A digital signature involves the use of a pair of keys. The first one, the private key, is used to create a digital signature whereas the second one, that is, public key is used to verify the digital signature. In other words, the public key is used by any person, other than the person affixing his digital signature, to verify the original record. In relation to a digital signature certificate, to verify an electronic record or a public key is to determine (i) whether the initial electronic record was affixed with the digital signature by the use of private key corresponding to the public key of the subscriber; and (ii) whether the initial record is retained intact or has been altered since such electronic record was so affixed with the digital signature. The person who sits at the initial point of this electronic communication is termed as an originator. An originator means 'a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person.' However, the term 'originator' does not include an intermediary; because an intermediary is one who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message.
Section 3 states that a subscriber may authenticate an electronic record by affixing his digital signature. Such an authentication is effected by the use of 'asymmetric crypto system' and liash function', which envelop and transform the initial electronic record in to another electronic record. Here, the 'hash function' means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as liash result' such that an electronic record yields the same result every time the algorithm is executed with the same electronic record as its input. Thus, it is not possible to derive or reconstruct the original electronic record from the hash result (produced by algorithm) nor is there a chance that two records produce the same hash result (using the algorithm). In other words, a digital signature, like a manual signature in case of a paper document, establishes and ensures for posterity the uniqueness or the originality of the initial electronic record. This is so because the private key and the public key are unique to the
21
subscriber and constitute a functioning key pair. Section 10 empowers the Central Government to make rules for digital signature. For the purpose of governance through electronic means, the Act provides legal recognition to electronic records (section 4), electronic signatures (section 5), and the use of such records and signatures in government and its agencies (section 6) in a manner prescribed by the appropriate government. It also empowers the appropriate government to make rules in this regard. Section 84A, inserted by the ITAA, 2008 states that the Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption. Section 6A38 empowers the appropriate government to authorize, for the efficient delivery of services to the public through electronic means, any service provider to set up, upgrade and maintain computerized facilities and to perform such services as are specified. It may also authorize a service provider to collect, retain and appropriate service charges in lieu of the said services; and a service provider to collect service charges under this section notwithstanding the fact that there is no express provision under this Act or the rules made there under. Further, it may prescribe different scales of service charges for different types of services. Where any law provides the retention of a document for a certain period of time, the same shall be deemed to have been satisfied if the said document is retained in the electronic form;39 where the audit of a document is provided for, such provision shall apply to documents processed and maintained in electronic form;40 or where the publication in the Official Gazette is required, the publication in either the Official Gazette or the Electronic Gazette will do; and if the publication has been made in both forms, the date of the publication of the earlier one shall be taken as the date of publication of the said law.41
However, these provisions do not confer a right upon any person to insist that a ministry etc of the Central or the State Government or any authority under these governments should accept,
38 39 40 41
Inserted by the ITAA, 2008. Section 7. Section 7A, inserted by ITAA 2008. Section 8.
22
issue, create, retain or preserve any document in electronic form or effect any monitory transaction in the electronic form.42
Electronic Signature Certificates Following the model law on electronic signature proposed by the United Nations Commission of International Trade Law (UNCITRAL) in the year 2001, the ITAA, 2008 has provided for electronic signature which includes digital signature. Affixing an electronic signature means 'adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of an electronic signature.43 An electronic signature certificate means 'an electronic signature certificate issued under section 35' and it 'includes digital signature certificate'.44 Accordingly, the name of the chapter has been changed from 'digital signature certificates' to 'electronic signature certificates'. A digital signature certificate means a digital signature certificate issued under sub-section (4) of section 35. The particulars of electronic signature or electronic authentication technique and procedure are yet to be notified, and, after such notification, shall form the content of the second schedule. The Act provides a procedure to get digital signature certificates. Any person can make an application, along with prescribed fee (not exceeding twenty five thousand rupees), and a certification practice statement (or any other statement prescribed by regulations), to the Certifying Authority who, after proper inquiries, may grant the digital signature certificate. 45 The Certifying Authority can not reject an application unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection. The Certifying Authority, while issuing the digital signature certificate, shall certify, among other things, that it has complied with the provisions of the Act or rules; that it has published the digital signature certificate or made it available to such person relying on it and the subscriber has accepted it; that the subscriber holds the private key corresponding to the public key listed in the digital signature certificate; that the public key can be used to verify the signature created by
42 43 44 45
Section 9. Section 2 (1) (d). Section 2 (1) (tb), inserted by ITAA 2008. Section 35.
23
private key; and that the information contained in the digital signature certificate is accurate, to the best of its knowledge.46 A digital signature certificate can be suspended either on a request from the subscriber listed in the certificate or any person authorised to act on his behalf; or by the Certifying Authority itself in the public interest. However, in case of suspension exceeding 15 days, the subscriber shall be given a fair hearing; and on suspension of a digital signature certificate, the Certifying Authority shall communicate the same to the subscriber.47 A Certifying Authority may revoke the digital signature certificate issued by it (a) on the request of the subscriber or a person authorised by him; (b) upon the death of the subscriber; or, where the subscriber is a firm or a company, upon the dissolution of the firm or winding up of the company. If the Certifying Authority is of the opinion that a material fact represented in the digital signature certificate is false or has been concealed, or a requirement for the issuance of the certificate has not been satisfied; or the private key or the security has been compromised in a manner which mainly affects the reliability of the certificate; or the subscriber, as the case may be, has been declared insolvent or dissolved or wound up or otherwise has ceased to exist, it may revoke the certificate after, where it is possible, the subscriber has been given a fair opportunity to be heard.48 In case of revocation or suspension of a certificate, the authority shall publish a notice of such suspension etc in the repository (or, in case of there being more than one, in all the repositories) of the digital signature certificate for publication of such notice.49 If a person publishes an electronic signature certificate or otherwise makes it available to any other person with the knowledge that certain particulars are not true, he shall be punished with imprisonment for a term which may extend to two years and fine which may extend to one lac rupees or both; unless such publication is for the purpose of verifying a digital signature created prior to suspension or revocation of the certificate.50 For example, if the said publisher knows
46 47 48 49 50
Section 36. Section 37. Section 38. Section 39. Section 73.
24
that the Certifying Authority listed in the certificate has not issued it, or the subscriber listed in the certificate has not accepted it, or the certificate has been revoked or suspended; the provisions of this section shall be attracted. The Act stipulates the same punishment in case of publication of an electronic signature certificate for fraudulent purposes.51 Section 10, as modified by ITAA, 2008, empowers the Central Government to make rules prescribing the type of electronic signature; the manner of affixing the electronic signature; control processes to ensure integrity, security and confidentiality of electronic records; and any other matter to give legal effect to electronic signature. Section 10A52 grants validity to contracts formed through means of electronic records. Duties of Subscribers Upon acceptance of the certificate, it is the duty of the subscriber to generate a key pair applying the security procedure.53 In case of an electronic signature certificate, the subscriber shall perform such duties as may be prescribed.54 A subscriber shall be deemed to have accepted a digital signature certificate if he publishes or authorises the publication of a digital signature certificate to one or more persons, or demonstrates his approval in any other manner. By accepting the digital signature certificate, the subscriber certifies to all who reasonably rely on the information contained in the digital signature certificate that he holds the private key corresponding to the public key listed in the certificate and is entitled to hold the same; and that all representations made by him to the authority and all information in the digital signature certificate are correct to the best of his knowledge.55 Every subscriber shall exercise a reasonable care to retain control of the private key corresponding to the public key and take all steps to prevent its disclosure to a person not authorised to affixing the digital signature of the subscriber. Also, the subscriber shall, without any delay, inform the certifying authority in case the private key has been compromised. The
51 52 53 54 55
Section 74. Inserted by ITAA, 2008. Section 40. Section 40A, inserted by ITAA, 2008. Section 41.
25
subscriber shall be liable for any consequence for the period extending from the point of time of the said compromise to the point of time when he has informed the certifying authority.56
Attribution of Electronic Records Much of the evidentiary value of a statement, inter alia, depends on the person who makes it and his locus in the entire episode under consideration. In fixing liability arisen out of reliance on an electronic record, therefore, it becomes of utmost importance to know who the said electronic record is attributable to. An electronic record shall be attributed to the originator if it has been sent either by the originator himself or a person authorised by him in this behalf or an information system programmed by the originator to operate automatically.57 Where the originator has not stipulated that the acknowledgement of receipt of electronic record be given in a particular form or by a particular method, any communication by or any conduct of the addressee will do if it is sufficient to indicate to the originator that the electronic record has been received. On the other hand, if the originator has stipulated that the record shall be binding only on the acknowledgement of the receipt of such electronic record by him, then in the absence of such a receipt, the electronic record shall be deemed to have been never sent by the originator. In case where no specific form is stipulated, but the addressee has not acknowledged the receipt of the record in any manner sufficient to inform the originator of the receipt; the originator may notify the addressee about it and ask him to send the acknowledgement within time specified by the originator failing which the record will be treated as though it had never been sent. 58 The dispatch of an electronic record occurs when it enters a computer resource outside the control of the originator; and the receipt occurs at a time when (i) the dispatch enters the designated computer resource; or (ii) in case of it having been sent to the computer resource other than the designated one, when the dispatch is retrieved by the addressee. Moreover, if the addressee has not designated a computer resource along with specified timings, if any, the receipt occurs when the electronic record enters the computer resource of the addressee. In absence of an agreement to the contrary, an electronic record is deemed to have been dispatched at a place
56 57 58
Section 42. Section 11. Section 12, as modified by ITAA, 2008.

26
where the originator has his place of business, and is deemed to have been received at a place where the addressee has his place of business. In case of more than one places of business, the principal place of business (of the originator or the addressee, as the case may be) shall be taken to be the place of business; and in case of no such place (s), the usual place of residence shall be deemed to be the place of business. For a body corporate, the usual place of business is the place where it is registered.59 In M/s PR Transport Agency v. Union of India and others,60 the Allahabad High Court held that the contract completes at the point where the offer was accepted by the appellant. Because the appellant's place of business fell within the Court's jurisdiction, the Court had jurisdiction to hear the case and decide, notwithstanding anything contrary in the contract formed by the parties. By agreeing to the jurisdiction of some civil court of their choice, held the Court, the parties had actually expressed their own limitation rather than the Court's; because the parties could not oust the jurisdiction of a High Court conferred by the Article 226 of the Constitution. Here the agreement had been entered in to by E-mail. The Court held that since the contract was completed by the appellant and the money for delivery of coal had been received by the respondents; any further discovery on the part of respondent, that there was some higher bidder, would not undo the contract already completed with the appellant.
Secure Records and Signatures Where any security procedure has been applied to an electronic record at a specific point of time, such record shall be deemed to be a secure electronic record from such point of time to the point of reproduction.61 An electronic signature shall be deemed to be a secure electronic signature if the signature creation data at the time of affixing was under the exclusive control of signatory and nobody else; and that the signature creation data was stored and affixed in such exclusive
59 60 61
Section 13. Civil Misc Writ Petition No. 58468 of 2005. Decided on September 24, 2005. Section 14.
27
manner as may be prescribed. In case of a digital signature, the term 'signature creation data' means the private key of the subscriber.62 The Central Government has been empowered to prescribe the security procedure and practices having regard to the commercial circumstances prevailing at the time when the procedure was used.63
Intermediary Most of the electronic communications are made by individuals through the medium of what are termed as network service providers. In such a situation, the names of intermediaries also figure in every episode if the information or data transmitted with their help proves to be
in contravention of the Act or rules made there under, or offending to some other individual or company or the like. Crucial points to be decided in such cases are, inter alia, whether and, if yes, up to what extent the network service provider (s) may be held liable to be punished along with other culprits like, say, the originator of the information etc. Under the Information Technology Act, 2000, the said network service provider would mean an 'intermediary', the person transmitting the information etc the 'third party, and the information dealt with by the intermediary in this capacity the 'third party information'. Such intermediary would not be liable for any third party information, made available by him, if he could prove the offence had been committed without his knowledge or that he had exercised due diligence. Through ITAA, 2008, the noose has been tightened around the network service providers, probably in the light of increasing incidents of cyber crime wherein the role of intermediaries was found to be questionable. This is manifest in the definition of the term 'intermediary', and the provisions regarding their liability or, as the case may be, non-liability. As a result, the job of an intermediary has become very much akin to that of a tight-rope walker. Now, an intermediary, with respect to any particular electronic record, is any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet
62 63
Sections 15, substituted vide ITAA, 2008. Section 16, as amended by ITAA, 2008.
28
service providers, web hosting service providers, search engines, online payment sites, onlineauction sites, online market places and cyber cafes.64 An intermediary shall not be liable for any third party information, data, or communication link made or hosted by him,65 if (a) his function is limited to providing access to communication system over which the
information made available by the third party is transmitted or temporarily stored; or (b) he does not initiate the information, select the receiver of the transmission, and select or
modify the information contained in the transmission; or (c) he observes due diligence while discharging his duties under the Act and the guidelines prescribed by the Central Government.66 It is not an exaggeration of the fact that in great many cases the intermediaries play the roles far removed from what their name would have ever suggested. When, for example, the intermediaries commit, or conspire to commit, or aid or abet the causation of a cyber crime; they are certainly acting in a direction neither intended nor approved of by law. Thus the Supreme Court in Sanjay Kumar Kedia v. Narcotics Control Bureau and anr.,67 declined to grant bail to the appellant because it found, in the light of the evidence before it, that 'the appellant and his associates were not innocent intermediaries or network service providers as defined under section 79 of the Act (that is, IT Act, 2000)', but that their business was 'only a facade and camouflage for more sinister activity'. Here, the company headed by the appellant had designed, developed and hosted pharmaceutical websites; and, using these websites, had distributed huge quantity of psychotropic substances (phentermine and butalbital) in the United States of America with the help of his associates. This was an offence punishable with rigorous imprisonment for a term of ten years to twenty years and fine from one lac to two lac rupees, under section 24 of the Narcotic Drugs and Psychotropic Substances Act, 1985. The Court also made it clear that where the accused had violated the provisions of the Narcotic Drugs and Psychotropic Substances Act,
64 65 66 67
Section 2 (1) (w), substituted by ITAA, 2008. Section 79 (1), corrected by ITAA, 2008. Section 79 (2), inserted by ITAA, 2008. See : 2007(12) SCR 812; 2008 (2) SCC 294.
29
1985, section 79 of IT Act, 2000 would not grant him immunity from prosecution since section 79 could do so only with respect to offences under the IT Act, 2000. The present Act appears all set to hit hard such persons who, while indulging in committing crimes, try to use the garb of an intermediary as a shield to save their skin. An intermediary shall, therefore, be liable to be punished if (a) he has conspired or abetted or aided or induced whether by threats or promise or otherwise in the commission of the unlawful act, or (b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.68 An intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.69 Any intermediary who intentionally or knowingly contravenes the aforesaid direction of the Central Government shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.70
Protected systems The appropriate government may, by notification, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure to be a protected system. 71
68
Section 79 (3), inserted by ITAA, 2008. For the purpose of section 79, adds an explanation at the end of the section, the expression 'third party information' means any information dealt with by an intermediary in his capacity as an intermediary.
69 70 71
Section 67C (1), inserted by ITAA,2008. Section 67C (2), inserted by ITAA,2008. Section 70 (1), substituted ITAA, 2008. For the purposes of this section, 'Critical Information Infrastructure' means the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy public health or safety.
30
The appropriate Government may, by order in writing, authorise persons who are authorised to access such protected systems as are notified.72 Any person who accesses in an unauthorised way; or tries, without lawful authority, to get access to such protected system shall be punished with imprisonment up to ten years and fine.73 The Central Government shall prescribe the information security practices and procedures for protected systems.74 In respect of Critical Information Infrastructure Protection, the Central Government shall, by a notification in the Official Gazette, designate any organisation of the Government as the national nodal agency.75 The national nodal agency so designated shall be responsible for all measures including research and development relating to protection of Critical Information Infrastructure.76 The manner of performing functions and duties of the said agency shall be as may be prescribed.77
Control Mechanism The ITAA, 2008 has both enlarged and strengthened the control mechanism devised by the Information Technology Act, 2000. On the one hand, it has converted the Cyber Appellate Tribunal (Section 68) from a one member to a multi-member body, and amended the process of appointing its Chairperson (earlier known as Presiding Officer) by bringing in to picture none other than the Chief Justice of India who shall be consulted by the Central Government before appointing the Chairperson; and on the other, it has provided for the Indian Computer Emergency Response Team (Section 70B), Examiner of Electronic Evidence (Section 79A) and an Agency to monitor traffic data etc (Section 69B). Besides, it has drastically amended the provisions related to the Controller (Section 17), Certifying Authorities (Sections 30-34), the Cyber Appellate Tribunal (Section 68), Adjudicating Officer (Section 46-47) and Cyber Regulations Advisory Committee (Section 88).
72 73 74 75 76 77
Section 70 (2). Section 70 (3). Section 70 (4), inserted by ITAA, 2008. Section 70A (1), inserted by ITAA, 2008. Section 70A (2), inserted by ITAA, 2008. Section 70A (3), inserted by ITAA, 2008.
31
We shall have a look at the relevant provisions of the Act, not necessarily in the order mentioned above.
Controller The Central Government may appoint the Controller; and proper number of deputy controllers, assistant controllers, officers and employees. The Controller acts under the general superintendence of the Central Government. The deputy controllers and assistant controllers shall perform the functions assigned to them by the Controller under the general superintendence and control of the Controller. The qualifications, experience and terms and conditions of service of Controller, deputy controllers, assistant controllers, and other officers and employees shall be such as may be prescribed by the Central Government. The head office and the branch office of the office of the Controller shall be at such places as the Central Government may specify, and these may be established at such places as the Central Government may think fit. There shall be a seal of the office of the Controller.78 (a) Functions of Controller The Controller supervises the activities of Certifying Authorities, lays down the standards to be maintained by Certifying Authorities, specifies the manner in which Certifying Authorities will conduct their business, lays down the duties of the Certifying Authorities and resolves the disputes between these authorities and their customers. Other functions of the Controller include specifying the conditions subject to which the authorities shall conduct their business; contents of written, printed or visual materials and advertisements that may be distributed or used in respect of an electronic signature certificate and the public key; terms and conditions for appointment of auditors; the form and content of an electronic signature certificate and the key; and, specifying the form and manner in which accounts will be maintained by the Certifying Authorities.79 Recognition to Foreign Certifying Authorities With the prior approval of the Central Government and subject to proper conditions and restrictions, the Controller may, by notification in the Official Gazette, recognize any Foreign
78 79
Section 17, as amended by ITAA, 2008. Section 18, as amended by ITAA, 2008.
32
Certifying Authority as a Certifying Authority for the purposes of the Act; and the digital signature certificate issued by such foreign Certifying Authorities shall be valid for the purposes of the Act. In case such foreign Certifying Authority contravenes any of the conditions under which it had been granted recognition, the Controller may, for reasons to be recorded in writing, by notification in the Official Gazette, revoke such recognition.80 Grant of licence to issue digital signature certificate The Act details the procedure following which one can get a licence to issue digital signature certificates. Any person can make an application to the Controller for a licence to issue digital signature certificates. For this, the applicant must fulfil the requirements prescribed by the Central Government with respect to qualification, expertise, manpower, financial resources and other infrastructural facilities necessary for issuance of digital signature certificates. A licence so granted is non-transferable and non-heritable, and remains valid for a period specified by the Central Government.81 An application for issuance of a digital signature certificate must be accompanied by a certification practice statement, a statement with respect to the identification of the applicant, prescribed fee (not exceeding twenty five thousand rupees), and any other document prescribed by the Central Government.82 At least five days before its expiry, the present licence may be renewed after an application for the same with prescribed fee (not exceeding five thousand rupees) is made to the Controller.83 The Controller may, after perusal of the application, grant the licence, or reject the application in which case he must provide the opportunity to the applicant to present his case.84 The Controller may, if he is satisfied after an inquiry, that a Certifying Authority has made an incorrect statement in relation to the issue or renewal of the licence, or failed to comply with the terms and conditions of the licence, or contravened the provisions of the Act or any rules made there under, revoke the licence. The Controller, if he has a reasonable cause to believe that there
80 81 82 83 84
33
is any ground for revoking a licence, may suspend the licence pending an inquiry. However, such suspension can not continue beyond a period of ten days without providing the Certifying Authority a reasonable opportunity of showing cause against the proposed action. When its licence is suspended, no Certifying Authority shall issue any digital signature certificate.85 When the licence of a Certifying Authority is revoked or cancelled, the Controller shall publish the notice to this effect in the data base maintained by him. The data base containing the said revocation or suspension will be accessible round the clock. Where one or more repositories are specified, the notice shall be published in all such repositories. 86 The Controller may delegate his powers to a Deputy Controller, Assistant Controller or any other officer.87
(b) Powers of Controller The Controller or any officer authorised by him in this behalf shall take up for investigation any contravention of the provisions of the Act. The Controller or, as the case may be, any officer authorised by him shall exercise all the powers which are conferred on Income Tax authorities under the Income Tax Act, 1961, and subject to limitations laid down there under.88
Power to access On a reasonable suspicion that any provision of the Act or any rule made there under has been contravened, the Controller or any officer authorised by him has the power of access to any computer system, any apparatus, any data or any other material connected with such system for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system. For this purpose, Controller or any officer authorised by him may, by order, direct any person in charge of, or otherwise connected with the operation of, the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary.89
85 86 87 88 89
34
Power to make regulations After consultation with the Cyber Regulations Advisory Committee, and with prior approval of the Central Government, the Controller may make regulations to carry out the purposes of the Act.90 In particular, but without prejudice to the general powers in this regard, the regulations made by the Controller may provide for the following:91 (a) the particulars relating to maintenance of database containing the disclosure record of every Certifying Authority under clause (n) of section 18; (b) the conditions and restrictions subject to which the Controller may recognize any foreign Certifying Authority under section 19 (1); (c) the terms and conditions subject to which a licence may be granted under clause (c) of section 21(3); (d) (e) (f) other standards to be observed by a Certifying Authority under clause (d) of section 30; the manner of disclosure of information by a Certifying Authority under section 34 (1); particulars of statement accompanying an application to a Certifying Authority for grant of an electronic signature certificate under section 35 (3); (g) the manner in which a subscriber communicates the compromise of private key to the Certifying Authority under section 42 (2). Every regulation so made shall be placed before both Houses of Parliament while in session for sixty days; and shall be effective with or without modifications made by the Houses or, if the Houses so decide, shall be of no effect; provided that any such modification or annulment shall not adversely affect anything previously done under that regulation.92
Examiner of Electronic Evidence Compared to paper-based documents, there is a greater chance of distortion, tampering, manipulation or the like with an electronic document, which when produced before a court of law may have the tendency to adversely affect the process of administration of justice by misleading the Court. This may dwindle the chances of getting justice. The Act is vigilant to the
90 91 92
Section 89(1). Section 89(2). Section 89(3).

35
likelihood of such mischief being played by those concerned to tilt the scales of justice in their favour. It provides for appointment of an 'Examiner of Electronic Evidence'. For the purposes of providing expert opinion on electronic form of evidence before any court or other authority, the Central Government may specify through notification in Official Gazette any department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.93 Here 'electronic form evidence' means any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell-phones, digital fax machines etc. To this end, a new section94 has been inserted in the Indian Evidence Act which states that the Examiner of Electronic Evidence shall be treated as an 'expert', and his opinion on the electronic form evidence relevant, for purposes of the Indian Evidence Act.
Certifying Authorities and their duties A Certifying Authority is one who has applied for, and been granted the licence by the Controller to issue electronic signature certificates to the subscribers. There are certain obligations that the Act imposes on the Certifying Authorities. Every Certifying Authority shall make use of hardware, software and procedures that are secure from intrusion and misuse; provide a reasonable level of reliability in its services; adhere to security procedures to ensure that the security and privacy of electronic signatures are assured; publish information regarding its practices, electronic signature certificate and current status of such certificates; and observe such other standards as are specified by regulations.95 Every Certifying Authority shall ensure that every person employed or otherwise engaged by it, in the course of employment or engagement, complies with the provisions of the Act or rules etc made there under.96 Every Certifying Authority shall display its licence at a conspicuous place of the premises in which it carries on its business.97 Every Certifying Authority whose licence is
93 94 95 96 97
Section 79A, inserted by ITAA, 2008. Section 45A. Also, see 8.4 supra. Section 30, as amended by ITAA, 2008. Section 31. Section 32.
36
suspended or revoked shall, immediately after such suspension or revocation, surrender the licence to the Controller failing which the person, in whose favour the licence had been issued, shall be guilty of an offence punishable with an imprisonment of up to six months or a fine of up to ten thousand rupees or both.98 Every Certifying Authority shall disclose, in the manner specified by regulations, the following things:99 (a) (b) (c) (d) its electronic signature certificate; any certification practice statement relevant thereto; notice of the revocation or suspension of its Certifying Authority certificate, if any; and any other fact that materially and adversely affects either the reliability of a digital signature certificate which that Authority has dssued, or the Authority's ability to perform its services. If, in the opinion of the Certifying Authority, any event has occurred or any situation has arisen which may materially and adversely affect the integrity of its computer system or the conditions subject to which a digital signature certificate was granted, then, the Certifying Authority shall (a) use reasonable efforts to notify any person who is likely to be affected by that occurrence; or (b) act in accordance with the procedure specified in its certification practice statement to deal with such event or situation. The Controller may issue direction to a Certifying Authority or any employee of such authority to take or not to take certain measures in order to ensure compliance of any provisions of the Act or rules or regulations made there under; and an intentional and deliberate non-compliance of such orders is punishable with imprisonment up to two years or fine up to one lac rupees, or both.100
98 99 100
Section 33. Section 34, as amended by ITAA, 2008. Section 68, as amended by ITAA, 2008.
37
The Cyber Appellate Tribunal The ITAA, 2008 has dropped the word 'regulations' from the name of the tribunal envisaged under the IT Act, 2000; and, therefore, this body will now be known as the Cyber Appellate Tribunal rather than as the Cyber Regulations Appellate Tribunal. The composition of the tribunal has also been changed making it a multi-member body with technical and judicial members. This is indeed a very significant improvement upon the erstwhile single member (who, under the IT Act, 2000, was designated as the Presiding Officer) body; and is certain to make the tribunal really meaningful as an appellate forum. The amended Act provides for establishment by Central Government of one or more appellate tribunals to be known as Cyber Appellate Tribunal (CAT). The Central Government shall also specify the matters and places in relation to which the Tribunal may exercise its jurisdiction.101
Constitution The Tribunal shall consist of chairperson and such number of other members as the Central Government may, by notification in the Official Gazette, appoint. However, the person appointed as the Presiding Officer of the cyber appellate tribunal under the provisions of this Act immediately before the commencement of ITAA, 2008 shall be deemed to have been appointed as the Chairperson of the said CAT under the provisions of this Act as amended by the ITAA, 2008. The President, exercising the powers of the Central Government under Section 49 of the IT Act, 2000, appointed on February 26, a retired Judge, Shri Rajesh Tandon as the Presiding Officer of the Cyber Regulations Appellate Tribunal for three years or till he attains the age of 65 years, whichever is earlier. Thus, Justice Tandon shall continue to work as the Chairperson of the Cyber Appellate Tribunal after coming into force of ITAA, 2008. The Central Government decides the number of staff and employees of the tribunal. The officers and employees of the tribunal shall discharge their functions under general superintendence of the Presiding Officer. The salaries etc of such officers and employees shall be such as prescribed by the Central Government.102
101 102
Section 48. Section 56.

38
The selection of the chairperson and members of the Cyber Appellate Tribunal shall be made by the Central Government in consultation with the Chief Justice of India. Subject to the provisions of the Act, the jurisdiction, powers and authority of the CAT may be exercisable by the benches thereof. Further, a bench may be constituted by the Chairperson of the Cyber Appellate Tribunal with one or more members of such Tribunal as the Chairperson may deem fit. The benches of the Cyber Appellate Tribunal shall sit at New Delhi and at such other places as the Central Government may, in consultation with the Chairperson of the Cyber Appellate Tribunal, by notification in the Official Gazette, specify. The Central Government shall, by notification in the Official Gazette, specify the areas in relation to which each bench of the Cyber Appellate Tribunal may exercise its jurisdiction. The Chairperson of the Cyber Appellate Tribunal may transfer a member of such tribunal from one bench to another bench. If at any stage of the hearing of any case or matter, it appears to the Chairperson or a member of the Cyber Appellate Tribunal that the case or matter is of such a nature that it ought to be heard by a bench consisting of more members, the case or matter may be transferred by the Chairperson to such bench as the Chairperson may deem fit.103 Qualifications A person shall be qualified for appointment as the Chairperson of a Cyber Appellate Tribunal if he is, or has been, or is qualified to be, a judge of a High Court. The members of the CAT, except the judicial member, shall be appointed by the Central Government from amongst persons having special knowledge of, and professional experience in, disciplines such as information technology, telecommunication, industry, management or consumer affairs. A person shall not be appointed as a Member, unless he is, or has been in the service of the Central Government or a State Government, and has held the post of additional secretary to the Government of India or any equivalent post in the (Central or a State) Government for a period of not less than one year or joint secretary to the Government of India or any equivalent post in the (Central or a State) Government for a period of not less than seven years. The Judicial Members of the Cyber Appellate Tribunal shall be appointed by the Central Government. A person shall not be appointed as a Judicial Member unless he is, or has been a member of the
103
Section 49, as amended by ITAA, 2008.

39
Indian Legal Service and has held a post of additional secretary for a period of not less than one year, or Grade I post of that service for a period of not less than five years.104 Service Conditions The Chairperson or Member of the CAT shall hold office for a term of five years from the date on which he enters upon his office, or until he attains the age of 65 years, whichever is earlier.105 The salary, allowances, and other terms and conditions of service of the Chairperson or Member shall be such as may be prescribed.106 Appointment of the Chairperson or Member can not be judicially reviewed. Similarly, no act or proceeding before a Cyber Appellate Tribunal shall be called in question in any manner on the ground merely of any defect in the constitution of a Cyber Appellate Board.107 The Chairperson or Member shall not be removed from office except by an order by the Central Government on the ground of proved misbehaviour or incapacity after an inquiry made by a judge of the Supreme Court in which the Chairperson or Member concerned has been informed of the charges against him and given a reasonable opportunity of being heard in respect of those charges.108 The Central Government may by rules regulate the procedure for the investigation of misbehaviour or incapacity of the aforesaid Chairperson or Member.109
Powers of the Chairperson The Chairperson of CAT shall have powers of general superintendence and direction in the conduct of affairs of the Tribunal, of distribution of business among benches (and also matters to be dealt with by each bench), and of transferring the cases from one bench to the other (on the application of any of the parties; and after notice to the parties, and after hearing them). If the members of a bench differ on a point, they shall state that point and make a reference to the Chairperson who shall hear it (himself, or along with some other members) and such point shall
104 105 106 107 108 109
Section 50, as amended by ITAA, 2008. Section 51, as amended by ITAA, 2008. Section 52, as amended by ITAA, 2008. Section 55. Section 54(2). Section 54(3).
40
be decided according to the opinion of the majority of the members who have heard the case, including those who first heard it.
Filling of vacancies In case of a vacancy, other than that caused by temporary absence of the Chairperson or Member, the Central Government shall appoint another person in accordance with provisions of the Act to fill the vacancy.110 The Chairperson or Member may resign by notice in writing under his hand addressed to the Central Government. If the Central Government does not permit him to relinquish forthwith, the Chairperson or Member shall continue to hold his office until the expiry of three months from the date of receipt of such notice or until a person duly appointed as his successor enters upon his office or until the expiry of the term of his office, whichever is the earliest.111 Procedure for appeal to the Tribunal Any person aggrieved by an order made by Controller or an Adjudicating Officer 112 may go in to appeal before the Tribunal within twenty five days and with prescribed fees and the Tribunal shall dispose of the appeal finally within six months. The Tribunal will provide both parties a reasonable opportunity of hearing and pass such orders as it thinks fit, modifying or quashing the order appealed against. The Tribunal can, if it is satisfied that there was sufficient cause for the delay, entertain an appeal even after the expiry of the said twenty five days period.
A copy of every order made by the Tribunal is sent to the parties to the appeal, and to the Controller or, as the case may be, the Adjudicating Officer.113 The Tribunal shall not be bound by the procedure laid down by the Code of Civil Procedure, 1908; but shall be guided by the principles of natural justice. However, its proceedings shall be deemed to be judicial proceedings within the meaning of Sections 193, 228 and 196 of the Indian Penal Code, 1860; and it shall be
110 111 112
Section 53. Section 54(1). An Adjudicating Officer is appointed by the Central Government under s. 46 of the Act for deciding a dispute.
113
Section 57.
41
deemed to be a Civil Court for the purpose of Section 195 of the Code of Criminal Procedure, 1973.114 The appellant may either appear in person or authorize one or more legal practitioners or any of its officers to present his or its case before the Tribunal.115
Appeal from the decisions of the Tribunal Provisions of Limitation Act shall, so far as may be, apply to an appeal preferred to the Tribunal.116 No court shall have jurisdiction to entertain a suit or proceeding in respect of any matter which only Controller or the Adjudicating Officer is empowered to hear under the Act, except where the claim for injury or damage suffered exceeds the maximum which can be awarded under the Act.117 However, an appeal against the order of the Tribunal may be preferred before the High Court having jurisdiction within sixty days of the said order or, with the special permission of the High Court, even after that period within the next sixty days, but no later.118
Adjudicating Officer In order to ascertain whether a person has committed a contravention of any provision of the Act or rules made there under, the Central Government shall appoint as Adjudicating Officer, a person not below the rank of Director to the Government of India or an equivalent officer of a State Government, for holding an inquiry in the manner prescribed by the Central Government.119 The Adjudicating Officer so appointed shall exercise jurisdiction to adjudicate matters wherein the claim for injury or damage does not exceed rupees five crore, provided that the jurisdiction in respect of claim for injury or damage exceeding five crore rupees shall vest with the competent court.120 The Adjudicating Officer shall provide the person concerned a reasonable opportunity of hearing, and if, on such inquiry he is satisfied that the person has
114 115 116 117 118 119 120
Section 58. Section 59. Section 60. Section 61. Section 62. Section 46 (1), as amended by ITAA, 2008. Section 46(1A), inserted by ITAA, 2008.
42
committed contravention, he may impose such penalty or award such compensation as he thinks fit in accordance with the provisions of the Act.121 A person shall not be appointed as an Adjudicating Officer unless he possesses such experience in the field of Information Technology and legal and judicial experience as may be prescribed by the Central Government.122 Where more than one Adjudicating Officers are appointed, the Central Government shall specify by order the matters and places with respect to which such officers shall exercise their jurisdiction.123 Every Adjudicating Officer shall have the powers of a Civil Court which are conferred on the Cyber Appellate Tribunal under Section 58(2), and (a) all proceedings before it shall be deemed to be judicial proceedings within the meaning of Sections 193 and 228 of the Indian Penal Code; (b) shall be deemed to be a Civil Court for the purposes of Sections 345 and 346 of the Code of Criminal Procedure, 1973;124 and (c) shall be deemed to be a Civil Court for purposes of Order XXI of the Code of Civil Procedure, 1908.125 While adjudicating the quantum of compensation the Adjudicating Officer shall have due regard to the following factors, namely : (a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default; (b) (c) the amount of loss caused to any person as a result of the default; and the repetitive nature of the default.126
121 122 123 124 125 126
Section 46(2). Section 46 (3). Section 46 (4). Section 46 (5). Inserted by, ITAA, 2008. Section 47.
43
Indian Computer Emergency Response Team (ICERT) The Central Government shall, by notification in the Official Gazette, appoint an agency of the Government to be called the Indian Computer Emergency Response Team. 127 The Central Government shall provide the said agency with a Director General and such other officers and employees as may be prescribed.128 The salary, allowances, and, terms and conditions of the Director General and other officers and employees shall be such as may be prescribed.129 The ICERT shall serve as the national agency for performing the following functions in the area of cyber law :130 (a) (b) (c) (d) collection, analysis and dissemination of information on cyber incidents; forecast and alerts of cyber security incidents; coordination of cyber incidents response activities; issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents; and (e) such other functions relating to cyber security as may be prescribed.
The manner of performing functions and duties of the said agency shall be as may be prescribed.131 In the course of performing its functions the ICERT may call for information and give direction to the service providers, intermediaries, data centres, body corporate and any other person.132 Any service provider, intermediaries, data centres, body corporate or person who fails to provide the information called for or comply with the direction, shall be punishable with imprisonment which may extend to one year or with fine which may extend to one lac rupees or both.133
127 128 129 130 131 132 133
Section 70B (1), inserted by ITAA, 2008. Section 70B (2), inserted by ITAA, 2008. Section 70B (3), inserted by ITAA, 2008. Section 70B (4), inserted by ITAA, 2008. Section 70B (5), inserted by ITAA, 2008. Section 70B (6), inserted by ITAA, 2008. Section 70B (7), inserted by ITAA, 2008.
44
No court shall take cognizance of any offence under this section except on a complaint made by an officer authorized in this behalf by the agency.134
Agency to Monitor Traffic Data etc. For enhancing cyber security; and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, the Central Government may, by notification in the Official Gazette, authorise any agency of the government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.135 The intermediary or any person in charge of the computer resource shall, when called upon so to do, provide all technical assistance to the agency authorised as aforementioned, to enable online access to the computer resource generating, transmitting, receiving or storing such traffic data or information.136 The procedure and safeguards for monitoring and collecting traffic data or information shall be such as may be prescribed.137 Any intermediary who intentionally or knowingly fails to provide the said technical assistance shall be punished with an imprisonment extendable to seven years and shall also be liable to fine.138 Here a 'computer contaminant' shall have the same meaning as assigned to it in section 43.139 Accordingly, a 'computer contaminant' means any set of computer instructions that are designed (a) to modify, destroy, record or transmit data or programme residing within a computer system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system or computer network. 'Traffic data' means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is , or may be transmitted and includes communication's origin, destination, route, time, date, size, duration or type of underlying service or any other information.140
134 135 136 137 138 139 140
Section 70B (8), inserted by ITAA, 2008. Section 69B (1), inserted by ITAA, 2008. Section 69B (2), inserted by ITAA, 2008. Section 69B (3), inserted by ITAA, 2008. Section 69B (4), inserted by ITAA, 2008. See, explanation (i) to section 69B. See, explanation (Ii) to section 69B.
45
Cyber Regulations Advisory Committee The Act provides for setting up of an advisory body which will be known as Cyber Regulations Advisory Committee.141 The Central Government shall, as soon as may be after the commencement of this Act, constitute a Committee called the Cyber Regulations Advisory Committee.142 The Cyber Regulations Advisory Committee shall consist of a Chairperson and such number of other official and nonofficial members representing the interests principally affected or having special knowledge of the subject-matter as the Central Government may deem fit.143 The Cyber Regulations Advisory Committee shall advise (a) the Central Government either generally as regards any rules or for any other purpose connected with this Act; and (b) the Controller in framing the regulations under this Act.144 There shall be paid to the non-official members of the Committee such travelling and other allowances as the Central Government may fix.145
Offences and Remedies The statement of objects and reasons to the ITAA, 2006 was retained in the ITAA, 2008 which acknowledges that 'a rapid use of computer and internet has given rise to new forms of crimes like publishing sexually explicit materials in electronic form, video-voyeurism and breach of confidentiality and leakage of data by intermediary, e-commerce frauds like personation commonly known as phishing, identity theft and offensive messages through communication services'. The amended Act tries to deal with such offences with respect to a computer, computer system or computer network located in India, by a person residing in any part of the globe. How
141 142 143 144 145
Section 88. Section 88(1) Section 88(2). Section 88(3). Section 88(4).
46
it will become any more successful than its predecessor in prosecuting and bringing to book nonIndian offenders of cyber crime is, however, far from clear. 'Nigeria 419' is a case in point. 146
146
It derives its name from section 419, which was added to the Nigerian Penal Code in 1975 to deal with offences known as "Advance Fee Frauds". Later, it burgeoned in to an industry. The modus operandi is some what like this. A person, usually a young female, either a bachelor or a widow, contacts you through internet posing herself as an heir of some millionaire who, according to the story, had died intestate or, as the case may be, met an accidental death. The caller solicits your help in getting the money left by the deceased in a bank, and promising (or feigning that) she would give you a good part of that money in lieu of your help in bailing her out of the mesh that she is in. Your simple nod to help the lady means you are ready to fall in to trap prepared by her. She very shrewdly asks for some thing in cash or kind to be sent by you to a destination indicated by her. You oblige her only to do it many more times in future till you come to know that you have almost emptied your coffers in anticipation of your huge share in a capital that actually never existed anywhere except in the polite words of the lady on the net. At other times you may receive a mail from a person posing himself/herself as some bank official informing you of some dormant bank account having several million dollars/pounds, the real owner of the account being long gone and past. The person lures you to get a lion's share of that money by completing a few simple formalities. He/she assures you all help and promises that at the end of this successful deal he/she will take for him (her) self only a token amount. You agree to such an offer only to realize your folly at a stage where your greed to get huge money has damaged your financial health beyond repair. A report in the 'DATAQUEST dated August 08, 2008 by the Cyber News Service entitled 'India's first Nigeria 419 case registered' informs that a "Howrah (Kolkata) based businessman, is the first officially registered victim of Nigeria 419 scam in India and the West Bengal police is the first to register it." The case had been registered under section 420 of Indian Penal Code with section 75(2) of the Information Technology Act, 2000. For more details log on to http:dqindia.ciol.com/
content/nscam/10308080 l.asp.
47
Offences punishable with an imprisonment exceeding three years shall be cognizable and those punishable with an imprisonment up to three years bailable.147 A police officer not below the rank of an Inspector is authorised to investigate an offence under the Act.148 A police officer not below the rank of an Inspector, or any other officer of the Central Government, or of a State Government authorised by the Central Government in this behalf, may enter any public place and search and arrest without warrant any person found therein who is reasonably suspected of having committed, or committing, or being about to commit any offence under the Act. Where any person is so arrested by an officer other than a police officer, the said officer shall, without unnecessary delay, take or send the person arrested before a Magistrate having jurisdiction in the case or before the officer in charge of a police station.149 A penalty imposed under the Act, if it is not paid, shall be recovered as an arrear of land revenue and the licence or the electronic signature certificate, as the case may be, shall be suspended till the penalty is paid.150 Any computer, computer system, floppies, compact discs etc in respect of which any provision of the Act or rules etc made there under has been or is being contravened, shall be liable to confiscation. However, if it is proved to the satisfaction of the Court adjudicating the confiscation that the person in whose possession any such computer etc is found is not responsible for the contravention of the said provisions of the Act; the Court may, instead of making an order for confiscation, make any other order authorised by the Act it deems fit.151 No compensation awarded or penalty imposed or confiscation made under the Act shall prevent the award of compensation or the imposition of any other penalty or punishment to which the person affected thereby is liable under any other law for the time being in force.152 In Sanjay
147 148
Section 77B, inserted by ITAA, 2003. Section 78, as amended by ITAA, 2008, replacing the term 'deputy superintendent of police' with 'Inspector'.
149 150 151 152
Section 80. Section 64. Section 76. Section 77.

48
Kumar Kedia v. Narcotics Control Bureau and anr.,153 the apex Court, accepting the arguments forwarded by the respondents, made these observations : "It has been pointed out that the appellant had been charged under sections 24 and 29 of the (Narcotic Drugs and Psychotropic Substances) Act (of 1985) which visualized that a person could be guilty without personally handling a psychotropic substance and the evidence so far collected showed that appellant was in fact a facilitator between buyers and certain pharmacies either owned or controlled by him or associated with the two companies (set up by him) and that section 79 of the Information Technology Act (of 2000) could not by any stretch of imagination guarantee immunity from prosecution under the provisions of the (Narcotic Drugs and Psychotropic Substances) Act (of 1985)".154
Compounding of Penalties and Offences The Act provides the norms of compounding of offences. Contraventions under the Act may be compounded, but subject to the condition that such sum shall not, in any case, exceed the maximum amount of penalty to be imposed under the Act. However, this shall not apply to a person who commits the same or similar contravention within a period of three years from the date on which the first contravention committed by him was compounded. For this purpose, any second or subsequent contravention committed after the expiry of a period of three years from the date on which the contravention was previously compounded shall be deemed to be a first contravention. Once a contravention has been compounded, no proceeding or further proceeding, as the case may be, shall be taken against the person guilty of such contravention in respect of the contravention so compounded.155 A Court of competent jurisdiction may compound offences other than those for which an imprisonment for life or for a period exceeding three years has been provided under the Act. However, the Court shall not compound such offence where the accused is, by reason of his previous conviction, liable to either enhanced punishment or to a punishment of a different kind. Also, the Court shall not compound any offence where such offence affects the socio-economic
153 154 155
See : 2007(12) SCR 812; 2008 (2) SCC294. Para 6, Ibid. Words in brackets have been inserted by the author to make the sense clear. Section 63.
49
conditions of the country, or has been committed against a child below the age of 18 years, or a woman.156 The person accused of an offence under this Act may file an application for compounding in the Court in which offence is pending for trial and the provisions of sections 265B and 265C of Cr PC, 1973 shall apply.157
Compensations If a person, without the permission of the owner or the in charge of a computer or computer system or computer network or computer resource, accesses to such computer etc; downloads any data from such computer etc; introduces or causes to be introduced any computer contaminant or virus to the computer etc; damages or causes to be damaged any computer data in it; disrupts or causes disruption of any computer system; denies or causes denial of access to any person authorised for such access to a computer etc; provides any assistance to any person to facilitate access to a computer in contravention of this Act; charges the services availed of by a person to the account of another person by tampering with or manipulating any computer; destroys or deletes any information residing in a computer resource or diminishes its value or utility; or steals, conceals or alters any computer source code used for a computer resource with an intention to cause damage, he shall be liable to pay damages by way of compensation to the affected person (s).158 Here the term 'computer virus' means 'any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource'. A 'computer source code' means the listing of programmes, computer commands, designs and lay out and programme analysis of computer resource in any form. If one is working against the law in force for the time being, one has to undergo a punishment. However, on certain occasions one may be punished for failure to act according to law. Simply
156 157 158
Section 77A (1), inserted by ITAA, 2008. Section 77A (2), inserted by ITAA, 2008. Section 43, as amended by ITAA, 2008.
50
put, sometimes one is punished for action while at other times he is punished for his omission, that is, for not acting when required by law. Where a body corporate possessing any personal data in a computer resource which it owns or operates is negligent in implementing or maintaining reasonable security practices and thereby causes wrongful loss or gain to any person such body corporate shall be liable to pay damages by way of compensation to the person so affected.159 If a person, who is required under the Act or rules made there under to furnish any document to the Controller or the Certifying Authority, fails to furnish the same he shall be liable to a penalty not exceeding 1.5 lac rupees. Failure to furnish any information within the specified time may invite a maximum of five thousand rupees as fine for each day during which failure continues. Similarly, if one fails to maintain the books of accounts or records, he shall be liable to a penalty not exceeding ten thousand rupees for each day during which the failure continues. 160 If a person contravenes any rules or regulations under this Act, for which no penalty has been separately provided, he shall be liable to pay a compensation not exceeding twenty five thousand rupees to the sufferer, or pay a penalty not exceeding twenty five thousand rupees.161
Major offences Since the passage, and coming into force, of IT Act, 2000, the world in general and India in particular has witnessed a variety of offences committed through the internet, cellular phones, multimedia systems and the like. This, more than anything else, exposed the weakness of the Act in curbing cyber crimes. The Act, in its present form, tries to take note of these newer types of offences, defines these offences and provides punishment there for. To address the issue of terrorism being perpetrated through the media of computer, internet and other digital and electronic devices, the Act has preferred to define 'cyber terrorism' and stipulated punishments for the same.
159 160 161
Section 43A, inserted by ITAA, 2008. Section 44. Section 45.

51
(a) Cyber Terrorism The most horrific dimension of offences committed through the medium of internet and such other media has hitherto fore been the one marked by attempts aimed at jeopardising the safety and security of the state or its relations with other states or the peace and tranquillity of the common man or public safety or public order and morality; and at striking terror in society or a section there of, to name just a few. Terrorism perpetrated with the aid of facilities made handy by the cyber world is what may roughly be termed as cyber terrorism. By inserting section 66F, the ITAA, 2008 has tried to define this satanic term in an elaborate manner. According to this newly inserted section, if a person : (i) with intent to threatening the unity and integrity of India or to strike terror in the people or a section of the people causes the denial of access to an authorised person, accesses himself unauthorised, or introduces any computer
contaminant to a computer resource; and by such conduct causes death or injury to persons, or damage to property, or adversely affects the critical information infrastructure specified under section 70; or (ii) intentionally accesses a computer resource without authorization and by means of such conduct obtains access to information, data etc that is restricted for reasons of security of the state or foreign relations; or any restricted information etc with the reason to believe that such information etc so obtained may be used to cause injury to sovereignty and integrity of India, security of state, foreign relations or to the advantage of any foreign nation, group or individuals he commits cyber terrorism. Thus, in a nutshell, cyber terrorism is an act injuring the sovereignty of India, life of her people or their property, and foreign relations; by means of access to, denial of or contamination of information in a computer resource, and use of that information. Whosoever commits or conspires to commit cyber crime shall be punishable with imprisonment which may extend to imprisonment for life. This is probably because the cyber terrorism, as it has been defined in the Act, is likely to take in its net Indian and foreign nationals both; and international trends of late seem to suggest an avowed abhorrence for death penalty. Viewed thus, a provision of death sentence to cyber terrorists would only weaken the chances of its enforcement, particularly in case of those foreign nationals where the domestic laws do not approve of death penalty.
52
(b) Invasion of Privacy Violation of privacy of an individual is one potent cyber crime which becomes headlines almost every week, if not day. Surprisingly, it involves persons of all age groups which has turned it in to a menace for the common and uncommon man both; meaning thereby the average person and the celebrities both are falling in the net of this crime with equal ease, thanks to the advanced digital and electronic devices.162 Section 66 E takes not of such offences : Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with a fine not exceeding two lac rupees or with both. For the purpose of this section, to 'transmit' means to electronically send a visual image with the intent that it be viewed by a person or persons; to 'capture', with respect to an image, means to
162
One such offence became notoriously famous as multi media system porn case in 2004. A 17-year old schoolboy from New Delhi captured through his cell-phone camera his pictures in a compromising position with his female classmate, made a 3-minute video clip and transmitted the same to two of his friends wherefrom it reached to about fifty other students. A student from Indian Institute of Technology, Kharagpur, picked up the video clip from the IIT's Local Area Network and, with the help of an electronics firm of Kharagpur, posted the said clip on bazee.com from where eight people bought it. The police arrested the Chief Executive Officer of the site bazee.com for allowing his portal for the sale and publication of an obscene material. The IIT student was arrested for selling obscene material for monetary gain, and was later released on bail. The schoolboy was taken into police charge and was detained at an Observation Home for two days before he was granted bail. The CEO was sent to Tihar jail by the Lower Court and stayed there for four days before being granted bail by Delhi high Court. The case is still pending. For a detailed report of this, see the column 'The intricacies of cyber law' by R K Raghavan in Frontline Volume 22-Issue 01, January 01-14, 2005. Section 66E aims to deal specifically with such type of cyber offences.
53
videotape, photograph, film or record by any means; 'private area' means the naked or undergarment clad genitals, pubic area, buttocks or female breast; and to 'publish' means to reproduce in the printed or electronic form and make it available to public. Similarly, the phrase 'under the circumstances violating the privacy' means circumstances in which a person can have a reasonable expectation that(i) he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or (ii) any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.163 (c) Obscenity Obscenity as an offence has been dealt with in sections 292-94 of the Indian Penal Code. However, this Act is concerned with obscenity of cyber space. Whoever publishes or transmits in electronic form any material which is lascivious or appeals to the prurient interest; or the effect of which is such as to tend to deprave and corrupt persons who are likely to read it, shall be punished on first conviction with an imprisonment extendable to three years and fine up to five lac rupees; and in the event of a second and subsequent conviction with imprisonment up to five years and fine up to ten lac rupees.164 Whoever publishes or transmits in the electronic form any material which contains sexually explicit act or conduct shall be punished, on first conviction, with imprisonment of either description for up to five years and fine up to ten lac rupees; and for second or subsequent conviction, with imprisonment of either description for up to seven years and fine up to ten lac rupees.165 Children happen to be an easy prey and are trapped in to the net of what may be termed as cyber pornography. If a person : (a) publishes or transmits or causes to be published or transmitted material in electronic form which depicts children engaged in sexually explicit act or conduct; or
163 164 165
See, explanations given under Section 66E. Section 67, as amended by ITAA, 2008. Section 67A, inserted by ITAA, 2008.
54
(b)
creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in electronic form depicting children in obscene or indecent or sexually explicit manner; or
(c)
cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer screen; or
(d) (e)
facilitates abusing children online; or records in any electronic form own abuse or that of others pertaining to sexually explicit act with children,
he shall be punished on first conviction with an imprisonment of either description extendable up to five years and a fine up to ten lac rupees; and respectively seven years and ten lac rupees on second or subsequent conviction.166 The above provisions of section 67 (publication of obscene material in electronic form), section 67A (publication of material containing sexually explicit material in electronic form) and section 67B (publication of material depicting children in sexually explicit act in electronic form), however, do not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form(i) the publication of which is proved to be justified as being for public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art, or learning or other objects of general concern; or (ii) which is kept or used bona fide for religious purposes.
(d) Jeopardising the Sovereignty and Integrity of India For the interest of sovereignty or integrity of India; security of state, friendly relations with foreign states or public order or for preventing incitement to commission of a cognizable offence, the Central Government or a State Government or any officer authorised by any of these, subject to his satisfaction, may by order, direct any agency of Government to intercept, monitor or decrypt any information transmitted, received or stored through a computer resource.
166
Section 66B, inserted by ITAA, 2008.

55
The procedure and safeguards subject to which such interception and monitoring or decryption may be carried out shall be such as may be prescribed. The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency of the Government, in this regard, extend all facilities and technical assistance to decrypt the information. The subscriber or intermediary or any person who fails to assist the agency shall be punished with an imprisonment which may extend to seven years and shall also be liable to fine.167 Where the Central Government or any of its officers authorised in this behalf is satisfied that it is necessary or expedient so to do in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign states, or public order, or for preventing incitement to the commission of any cognizable offence relating to above, it may, subject to the procedures and safeguards prescribed by the Central Government in this regard, by an order citing reasons, direct any agency of the Government or intermediary to block access by the public or cause to be blocked for access by public any information generated, transmitted, received, stored or hosted in any computer resource. The intermediary who fails to comply with these directions shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.168
Offences by Companies In case of an offence by a company, the man in charge or, as the case may be, any director, manager, secretary or any other officer whose consent or connivance or neglect is proved in the offence, shall be held liable.169 Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made there under is a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly. However, nothing shall
167 168 169
Section 69, as amended by ITAA, 2008. Section 69A, inserted by ITAA, 2008. Section 85.
56
render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.170 On the other hand, if a contravention of any of the provisions of this Act or of any rule, direction or order made there under has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.171 For the purposes of this section, a "company" means any body corporate and includes a firm or other association of individuals; and a "director", in relation to a firm, means a partner in the firm.
Other Offences Whereas the IT Act, 2000 defined, and provided punishment for hacking; the ITAA, 2008 has used a broader term 'computer related offences'. In its ambit have been brought all the acts and omissions which have been mentioned under section 43 as civil wrongs for which, penalties or, as the case may be, compensations may be awarded as provided under the section. Apart from the above, the Act also mentions a number of acts/omissions which contravene or have the tendency to contravene any provision of the Act or rules or regulations made there under. Accordingly, it has declared them as offences and provided punishment there for.
(a) Abetment and Attempt Now the Act provides punishment for abetment and attempt of offences; besides providing punishment for commission of offences under the Act. Whoever abets any offence shall, if the act abetted is committed in consequence of the abetment, and no express provision is made by this Act for the punishment of such abetment, be punished with the punishment provided for the offence under the Act.172
170 171 172
Section 85 (1). Section 85 (2). Section 84B, inserted by ITAA, 2008, for this purpose, adds an explanation to the section: 'an act or offence is said to be committed in consequence of abetment, when it is
57
Whoever attempts to commit an offence punishable under the Act or causes such an offence to be committed, and in such an attempt does any act towards the commission of the offence, shall, where no express provision is made for the punishment of such attempt, be punished with imprisonment of any description provided for the offence, for a term which may extend to onehalf of the longest term of imprisonment provided for that offence, with such fine as is provided for the offence or with both.173
(b) Tampering Section 65 takes note of tampering with computer source documents. Accordingly, a deliberate or intentional concealment, destruction or alteration of a computer source code (which is required to be kept and maintained by the law for the time being in force) is punishable with an imprisonment up to three years, or fine up to two lac rupees, or both. If a person does not do it himself but causes someone else to do, the provisions are equally applicable. In such a situation both the persons, that is, the person causing some other person to commit the offence as well as that other person (who actually commits the offence) shall be liable to be punished. (c) Computer Related Offences Section 66174 provides for punishment of up to three years imprisonment with or without a fine of up to five lac rupees for one who 'dishonestly or fraudulently' does any act defined in section 43. The Allahabad High Court, in ITC Limited and anr. v. State of UP and anr.,175 observed that if the accused was prima facie guilty under section 66 of IT Act, 2000 (dealing with hacking which, inter alia, included the deletion of information residing in a computer), criminal proceedings could not be quashed simply because the offences disclosed had been mis-described (here section 65 had been charged against the accused in place of section 66); because the trial
committed in consequence of the instigation, or in pursuance of the conspiracy, or with the aid which constitutes the abetment.' 173 174 175 Section 84C, inserted by ITAA, 2008. Substituted vide ITAA, 2008. Criminal Misc. Application No. 12986 of 2006. Decided on July 09, 2008.
58
court was empowered by section 216 of Cr PC, to suitably amend the charges and issue process against the accused. In this case, the complainant was convenor of the village Minaura (in Jalaun district of UP) "E-Chaupal" programme run by the ITC Limited. The complainant's duty was to distribute seeds to the concerned villagers at reasonable rates and provide information about the same. The said seeds were made available to the complainant by the local seed distributor of the company, the co-accused Anoop Kumar Mittal of Mittal Traders. Out of the said seeds, which were distributed by the company in July 2004, one variety of seeds, PU-35, supplied by the company through the distributor Mittal Traders, was found to be adulterated and of inferior quality. The farmers complained and the same was communicated by the complainant to the District Agriculture Officer as well as the higher officials of the company with a request that farmers be compensated immediately. Instead of taking note of this fact, the company, during his absence, took away his computercontaining some information, files and other electronic datawith the aid of Anoop Kumar Mittal. The complainant was thrown out of job without notice, and the data in his computer were destroyed. Later, defending themselves before District Consumer Forum, the accused conspired to shift the liability to the complainant by presenting an analysis report of altogether a different lot of seeds. His efforts to convince the District Agriculture Officer bore no fruit, and so did his efforts to get a response from the police, after which he filed an application with the Magistrate. The Magistrate treated it as a complaint and issued process against the accused, who had, then, moved the High Court. Partly allowing their application, the Court set aside the Trial Court's order issuing process against the President of ITC Limited till further evidence during the trial; and asked the Trial Court to proceed with the trial of other accused, amending the description of charges against the accused if required. (d) Sending Offensive Messages If any person sends by means of a computer resource or a communication device any information which is grossly offensive or false but sent in order to cause annoyance, criminal intimidation, insult, injury, enmity, hatred or ill will; or any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the
59
addressee or the recipient as to the origin of such messages shall be punished with imprisonment, for a term which may extend to three years, and with fine.176 (e) Dishonestly Receiving Stolen Computer Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lac or with both.177 (f) Identity Theft Whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lac.178 (g) Cheating Whoever, by means of any communication device or computer resource, cheats by impersonation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lac.179 (h) Misrepresentation and Suppression of Facts Misrepresentation or suppression of facts while trying to get a licence from Controller or a digital signature certificate from a Certifying Authority is punishable with an imprisonment of up to two years or with fine up to one lac rupees or with both.180 (i) Breach of Confidentiality Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic
176 177 178 179 180
Section 66 A, inserted by ITAA, 2008. Section 66 B, inserted by ITAA, 2008. Section 66 C, inserted by ITAA, 2008. Section 66 D, inserted by ITAA, 2008. Section 71.
60
record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lac rupees, or with both.181 If a person including an intermediary who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without consent of that person, or in breach of a lawful contract, such material to any other person shall be punished with an imprisonment which may extend to three years or with fine up to five lac rupees or both.182
Miscellaneous The provisions of the Act shah have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force;183 provided that nothing contained in this Act shall restrict any person from exercising any right conferred under Copyright Act, 1957 or the Patents Act, 1970.184
Powers of the Central Government Central Government has got wide powers under the Act. Except in the appointment of the Chairperson to the Cyber Appellate Tribunal, wherein the consultation with the Chief Justice of India is compulsory, the Central Government has extensive powers to appoint, direct, and regulate the services of authorities and agencies created, recognized or appointed by it. Besides, the Central Government has powers to remove difficulties, if any, in the implementation of the
181 182 183 184
Section 72. Section 72A, inserted by ITAA, 2008. Section 81. Inserted by ITAA, 2008.
61
Act,185 as also to make rules to carry out the provisions of the Act.186 Central Government may give directions to any State Government for executing any provision of the Act.187 Without prejudice to the generality of the said rule-making power, the rules so made by the Central Government may include all or any of the following matters : (a) matters relating to electronic signatures and electronic signature certificates, security procedures and practices, services by service providers, form of applications and validity of licences; (b) qualifications and service conditions of Controller and other officers, salary and allowances of Chairperson and Members of CAT, qualifications etc of adjudicating officer, duties of subscribers, and fees to be paid to Certifying Authority; and (c) procedure of investigation of misbehaviour or incapacity of Chairperson and Members of CAT, powers and functions of the Chairperson and Members of CAT, form in which appeal may be filed, procedures and safeguards for interception, monitoring or decryption of information, procedures and safeguards for blocking for access by the public; and (d) the procedures and safeguards for monitoring and collecting traffic data or information, manner of performing functions and duties of the agency under section 70A(3), information security practices and procedures for protected system, officers and employees, the manner in which the functions and duties of the agency shall be performed under section 70B(5), guidelines to be observed by intermediaries, salaries and allowances and service conditions of the Director General and other officers and employees under section 70 B (3), and the modes or methods for encryption under section 84A for secure use of the electronic medium and for promotion of e-governance and e-commerce.
185 186 187
Section 86. Section 87. Section 83.

62
Power of State Government to make rules A State Government may, by notification in the Official Gazette, make rules to carry out the provisions of the Act.188 Such power, without prejudice to its generality, may include the power to make rules with respect to :189' (a) the electronic form in which filing, issue, grant, receipt or . payment shall be
effected under sub-section (1) of section 6; (b) matters specified in sub-section (2) of section 6.
Every rule so made shall, as soon as may be after it is made, be laid before the House(s) of the State Legislature.190 Chairperson etc to be Public Servants The Chairperson, Members and other officers and employees of a Cyber Appellate Tribunal, the Controller, the Deputy Controller and the Assistant Controllers shall be deemed to be public servants under the meaning of section 21 of the Indian Penal Code.191 Protection of actions taken in good faith Similarly, the actions taken in good faith by the Central Government, State Government, Controller or any officer acting on behalf of Presiding Officer, Adjudicating Officer and the staff of the Cyber Appellate Tribunal for the furtherance of the provisions of the Act are protected.192 Conclusion The Act appears to be in complete agreement with the UNCITRAL Model Laws on electronic commerce as well as electronic signatures. It also takes note of emerging cyber crimes and provides punishment there for. However, the Act still leaves much to be desired. Its silence on the issues related to intellectual property rights, domain name etc is a cause of concern. So is the question of its effectiveness so far as the foreign nationals are concerned. Despite its avowed objective to bring them in its net should they commit an offence with respect to a computer
188 189
Section 90(1). Section 90(2). Section 6, it may be noted, relates to the use of electronic records and electronic signature in Government and its agencies.
190 191 192
Section 90(3). Section 82, as amended by ITAA, 2008. Section 84.

63
resource located in India. Offences like 'Nigeria 419' which pose a great challenge before the systems of criminal justice administration all over the world have started taking roots on Indian soil as well.
In the wake of the spurt in IT enabled services such as e-governance, e-transactions, e-commerce etc, the protection of personal data and information and implementation of security practices and procedures relating to these applications of electronic communication had assumed greater importance and the amendment was needed to harmonise these developments to the IT Act, 2000.193 While trying to harmonise these emerging needs with the parent Act, the amended Act gives wide powers to the Central Government to make regulations for making the provisions work. Although a lot will depend on the nature of such regulations, yet it is very much evident that the ITAA, 2008 has set a stage to pierce the veil of privacy and the halo of individual dignity as far as one's actions and communications in the cyber world are concerned. It has been pointed out that the section 69 of the amended Act gives the government powers wider than what even the British Raj had allowed under the Indian Telegraph Act, 1885.194 This, however, is not to deny its significance, keeping the well-neigh nascent status of cyber law jurisprudence in India.
193
See, Statement of Objects and Reasons, which had been prepared for ITAA, 2006 and has been retained as such in the ITAA, 2008. See, Ravi V. Sharda Prasad : "Yes, Snooping's AllowedWhy does the new IT Act give the Centre powers the Raj never had"? The Indian Express, edit page, Lucknow Edition, February 06, 2009.
194
64

Global CN

Cargado por

Información del documento

Título original

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

Global CN

Cargado por

Copyright:

Formatos disponibles

Introduction We begin our discussion with the key words underlying the concept of information technology (IT), namely,

UNCITRAL Model Law on Electronic Commerce (1996)

Automated Data Processing.

perspective/ect_1998/ecbgr.htm. 30 See, the preamble to the Act.

Section 2(1) (ta), inserted by the ITAA, 2008.

Section 42. Section 11. Section 12, as modified by ITAA, 2008.

Section 89(1). Section 89(2). Section 89(3).

Section 48. Section 56.

Section 49, as amended by ITAA, 2008.

104 105 106 107 108 109

110 111 112

114 115 116 117 118 119 120

121 122 123 124 125 126

127 128 129 130 131 132 133

134 135 136 137 138 139 140

141 142 143 144 145

149 150 151 152

Section 80. Section 64. Section 76. Section 77.

153 154 155

156 157 158

159 160 161

Section 43A, inserted by ITAA, 2008. Section 44. Section 45.

163 164 165

Section 66B, inserted by ITAA, 2008.

167 168 169

170 171 172

176 177 178 179 180

181 182 183 184

185 186 187

Section 86. Section 87. Section 83.

190 191 192

Section 90(3). Section 82, as amended by ITAA, 2008. Section 84.

También podría gustarte