The Information Technology Act 2000
SAINTGITS
INFORMATION TECHNOLOGY ACT, 2000
The law relating to ‘information technology’ is contained in the Information Technology (IT) Act, 2000, which came into force on 17th October, 2000. It is the first Cyber Law in India. It is mainly based on the UNCITRAL Model Law. The United Nations Commission on International Trade Law (UNCITRAL) adopted the Model Law on Electronic Commerce in 1996. This Model Law provides for equal legal treatment of users of electronic communication and paper-based communication.
OBJECTS OF THE ACT
The Information Technology Act, 2000 seeks to achieve the following objects.
1. To grant legal recognition to electronic records.
2. To grant legal recognition to Digital Signature for authentication of the information or matters requiring authentication under any law of the country.
3. To permit retention of information, documents and records in electronic form where any law requires such retention for a specific period.
4. To foster use and acceptance of electronic records and digital signatures in the Government offices and its agencies.
5. To prevent the possible misuse arising out of transactions and other dealings concluded over the electronic medium.
6. To prevent and arrest offences as well as deter abuse of Information Technology.
7. To deal with civil and criminal liabilities arising out of contravention of the provisions of the law.
8. To provide for necessary changes in the various provisions, which deal with offences relating to documents and paper-based transactions.
9. To facilitate electronic fund transfers between the financial institutions and banks.
10. To give legal sanctity for books of account maintained in the electronic form by the banks.
Documents (or Transactions) excluded from the scope of Information Technology Act
a. A negotiable instrument as defined in section 13 of the Negotiable Instrument Act, 1881.
b. A power-of-attorney as defined in Section 1A of the Powers of Attorney Act, 1882
c. A trust as defined in section 3 of the Indian Trusts Act, 1882
d. A will as defined in section 2 (h) of the Indian Succession Act 1925
e. Any contract for the sale or conveyance of immovable property or any interest in such property
f. Any such class of documents or transactions as may be notified by the Central Government in the Official Gazette.
DEFINITIONS
Access [Sec. 2(1)(a)]
“Access” means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network.
Affixing digital signature [Sec. (1) (d)]
Affixing digital signature means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature.
Asymmetric Crypto System [Sec. 2(1) (f)] “Asymmetric crypto system” means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature.
Computer [Sec. 2(1)(i)]
“Computer” means any electronic, magnetic, optical or other high speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic, or optical impulses, and includes all input, output, processing, storage, computer software, or communications facilities which are connected or related to the computer in a computer system or computer network.
Computer System [Sec. 2(1)(h)]
“Computer system” means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data, and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions.
Data [Sec. 2(1)(o)]
“Data” means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised
manner and it is intended to be processed, is being processed or has been processed in computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
Digital Signature [Sec. 2(1)(p)]
“Digital signature” means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3.
Electronic Form [Sec. 2(1)(r)]
“Electronic form” with reference to information means any information generated, sent, received or stored in media, magnetic, optical, computer, memory, micro film, computer generated micro fiche or similar device.
Electronic Record [Sec. 2(1)(t)]
“Electronic record” means data, record or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer generated micro fiche;
Information [Sec. (1) (v)]
“Information” includes data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated microfiche.
“Originator” means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person, but does not include an intermediary. [Section 2(1)(za)]
Key pair: In an asymmetric crypto system, ‘key pair’ means a private key and its mathematically-related public key, which are so related that the public key can verify a digital signature created by the private key. [Sec. 2(1)(x)]
Private key: It means the key of a key pair used to create a digital signature. [Sec. 2(1)(zc)]
Public key: It means the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate. [Sec. 2(1)(zd)]
Subscriber: It means a person in whose name the Digital Signature Certificate is issued. [Sec. 2(1)(zg)]
Secure System [Sec. 2(1)(ze)]
“Secure system” means computer hardware, software, and procedure that
a. are reasonably secure from unauthorised access and misuse;
b. provide a reasonable level of reliability and correct operation;
c. are reasonably suited to performing the intended functions; and
d. adhere to generally accepted security procedures;
Hash function [Sec. 3(2)]
Hash function means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as ‘hash result’ such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible (a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm; (b) that two electronic records can produce the same hash result using the algorithm.
DIGITAL SIGNATURE
Digital signature is authentication of an electronic record by a subscriber by means of an electronic method or procedure. Digital signature is created in two distinct steps:
First, electronic record is converted into a message digest by using a mathematical function known as ‘hash function’ which digitally freezes the electronic record, thus ensuring the integrity of the content of the intended communication contained in the electronic record.
Second, the identity of the person affixing the digital signature is authenticated through the use of a private key which attaches itself to the message digest and which can be verified by any person who has the public key corresponding to such private key. This will enable any person to verify whether the electronic record is retained intact or has been tampered with.
Any subscriber may authenticate an electronic record by affixing his digital signature. The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
Any person by the use of a public key of the subscriber can verify the electronic record. The private key and the public key are unique to the subscriber and constitute a functioning key pair.
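The two steps described above (hash the record into a message digest, then bind the digest to the subscriber's private key) and the public-key check, as an added example that is not part of the Act or of these notes. It assumes SHA-256 as the hash function and unpadded textbook RSA over constructed demo primes; all function names and sample records are hypothetical, and the key is for illustration only.

```python
import hashlib

# Constructed demo primes (the Mersenne primes 2^521-1, 2^607-1, 2^1279-1),
# chosen only so the example is reproducible offline. Real key pairs use
# random primes and a padded signature scheme.
P, Q, R = 2**521 - 1, 2**607 - 1, 2**1279 - 1


def make_key_pair(p, q, e=65537):
    """Return (private_key, public_key) as the tuples (n, d) and (n, e)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, inverse of e
    return (n, d), (n, e)


def message_digest(record: bytes) -> int:
    """Step 1: the hash function 'freezes' the record into a digest."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def affix_signature(record: bytes, private_key) -> int:
    """Step 2: the private key is applied to the message digest."""
    n, d = private_key
    return pow(message_digest(record), d, n)


def verify_signature(record: bytes, signature: int, public_key) -> bool:
    """Anyone holding the public key can check the record is intact."""
    n, e = public_key
    if not 0 <= signature < n:  # reject out-of-range values outright
        return False
    # Recover the digest the signer committed to and compare it with the
    # digest of the record as received.
    return pow(signature, e, n) == message_digest(record)


# Subscriber's key pair, plus an unrelated public key for the negative case.
PRIVATE_KEY, PUBLIC_KEY = make_key_pair(P, Q)
_, OTHER_PUBLIC_KEY = make_key_pair(Q, R)

# Constructed sample records: the original and an altered copy.
RECORD = b"Pay INR 10,000 to account 1234 on 17-10-2000"
TAMPERED = b"Pay INR 90,000 to account 1234 on 17-10-2000"


def check_record(record: bytes, signature: int, public_key) -> str:
    """Verdict a relying party would reach for a received record."""
    if verify_signature(record, signature, public_key):
        return "intact"
    return "tampered or not signed by this subscriber"


if __name__ == "__main__":
    sig = affix_signature(RECORD, PRIVATE_KEY)
    print("original :", check_record(RECORD, sig, PUBLIC_KEY))
    # Any alteration changes the digest, so the signature no longer matches.
    print("altered  :", check_record(TAMPERED, sig, PUBLIC_KEY))
    # A public key from a different key pair cannot verify the signature.
    print("wrong key:", check_record(RECORD, sig, OTHER_PUBLIC_KEY))
```
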
ELECTRONIC GOVERNANCE
Legal recognition of electronic records [Sec. 4]
Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then such requirement shall be deemed to have been satisfied if such information or matter is
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference.
Legal recognition of digital signature [Sec. 5]
Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document shall be signed or bear the signature of any person then, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of digital signature affixed in such manner as may be prescribed by the Central Government.
Use of electronic records and digital signatures in Government (Sec. 6)
Where any law provides for (a) the filling of any form, application or any other document (b) the issue or grant of any licence, permit, sanction or approval (c) the receipt or payment of money in a particular manner, such requirement shall be deemed to have been satisfied if such filling, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate government.
Retention of electronic records [Sec. 7]
Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if they are retained in the electronic form and if
(a) the information contained therein remains accessible so as to be usable for a subsequent reference;
(b) the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;
(c) the details which will facilitate the identification of the origin, destination, date and time of despatch or receipt of such electronic record are available in the electronic record.
Publication of rules, regulation, etc., in Electronic Gazette [Sec. 8]
Any rule, regulation, order, bye-law, notification or any other matter shall be published in the Official Gazette or Electronic Gazette, if it is so required by law, and the date of publication shall be deemed to be the date of the Gazette in which it was first published.
Power to make rules by Central Government in respect of digital signature (Sec. 10)
The Central Government may by rules, prescribe
(a) the type of digital signature;
(b) the manner and format in which the digital signature shall be affixed;
(c) the manner or procedure which facilitates identification of the person affixing the digital signature;
(d) control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments; and
(e) any other matter which is necessary to give legal effect to digital signatures.
ATTRIBUTION, ACKNOWLEDGEMENT AND DESPATCH OF ELECTRONIC RECORDS
Attribution of electronic records [Sec. 11]
An electronic record shall be attributed to the originator
(a) if it was sent by the originator himself
(b) by a person who had the authority to act on behalf of the originator in respect of that electronic record; or
(c) by an information system programmed by or on behalf of the originator to operate automatically.
Acknowledgement of receipt [Sec. 12]
Where the originator has not agreed with the addressee that the acknowledgement of receipt of electronic record be given in a particular form or by a particular method, an acknowledgement may be given by
(a) any communication by the addressee, automated or otherwise; or
(b) any conduct of the addressee, sufficient to indicate to the originator that the electronic record has been received.
Where the originator has stipulated that the electronic record shall be binding only on receipt of an acknowledgement, then if acknowledgement has not been so received, the electronic record shall be deemed to have not been sent by the originator. Where the originator has not stipulated such acknowledgement, and the acknowledgement has not been received, then the originator may give notice to the addressee specifying a reasonable time by which the acknowledgement must be received. If no acknowledgement is
received within the aforesaid time he may, after giving notice to the addressee, treat the electronic record as though it has never been sent.
Time and place of despatch and receipt of electronic record [Sec. 13]
(1) The despatch of an electronic record occurs when it enters a computer resource outside the control of the originator.
(2) The time of receipt of an electronic record shall be determined as follows:
(a) if the addressee has designated a computer resource for the purpose of receiving electronic records, (i) receipt occurs at the time when the electronic record enters the designated computer resource, or (ii) if the electronic record is sent to a computer resource of the addressee that is not the designated computer resource, receipt occurs at the time when the electronic record is retrieved by the addressee;
(b) if the addressee has not designated a computer resource along with specified timings, receipt occurs when the electronic record enters the computing resource of the addressee.
(3) An electronic record is deemed to be despatched from the place of business of the originator. The electronic record is deemed to be received at the place where the addressee has his place of business. If the originator or the addressee has more than one place of business, the principal place of business shall be the place of business; if the originator or the addressee does not have a place of business, his usual place of residence shall be deemed to be the place of business.
SECURITY OF ELECTRONIC RECORDS AND DIGITAL SIGNATURES
Secure Electronic Record [Sec. 14]
Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.
Secure digital signature [Sec. 15]
Digital signature shall be deemed to be a secure digital signature if, at the time it was affixed, it was
(a) unique to the subscriber affixing it;
(b) capable of identifying such subscriber;
(c) created in a manner or using a means under the exclusive control of the subscriber
(d) linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated.
Security procedure [Sec. 16]
While prescribing rules for the security procedure, the Central Government shall have regard to commercial circumstances prevailing at the time when the procedure was used, including
(a) the nature of the transaction;
(b) the level of sophistication of the parties with reference to their technological capacity;
(c) the volume of similar transactions engaged in by other parties;
(d) the availability of alternatives offered to but rejected by any party;
(e) the cost of alternative procedures; and
(f) the procedures in general use for similar types of transactions or communications.
REGULATION OF CERTIFYING AUTHORITIES
Certifying Authority is a person who has been granted a licence to issue a digital signature. The certifying authorities are under the supervision of Controller of Certifying Authorities including Deputy Controllers and Assistant Controllers.
Appointment of Controller Certifying Authorities (Sec. 17)
(1) The Central Government may, by notification in the Official Gazette, appoint a Controller of Certifying Authorities and such number of Deputy Controllers and Assistant Controllers as it deems fit.
(2) The Controller shall discharge his functions subject to the general control and directions of the Central Government while the Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the Controller.
(3) The Controller may, in writing, authorise the Deputy Controller, Assistant Controller or any officer to exercise any of his powers (Sec. 27)
(4) There shall be a seal of the Office of the Controller (Sec. 17 (b)).
Power to investigate contravention and making access to computers
The Controller or any officer authorised by him shall investigate any contravention of the provisions of this Act, rules or regulations made there under. Those officers in such cases shall have access to any computer system, data or any other material connected with such system for the purpose of
searching for obtaining any information or data contained in such computer system (Sec. 28).
Functions of Controller [Sec. 18]
The Controller may perform all or any of the following functions
• exercising supervision over the activities of the Certifying Authorities;
• certifying public keys of the Certifying Authorities;
• laying down the standards to be maintained by the Certifying Authorities;
• specifying the qualifications and experience which employees of the Certifying Authorities should possess;
• specifying the conditions subject to which the Certifying Authorities shall conduct their business;
• specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the public key;
• specifying the form and content of a Digital Signature Certificate and the key;
• specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;
• specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them;
• facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems;
• specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers;
• resolving any conflict of interests between the Certifying Authorities and the subscribers;
• laying down the duties of the Certifying Authorities;
• maintaining a database containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to public.
Procedures which Certifying Authority has to follow [Sec. 30]
Every Certifying Authority shall
(a) make use of hardware, software, and procedures that are secure from intrusion and misuse;
(b) provide a reasonable level of reliability in its services which are reasonably suited to the performance of intended functions;
(c) adhere to security procedures to ensure that the secrecy and privacy of the digital signatures are assured;
(d) observe such other standards as may be specified by regulations.
Recognition of Foreign Certifying Authorities [Sec. 19]
The Controller may, with the previous approval of the Central Government, and by notification in the Official Gazette, recognise any Foreign Certifying Authority as a Certifying Authority for the purposes of this Act. Where any such Certifying Authority is recognised, the Digital Signature Certificate issued by such Certifying Authority shall be valid for the purposes of this Act.
LICENCE TO ISSUE DIGITAL SIGNATURE CERTIFICATES [SEC. 21]
Any person can make an application, to the Controller, for a licence to issue Digital Signature Certificates. No licence shall be issued to such applicants unless the applicants fulfil such requirements with respect to qualification, expertise, manpower, financial resources and other infrastructure facilities, which are necessary to issue Digital Signature Certificates, as may be prescribed by the Central Government.
A licence granted under this section shall (a) be valid for such period as may be prescribed by the Central Government; (b) not be transferable or heritable; (c) be subject to such terms and conditions as may be specified by the regulations.
Application for licence [Sec. 22]
(1) Every application for the issue of a licence shall be in such form as may be prescribed by the Central Government.
(2) Every application for issue of a licence shall be accompanied by (a) a certification practice statement; (b) a statement including the procedures with respect to identification of the applicant; (c) payment of such fees, not exceeding twenty-five thousand rupees, as may be prescribed by the Central Government; (d) such other documents, as may be prescribed by the Central Government.
Renewal of licence [Sec. 23]
An application for renewal of a licence shall be in such form and accompanied by such fees, not exceeding five thousand rupees, as may be prescribed by the Central Government and shall be made not less than forty-five days before the date of expiry of the period of validity of the licence.
Procedure for grant or rejection of licence [Sec. 24]
The Controller may, on receipt of an application, after considering the documents accompanying the application and such other factors as he deems fit, grant the licence or reject the application. However, no application shall be rejected without giving the applicant a reasonable opportunity for presenting his case.
Suspension of licence [Sec. 25]
(i) The Controller may revoke the licence, if he is satisfied after making such inquiry, as he may think fit, that a Certifying Authority has
(a) made an incorrect or false statement in the application for the issue or renewal of the licence;
(b) failed to comply with the terms and conditions subject to which the licence was granted;
(c) failed to maintain the standards specified in Sec. 20 (2) (b);
(d) contravened any provisions of this Act, rule, regulation or order made there under.
However, no licence shall be revoked unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed revocation.
(ii) The Controller may, if he has reasonable cause to believe that there is any ground for revoking a licence, by order suspend such licence pending the completion of any inquiry ordered by him. However, no licence shall be suspended for a period exceeding ten days unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed suspension.
(iii) No Certifying Authority whose licence has been suspended shall issue any Digital Signature Certificate during such suspension.
Notice of suspension or revocation of licence [Sec. 26]
Where the licence of the Certifying Authority is suspended or revoked, the Controller shall publish notice of such suspension or revocation, as the case may be, in the database maintained by him. However, the database containing the notice of such suspension or revocation, as the case may be, shall be made available through web site which shall be accessible round the clock.
Display of licence [Sec. 32]
Every Certifying Authority shall display its licence at a conspicuous place of the premises in which it carries on its business.
Surrender of licence [Sec. 33]
Every Certifying Authority whose licence is suspended or revoked shall immediately after such suspension or revocation, surrender the licence to the Controller. If he fails to surrender the licence, he shall be guilty of an offence and shall be punishable.
Disclosure
Every Certifying Authority shall disclose (Sec. 34)
(a) its Digital Signature Certificate which contains the public key corresponding to the private key used by that Certifying Authority to digitally sign another Digital Signature Certificate;
(b) notice of the revocation or suspension of its Certifying Authority Certificate;
(c) any other fact that materially and adversely affects the reliability of a Digital Signature Certificate.
DIGITAL SIGNATURE CERTIFICATES
Issue of Digital Signature Certificate [Sec. 35 and Sec. 36]
Any person may make an application to the Certifying Authority for the issue of a Digital Signature Certificate in such form as may be prescribed. Every such application shall be accompanied by such fee (not exceeding twenty-five thousand rupees) as may be prescribed by the Central Government, to be paid to the Certifying Authority. However, different fees may be prescribed for different classes of applicants. Every such application shall be accompanied by a certification practice statement or, where there is no such statement, a statement containing such particulars as may be specified by regulations.
On receipt of an application, the Certifying Authority may, after consideration of the certification practice statement and after making such enquiries as it may deem fit, (a) grant the Digital Signature Certificate or (b) for reasons to be recorded in writing reject the application.
However, no Digital Signature Certificate shall be granted unless the Certifying Authority is satisfied that
(a) the applicant holds the private key corresponding to the public key to be listed in the Digital Signature Certificate;
(b) the applicant holds a private key, which is capable of creating a digital signature;
(c) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the applicant.
However, no
application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection.
Representation upon issuance of Digital Signature Certificate (Sec. 36)
A certifying authority while issuing a Digital Signature Certificate shall certify that
(a) it has complied with the provisions of this Act and the rules and regulations made there under;
(b) it has published the Digital Signature Certificate or made it available to such person relying on it and the subscriber has accepted it;
(c) the subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate;
(d) the subscriber’s public key and private key constitute a functioning key pair;
(e) the information contained in the Digital Signature Certificate is accurate, and
Suspension of Digital Signature Certificate [Sec. 371]
The Certifying Authority which has issued a Digital Signature Certificate may suspend such Certificate
• on receipt of a request to that effect from the subscriber or any person authorised by him.
• If it is of opinion that the Certificate should be suspended in the public interest.
• The certifying Authority shall communicate the suspension to the subscriber.
• A digital Certificate shall not be suspended for a period exceeding fifteen days unless the subscriber has been given an opportunity of being heard in this matter.
Revocation of Digital Signature Certificate [Sec. 381]
A Certifying Authority may revoke a Digital Signature Certificate issued by it
o where the subscriber or any other person authorised by him makes a request to that effect; or
o upon the death of the subscriber, or
o upon the dissolution of the firm or winding up of the company where the subscriber is a firm or a company.
A Certifying Authority may revoke a Digital Signature certificate which has been issued by it at any time, if it is of opinion that
a material fact represented in the Digital Signature Certificate is false or has been concealed;
a requirement for issuance of the Digital Signature Certificate was not satisfied;
the Certifying Authority’s private key or security system was compromised in a manner materially affecting the Digital Signature Certificate’s reliability;
the subscriber has been declared insolvent or dead or where a subscriber is a firm or a company, which has been dissolved, wound up or otherwise ceased to exist.
A Digital Signature Certificate shall not be revoked unless the subscriber has been given an opportunity of being heard in the matter. The Certifying Authority shall communicate the revocation to the subscriber. Where a Digital Signature Certificate is suspended or revoked, the Certifying Authority shall publish a notice of such suspension or revocation [Sec. 39].
DUTIES OF SUBSCRIBERS
Where a Digital Signature Certificate, the public key of which corresponds to the private key of that subscriber which is to be listed in the Digital Signature Certificate, has been accepted by the subscriber, then the subscriber shall generate the key pair by applying the security procedure [Sec. 40]. While accepting a Digital Signature Certificate, a subscriber shall publish or authorise the publication of a Digital Signature Certificate. By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information contained in the Digital Signature Certificate that:
the subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate and is entitled to hold the same
all representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the Digital Signature Certificate are true;
all information in the Digital Signature Certificate that is within the knowledge of the subscriber is true [Sec. 41(2)].
Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key and take all steps to prevent its disclosure to
a person not authorised to affix the Digital Signature of the subscriber. If the key has been compromised, then the subscriber shall communicate the same without any delay to the Certifying Authority [Sec. 42]
PENALTIES AND ADJUDICATION
Penalty for damage to computer, computer system etc [Sec. 31]
If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network:
accesses or secures access to such computer, computer system or computer network;
downloads, copies or extracts any data, computer database or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
disrupts or causes disruption of any computer, computer system or computer network;
denies or causes the denial of access to any person authorised to access any computer or computer system or computer network by any means;
provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under;
charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network,
he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.
Penalty for failure to furnish information, return, etc. [Sec. 441]
If any person who is required under this Act or any rule or regulations made there under to
furnish any document, return or report to the Controller or the Certifying Authority fails to furnish the same, he shall be liable to a penalty not exceeding one lakh and fifty thousand rupees for each such failure
file any return or furnish any information, books or other documents, within the time specified therefor in the regulations fails to file return or furnish the same within the time specified therefor in the regulations, he shall be liable to a penalty not exceeding five thousand rupees for every day during which such failure continues;
maintain books of account or records fails to maintain the same, he shall be liable to a penalty not exceeding ten thousand rupees for every day during which the failure continues.
Residuary penalty [Sec. 451]
Whoever contravenes any rules or regulations made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation not exceeding twenty five thousand rupees to the person affected by such contravention.
Power to adjudication [Sec. 46]
For the purpose of adjudication whether any person has committed a contravention of any of the provisions of this Act, the Central Government shall appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an Adjudicating Officer for holding an inquiry in the manner prescribed by the Central Government.
The adjudicating officer, if on inquiry satisfied that the person has committed the contravention, may impose such penalty or award such compensation as he thinks fit.
No person shall be appointed as an adjudicating officer unless he possesses such experience in the field of Information Technology and legal or judicial experience as may be prescribed by the Central Government.
Every adjudicating officer shall have the powers of a civil court which are conferred on the Cyber Appellate Tribunal.
While adjudicating the quantum of compensation, the adjudicating officer shall have due regard to the amount of gain of unfair advantage as well as the amount of loss caused to any person as a result of the default and the repetitive nature of the default [Sec. 47]
CYBER REGULATIONS APPELLATE TRIBUNAL
Cyber Appellate Tribunal
The Central Government shall, by notification, establish one or more appellate tribunals to be known as the Cyber Regulations Appellate Tribunals and
specify in the notification, the matters and places in relation to which the Cyber Appellate Tribunal may exercise jurisdiction [Sec. 48]. A Cyber Appellate Tribunal shall consist of one person only referred to as the Presiding Officer, appointed by the Central Government [Sec. 49].
Appeal to Cyber Regulations Appellate Tribunal (Sec. 57)
Any person aggrieved by an order made by Controller or an adjudicating officer under this Act may prefer an appeal to a Cyber Appellate Tribunal within a period of forty-five days from the date on which a copy of the order made by the Controller or the adjudicating officer is received by the person aggrieved and it shall be in such form and be accompanied by such fee as may be prescribed.
On receipt of an appeal, the Tribunal may, after giving the parties an opportunity of being heard, pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against. The Cyber Appellate Tribunal shall send a copy of every order made by it to the parties to the appeal and to the concerned Controller or adjudicating officer.
The Cyber Appellate Tribunal shall be guided by the principles of natural justice and subject to the other provisions of this Act. The Tribunal shall have the same powers as are vested in a civil court under the Code of Civil Procedure (Sec. 58).
The appellant may either appear in person or authorise one or more legal practitioners or any of its officers to present the case before the Cyber Appellate Tribunal (Sec. 59).
The provisions of the Limitation Act, 1963 shall apply to an appeal made to the Cyber Appellate Tribunal (Sec. 60).
No court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which an adjudicating officer or the Cyber Appellate Tribunal is empowered by this Act to determine. No injunction shall be granted by any court in respect of these matters (Sec. 61).
Any person aggrieved by any decision or order of the Cyber Appellate Tribunal may file an appeal to the High Court within sixty days from the date of communication of the decision or order of the Cyber Appellate Tribunal (Sec. 62).
Compounding of contraventions (Sec. 63)
Any contravention may, either before or after the institution of adjudication proceedings, be compounded by the Controller or such other officer as may be specially authorised by him in this behalf or by the adjudicating officer, as the case may be, subject to such conditions as the Controller or such other officer or the adjudicating officer may specify:
Provided that such sum shall not, in any case, exceed the maximum amount of the penalty which may be imposed under this Act for the contravention so compounded.
Nothing in above shall apply to a person who commits the same or similar contravention within a period of three years from the date on which the first contravention, committed by him, was compounded.
Where any contravention has been compounded under sub-section (1), no proceeding or further proceeding, as the case may be, shall be taken against the person guilty of such contravention in respect of the contravention so compounded.
Recovery of Penalty (Sec. 64)
A penalty imposed under this Act, if it is not paid, shall be recovered as an arrear of land revenue and the licence or the Digital Signature Certificate, as the case may be, shall be suspended till the penalty is paid.
OFFENCES
Tampering with computer source documents (Sec. 65)
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Hacking with Computer System (Sec. 66)
Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking. Whoever commits hacking shall be punished with imprisonment up to three years or with fine which may extend up to two lakh rupees or with both.
Publishing of information which is obscene in electronic form (Sec. 67)
Whoever publishes or transmits or causes to be published in the electronic form, any material which is obscene or if its effect is to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend
to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees.
Securing access to protected system contravened (Sec. 70)
Any person who secures access to a protected computer system in contravention of the provisions of this section shall be punished with imprisonment for a term which may extend to ten years and shall also be liable to fine.
Misrepresentation (Sec. 71)
Whoever makes any misrepresentation to, or suppresses any material fact from, the Controller or the Certifying Authority for obtaining any licence or Digital Signature Certificate shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both (Sec. 71).
Breach of confidentiality and privacy (Sec. 72)
Any person who commits breach of confidentiality and privacy of electronic information or documents shall be punished with imprisonment for a term which may extend to two years or with fine which may extend to one lakh rupees, or with both.
Publishing Digital Signature Certificate, false in certain particulars (Sec. 73)
Any person who publishes a Digital Signature Certificate false in certain particulars shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
Publication for fraudulent purpose (Sec. 74)
Whoever knowingly creates, publishes or otherwise makes available a Digital Signature Certificate for any fraudulent or unlawful purpose shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
Confiscation (Sec. 76)
Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, or orders made there under has been contravened, shall be liable to confiscation.
Network Service providers not to be liable in certain cases (Sec. 79)
No person providing any services as a network service provider shall be liable under this Act, rules or regulations made there under for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention.
MISCELLANEOUS
Power to investigate offences (Sec. 78)
A police officer not below the rank of Deputy Superintendent of Police shall investigate any offence under this Act.
Power of police officer and other officers to enter, search, etc. (Sec. 80)
Any police officer, not below the rank of a Deputy Superintendent of Police, or any other officer of the Central Government or a State Government authorised by the Central Government in this behalf may enter any public place and search and arrest without warrant any person found therein who is reasonably suspected of having committed or of committing or of being about to commit any offence under this Act.
Offences by Companies (Sec. 85)
Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made there under is a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly. Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all diligence to prevent such contravention.
Where a contravention of any of the provisions of this Act or of any rule, direction or order made there under has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.
Power of Central Government to make rules (Sec. 87)
The Central Government may, by notification in the Official Gazette and in the Electronic Gazette make rules to carry out the provisions of this Act. Such rules may provide for all or any of the following matters,
the manner in which any information or matter may be authenticated by means of digital signature
the electronic form in which filing, issue, grant or payment shall be effected
the manner and format in which electronic records shall be filed, or issued
the matters relating to the type of digital signature, manner and format in which it may be affixed
the security procedure for the purpose of creating secure electronic record and secure digital signature
the qualifications, experience and terms and conditions of service of Controller, Deputy Controllers and Assistant Controllers
other standards to be observed by the Controller
the requirements which an applicant must fulfil
the period of validity of licence granted
the form in which an application for licence may be made
the amount of fees payable under Sec. 22 (2) (c)
such other documents which shall accompany an application for licence
the form and the fee for renewal of a licence and the fee payable thereof
the amount of late fee payable under the provision to section 23
the form in which application for issue of Digital Signature Certificate may be made
the fee to be paid to the Certifying Authority for issue of a Digital Signature Certificate
the manner in which the adjudicating officer shall hold inquiry
the qualification and experience which the adjudicating officer shall possess
the salary, allowances and the other terms and conditions of service of the Presiding Officer
the procedure for investigation of misbehaviour or incapacity of the Presiding officers
the salary and allowances and other conditions of service of other officers and employees
the form in which appeal may be filed and the fee
any other power of a civil court required to be prescribed
any other matter which is required to be, or may be, prescribed
Constitution of Advisory Committee (Sec. 88)
The Central Government shall, as soon as may be after the commencement of this Act, constitute a Committee called the Cyber Regulations Advisory Committee. It shall advise:
(a) the Central Government either generally as regards any rules or for any other purpose connected with this Act;
(b) the Controller in framing the regulations under this Act.
Power of controller to make regulations (Sec. 89)
The controller may make regulations consistent with this Act and the rules made there under to carry out the purposes of this Act. Such regulations may provide for all or any of the following
• the particulars relating to maintenance of database containing the disclosure record of every Certifying Authority
• the conditions and restrictions subject to which the Controller may recognise any Foreign Certifying Authority
• the terms and conditions subject to which a licence may be granted
• other standards to be observed by a Certifying Authority
• the manner in which the Certifying Authority shall disclose the matters specified in Sec. 34(1)
• the particulars of statement which shall accompany an application
• the manner by which the subscriber communicates the compromise of private key to the Certifying Authority.
Power of State Government to make rule (Sec. 90)
The State Government may, by notification in the Official Gazette, make rules to carry out the provisions of this Act. Such rules may provide for all or any of the following matters
(a) the electronic form in which filing, issue, grant receipt or payment shall be effected
(b) for matters specified in Sec. 6(2)
(c) any other matter which is required to be provided by rules by the State Government