ISEA Cyber Law Training Material PDF
Uploaded by CoolResilience
Summary
This document is training material on cyber law, covering topics like the IT Act, cyber laws, and their relevance. It details the impact of the internet on business and governance, electronic authentication, sensitive personal data, data privacy, international data privacy laws, cybercrimes, and electronic evidence. The material is aimed at a professional audience, and likely delivered as part of an educational program.
Full Transcript
Module 6: IT Act, Cyber Laws and their relevance

Table of Content

1. Foundations of Cyber Law ... 8
1.1. Impact of the Internet on Business and Governance ... 8
1.2. Why Existing Legal Provisions were not sufficient? ... 9
1.3. Background of Cyber Law ... 12
1.4. Applicability, Scope and Significance of IT Act ... 13
1.5. Objectives & Applicability of IT Act ... 15
1.6. Evolution of Cyber Laws in India ... 17
1.7. Definitions ... 19
2. Electronic Authentication ... 25
2.1. Background of Electronic Authentication in India ... 25
2.2. Electronic Contracts ... 25
2.3. Digital Signature ... 29
2.4. Electronic Governance ... 31
2.5. Attribution, Acknowledgment and Despatch of Electronic Records ... 33
2.6. Digital Signature Vs. Electronic Signature ... 35
2.7. Authentication of Electronic Records ... 36
2.8. Role and Functions of the Controller of Certifying Authorities ... 40
2.9. Certifying Authorities Rules ... 42
2.10. Recognition of Foreign Certifying Authorities ... 43
3. Sensitive Personal Data and Information (SPDI) ... 45
3.1. Background and Definitions ... 45
3.2. Applicability of SPDI Rules ... 46
3.3. Reasonable Security Practices ... 48
3.4. Security Controls ... 49
3.5. Overview of ISO/IEC 27001 Standards ... 50
3.6. Key Features of Privacy Policy as per IT Rules, 2011 ... 52
3.7. Consent and Notification under IT Rules, 2011 ... 53
3.8. Use, Retention, and Withdrawal under IT Rules, 2011 ... 54
3.9. Disclosure of Sensitive Personal Data or Information ... 54
4. Data Privacy Law of India ... 56
4.1. Background of Indian Data Privacy Law ... 56
4.2. Importance of Data Privacy Law for CISOs ... 56
4.3. Data, Personal Data, Processing & Consent ... 57
4.4. Objectives, Applicability and Exemptions of Data Privacy Law ... 59
4.5. Rights and Obligations of Data Principal ... 64
4.6. Duties of Data Fiduciary and Data Processor ... 66
4.7. Operational Mechanism of Consent Managers ... 70
4.8. Consent Notice and its Requirements ... 73
4.9. Data Protection Board ... 75
4.10. Significant Data Fiduciary ... 78
4.11. Data Breach Response Protocol ... 79
4.12. Steps of Grievance Redressal ... 82
4.13. Penalties and Adjudication under DPDPA ... 83
4.14. Action Points for Compliance with DPDP Act ... 84
5. International Data Privacy Laws ... 88
5.1. Important Data Privacy Legislations of the World ... 88
5.2. Overview of GDPR ... 89
5.3. American Data Privacy Laws ... 92
5.4. Asian Data Privacy Laws ... 96
5.5. Differences between Indian & Global Data Privacy Laws ... 99
5.6. Global Data Privacy Compliance for Indian Organisations ... 102
6. Law for Service Delivery, Resource Handling & Interception ... 106
6.1. Electronic Service Delivery Rules ... 106
6.2. Rules for Computer Resource Handling ... 108
6.3. Interception, Monitoring, and Decryption of Information ... 110
6.4. Monitoring and Collecting Traffic Data or Information ... 112
6.5. Blocking of Access of Information ... 115
6.6. Roles & Responsibilities of CERT-In ... 121
7. Cyberspace & Intellectual Property Laws of India ... 124
7.1. Indian Intellectual Property Law in Cybersecurity ... 124
7.2. Patentability, Non-Patentability, Validity ... 125
7.3. Software Patent and India ... 128
7.4. Halts in Software Updates: Technical or IP Issue? ... 129
7.5. Indian, American, and European Patent Laws ... 130
7.6. Cyberspace and Indian Copyright Law ... 132
7.7. Major Provisions of the Indian Copyright Act ... 135
7.8. Copyright Liability of Intermediaries ... 136
7.9. Trademark in Cyberspace ... 138
7.10. Types of Trademark Violation in Cyberspace ... 139
8. Cybercrimes and Punishments ... 143
8.1. Damage to Computer, Computer System ... 143
8.2. Failure to Furnish and Residuary of Information ... 144
8.3. Adjudication and Cyber Appellate Tribunal ... 146
8.4. Tampering with Computer Source Documents ... 148
8.5. Hacking, Identity Theft, Cheating, etc. ... 148
8.6. Cyber Terrorism ... 150
8.7. Obscenity, Pornography and Child-Pornography ... 151
8.8. Preservation and Retention of Information by Intermediaries ... 153
8.9. Offences related to Electronic Signature ... 154
8.10. Penalty for Breach of Confidentiality and Privacy ... 156
8.11. Offences by Companies & Intermediary Due Diligence ... 157
8.12. Compounding of Offences & Bail Provisions ... 158
8.13. Abetment & Attempt of Offences ... 158
8.14. Provision of Penalty in Bharatiya Nyaya Sanhita ... 159
9. Law for Electronic Evidence ... 162
9.1. Primary and Secondary Evidence ... 162
9.2. Situations & Conditions for Acceptance of Secondary Evidence ... 163
9.3. Acceptance of Electronic Records ... 166
9.4. Content of Section 63 Certificate ... 167
9.5. Testimony for Electronic Evidence ... 168
9.6. Format for Section 63 Certificate ... 171
9.7. Importance of Chain of Custody ... 172
10. Appendix ... 175
10.1. What is 'Law'? ... 175
10.2. What is 'Bill'? ... 175
10.3. What is 'Act'? ... 176
10.4. What is 'Rule'? ... 177
10.5. What is 'Amendment'? ... 178
10.6. What is 'By-law'? ... 178
10.7. What is 'Case Law'? ... 179
10.8. What is 'Ordinance'? ... 179
10.9. Fundamentals of Theory of Natural Justice ... 180
10.10. Difference between 'Offence' & 'Crime' ... 182
10.11. Civil Offence Vs. Criminal Offence ... 184
10.12. What are the major elements of a crime? ... 185
10.13. Types of Punishments ... 186
10.14. Judicial Hierarchy in India ... 187

1. Foundations of Cyber Law

1.1. Impact of the Internet on Business and Governance

The 1990s saw the rise of the internet as a game-changing force that significantly altered the landscape of business, communication, and governance.
This decade was pivotal as the internet evolved from a specialized technology into a robust tool for global interaction, innovation, and efficiency.

In business, the internet set the stage for the digital economy. The emergence of websites and online platforms gave birth to e-commerce, with trailblazers like Amazon (established in 1994) and eBay (launched in 1995) revolutionizing the way products and services were exchanged. Businesses began to harness digital marketing through email campaigns and early search engines, allowing for more targeted customer engagement. The adoption of enterprise software and interconnected systems improved operational efficiency and allowed companies to compete on a global scale. However, obstacles such as limited internet access, slow connection speeds, and concerns over online payment security hindered its full potential.

In communication, the internet brought about a groundbreaking shift in how individuals connected and shared information. Email, with services like Hotmail (debuted in 1996), began to replace traditional mail, offering a quicker and more efficient means of communication. Early chat platforms and forums, including AOL Instant Messenger (1997) and bulletin board systems (BBS), fostered new avenues for social interaction. The World Wide Web (created in 1991 by Tim Berners-Lee) and web browsers like Netscape (1994) empowered both individuals and organizations to publish and access information in unprecedented ways. While the internet made communication more accessible, challenges such as the digital divide and insufficient broadband infrastructure limited its reach, particularly in developing countries.

In governance, the internet started to reshape public administration through early e-governance projects. Governments began to explore online platforms to offer essential services like tax submissions and information sharing.

A notable example is India's NICNET (National Informatics Centre Network), a satellite-based computer-communication network managed by the National Informatics Centre that connects the whole country. It was launched in 1987 and grew throughout the 1990s to link government offices nationwide. Globally, initiatives such as the U.S. Government's GPO Access, introduced in 1994, gave the public access to legal and governmental documents. The United Nations also advocated the use of the internet as a means of fostering development. However, the decade also brought rising concerns about cybersecurity, privacy, and the need for legal frameworks to tackle new challenges, which led to the drafting of laws like India's Information Technology Act, 2000.

The years between 1990 and 2000 marked a pivotal time for the internet, laying down the essential technologies and practices that still shape business, communication, and governance today. Although the advantages of the internet were considerable, challenges related to infrastructure, accessibility, and legal systems underscored the importance of ongoing investment and innovation.

The Information Technology Act, 2000 was the first major law in India aimed at governing digital technology, online commerce, and cybercrime. It was introduced to give legal recognition to transactions conducted electronically and to tackle the new challenges that arise in the digital world.

1.2. Why Existing Legal Provisions were not sufficient?

India did have a few legal provisions governing the field of technology, namely the Indian Telegraph Act, 1885 and the Indian Wireless Telegraphy Act, 1933. The first was made to manage telegraph lines and was later expanded to cover telephone systems and other communication setups. It focused mainly on physical infrastructure such as telegraph wires and lines, with no anticipation of digital communication or the internet. The second was introduced to regulate wireless telegraphy equipment, including radio transmitters and receivers, so as to prevent unauthorized devices from being used for communication. It was never intended to address the dynamic and decentralized nature of cyberspace; its purpose was to regulate radio frequencies. The main reasons these two Acts were not sufficient to govern cyberspace are:

Digital Data and Transactions: The Acts did not recognize or provide a framework for electronic data, digital records, or e-commerce. They were rooted in a time when communication was physical or analog, and the concepts of digital transactions and electronic evidence did not exist.

Anonymity and Decentralization of the Internet: Cyberspace is characterized by its decentralized nature and the anonymity it offers to users. The existing laws were focused on centralized systems with identifiable users, making them inadequate for addressing anonymous cyber threats or jurisdictional challenges in cyberspace.

Global Nature of Cyberspace: The Telegraph and Wireless Telegraphy Acts were designed for a national framework of communication. They lacked the scope to address cross-border issues that arise in cyberspace, such as international cybercrimes, data breaches, and jurisdictional disputes.

Evolving Nature of Cyber Offenses: Both Acts lacked provisions for cybercrimes such as hacking, identity theft, phishing, and online fraud. With the growth of the internet, these became significant challenges requiring specialized legal frameworks. Moreover, cyberspace technology evolves rapidly, introducing new forms of offense, such as ransomware, cyberbullying, and digital piracy, which these Acts were not equipped to handle. They also lacked provisions for proactive measures like encryption, data protection, and digital evidence collection.

Consumer Protection: With the emergence of e-commerce and online banking, consumer protection became critical. The older Acts had no provisions to safeguard users from online fraud, payment issues, or privacy violations.

Digital Identity and Authentication: Cyberspace relies heavily on digital identities and authentication mechanisms, such as digital signatures. These Acts had no provisions for recognizing or regulating digital identities or electronic authentication.

Data Protection and Privacy: The need for robust data protection laws arose with the widespread use of the internet. These Acts did not address personal data privacy, unauthorized data collection, or data breaches.

Legal Recognition of Electronic Records: Electronic contracts, records, and signatures are integral to cyberspace. The older laws gave no legal validity or recognition to such digital instruments, making them inadequate for regulating modern digital interactions.

In a nutshell, the Indian Telegraph Act, 1885, and the Indian Wireless Telegraphy Act, 1933, were tailored to the communication technologies of their respective eras. The advent of the internet and cyberspace introduced entirely new challenges, requiring a comprehensive, modern legal framework.

The Indian Penal Code (IPC), 1860, was the cornerstone of criminal law in India, addressing a wide range of offenses. In practice, some of its penal sections continued to be invoked in certain cybercrime cases even after the Information Technology Act came into force, until the IPC was replaced by the Bharatiya Nyaya Sanhita, 2023. However, the IPC was not designed to address the unique challenges posed by cybercrime. Its inadequacies in governing cybercrime can be attributed to the following reasons:

Lack of Technological Context: The IPC was drafted in 1860, long before the advent of computers, the internet, or digital technology. It was designed to address traditional crimes, such as theft, fraud, and physical harm, without any anticipation of crimes committed in the virtual world. Cybercrimes involve intangible elements like data, networks, and digital identities, which were beyond the imagination of the framers of the IPC.

Absence of Specific Provisions for Cybercrimes: The IPC does not specifically define or address modern cybercrimes such as hacking, phishing, identity theft, cyberstalking, online harassment, data breaches, ransomware attacks and digital piracy. These crimes require precise legal definitions and specialized frameworks, which the IPC lacks.

Global and Anonymous Nature of Cybercrime: Cybercrime is often cross-border in nature, with offenders located in different jurisdictions. The IPC was designed for crimes within the physical and territorial boundaries of India and does not account for the jurisdictional complexities of cyberspace. Anonymity in cyberspace makes it harder to apply traditional laws to identify and prosecute offenders.

Data Theft and Unauthorized Access: Cybercrimes often involve the theft of data or unauthorized access to digital systems. The IPC primarily deals with theft of physical property (Section 378), which does not extend to intangible assets like data, making it insufficient to prosecute such offenses. The IPC defined theft as follows: whoever, 'intending to take dishonestly any moveable property out of the possession of any person without that person's consent, moves that property in order to such taking, is said to commit theft.' For an object to be considered stolen, therefore, the primary condition is that it has been removed from its original location. Data theft, however, can happen through unauthorised copying or access, after which the stolen data still exists at its original location. The IT Act closes this gap directly: Section 43 attaches liability to downloading, copying or extracting data from a computer, computer system or computer network without the owner's permission, with no requirement that the original be removed. This is one of many instances where a conventional law falters when applied to cyberspace.

Privacy Violations: Cybercrime often involves violations of individual privacy, such as unauthorized sharing of private photos or videos and data breaches compromising personal information. The IPC has no specific provisions to address these digital privacy violations.

Cyberterrorism: Acts like hacking into critical infrastructure, disrupting communication networks, or spreading propaganda online are forms of cyberterrorism. The IPC's provisions on terrorism are not equipped to deal with these technology-driven crimes.

Defamation in Cyberspace: The traditional defamation provisions of the IPC (Sections 499 and 500) are not well suited to defamation in cyberspace, where content can be disseminated instantly to a global audience, causing widespread damage.

Online Fraud and Financial Crimes: The IPC addresses traditional forms of fraud but lacks specific provisions for cyber fraud, such as online payment scams, credit card fraud and cryptocurrency-related crimes. Handling these crimes requires a more technology-oriented legal framework.

Cyber Harassment and Bullying: While the IPC criminalizes physical harassment, it does not adequately address harassment and bullying conducted online, such as cyberstalking, revenge porn, trolling and abusive behavior on social media platforms.

Crimes against Children: Crimes such as the distribution of child pornography or grooming minors online are not explicitly addressed under the IPC. These require targeted provisions to protect children from online exploitation.

In conclusion, the IPC, though comprehensive for its time, was inherently insufficient to address the complexities and technicalities of cybercrimes in the digital age.

1.3. Background of Cyber Law

The latter part of the 20th century saw significant advancements in information technology and the internet, leading to profound changes in commerce, communication, and governance. Nations across the globe began to develop legal frameworks aimed at addressing the challenges posed by the emerging digital economy.

In 1991, India took significant steps to liberalize its economy, which spurred the expansion of the IT and software services industry. This shift allowed companies such as Infosys, Wipro, and TCS to rise to global prominence, highlighting the importance of strong legal frameworks for digital operations. The Y2K challenge further showcased India's IT capabilities, emphasizing the necessity for improved digital infrastructure and regulatory measures.

In 1996, the United Nations Commission on International Trade Law (UNCITRAL) introduced the Model Law on Electronic Commerce, which was designed to promote electronic transactions. This framework became a foundational reference for India's Information Technology Act. The global surge in digital commerce underscored the necessity for regulations governing online contracts, payment systems, and consumer protection.

In 1998, the Government of India acknowledged the rapid progress in technology and its effects by setting up the National Task Force on Information Technology and Software Development.
This task force offered suggestions aimed at fostering a supportive atmosphere for IT growth, emphasizing the importance of a strong legal structure for electronic commerce and cybersecurity. These suggestions laid the groundwork for the formulation of the IT Act.

The Information Technology Bill was introduced in Parliament in 1999 and passed in 2000. It aimed to: (1) provide legal recognition for electronic documents and digital signatures, (2) facilitate electronic filing of documents with government agencies, (3) address issues of data protection, cybersecurity, and cybercrime, and (4) promote e-commerce by establishing trust in electronic transactions.

The IT Act came into effect on 17th October 2000, marking a milestone in India's legislative history. It was enacted as a comprehensive law to address issues related to electronic commerce, digital communication, and cybercrime. India is the twelfth country in the world to have its own law governing cyberspace. As technology advanced, the IT Act underwent amendments to address emerging challenges. The 2008 Amendment introduced provisions for data protection, penalties for identity theft, and regulation of intermediaries, further strengthening India's cyber law framework.

1.4. Applicability, Scope and Significance of IT Act

The Information Technology Act, 2000 (IT Act) is a comprehensive legislative framework established by the Indian government to tackle the difficulties arising from the rapid expansion of the internet and digital technologies. It provides a legal framework to promote e-commerce and IT enablement and to secure cyberspace in India. It defines and penalizes cybercrimes while also facilitating e-governance and electronic transactions through legal recognition of electronic documents and digital (electronic) signatures.

The Preamble of the Information Technology Act, 2000 sets the tone and purpose of the Act. It states: "An Act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as electronic commerce, which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934, and for matters connected therewith or incidental thereto."

This preamble emphasizes modernizing India's legal framework to keep pace with technological advancements and enable a robust digital economy. Key points of the Preamble are:

Legal recognition for electronic transactions: Establishes the validity of digital signatures and records.

Encouragement of e-governance: Facilitates filing documents electronically with government bodies.

Amendments to other laws: Aligns existing laws like the IPC and the Indian Evidence Act to accommodate digital and electronic processes.

Facilitation of e-commerce: Aims to promote and secure electronic commerce in India.

Scope of the IT Act

Facilitation of E-Commerce and E-Governance: The IT Act grants legal recognition to digital records and electronic signatures, ensuring that online transactions are as valid as conventional paper methods. It also enables the government to provide public services online through e-governance.

Cybercrime and Offenses: The IT Act defines and penalizes cybercrimes, including hacking, identity theft, phishing, and data breaches. It also covers offenses related to unauthorized access, spreading viruses, and cyber terrorism.

Regulation of Intermediaries: The IT Act establishes accountability for intermediaries like internet service providers and social media platforms concerning user content.

Digital Evidence: The IT Act recognizes electronic records as admissible evidence in courts, facilitating the legal process in cases involving cybercrimes.

Data Protection and Privacy: The IT Act includes provisions (though basic) to safeguard data from misuse, forming the foundation for later laws like the Digital Personal Data Protection Act, 2023.

Cross-Border Transactions: The IT Act facilitates international business by aligning with global standards, particularly the UNCITRAL Model Law on Electronic Commerce.

Significance of the IT Act

Legal Framework for the Digital Economy: The IT Act paved the way for India's transformation into a digitally empowered economy by providing a secure framework for online transactions and digital communication.

Promotion of Digital Trust: By legalizing digital signatures and providing secure methods of authentication, the IT Act has enhanced trust in electronic commerce and communication.

Combating Cyber Threats: The IT Act functions as a deterrent to cybercriminals through clear definitions of offenses and stringent penalties.

Encouragement of Innovation and Investment: The IT Act gives confidence to businesses, startups, and foreign investors by ensuring a secure digital legal environment.

Foundation for Further Legislation: The IT Act served as a precursor to more robust laws like the Digital Personal Data Protection Act, 2023 and emerging drafts like the Digital India Act.

Global Alignment: The IT Act demonstrates India's commitment to global standards in managing cyberspace, making it a credible player in the international digital domain.

To sum up, the IT Act is vital in facilitating India's digital transition by establishing a secure and legally recognized structure for online transactions, tackling cybercrime, and promoting confidence in the digital environment. Its influence keeps evolving with technological progress, making it a fundamental element of India's cyber legal framework.

1.5. Objectives & Applicability of IT Act

Because of its wide geographic applicability, the IT Act can handle both domestic and foreign cyber activities that impact India's digital systems. In addition to legalising India's digital economy and protecting its cyberspace, this offers a framework for combating cross-border cybercrime.

The IT Act extends to the whole of India, including the Union Territories. All digital contracts, cybercrimes, and other matters covered by the Act are subject to its jurisdiction when they occur within the nation's borders. The Act also applies to any offence or contravention committed from outside India if it involves a computer, computer system, or computer network located in India. It applies to any person, whether an Indian citizen, a foreign national, or a corporate entity, as long as the contravention involves a system in India. If, for instance, someone in the USA breaches the database of an Indian business that is hosted on servers in India, that person may face prosecution under the IT Act because the affected system is located in India. Section 75 of the Act specifies this extraterritorial clause. The section protects computers, systems, and networks located in India, irrespective of who (Indian or foreign individual or entity) owns or operates them.
For example: A multinational corporation's server located in India being targeted by a foreign entity falls under the jurisdiction of the IT Act. This provision reinforces India’s digital sovereignty by safeguarding its cyberspace and critical digital assets. The IT Act aligns with international frameworks for combating cybercrime and ensures India can respond effectively to cross-border Module 6: IT Act, Cyber Laws and their relevance Page 15 of 189 cyber threats. Cooperation agreements with foreign nations may further aid enforcement. However, there are a few challenges in practical implementation, including: Jurisdictional Issues: International agreements and collaboration are necessary to enforce Indian law against foreign entities. Evidence Collection: Due to disparate legal systems, collecting digital evidence internationally can be challenging. Extradition: There are frequently legal and diplomatic obstacles in bringing criminals to India for prosecution. A long-arm statute is a crucial legal tool to address cases involving non-residents or cross-border issues. In the context of cyber laws, it helps countries protect their digital infrastructure and citizens from global threats while promoting accountability in cyberspace. A long arm statute is a law that allows state courts to exercise jurisdiction over non-resident defendants. This means that a state court can try a defendant who lives outside of the state. Section 1 of the Information Technology Act, 2000 deals with the short title, extent, commencement, and application of the Act. Short Title: The Act is officially known as the Information Technology Act, 2000. Example: Extent: The Act extends to the whole of India. As already explained, it also applies outside India to offenses or contraventions committed by any person if the act involves a computer, computer system, or network located in India. Commencement: The Act came into effect on October 17, 2000. 
Certain provisions were brought into force later, on dates notified by the government. For practical purposes, cases relating to electronic records or digital signatures could only be addressed under the IT Act after the commencement date.
Applicability: The Act applies to electronic records, digital signatures and all activities relating to computer systems, networks and cybercrime. It also provides for the legal recognition of electronic contracts and transactions; filing tax returns online or signing an agreement electronically is covered by the Act.
Exceptions: Section 1(4), read with the First Schedule, provides that the Act does not apply to (1) negotiable instruments other than a cheque (e.g., promissory notes and bills of exchange), (2) powers of attorney, (3) wills and other testamentary dispositions, (4) trusts and trust deeds and (5) any other class of documents or transactions notified by the Central Government as excluded. For example, a handwritten will is not governed by the IT Act but by other laws such as the Indian Succession Act, 1925.
Technology Neutrality: The provisions apply irrespective of the technology or platform used.

1.6. Evolution of Cyber Laws in India

India’s digital landscape has grown rapidly, making the country a centre for online services, e-commerce and digital innovation. This rapid evolution requires a strong legal framework to handle the particular difficulties presented by cyberspace. India’s cyber laws reflect this need; they have undergone a slow but notable transition towards a more thorough and sophisticated legal framework. India’s cyber legal history reached a major turning point with the passage of the Information Technology Act, 2000, which sought to establish a legislative framework for electronic commerce, digital signatures and data protection.
The Act was criticised, nevertheless, for its narrow purview and for failing to address newer cybercrimes such as data breaches, online harassment and cyberbullying effectively.

Several rules and regulations accompany the IT Act and further shape cyber law in India:

Information Technology (Certifying Authorities) Rules, 2000: These rules lay down the criteria for the licensing and functioning of Certifying Authorities, which issue the digital signature certificates needed to authenticate electronic records and transactions.
Information Technology (Certifying Authority) Regulations, 2001: In force from July 9, 2001, these regulations set out the technical standards and operational procedures for Certifying Authorities, ensuring the security and reliability of digital certificates.
Information Technology (Use of Electronic Records and Digital Signatures) Rules, 2004: These rules provide the framework for the electronic filing of documents with government agencies and the electronic issue of licences, enabling paperless transactions with the government.
Information Technology (Security Procedure) Rules, 2004: Effective from October 29, 2004, these rules define the procedures by which a digital signature or an electronic record qualifies as a secure one, ensuring its security and integrity.

The Information Technology (Amendment) Act, 2008 was a significant update to the original law. It expanded the Act’s purview to cover more recent cybercrimes such as identity theft, cyberstalking and online defamation, and it introduced data protection provisions, albeit with a somewhat narrow focus.
Key changes included:

Cyberterrorism: Section 66F was inserted, defining and penalising cyberterrorism.
Data Protection: Sections 43A and 72A were added. Section 43A makes a body corporate liable to pay compensation where its negligence in implementing reasonable security practices causes wrongful loss or gain, and Section 72A penalises disclosure of personal information in breach of a lawful contract.
Intermediary Liability: Section 79 was recast to give intermediaries such as social media platforms and internet service providers conditional safe harbour; they remain protected only if they observe due diligence and remove objectionable content on receiving notice or actual knowledge.
Stronger Penalties: Specific offences were added, such as identity theft (Section 66C) and cheating by personation, which covers phishing (Section 66D).

In 2011, the Government of India notified rules (not amendments to the Act itself) under the IT Act, 2000, using the rule-making powers conferred by the 2008 amendment:

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: These rules require bodies corporate that handle sensitive personal data to implement reasonable security practices and procedures to protect it, including measures such as encryption, access controls and regular security audits. They aim to safeguard sensitive personal information such as financial, health and biometric data from unauthorised access and misuse.
Information Technology (Intermediaries Guidelines) Rules, 2011: These rules set out the due-diligence obligations of intermediaries such as social media platforms, search engines and internet service providers. Intermediaries must take down or disable access to content that is illegal, harmful or objectionable and must assist law enforcement agencies in cybercrime investigations.
Information Technology (Guidelines for Cyber Cafe) Rules, 2011: These rules govern the operation of cyber cafés and internet centres, requiring them to maintain records of their customers, including names, addresses and the duration of internet use.
These records are intended to aid the investigation of cybercrimes and to prevent misuse of such facilities.

India’s judiciary has played a pivotal role in shaping cyber law. Landmark judgments include:

Shreya Singhal v. Union of India (2015): This case centred on the constitutionality of Section 66A of the Information Technology Act, 2000, which criminalised sending “offensive” messages through communication services, a term that was excessively broad and vague. The petitioner argued that Section 66A violated the fundamental rights to freedom of speech and expression (Article 19(1)(a)) and to life and personal liberty (Article 21) under the Constitution of India. Recognising the potential for arbitrary suppression of free speech, the Supreme Court of India struck Section 66A down as unconstitutional. The judgment emphasised that any restriction on fundamental rights must be narrowly tailored, precise and justifiable under the “reasonable restrictions” clause of Article 19(2). The ruling reinforced the importance of safeguarding freedom of speech and expression in a democratic society.

Justice K.S. Puttaswamy v. Union of India (2017): This case established the right to privacy as a fundamental right under the Constitution of India. A nine-judge bench held that the right to privacy is an intrinsic part of the right to life and personal liberty guaranteed by Article 21, and recognised that privacy is essential for individual autonomy, dignity and the development of personality. The judgment has significant implications for data protection, surveillance and bodily autonomy.
It has been hailed as a crucial step towards safeguarding individual liberties in the digital age and strengthening democratic values.

In response to growing concerns about data privacy, India introduced the Personal Data Protection Bill in 2019; it was withdrawn in 2022 and replaced by the Digital Personal Data Protection Act, 2023. This legislation regulates the collection, storage and processing of digital personal data, gives individuals (data principals) rights over their data and imposes obligations on data fiduciaries to ensure data security and transparency. It is seen as a cornerstone for safeguarding privacy in the digital age.

1.7. Definitions

The Information Technology Act, 2000 defines its key terms, primarily in Section 2. These definitions form the foundation for understanding the provisions of the law.

Computer [Section 2(i)]: Any electronic, magnetic, optical or other high-speed data processing device or system that performs logical, arithmetic and memory functions by manipulating electronic, magnetic or optical impulses, including all input, output, processing, storage, software and communication facilities connected to it. The term broadly covers desktops, laptops, servers and other data-processing devices. (Example: A smartphone that accesses the internet and runs applications is a computer.)
Computer Network [Section 2(j)]: The interconnection of one or more computers, computer systems or communication devices through satellite, microwave, terrestrial line, wire, wireless or other communication media, whether or not the interconnection is continuously maintained. Networks range from small local networks to global systems like the internet. (Example: An office LAN connecting multiple computers and printers.)
Computer Resource [Section 2(k)]: A computer, computer system, computer network, data, computer database or software. The term covers any infrastructure used for data processing, storage and communication, including cloud services and databases.
(Example: A company’s server used to store and process client information.)
Computer System [Section 2(l)]: A device or collection of devices, including input and output support devices, that contains computer programs, electronic instructions and input and output data and performs logic, arithmetic, data storage and retrieval, communication control and other functions. Hardware, software and firmware work together to process data.
Secure System [Section 2(ze)]: Computer hardware, software and procedures that are reasonably secure from unauthorised access and misuse, provide a reasonable level of reliability and correct operation, are reasonably suited to performing the intended functions and adhere to generally accepted security procedures. (Example: A bank’s encrypted database for storing customer details.) The Act does not itself prescribe specific controls, so in practice a secure system is one that implements appropriate measures such as access controls, encryption, firewalls, intrusion detection and regular security audits; protects data from unauthorised access, use, disclosure, disruption, modification or destruction; maintains confidentiality, integrity and availability; and complies with relevant security standards and regulations. The specific requirements vary with the nature of the data handled, the criticality of the system and applicable industry standards.
Data [Section 2(o)]: A representation of information, knowledge, facts, concepts or instructions prepared or processed in a formalised manner and intended for use in a computer system or computer network, whether in any form (including computer printouts, magnetic or optical storage media and punched cards or tapes) or stored internally in the computer’s memory. Data can include text, images, audio, video and other forms of electronic information. (Example: A text file containing customer details is data.)
Information [Section 2(v)]: Includes data, messages, text, images, sound, voice, codes, computer programmes, software and databases, as well as microfilm and computer-generated microfiche. Information is the medium for communication and knowledge transfer.
The IT Act provides safeguards for the secure handling of electronic information. (Example: A multimedia presentation combining text, images and audio.)
Electronic Form [Section 2(r)]: With reference to information, any information generated, sent, received or stored in media, magnetic, optical, computer memory, microfilm, computer-generated microfiche or a similar device. It allows paperless communication and storage and is integral to e-governance and online services. (Example: An online application form for a government service.)
Electronic Record [Section 2(t)]: Data, record or data generated, image or sound stored, received or sent in an electronic form, or microfilm or computer-generated microfiche. It includes emails, text messages, digital contracts and other digital content. Electronic records are admissible as evidence under the Indian Evidence Act, 1872 (Section 65B), subject to the conditions of that section.
Access [Section 2(a)]: Gaining entry into, instructing or communicating with the logical, arithmetical or memory function resources of a computer, computer system or computer network. It includes the ability to view, retrieve or interact with data stored in a computer resource. Unauthorised access attracts civil liability under Section 43 and, where done dishonestly or fraudulently, punishment under Section 66. (Example: Logging into someone’s email account without permission is unauthorised access.)
Function [Section 2(u)]: In relation to a computer, includes logic, control, arithmetical process, deletion, storage and retrieval, and communication or telecommunication from or within a computer. Functions are the operations a computer performs to process data and execute commands. (Example: Performing calculations in a spreadsheet program.)
Intermediary [Section 2(w)]: With respect to any electronic record, any person who on behalf of another receives, stores or transmits that record or provides any service with respect to it, including telecom service providers, network service providers, ISPs, web-hosting providers, search engines, online payment sites, online auction sites, online marketplaces and cyber cafés. Intermediaries have specific obligations under the IT Act, such as due diligence and content takedown.
Originator [Section 2(za)]: A person who sends, generates, stores or transmits any electronic message, or causes one to be sent, generated, stored or transmitted, to any other person; it does not include an intermediary.
The originator initiates the communication in electronic systems, and the definition identifies the source of a digital communication. (Example: An individual sending an email is the originator of that message.)
Addressee [Section 2(b)]: A person who is intended by the originator to receive the electronic record, but does not include any intermediary. The addressee can be an individual or an organisation. It is essential for establishing the flow of communication and legal accountability. (Example: In an email, the person in the “To” field is the addressee.)
Digital Signature [Section 2(p)]: Authentication of an electronic record by a subscriber by means of an electronic method or procedure in accordance with Section 3, that is, using an asymmetric cryptosystem and a hash function. It provides a way to verify the identity of the signer and the integrity of the record and is widely used in e-governance and secure online transactions.
Digital Signature Certificate [Section 2(q)]: A certificate issued by a Certifying Authority under Section 35 that binds a subscriber’s identity to a public key, so that the subscriber’s digital signatures can be verified. Digital signature certificates are mandatory for certain online transactions. The 2008 amendment introduced the broader, technology-neutral term “electronic signature” (and “Electronic Signature Certificate”) throughout the Act; a digital signature is one kind of electronic signature.
Electronic Signature [Section 2(ta)]: Authentication of an electronic record by a subscriber by means of an electronic technique specified in the Second Schedule, and includes a digital signature. It establishes the identity of the signer and the integrity of the signed record and is legally valid under the IT Act.
Affixing Digital Signature [Section 2(d)]: Adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of a digital signature. It gives the signed record authenticity, integrity and non-repudiation.
A digital signature uses cryptographic methods to verify the signer’s identity. (Example: Signing an electronic agreement using a digital signature certificate.)
Key Pair [Section 2(x)]: In an asymmetric cryptosystem, a private key and its mathematically related public key, related such that the public key can verify a digital signature created by the private key. The key pair is the fundamental component of digital signatures and secure communication. (Example: A sender encrypting a message with the recipient’s public key, which only the recipient’s private key can decrypt.)
Asymmetric Cryptosystem [Section 2(f)]: A system of a secure key pair consisting of a private key for creating a digital signature and a public key for verifying it. Because the two keys differ, one can be published while the other stays secret; this is what makes digital signatures and secure data transmission possible. (Example: Sending encrypted emails using a recipient’s public key.)
Verify [Section 2(zh)]: In relation to a digital signature, electronic record or public key, to determine whether the digital signature was created using the private key corresponding to the subscriber’s public key and whether the electronic record has remained intact since the signature was affixed. Verification is the crucial step that maintains trust in electronic transactions. (Example: Checking the validity of a digital signature on an e-contract.)
Controller [Section 2(m)]: The Controller of Certifying Authorities appointed under Section 17 of the IT Act. The Controller supervises and licenses Certifying Authorities and lays down the standards they must follow, thereby regulating the issuance of digital signature certificates.
Certifying Authority [Section 2(g)]: A person who has been granted a licence under Section 24 to issue Electronic Signature Certificates. Certifying Authorities verify the identity of applicants before issuing certificates and are critical to the credibility of electronic transactions. (Example: Organisations such as eMudhra or NIC issue digital signature certificates in India.)
Subscriber [Section 2(zg)]: A person in whose name the Electronic Signature Certificate is issued. Subscribers must exercise reasonable care to retain control of their private key and are responsible for using and safeguarding their certificates; the IT Act governs their duties and liabilities. (Example: A business owner using a DSC for online transactions.)
Prescribed [Section 2(zb)]: Prescribed by rules made under the IT Act. The term marks procedures or standards that are specified in subordinate legislation rather than in the Act itself, giving the implementation clarity and consistency. (Example: “Prescribed security standards” are the security measures officially mandated under the Rules.)
Adjudicating Officer [Section 2(c)]: An officer appointed under Section 46 of the Act to adjudicate contraventions and award compensation or impose civil penalties (for instance under Sections 43 and 43A); criminal offences, by contrast, are tried by the courts. (Example: A claim for compensation arising from unauthorised access to a company’s system may be decided by the adjudicating officer.)
Appropriate Government [Section 2(e)]: The Central Government or, for matters within the legislative competence of a State, the State Government. The appropriate government implements and enforces the provisions of the Act within its sphere. (Example: The Central Government oversees matters relating to digital signature certificates.)

The rules and amendments made under the Information Technology Act, 2000, such as the IT Rules, 2011, expanded the scope of the Act by introducing additional definitions to address emerging challenges in cyberspace. These definitions clarified concepts relating to privacy, data protection, intermediary liability and cybersecurity.
Below are the additional definitions introduced through these rules:

Sensitive Personal Data or Information (SPDI): Defined under Rule 3 of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 as personal information relating to (1) passwords, (2) financial information such as bank account, credit card, debit card or other payment instrument details, (3) physical, physiological and mental health condition, (4) sexual orientation, (5) medical records and history, (6) biometric information, (7) any detail relating to the above provided to a body corporate for providing a service and (8) any of the above received by a body corporate for processing or storage under a lawful contract. Information that is freely available in the public domain, or furnished under the Right to Information Act, 2005, is not SPDI.
Reasonable Security Practices and Procedures: Security practices and procedures designed to protect information from unauthorised access, damage, use, modification, disclosure or impairment, as agreed between the parties, specified by law or prescribed by the Rules. Rule 8 treats a comprehensive, documented information security programme audited against a standard such as ISO/IEC 27001 as compliant.
Intermediaries: The Information Technology (Intermediaries Guidelines) Rules, 2011 elaborate the statutory definition: intermediaries include social media platforms, internet service providers (ISPs), web hosting providers, online marketplaces, search engines, payment gateways and so on. The rules set out the due diligence intermediaries must exercise when hosting, publishing or transmitting content.
Grievance Officer: Introduced under the Intermediaries Guidelines Rules, 2011. Intermediaries must appoint a grievance officer to handle user complaints regarding content or data breaches, and must publish the officer’s name and contact details on their website.
Cyber Café: Defined under the Information Technology (Guidelines for Cyber Cafe) Rules, 2011 as any facility offering public access to computers for internet use. Cyber cafés must maintain user logs and verify user identity through valid ID proof.
Critical Information Infrastructure (CII): Defined in Section 70 of the IT Act (the explanation inserted by the 2008 amendment) as a computer resource whose incapacitation or destruction would have a debilitating impact on national security, the economy, public health or safety. Sectors covered include power and energy, banking and financial services, government, telecommunications, transport, healthcare and defence. Such infrastructure is protected by the National Critical Information Infrastructure Protection Centre (NCIIPC), the nodal agency designated under Section 70A.
Harm: Physical or mental injury, identity theft, financial loss or damage to reputation caused by data breaches or other cyber offences.
Electronic Service Delivery: Defined under the IT (Electronic Service Delivery) Rules, 2011 as any government service delivered electronically, such as tax filing, the issue of licences or registrations.

***

2. Electronic Authentication

2.1. Background of Electronic Authentication in India

Electronic authentication is a critical aspect of modern digital transactions, enabling secure communication and verification in sectors such as e-commerce and governance. The legal framework governing electronic authentication in India is primarily established by the Information Technology Act, 2000 (IT Act), its subsequent amendments and the rules made under it. By recognising electronic signatures as legally valid and laying down rules for their use, the IT Act facilitates secure online transactions and enhances trust in digital communications. As technology evolves, further amendments to this framework will be needed to address emerging challenges in cybersecurity and data protection. In India, the legal recognition of electronic data is primarily governed by the IT Act.
This landmark legislation provides a framework for the use of electronic records and digital signatures, giving electronic communications the same legal validity as paper documents. Section 4 provides that where any law requires information to be in writing, typewritten or printed form, that requirement is satisfied if the information is rendered or made available in electronic form and is accessible so as to be usable for subsequent reference. This lets businesses and individuals transact electronically, confident that their digital records are legally recognised. Section 5 grants legal recognition to electronic signatures (originally digital signatures), treating them as satisfying any legal requirement for a signature, so that electronic documents can be authenticated and verified securely. Section 7 further provides that where records must be retained, electronic records may be retained if they remain accessible, in their original format or in one that accurately represents it, and with details identifying their origin, destination and time of despatch or receipt. The Information Technology (Use of Electronic Records and Digital Signatures) Rules, 2004 support this framework by laying down the procedures for using electronic records and signatures. Collectively, these provisions create a robust legal environment for electronic data, facilitating e-commerce and digital governance in India.

2.2. Electronic Contracts

With the rapid growth of technology and digitisation, electronic contracts (e-contracts) have become integral to business and personal transactions. An e-contract is an agreement that is created, communicated and executed electronically, eliminating the need for physical documents. In India, the legal framework for e-contracts is established under the Information Technology Act, 2000, ensuring their validity and enforceability. This section explores the concept of e-contracts, their legal recognition and the key provisions governing them under Indian law.
An electronic contract is a contract created and executed electronically, often without physical interaction between the parties. It may take the form of emails, digital forms, click-wrap agreements, browse-wrap agreements or agreements signed using digital signatures. E-contracts are widely used in e-commerce, online banking, software licensing and other digital transactions.

Trimex International FZE Ltd. v. Vedanta Aluminium Ltd. (2010) established the validity of contracts concluded by email under Indian law. The Supreme Court held that an exchange of emails can constitute a binding contract if the essential terms are agreed and the parties intend to be bound. The parties had negotiated a supply agreement over email, and the court found that the emails satisfied the requirements of a valid contract under the Indian Contract Act, 1872, namely offer, acceptance and mutual consent. The judgment confirmed that electronic communications are legally enforceable in modern commercial transactions.

The legal recognition and enforceability of e-contracts in India are governed primarily by the Indian Contract Act, 1872 and the Information Technology Act, 2000. The Contract Act supplies the general principles of contract law, while the IT Act enables the use of electronic records and electronic signatures in contractual agreements. The essential elements of a valid contract are:

Offer and Acceptance: A contract begins with a lawful offer by one party and its acceptance by another. The terms of the offer and acceptance must be clear, definite and effectively communicated. For example, A offers to sell a software solution to B for ₹2,00,000 and B agrees to buy it at that price; this is a valid offer and acceptance.
Intention to Create Legal Relationship: The parties must intend to enter into a legally binding relationship. Social or domestic agreements are generally not enforceable.
For example, an agreement between family members or friends to attend a dinner is not legally enforceable, but a business agreement to supply goods is.
Lawful Consideration: There must be lawful consideration, something of value exchanged between the parties, and it must not be illegal, immoral or against public policy. For example, in a contract for the sale of goods or services, the buyer pays money in exchange for the goods or services delivered by the seller; each side’s performance is the consideration for the other’s.
Capacity of Parties: The parties must be competent to contract: of sound mind, of the age of majority (18 years or older) and not disqualified by law. A contract with a minor, a person of unsound mind or a person too intoxicated to understand it is void for lack of capacity.
Free Consent: Consent must be free and not obtained through coercion (committing, or threatening to commit, an act forbidden by law), undue influence (where one party is in a position to dominate the will of the other), fraud, misrepresentation or mistake.
Lawful Object: The object of the contract must not be illegal, immoral or contrary to public policy. A contract to sell smuggled goods, pirated software or unlawfully obtained data is void because its object is unlawful.
Certainty and Possibility of Performance: The terms must be clear and certain, not vague or ambiguous, and performance must be possible. An agreement to sell ‘some software’ is void for uncertainty; a contract to find treasure on the moon is void as impossible to perform.
Agreement not Expressly Declared Void: The contract must not fall within the agreements expressly declared void by law, such as agreements in restraint of trade (restraining a party from exercising a lawful profession, trade or business), agreements in restraint of marriage and wagering agreements (bets on the result of a game or other uncertain event).
Legal Formalities: The contract must comply with any formalities required by law. Certain contracts, such as sale deeds of immovable property, must be in writing, signed and registered; a verbal agreement to transfer ownership of a house is invalid because registration is mandatory.
Mutual Obligation: Each party must have some duty or performance under the contract. If A agrees to sell software and B agrees to pay for it, the mutual obligation binds both parties to perform their respective promises.

The IT Act, 2000 provides the legal framework for electronic records and electronic signatures, on which the validity of e-contracts depends. Key provisions include:

Legal Recognition of Electronic Records (Section 4): Information required by law to be in writing is validly recorded in electronic form if it is accessible so as to be usable for subsequent reference.
Legal Recognition of Electronic Signatures (Section 5): Digital and other electronic signatures are legally valid for authenticating electronic documents. Digital signatures are verified using an asymmetric cryptosystem and a hash function.
Validity of Contracts Formed Electronically (Section 10A): Where an offer, its acceptance or revocation is expressed in electronic form or by means of an electronic record, the contract is not unenforceable merely because electronic means were used.
Attribution of Electronic Records (Section 11): An electronic record is attributed to the originator if it was sent by the originator, by a person authorised to act on the originator’s behalf, or by an information system programmed by or on behalf of the originator to operate automatically.
Time and Place of Despatch and Receipt (Section 13): The time and place at which an electronic record is despatched and received are defined, which determines when and where the contract is concluded; Section 12 deals with acknowledgment of receipt.
Types of Electronic Contracts

Click-Wrap Agreements: The user must click “I Agree” or “Accept” to the terms and conditions before proceeding with a service or product.
Browse-Wrap Agreements: Assent is implied from the user’s continued use of a website; the terms are typically available via a hyperlink, but no explicit consent is required.
Shrink-Wrap Agreements: Common in software licensing; the terms are accepted when the user opens the packaging or installs the software.
Email Contracts: Offer and acceptance are communicated through an exchange of emails.
E-Signature Agreements: Agreements signed electronically using tools such as Aadhaar eSign, digital signature certificates or other e-signature platforms.

Advantages of Electronic Contracts

Convenience and Efficiency: E-contracts save time and effort by allowing parties to execute agreements remotely.
Cost-Effective: They eliminate physical paperwork, printing and courier services.
Secure and Reliable: Digital signatures provide strong evidence of authenticity and integrity.
Environmentally Friendly: Reduced paper consumption supports sustainable practices.
Global Reach: They facilitate cross-border transactions and agreements.

Challenges and Limitations of E-Contracts

Authentication Issues: Although digital signatures enhance security, verifying the real-world identity of a party, and that the party actually controlled the signing key, can still be challenging.
Jurisdictional Disputes: E-contracts often involve parties in different jurisdictions, raising questions of applicable law and forum.
Lack of Awareness: Many individuals and small businesses are unaware of the legal framework and validity of e-contracts.
Fraud and Cybersecurity Threats: E-contracts are exposed to fraud, account compromise and other cybercrimes.
Enforceability of Browse-Wrap Agreements: Courts may question the validity of agreements where users were never explicitly required to consent.
Electronic contracts are a cornerstone of India's digital transformation. The legal framework provided by the Indian Contract Act, 1872, and the IT Act, 2000, ensures their validity and enforceability while fostering trust in digital transactions. However, challenges like cybersecurity threats and jurisdictional issues need to be addressed to further strengthen the e-contract ecosystem. As technology evolves, e-contracts will continue to play a vital role in driving innovation, efficiency, and global connectivity.
2.3. Digital Signature
Digital signatures are a fundamental component of modern cryptography, ensuring data authenticity, integrity, and non-repudiation in electronic communications. A digital signature is a cryptographic technique used to verify the authenticity and integrity of digital messages or documents. It ensures that the message originates from a verified source (authentication), has not been altered during transmission (integrity) and cannot be denied by the sender (non-repudiation).
Key Components of a Digital Signature:
Hash Function: A mathematical algorithm that converts an input message into a fixed-length string (the message digest) that is, for practical purposes, unique to the input. Even a small change in the input drastically changes the output.
Public-Key Cryptography: Public-key cryptography, also known as asymmetric cryptography, uses a pair of mathematically related keys: a public key that can be freely shared with anyone, and a private key that must be kept secret. For confidentiality, data encrypted with the public key can only be decrypted with the corresponding private key, allowing secure communication without pre-sharing a secret key. For signatures the roles are reversed: only the holder of the private key can produce a signature, and anyone holding the public key can verify it.
Certificate Authority (CA): A trusted third-party entity that issues digital certificates, binding a public key to its owner's identity. (The IT Act uses the term Certifying Authority for the licensed entities described later in this module.)
Recursive Authentication: The term used in this material for what practitioners usually call certificate chain validation, a layered check in which each stage of authentication reinforces the previous one.
In the context of digital signatures, recursive authentication involves verifying not just the final signature but also the intermediate steps, such as the validity of the signer's certificate (and thus the public key) and the trustworthiness of the Certificate Authority that issued it. This layered approach establishes a chain of trust throughout the verification process.
Working Principle: The digital signature process involves three main steps: Signing, Transmission, and Verification.
Signing Process:
Message Preparation: The sender creates the digital message (e.g., a document, email, or transaction record).
Hashing the Message: A hash function is applied to the message to generate a fixed-size hash value (message digest). Example hash functions include SHA-256, SHA-3, etc.
Signing the Hash: The hash value is signed with the sender's private key; for RSA this step is often loosely described as "encrypting the hash with the private key". The result is the digital signature. Signing only the digest, rather than the whole message, keeps the signature small and its cost independent of the message size.
Attaching the Signature: The digital signature is appended to the original message, forming a signed document or package.
Transmission Process: The signed message (original message + digital signature) is transmitted to the recipient over a communication channel. This could be email, a file-sharing platform, or another data transfer method; the signature itself does not depend on the channel being secure.
Verification Process:
Extracting the Digital Signature and Message: Upon receiving the signed package, the recipient separates the original message and the digital signature.
Hashing the Original Message: The recipient applies the same hash function to the received message to generate a new hash value.
Checking the Digital Signature: The recipient uses the sender's public key to verify the signature against the hash; for RSA this is the step loosely described as "decrypting the signature to reveal the hash the sender signed".
Recursive Authentication Check: The recipient ensures the authenticity of the sender's public key by verifying it against a digital certificate issued by a trusted Certificate Authority (CA).
The recipient also checks the CA's credentials (its own certificate, validity period and position in the hierarchy) to confirm it is a legitimate and trusted entity. These steps establish a chain of trust that reinforces the verification process.
Comparing the Hash Values: The recipient compares the newly generated hash with the hash recovered from the signature. If the two hashes match, the message is verified as authentic and unaltered. If they do not match, either the message was tampered with or the signature is invalid (for instance, it was produced with a different private key).
Class 1, 2, and 3 Certificates: Class 1, 2, and 3 certificates refer to different levels of Digital Signature Certificates (DSCs). Class 1 is the lowest level of assurance, used primarily for email verification; Class 2 offers moderate assurance for activities like online tax filing; and Class 3 provides the highest level of assurance, needed for sensitive government transactions like e-tendering and high-value contracts. Essentially, the higher the class, the stricter the identity verification process required to obtain the certificate. Here are a few key points about each class:
Class 1: This needs basic verification, often only requiring an email address. This type of DSC is used for simple email signing and authentication. It is not suitable for high-security transactions. The verification requirements are (i) Aadhaar eKYC Biometric, or (ii) a paper-based application form and supporting documents, or (iii) Aadhaar eKYC OTP and video verification. Private key generation and storage can be done in software.
Class 2: This needs moderate verification, usually requiring basic identity details like a PAN card. This type of DSC is used for online forms, tax filing, and some company registrations. It can be used by both individuals and businesses. The verification requirements are (i) Aadhaar eKYC Biometric, or (ii) a paper-based application form and supporting documents, or (iii) Aadhaar eKYC OTP and video verification.
Private key generation and storage should be in a hardware cryptographic device validated to FIPS 140-2 Level 2. (FIPS 140-2 is the US government standard used to approve cryptographic modules; a Level 2 device requires tamper-evidence and role-based authentication, and the private key never leaves it, which is what makes the "exclusive control" requirement for a secure signature enforceable rather than merely asserted.)
Class 3: This needs the highest level of verification, requiring physical appearance and in-depth identity checks. This type of DSC is mandatory for high-security activities like e-tendering, government contracts, and online auctions. It is considered the most secure option for sensitive transactions. The verification requirements are (i) Aadhaar eKYC Biometric, or (ii) a paper-based application form and supporting documents together with physical personal appearance before the CA or video verification, or (iii) Aadhaar eKYC OTP and video verification. Private key generation and storage should be in a hardware cryptographic device validated to FIPS 140-2 Level 2.
The same class and/or type of certificate issued by any licensed CA carries the same level of assurance and trust. India PKI follows a hierarchical PKI model, in which the Root CA certifies each CA and the CA in turn certifies the subscriber. The India PKI Certificate Policy applies to the entire ecosystem of CA certificates, subscriber certificates and key storage media. The method of verification prior to issuance of a certificate at a given assurance level is as per the Identity Verification Guidelines (IVG). Similarly, the content, format and storage medium for all certificates issued by all licensed CAs are as per the Interoperability Guidelines for DSC and the X.509 Certificate Policy for India PKI (X.509 is the International Telecommunication Union (ITU) standard defining the format of public key certificates). There is no difference between certificates of the same class and type issued by different CAs; the price of the certificate may, however, vary from one CA to another.
2.4. Electronic Governance
Electronic governance, commonly referred to as e-governance, represents a significant evolution in the way governments interact with citizens and deliver services.
Chapter III of the Information Technology Act, 2000 (IT Act) provides a comprehensive legal framework that facilitates the use of electronic records and digital signatures in governmental processes. This chapter underscores the importance of integrating technology into governance to enhance efficiency, transparency, and accessibility.
Legal Recognition of Electronic Records: Section 4 of the IT Act establishes the legal recognition of electronic records, asserting that any information or matter required to be in writing can be maintained electronically. This provision ensures that electronic documents are treated equally to traditional paper documents, thereby legitimizing their use in legal and administrative contexts. For instance, a citizen applying for a government service can submit their application online, and it will be considered valid under the law.
Digital Signatures: Section 5 focuses on digital signatures, which are crucial for authenticating electronic documents. The Act states that wherever a signature is required, it can be replaced by a digital signature, provided it is affixed in the manner prescribed by the government. This legal recognition is vital for secure transactions; for example, digital signatures are used in e-filing income tax returns, allowing taxpayers to sign their documents electronically without needing physical signatures. Note that the 2008 amendment of the Act replaced the word 'digital' with 'electronic' in this section; the reason is explained later in this module.
Use in Government Services: Section 6 provides for the use of electronic records and signatures by government agencies. This section allows citizens to file applications, submit documents, or make payments electronically.
A practical example is the e-District project, which enables citizens to access various government services online, such as obtaining certificates and licences, without visiting government offices.
Retention and Audit of Records: Sections 7 and 7A address the retention and audit of electronic records. They mandate that electronic records must be maintained securely and are subject to audit in the same way as physical documents. This ensures accountability and traceability in government transactions. For instance, electronic records related to public procurement can be audited to ensure compliance with regulations.
Publication in Electronic Gazette: Section 8 allows for the publication of rules and regulations in an Electronic Gazette, which modernizes how government notifications are disseminated. This shift enhances accessibility, as citizens can easily access official announcements online rather than relying solely on printed gazettes.
Limitations on Rights: Section 9 clarifies that while electronic records are generally given legal recognition under the IT Act, there are specific situations where they cannot replace traditional paper-based documents. In these cases, the law explicitly requires documents to be in a physical format (printed or written), signed or attested in the presence of a witness, etc. Section 9 limits the use of electronic records where physical documents are mandatory, such as negotiable instruments like cheques, promissory notes and bills of exchange, powers of attorney, wills and codicils, and contracts for the sale or transfer of immovable property, all of which require physical signatures to be legally valid. Preserving the legitimacy, dependability, and procedural protections necessary for particular legal documents is the basis for Section 9.
Higher levels of physical presence, attestation, and verification are required for some transactions and records in order to guard against fraud and guarantee legal compliance.
In conclusion, the IT Act lays a robust foundation for electronic governance in India by recognizing electronic records and digital signatures as legally valid. This framework facilitates efficient service delivery and enhances transparency in governmental operations. As India continues its digital transformation journey, e-governance initiatives will play a crucial role in improving citizen engagement and streamlining administrative processes. By embracing technology within governance structures, India aims not only to modernize its public services but also to foster a more inclusive society where access to information and services is equitable for all citizens.
2.5. Attribution, Acknowledgment and Despatch of Electronic Records
The Information Technology Act, 2000 (IT Act) serves as a pivotal legal framework in India, facilitating the recognition and regulation of electronic records and transactions. Chapter IV of the Act specifically addresses Attribution, Acknowledgment, and Despatch of Electronic Records, establishing essential guidelines for how electronic communications are validated and authenticated in legal contexts. This chapter is crucial for enhancing the reliability of digital transactions across various sectors.
Attribution of Electronic Records: Section 11 of the IT Act deals with the attribution of electronic records. It states that an electronic record is attributed to the originator if it is sent by the originator themselves, by someone authorized to act on their behalf, or through an information system programmed to operate automatically on behalf of the originator (such as an out-of-office message or automated reply system of an email or phone). For example, a company's billing system sends an automated invoice to a customer by email.
The invoice is attributed to the company, as the system was programmed to perform this task. If a manager delegates an assistant to send a project document via email, the record is still attributed to the manager or the organization. This provision ensures clarity regarding who is responsible for the content of electronic communications, thereby reducing disputes over authorship.
Acknowledgment of Receipt: Section 12 outlines the acknowledgment of receipt of electronic records. If the originator has not specified a particular method for acknowledgment, the recipient may acknowledge receipt in any manner. This provision is vital for reducing disputes related to whether a record was received, particularly in commercial transactions. For instance, when users submit an online application for a government service, they typically receive an automatic confirmation email acknowledging receipt of their application. This acknowledgment serves as proof that the application was successfully submitted and is essential for maintaining a transparent communication process. If the originator has stipulated that the record is binding only on receipt of acknowledgment, the record is considered sent only when the acknowledgment is received. The acknowledgment can be sent in any form, such as an email, a message, or even an action by the recipient (e.g., clicking on a confirmation link, downloading a file, agreeing to send a 'read receipt' to an email, the 'blue tick' on a WhatsApp message, etc.). Suppose a supplier sends an electronic purchase order to a buyer and requests acknowledgment via email; if the buyer replies with a confirmation email, the acknowledgment is complete and the order process can proceed. During any e-commerce transaction, clicking on a 'Confirm Order' button serves as an acknowledgment of the order details sent by the platform.
If the acknowledgment is not received by the originator within the time stipulated (or a reasonable time), the originator may notify the addressee that no acknowledgment has been received and, if none follows within the further period stated, may treat the record as never having been sent. (Illustration: X wants to sell something to Y. X sends an email to Y asking for an acknowledgement. Y does not send any such acknowledgement. X sends a reminder email to Y asking for an acknowledgement and waits for a certain period. Y still does not send any acknowledgement. The email sent by X will be considered as never having been sent.)
Despatch and Receipt of Electronic Records: Section 13 of the IT Act governs the despatch and receipt of electronic records, establishing clarity on when and where an electronic record is deemed sent and received. As per the provisions of this section, an electronic record is deemed despatched when it enters an information system that is beyond the control of the originator (e.g., the moment an email sender clicks the 'send' button). The record is deemed received when it enters an information system designated by the recipient (such as a mail inbox) or, in the absence of such designation, when the recipient retrieves it. The place of despatch and receipt is determined by the physical location of the originator and recipient (irrespective of the location of the email or message server). Generally, the originator's place of business, or residential address if no place of business exists, is treated as the place of despatch, and the recipient's place of business or usual residence as the place of receipt. For instance, a company in Delhi emails a contract to a recipient in Mumbai. The record is deemed despatched when it leaves the company's email server (which may be located in London) and enters the recipient's designated server (which may be located in New York). The place of despatch is Delhi, and the place of receipt is Mumbai.
The moment the originator presses the 'send' or 'submit' button is considered the time of despatch, since after this the electronic data travels through the internet and is out of the originator's control. Similarly, the moment the electronic data reaches the addressee (in practice, the destination server) is considered the time of receipt. This is irrespective of whether the addressee has opened it, whether an auto-response system was active, or whether the addressee was having problems with their system or network.
In electronic transactions, the attribution, acknowledgement, and despatch clauses guarantee accountability, clarity, and legal enforceability. They are especially important in automated processes, cross-border transactions, and e-commerce, where there is significant reliance on electronic records. These provisions increase confidence in India's digital economy by fostering trust between parties and streamlining the legal framework for digital communication.
2.6. Digital Signature Vs. Electronic Signature
Since the 2008 amendment to the IT Act replaced the term 'digital' with 'electronic', let us examine the distinction between the two terms. Although 'electronic signature' and 'digital signature certificate' are frequently used interchangeably, they have different meanings. The primary purpose of a digital signature is document security, and it is issued under the authority of licensed certifying authorities, whereas an electronic signature is simply linked to a contract that the signer intends to sign. Under the Information Technology Act, 2000 (as amended in 2008), a 'digital signature' is a specific type of 'electronic signature' that uses cryptographic techniques to secure a document, offering a higher level of authenticity and tamper-evident verification.
In contrast, an 'electronic signature' is a more general term that encompasses any method of electronically indicating consent, which may be less secure and may not involve cryptography at all; in other words, all digital signatures are electronic signatures, but not all electronic signatures are digital signatures. Some of the major differences between a digital signature and a generic electronic signature (excluding its subset of digital signatures) are set out below.
A digital signature relies on a public key infrastructure, which authenticates the signature. A generic electronic signature is simply a legally valid electronic replacement for a handwritten signature.
A digital signature carries the signer's identity information through the attached certificate. A generic electronic signature carries no such authentication data.
A digital signature is produced under defined cryptographic standards and secures the document against undetected alteration. A generic electronic signature involves no cryptographic standard and can only indicate assent to the document.
Digital signatures are issued and validated through licensed certifying authorities such as eMudhra. Electronic signatures are not validated by licensed certifying authorities.
A digital signature has multiple security features and is less prone to tampering. A generic electronic signature is less secure and more vulnerable to tampering.
A digital signature acts as an electronic fingerprint that incorporates the signer's identity. An electronic signature can be a file, image, or symbol attached to a document to give consent.
A digital signature is created with cryptographic algorithms. A simple electronic signature offers lower security, and no cryptographic algorithm is used in creating it.
A digital signature is authenticated using a digital signature certificate.
A generic electronic signature is authenticated, if at all, using a phone number, SMS, etc.
2.7. Authentication of Electronic Records
Authentication of electronic records is a critical aspect of modern digital transactions, ensuring that data integrity and authenticity are maintained in an increasingly digital world. The Information Technology Act, 2000 (IT Act) provides the legal framework for the authentication of electronic records in India, establishing the necessary protocols and standards for secure electronic communications. The IT Act recognizes electronic records and signatures as legally valid, enabling their use in various transactions. Section 3 of the IT Act specifies that any subscriber may authenticate an electronic record by affixing a digital signature. This process relies on an asymmetric cryptosystem and a hash function: the record is hashed, the hash is signed with the subscriber's private key, and anyone holding the subscriber's public key can verify the signature and thereby the record's authenticity and integrity.
Secure Electronic Records: A secure electronic record is defined under Section 14 of the IT Act: where a prescribed security procedure has been applied to an electronic record at a specific point of time, the record is deemed secure from that point until the time of verification. For the procedure to achieve this, it must ensure that:
The signature creation data (the private key) is under the exclusive control of the signatory.
Any alteration made after the signature is affixed is detectable.
The record fulfils any additional conditions prescribed by regulations.
These criteria ensure that electronic records are not only authentic but also tamper-evident, providing a reliable means of conducting digital transactions. Characteristics of secure electronic records are:
Integrity: The record must remain unchanged during transmission.
Confidentiality: Only authorized parties should have access to the record.
Availability: The record should be accessible when needed.
For instance, if a bank sends an electronic statement to its customer, it must ensure that the statement is encrypted and can only be accessed by the intended recipient. Note that a digital signature provides integrity and authenticity but not confidentiality; encryption is a separate measure.
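The signing and verification procedure of section 2.3, the hierarchical Root CA -> CA -> subscriber model, and the Section 3 and Section 14 requirements above (a record hashed and signed with an asymmetric cryptosystem; any later alteration detectable) in working code. This is an added example written for this page, not material from the ISEA module or from any licensed CA, and it uses only Go's standard crypto/rsa, crypto/sha256 and crypto/x509 packages. It assumes a hypothetical two-level hierarchy (a self-signed "Example Root CA" certifying a subscriber directly; the CCA's real root and the licensed CAs are not involved), RSA-2048 with SHA-256 as the technical standards later in this section require, and a constructed sample record. Hardware key storage (the FIPS 140-2 device) cannot be shown in software, so the private key here lives in memory.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewKeyAndCert generates a 2048-bit RSA key pair and an X.509 certificate for it.
// With parent == nil the certificate is self-signed (a root CA); otherwise parentKey,
// the key behind parent, signs it, which is the CA certifying a subscriber.
func NewKeyAndCert(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, Country: []string{"IN"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	if parent == nil { // root: signs certificates, not records
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// SignRecord hashes the record with SHA-256 and signs the digest with the private key.
func SignRecord(key *rsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifySignedRecord is the layered check: the subscriber certificate must chain to a
// trusted root and meet the minimum standards before the signature itself is checked.
func VerifySignedRecord(record, sig []byte, sub *x509.Certificate, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := sub.Verify(opts); err != nil {
		return fmt.Errorf("chain of trust: %w", err)
	}
	pub, ok := sub.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < 2048 {
		return fmt.Errorf("subscriber key is not RSA of at least 2048 bits")
	}
	if sub.SignatureAlgorithm != x509.SHA256WithRSA {
		return fmt.Errorf("certificate not signed with SHA-256: %v", sub.SignatureAlgorithm)
	}
	digest := sha256.Sum256(record) // recomputed independently of the sender
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature does not match record: %w", err)
	}
	return nil
}

func main() {
	caKey, caCert, err := NewKeyAndCert("Example Root CA", nil, nil)
	if err != nil {
		panic(err)
	}
	subKey, subCert, err := NewKeyAndCert("A (subscriber)", caCert, caKey)
	if err != nil {
		panic(err)
	}
	record := []byte("A agrees to sell the software; B agrees to pay INR 50,000.") // constructed sample
	sig, err := SignRecord(subKey, record)
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert)
	fmt.Println("original record:", VerifySignedRecord(record, sig, subCert, trusted))
	tampered := []byte("A agrees to sell the software; B agrees to pay INR 5,000.")
	fmt.Println("altered record: ", VerifySignedRecord(tampered, sig, subCert, trusted))
	_, otherRoot, _ := NewKeyAndCert("Other Root CA", nil, nil) // never certified the subscriber
	untrusted := x509.NewCertPool()
	untrusted.AddCert(otherRoot)
	fmt.Println("wrong root:     ", VerifySignedRecord(record, sig, subCert, untrusted))
}
```

Running it prints nil for the original record and an error for each failure case: changing one digit of the amount changes the SHA-256 digest, so the signature no longer matches (the "alteration detectable" requirement), and a verifier that trusts a different root rejects the subscriber certificate before the signature is even examined (the chain-of-trust or "recursive authentication" step). Note that the certificate check comes first: a valid signature from a key nobody has certified proves nothing about who signed. PKCS#1 v1.5 is used here because it is what most deployed DSC tooling still produces; RSA-PSS (rsa.SignPSS) is the stronger choice for new designs.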
Secure Digital Signature: A digital signature is a cryptographic technique used to validate the authenticity and integrity of a message or document. It is created using the private key corresponding to a digital signature certificate (DSC) issued by a certifying authority (CA). The process involves creating a hash of the original message and signing it with the signer's private key; the signature can then be verified by anyone holding the corresponding public key. The legal definition of a digital signature is provided in the IT Act, distinguishing it from other forms of electronic signature. Digital signatures are recognized as more secure because of their reliance on cryptographic techniques, making them suitable for high-stakes transactions where authenticity is paramount. A secure digital signature is defined under Section 15 of the IT Act as a signature that meets specific criteria:
Uniqueness: The signature must be unique to the subscriber.
Identification: It must identify the subscriber.
Control: The means used to create the signature must be under the exclusive control of the subscriber.
Linkage: The signature must be linked to the electronic record in such a way that any alteration invalidates it.
Security Procedures: The IT Act (Section 16) empowers the Central Government to prescribe security procedures and practices to ensure the integrity of electronic records. These procedures may vary depending on commercial circumstances and transaction types. The goal is to establish a robust framework that safeguards against unauthorized access and ensures that only authorized individuals can authenticate records. For example, a healthcare provider must encrypt patient records and restrict access to authorized staff only. Some of the key elements of security procedures are:
Encryption Standards: All sensitive data should be encrypted using robust algorithms.
Access Controls: Only authorized personnel should have access to sensitive information.
Regular Audits: Conducting periodic audits ensures compliance with security protocols.
Technical Standards for Digital Signatures: The technical standards for digital signatures are crucial for ensuring their reliability and security. These standards maintain interoperability between different systems and ensure that digital signatures can be trusted across platforms. They include:
Key Management: Proper key management practices must be implemented to safeguard private keys from unauthorized access. Minimum key lengths apply to the asymmetric algorithms (e.g., RSA keys should be at least 2048 bits).
Cryptographic Algorithms: Certifying authorities must use approved cryptographic algorithms for generating keys and for signing. The acceptable hash algorithm is SHA-256 or stronger; a verifier should reject certificates and signatures that use weaker digests such as SHA-1.
Certificate Content: Digital signature certificates must contain specific information, including details about the certificate holder and validity periods. The standard format for digital certificates is the International Telecommunication Union (ITU) X.509 format.
Controller of Certifying Authorities: The Controller of Certifying Authorities (CCA) plays a pivotal role in regulating certifying authorities in India. Appointed