It is an undisputed fact that cyber networking was the flag bearer of the Information Technology revolution the world saw in the post-war era. As far as India is concerned, the task of providing a legal backbone to regulate cyber operations was bestowed upon the Information Technology Act, 2000 (hereinafter the IT Act). The legal framework for India's cyber security needs revolves around the 13 chapters, 90 sections and 2 schedules of this 16-year-old legislation.
The IT Act, 2000 was drafted in conformity with the United Nations Model Law on Electronic Commerce, which the General Assembly adopted on 30th January 1997. This Cyber Security Act had to fulfil three objectives:
- Provide legal recognition to transactions carried out through electronic means and facilitate international trade (e-commerce).
- Provide an alternative to paper-based methods of storing information, and allow paperless filing of documents with government agencies.
- Criminalise and penalise offences committed through an electronic medium.
The amplitude of this Act is such that it attempts to provide confidence, protection and means of redressal to even the owner of a single computer system or network. The provisions of the Act are discussed below in terms of how they serve India's cyber security needs.
Jurisdictional Extent Of The IT Act
An interesting feature of this Act is that it has extraterritorial jurisdiction; this can be understood from a reading of Section 1(2) and Section 75.
The Act applies to any person, irrespective of nationality, for any offence or contravention committed outside India, provided that the act or conduct constituting the offence involves a computer, computer system or computer network situated in India.
The first section also provides that the Act extends to the whole of India, including the state of Jammu and Kashmir, in furtherance of the power of Parliament (under Article 253) to implement an international agreement.
Cyber Security In E-Commerce And Electronic Signature
The term e-commerce, in a loose and brief sense, means business conducted over the internet. Since the business transactions and communications in e-commerce were conducted over the internet, they were never considered secure enough to rule out threats of interception, transmission delay and deletion, or problems of authenticity and verification.
To provide integrity, authenticity and non-repudiation, digital signatures based on a cryptographic system were introduced first. However, the 2008 amendment also introduced electronic signatures, which widened the scope of authentication in the electronic world to include biometrics, fingerprints, any affixed secret code or PIN codes.
Section 3 provides that a subscriber may authenticate an electronic record by affixing his digital signature, subject to the provisions of this Act, and that such authentication shall be effected by means of an ‘asymmetric cryptosystem’ and a ‘hash function’.
The newly inserted Section 3A, by contrast, provides that a subscriber may authenticate an electronic record by an electronic signature or authentication technique which is reliable and may be specified in the Second Schedule of the Act.
Penalties And Compensation Under The Act
Section 43 sets out, in clauses (a) to (j), a comprehensive list of acts causing damage to a computer, computer system or computer resource. The section applies where any person, without the permission of the owner of the computer, computer resource etc.:
- accesses or secures access to such computer or computer resource
- downloads, copies or extracts any data, including data from a removable storage medium
- introduces or causes to be introduced any computer contaminant or virus
- damages or causes damage to computer data or a network
- disrupts or causes disruption of a computer, computer system or resource
- denies or causes a denial of access to any authorised person
- assists any person to facilitate access to a computer, computer system or network
- charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or network
- destroys, deletes or alters any information residing in a computer, or diminishes its value or utility
- steals, conceals or destroys any computer source code, or causes any person to do so.
Any person committing any of the abovementioned acts under the section shall be liable to pay compensation up to One Crore Rupees.
This section is the heart of the Information Technology Act, 2000.
Further, Section 43A provides compensation for failure to protect sensitive personal data owing to negligence by a body corporate laden with the responsibility of protecting such data, such as a “data processor” or “data controller”. The compensation may amount to up to Five Crore Rupees.
Cyber Security Offences
Section 43, though comprehensive, deals solely with unauthorised access and is more a matter of cyber infringement than of cyber offence. Chapter XI of the Act deals with cyber offences.
There is a thin line between cyber contraventions and cyber offences; the difference lies in the degree and extent of the criminal activity. This part covers the major computer-related offences.
Tampering with computer source code required to be kept or maintained by law.
Whoever intentionally or knowingly conceals, destroys or alters any computer source code used for a computer, or causes another to do so, is punishable with imprisonment up to three years or a fine up to two lakh rupees, or with both.
This section provides that any act referred to in Section 43 (a)-(j), done fraudulently or dishonestly, is punishable with imprisonment up to 3 years or with a fine up to five lakh rupees, or with both.
This section punishes the sending of offensive messages, which includes:
- Sending any information that is grossly offensive or menacing
- Sending any false message persistently to cause annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity or hatred
- Sending any electronic mail to annoy, deceive or mislead the addressee.
Punishment under this section is imprisonment up to 3 years and a fine.
This section punishes dishonestly receiving or retaining any stolen computer resource or communication device, for which the punishment is imprisonment up to 3 years or a fine which may extend to one lakh rupees, or both.
This section punishes whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person. The punishment is imprisonment up to 3 years or a fine extending to one lakh rupees.
This section punishes cheating by personation using any communication device, with imprisonment for a term extending to three years and a fine up to one lakh rupees.
Section 66E – Violation of Privacy
This section protects the privacy of a person. It punishes capturing, publishing or transmitting the image of a private area of any person without his/her consent, with imprisonment up to three years or a fine up to two lakh rupees, or with both.
Section 66F – Cyber Terrorism
When a person:
- denies access or causes a denial of access to any person authorised to access such computer
- attempts to penetrate or secure access without authorisation, or to exceed such permission
- introduces or causes to be introduced any computer contaminant
and does so with intent to threaten the unity, integrity, security or sovereignty of India, or to strike terror in the people or any section of the people, and by such means causes or is likely to cause the death of a person or damage to property, that person is punishable with imprisonment which may extend to life.
Under Sections 67, 67A and 67B, the Act attempts to combat the publication and transmission, in and through electronic media, of obscene material, material containing sexually explicit acts, and child obscenity and abuse.
However, the Act exempts any publication which is justified as being for the public good and which is kept for bona fide heritage or religious purposes.
Authorities And Agencies Under The Act
The Act mandates the creation of various bodies and agencies to perform duties and provide cyber security to the persons concerned.
Controller of Certifying Authority
The Certifying Authority is a trusted third party which verifies and authenticates the identity of a subscriber. The Certifying Authority receives a licence from the Controller of Certifying Authority. The IT Act, 2000, under Chapter VI, contains detailed provisions for the Controller of Certifying Authority to regulate the Certifying Authority.
National Nodal Agency
A significant amendment introduced in 2008 mandated the establishment of a National Nodal Agency by the Central Government. The agency is entrusted with the responsibility of research and development relating to the protection of Critical Information Infrastructure.
The Indian Computer Emergency Response Team (ICRT) serves as the National Nodal Agency; the ICRT performs the following functions to ensure cyber security in India:
- Collect, analyse and disseminate information related to cyber incidents
- Forecast and issue alerts on cyber security incidents
- Take emergency measures for handling cyber security incidents and coordinate cyber incident response activities
- Issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, and to the prevention of, response to and reporting of cyber incidents.
The ICRT, while discharging its functions, may call for information from, or give directions to, any service provider, body corporate, data centre or intermediary. Failure to comply with such a direction attracts a punishment of imprisonment up to 1 year or a fine which may extend to one lakh rupees, or both.
Further, the Courts are barred from taking cognisance of any offence under this section unless the complaint is made by an authorised officer.
Adjudication Of Claims Under The Act
The Central Government appoints any officer not below the rank of Director to the Government of India, or an equivalent officer, as Adjudicating Officer. The Adjudicating Officer has jurisdiction over claims or injuries of up to five crore rupees.
Cyber Appellate Tribunal
Under Chapter X, the Central Government establishes Cyber Appellate Tribunals, presided over by a Chairman. The Tribunal is empowered to hear appeals from any decision of the Controller or an adjudicating officer. The principles of natural justice guide the Tribunal in discharging its functions.
Any person aggrieved by the order or decision of the Cyber Appellate Tribunal may file an appeal before the High Court, within sixty days of communication of such order or judgment.
The cyber security regime of India under the Information Technology Act is often cited as inadequate in providing a backbone to India’s burgeoning e-commerce and insufficient in managing the techno-legal issues of the cyber world. Moreover, the provisions of the Act make no reference to mainstream cyber security issues such as sending unsolicited e-mails in bulk (spamming) and fraudulently obtaining information from people (phishing).
However, the Central and State Governments are entrusted with the power to make Rules for carrying out the provisions of this Act, which is more of an attempt to mitigate the Act's shortcomings in providing concrete support to India's cyber security needs.