It is an undisputed fact that cyber networking was the flag bearer of the Information Technology revolution the world saw in the post-war era. As far as India is concerned, the task of providing a legal backbone to regulate cyber operations was bestowed upon the Information Technology Act, 2000 (hereinafter IT Act). The legal framework for the cyber security needs of India revolves around the 13 Chapters, 90 sections and 2 schedules of this 16-year-old legislation.
The IT Act, 2000 was drafted in conformity with the United Nations Model Law on Electronic Commerce, which was adopted by the General Assembly on 30th January 1997. The Act had a three-fold objective:
- To provide legal recognition to transactions carried out through electronic means and facilitate international trade (e-commerce).
- To provide an alternative to paper-based methods of storing information and enable paperless filing of documents with government agencies.
- To criminalise and penalise offences committed through an electronic medium.
The amplitude of this Act is such that it attempts to provide confidence, protection and means of redressal even to the owner of a single computer system or network. The provisions of the Act are discussed below to show how they serve the cyber security needs of India.
JURISDICTIONAL EXTENT OF THE ACT
A very interesting feature of this Act is that it has extraterritorial jurisdiction, as can be understood from a reading of section 1(2) and section 75.
It applies to any person, irrespective of his nationality, for any offence or contravention committed outside India, provided that the act or conduct constituting the offence involves a computer, computer system or computer network situated in India.
The first section also provides that the Act extends to the whole of India, including the state of Jammu and Kashmir, in furtherance of the power of Parliament (under Article 253) to implement an international agreement.
COMMUNICATION PROCESS IN E-COMMERCE AND ELECTRONIC SIGNATURE
The term e-commerce, in a loose and brief sense, means business over the internet. Since business transactions and the communication process in e-commerce were conducted over the internet, they were never considered secure enough to rule out threats of interception, transmission delay and deletion, or doubts over authenticity and verification.
To provide integrity, authenticity and non-repudiation, digital signatures based on a cryptographic system were introduced first. The 2008 amendment then introduced electronic signatures, which widened the scope of authentication in the electronic world to include biometrics, fingerprints, any affixed secret code or PIN codes.
Section 3 provides that a subscriber may, subject to the provisions of this Act, authenticate an electronic record by affixing his digital signature, and that such authentication shall be done by way of an ‘asymmetric crypto system’ and a ‘hash function’.
The newly inserted Section 3A, by contrast, provides that a subscriber may authenticate an electronic record by an electronic signature or authentication technique which is reliable and may be mentioned in the Second Schedule of the Act.
PENALTIES AND COMPENSATION UNDER THE ACT
Section 43 sets out, in clauses (a) to (j), a comprehensive list of acts causing damage to a computer, computer system or computer resource. The section applies where any person, without the permission of the owner of the computer, computer resource etc.:
- accesses or secures access to such computer or computer resource
- downloads, copies or extracts any data, including data from a removable storage medium
- introduces or causes to be introduced any computer contaminant or virus
- damages or causes damage to computer data or network
- disrupts or causes disruption of a computer, computer system or resource
- denies or causes denial of access to any authorised person
- provides assistance to any person to facilitate access to a computer, computer system or network
- charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or network
- destroys, deletes or alters any information residing in a computer or diminishes its value or utility
- steals, conceals, alters or destroys any computer source code, or causes any person to do so.
Any person committing any of the abovementioned acts under the section shall be liable to pay compensation up to One Crore Rupees.
This section is the heart of the Information Technology Act, 2000.
Further, Section 43A provides compensation for failure to protect any sensitive personal data due to negligence by a body corporate entrusted with responsibility for protecting such data, such as a “data processor” or “data controller”. The compensation may amount to up to Five Crore Rupees.
Section 43, though comprehensive, deals solely with unauthorised access and is more of a cyber contravention than a cyber offence. Chapter XI of the Act deals with cyber offences.
There is a thin line of demarcation between cyber contraventions and cyber offences; the difference lies in the degree and extent of criminal activity. This head attempts to cover the major computer-related offences.
Tampering with computer source code required to be kept or maintained by law.
Whoever intentionally or knowingly conceals, destroys or alters any computer source code used for a computer, or causes another to do so, is punishable with imprisonment up to three years or fine up to two lakh rupees or with both.
This section provides that any act referred to in section 43 (a)-(j), done fraudulently or dishonestly, is punishable with imprisonment up to 3 years or with fine up to five lakh rupees or with both.
This section punishes the sending of offensive messages, which include:
- Sending any information that is grossly offensive or menacing
- Sending any false message persistently for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity or hatred
- Sending any electronic mail for the purpose of causing annoyance or inconvenience, or to deceive or mislead the addressee.
Punishment under this section is imprisonment up to 3 years and a fine.
This section punishes dishonestly receiving or retaining any stolen computer resource or communication device, for which the punishment is imprisonment up to 3 years or fine which may extend to one lakh rupees or with both.
This section punishes the fraudulent or dishonest use of the electronic signature, password or any other unique identification feature of any other person. The punishment is imprisonment up to 3 years or fine extending to one lakh rupees.
This section punishes cheating by personation, by way of or using any communication device, with imprisonment for a term extending to three years and fine up to one lakh rupees.
Section 66E – Violation of Privacy
This section protects privacy of a person. It punishes capturing, publishing or transmitting the image of a private area of any person without his/her consent with imprisonment up to three years or fine up to two lakh rupees, or with both.
Section 66F – Cyber Terrorism
When a person:
- denies access or causes denial of access to any person authorised to access such computer
- attempts to penetrate or secure access without authorisation or exceeding such authorisation
- introduces or causes to be introduced any computer contaminant
and does so with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or a section of the people, and by such means causes or is likely to cause death of a person or damage to property, the act is punishable with imprisonment which may extend to life.
Under sections 67, 67A and 67B, the Act attempts to combat the publication and transmission, in and through an electronic medium, of obscene material, material containing sexually explicit acts, and child obscenity and abuse.
However, the Act exempts any publication which is justified for the public good and which is kept for bona fide heritage or religious purposes.
AUTHORITIES AND AGENCIES UNDER THE ACT
The Act mandates the creation of various authorities and agencies to perform duties under it and to provide cyber security to the persons concerned.
Controller of Certifying Authority
The Certifying Authority is a trusted third party which verifies and authenticates the identity of a subscriber. The Certifying Authority receives its licence from the Controller of Certifying Authority. The IT Act, 2000, under Chapter VI, provides detailed provisions for the Controller of Certifying Authority to regulate Certifying Authorities.
National Nodal Agency
The major amendment introduced in 2008 mandated the establishment of a National Nodal Agency by the Central Government. The agency is entrusted with responsibility for research and development relating to the protection of Critical Information Infrastructure.
The Indian Computer Emergency Response Team (ICRT) serves as the National Nodal Agency; the ICRT performs the following functions to ensure cyber security:
- Collect, analyse and disseminate information related to cyber incidents
- Forecast and issue alerts of cyber security incidents
- Take emergency measures for handling cyber security incidents and coordinate cyber incident response activities
- Issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, prevention, response and reporting of cyber incidents.
The ICRT, while discharging its functions, may call for information from or give directions to any service providers, bodies corporate, data centres and intermediaries. Failure to comply with such a direction attracts a punishment of imprisonment up to 1 year or fine which may extend to one lakh rupees or both.
Further, the courts are barred from taking cognizance of any offence under this section unless the complaint is made by the authorised officer.
ADJUDICATION OF CLAIMS UNDER THE ACT
The Central Government appoints any officer not below the rank of Director to the Government of India, or an equivalent officer, as Adjudicating Officer. The Adjudicating Officer has jurisdiction over claims for injury up to five crore rupees.
Cyber Appellate Tribunal
The Central Government, under Chapter X, establishes Cyber Appellate Tribunals, each presided over by a Chairman. The Tribunal is empowered to hear appeals from any decision of the Controller or an adjudicating officer. In discharging its functions, the Tribunal is guided by the principles of natural justice.
Any person aggrieved by the order or decision of the Cyber Appellate Tribunal may file an appeal before the High Court, within sixty days of communication of such order or decision.
The cyber security regime of India under the Information Technology Act is often cited as inadequate in providing a backbone to India’s burgeoning e-commerce and insufficient in managing the techno-legal issues of the cyber world. Moreover, the provisions of the Act make no reference to mainstream cyber security issues such as sending unsolicited bulk e-mails (spamming) and fraudulently obtaining information from people (phishing).
However, the Central and State Governments are entrusted with the power to make Rules for carrying out the provisions of this Act, which is more of an attempt to mitigate the shortcomings of the Act in providing concrete support to the cyber security needs of India.