OVERVIEW OF INFORMATION TECHNOLOGY ACT 2000 - Huzaifa Salim

OVERVIEW OF INFORMATION TECHNOLOGY ACT, 2000

INTRODUCTION

The evolution of human civilization from the Stone Age to the contemporary era of information technology has left the regulatory authorities grappling to draft suitable legislation for the new age of information technology. With the advent of new-age facilities like storing, sharing and disseminating information, e-trade and commerce, effective and efficacious legal mechanisms to combat the challenges posed by these facilities became inevitable and led to the enactment of the Information Technology Act, 2000. The present legislation is based on the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. The act inter alia provides legal recognition to transactions carried out through electronic commerce and facilitates electronic filing of documents.

KEY DEFINITIONS & CONCEPTS

To bring the Indian techno-legal landscape in line with international standards and give effect to the UN General Assembly resolution, the government of India enacted the Information Technology Act, 2000. The act extends to the whole of India and has extra-territorial application in case of an offence or contravention committed outside India by any person. To encompass the ever-spreading paradigms of the information technology era, the act defines myriad terms relating to the information technology landscape. It defines:

(f) asymmetric crypto system means a system of a secure key pair consisting of a private key
for creating a digital signature and a public key to verify the digital signature;1

(g) Certifying Authority means a person who has been granted a licence to issue a
[electronic signature] Certificate under section 24;2

(nb) cyber security means protecting information, equipment, devices, computer, computer
resource, communication device and information stored therein from unauthorised access,
use, disclosure, disruption, modification or destruction;3

(o) data means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;4

1. Section 2(f), The Information Technology Act, 2000.
2. Section 2(g), The Information Technology Act, 2000.
3. Section 2(nb), The Information Technology Act, 2000.

(p) digital signature means authentication of any electronic record by a subscriber by means
of an electronic method or procedure in accordance with the provisions of section 3;5

(r) electronic form with reference to information, means any information generated, sent,
received or stored in media, magnetic, optical, computer memory, micro film, computer
generated micro fiche or similar device;6

(u) function, in relation to a computer, includes logic, control, arithmetical process, deletion,
storage and retrieval and communication or telecommunication from or within a computer;7

(w) intermediary, with respect to any particular electronic records, means any person who
on behalf of another person receives, stores or transmits that record or provides any service
with respect to that record and includes telecom service providers, network service
providers, internet service providers, web-hosting service providers, search engines, online
payment sites, online-auction sites, online-market places and cyber cafes;8

(x) key pair, in an asymmetric crypto system, means a private key and its mathematically
related public key, which are so related that the public key can verify a digital signature
created by the private key9

(ze) secure system means computer hardware, software, and procedure that– (a) are
reasonably secure from unauthorised access and misuse; (b) provide a reasonable level of
reliability and correct operation; (c) are reasonably suited to performing the intended
functions; and (d) adhere to generally accepted security procedures;10

Chapter II of the act deals with electronic signatures. It inter alia provides for authentication of electronic records by use of an asymmetric crypto system and hash function (which are used to create a digital signature in an electronic system), i.e. a digital signature. Chapter III of the act has paved the way for e-governance. Section 4 of the act gives legal recognition to electronic records whereas section 5 endows legal recognition on electronic signatures. Section 6 further extends the use of electronic records and electronic signatures to the government and its agencies. It provides for filing of any form or application with a government instrumentality, issue of licences, permits etc. and payments and receipts through an electronic medium. The government is authorized to hire any individual, private agency, private company, partnership firm or any other such service provider for efficient delivery of services to the public through electronic means.11 Section 7 permits the retention of any records, data or information in electronic form for a specified period, while section 8 provides for publication of rules, regulations, bye-laws and notifications in the electronic gazette. Section 10A declares that contracts formed, proposals communicated, and proposals accepted or revoked by an electronic medium shall not be unenforceable solely on the ground that such electronic form or means was used for the purpose.12 Chapter IV provides for attribution, acknowledgement and dispatch of electronic records. Section 11 reads that an electronic record shall be attributed to the originator if it was sent by the originator, by any authorized person, or by an information system programmed to operate on behalf of the originator.13 Where the originator and addressee haven’t agreed as to the form of acknowledgement, it may be given by communication to the addressee or by any conduct sufficient to indicate the communication.14 Where the originator has explicitly stated that the electronic record shall be binding only on the receipt of acknowledgement, it shall be deemed to have never originated unless the acknowledgement has been received by the originator.15

4. Section 2(o), The Information Technology Act, 2000.
5. Section 2(p), The Information Technology Act, 2000.
6. Section 2(r), The Information Technology Act, 2000.
7. Section 2(u), The Information Technology Act, 2000.
8. Section 2(w), The Information Technology Act, 2000.
9. Section 2(x), The Information Technology Act, 2000.
10. Section 2(ze), The Information Technology Act, 2000.

Chapter V deals with secure electronic records and signatures. Section 14 enacts that when a security procedure has been applied to an electronic record at a specific point of time, such record shall be deemed to be a secure electronic record from such point of time to the time of verification.16 An electronic signature shall be deemed to be a secure electronic signature if the signature creation data, at the time of affixing the signature, was under the exclusive control of the signatory and the signature creation data was stored and affixed in the prescribed manner.17

Chapter VI regulates certifying authorities and inter-alia provides for the appointment and functions of the controller, application for a license to issue digital certificates, the procedure for grant and rejection of such application, suspension of license etc. Chapter IX deals with compensation and adjudication (dealt with in a later part of this article) and Chapter X provides for the appellate tribunal. Chapter XI prescribes a list of offences and punishment thereto. Though Chapter XII exempts intermediaries in certain cases

11. Section 6A, The Information Technology Act, 2000.
12. Section 10A, The Information Technology Act, 2000.
13. Section 11, The Information Technology Act, 2000.
14. Section 12(1), The Information Technology Act, 2000.
15. Section 12(2), The Information Technology Act, 2000.
16. Section 14, The Information Technology Act, 2000.
17. Section 16, The Information Technology Act, 2000.

ELECTRONIC SIGNATURES

The concept of electronic signature under the Information Technology Act, 2000 is essentially based on the UNCITRAL Model Law on Electronic Signatures 2001. The model law was enacted with the intent to bring uniformity to the divergent legislative approaches to the electronic signature framework and to tackle the uncertainties which may arise due to the use of such modern technologies. Section 2(ta) of the act defines electronic signature as a method of authenticating any electronic record by means of an electronic technique specified in the second schedule or a digital signature. There are different types of electronic signature; however, not all of them are secure, hence only the techniques notified in the official gazette or in the second schedule can be used as a legitimate electronic signature.18 As per the provisions of the act there are two methods of creating an electronic signature: first, using the e-KYC service specified in the second schedule and second, an asymmetric crypto system, i.e. a digital signature. As per the second schedule, an electronic signature can be created using e-authentication services issued in accordance with the e-authentication guidelines by the controller of certifying authority. Prior to 2019, the e-signature could be created only by the Aadhaar-based e-KYC service, but following the Puttaswamy judgment an amendment was brought to the relevant provisions to substitute Aadhaar-based authentication with e-KYC-based verification. Now, through an amendment in 2020, the e-authentication technique can be offered by trusted third parties also. The provisions further lay down the duties of the trusted third party, like facilitating identity verification of the Digital Signature Certificate applicant, facilitating key pair generation, secure storage of the subscriber’s signature key, etc.19 The digital signature method of electronic signature authenticates an electronic record by an electronic method or an asymmetric crypto system and hash function. Section 5 of the IT Act, 2000 confers legal validity on electronic signatures by declaring that any record or information requiring authentication by affixing signatures shall be deemed to have been executed by affixing electronic signatures. Section 3A provides that an electronic record can be authenticated by an electronic signature only if it is reliable or listed in the second schedule. Section 3A(2) lays down the conditions for an electronic signature to be reliable: “(a) the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and to no other person; (b) the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person; (c) any alteration to the electronic signature made after affixing such signature is detectable; (d) any alteration to the information made after its authentication by electronic signature is detectable; and (e) it fulfils such other conditions which may be prescribed.”20

18. Yogesh Kolekar, Electronic Signature: Legal and Technical Aspect, LEGALLY INDIA, (January 24, 2021, 4:12 p.m.) http://www.legalservicesindia.com/article/1827/Electronic-Signature:-Legal-and-Technical-aspect.html#:~:text=The%20legal%20recognition%20of%20electronic,of%20information%20technology%20A
19. MEITY amends the Second Schedule of the IT Act, 2000, LEGALITY SIMPLIFIED, (January 24, 2021, 4:37 p.m.) https://legalitysimplified.com/2020/10/07/meity-amends-the-second-schedule-of-the-it-act-2000/

DIGITAL SIGNATURE

Section 2(p) defines digital signature as a method of authenticating any electronic record by means of any electronic method or procedure established in section 3.21 Section 3 enunciates that a subscriber may authenticate an electronic record by means of a digital signature. It further lays down that authentication of an electronic record shall be effected by an asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record, such that it is computationally infeasible to derive or reconstruct the original electronic record from the hash result produced by the algorithm, or for two electronic records to produce the same hash result using the algorithm.22 The authentication process is carried out by a functioning key pair, i.e. a public key and a private key. A public key can be used by any person to authenticate the record of the subscriber, while a private key, as the name suggests, is a unique key known only to its holder and is used to generate a digital signature. Section 5 confers legal validity on authentication by digital signature. A digital signature is not secure unless the private key, at the time of affixing the signature, is under the exclusive control of the signatory and is stored and affixed in the prescribed manner.23 The certifying authority has the license to issue digital signature certificates. The Controller, appointed by the central government, inter-alia exercises control over the activities of certifying authorities and certifies the public keys of certifying authorities. Chapter VII of the act deals with electronic signature certificates and authorises the certifying authority to issue, suspend and revoke such certificates.

20. Section 3A(2), Information Technology Act, 2000.
21. Section 2(p), Information Technology Act, 2000.
22. Section 3, Information Technology Act, 2000.
23. Section 15, Information Technology Act, 2000.

CRYPTOGRAPHY

Cryptography can be aptly defined as the science of encryption, which converts information in a manner that can be read and processed only by the intended receivers. Cryptographic functions are carried out by three types of algorithm: hashing, symmetric cryptography and asymmetric cryptography. Under the IT Act 2000 we find reference to hashing and asymmetric cryptography. The Explanation to section 3 defines hash function as an algorithmic mapping or translation of one sequence of bits into another, smaller set known as the hash result, such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible (a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm; (b) that two electronic records can produce the same hash result using the algorithm.24 Section 2(1)(f) defines asymmetric crypto system as a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature.25

As discussed earlier, cryptography is a science of encryption, so it becomes pertinent to take an overview of the provisions relating to encryption under the Information Technology Act, 2000. Section 84A empowers the central government to prescribe means and methods of encryption for secure use of the electronic medium and for promotion of e-governance and e-commerce.26 As of now there is no concrete legislation/law dealing exclusively with encryption; nevertheless, sectoral regulations in different industries like finance, banking and telecom prescribe minimum standards for transaction and communication encryption. Section 69 of the act further authorizes the central or a state government, on being satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence relating to the above, or for investigation of any offence, subject to the provisions of sub-section (2) and for reasons to be recorded in writing, to direct by order any agency of the appropriate Government to intercept, monitor or decrypt, or cause to be intercepted or monitored or decrypted, any information generated, transmitted, received or stored in any computer resource.27 Further, the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 provide for the legal mechanism in which the government may deem itself responsible to legally cryptanalyse the contents of any message.28

24. Explanation, Section 3, Information Technology Act, 2000.
25. Section 2(1)(f), Information Technology Act, 2000.
26. Section 84A, Information Technology Act, 2000.

PUBLIC KEY/PRIVATE KEY AND A HASH EXPLAINED

The authentication of an electronic record through the instrumentality of a digital signature is carried out in accordance with the procedure laid down in section 3, which inter-alia provides for authentication of an electronic record by an asymmetric crypto system and a hash function. Section 2(f) defines asymmetric crypto system as a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature.29 Section 2(zc) defines private key as the key of a key pair used to create a digital signature while section 2(zd) defines public key as the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate.30 In simple terms, the public key and private key constitute a functioning key pair unique to the subscriber. The private key enables the originator to encrypt the electronic record in such a manner that no alteration, modification or tampering with the electronic record is possible except with the public key. Once the record is encrypted it can only be decrypted by the public key of the originator, which is unique to the private key. Once the recipient has decrypted the records it becomes evident that the records were encrypted by the private key of the originator and no modification or alteration has been done to the records. Any person can verify the electronic record by use of the public key of the subscriber.31

27. Section 69(1), Information Technology Act, 2000.
28. Donnie Ashok, A brief history of Internet, cryptography, cryptanalysis and encryption laws of India, INDIA TECHNOLOGY LAW, (Jan 26, 2021, 10:54 a.m.) https://indiatechlaw.com/security/basics-internet-encryption-cryptography-cryptanalysis-laws/
29. Section 2(f), Information Technology Act, 2000.
30. Section 2(zc), Information Technology Act, 2000; see also section 2(zd), Information Technology Act, 2000.
31. Section 3(3), Information Technology Act, 2000.

Hashing can be defined as the process of mapping a large quantum of data into smaller blocks through the use of a hash function. The Explanation to section 3(2) defines hash function as an algorithmic mapping or translation of one sequence of bits into a smaller set known as the hash result, in such manner that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible to derive or reconstruct the original electronic record from the hash result produced by the algorithm, or for two electronic records to produce the same hash result using the algorithm.32 Rules 3, 4 and 5 of the Information Technology (Certifying Authorities) Rules 2000 enunciate the application of the hash function in authentication of information by digital signature and in creation and verification of digital signatures, and further lay down that the electronic record was unaltered, which is known to be the case if the hash result computed by the verifier is identical to the hash result extracted from the Digital Signature during the verification process.33 Rule 6 of the Information Technology (Certifying Authorities) Rules 2000 recognizes MD5 and SHA-2 as the accepted digital hash functions.34
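
The verification rule described above (the hash result computed by the verifier must be identical to the hash result extracted from the digital signature) is shown below as an added example that is not part of the original article. It assumes textbook RSA without padding and a constructed demonstration key built from two published Mersenne primes, so the key is not secret; all function names are hypothetical.

```python
import hashlib

# Constructed demonstration key (assumption of this example): both primes are
# published Mersenne primes, so the "private key" here is not secret.
# Real key pairs are generated by a vetted cryptographic library.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent (public key = N, E)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (private key)


def hash_result(record: bytes) -> int:
    """Hash result of an electronic record, as an integer.

    SHA-256 belongs to the SHA-2 family. MD5 has known practical
    collisions and so no longer satisfies the collision condition.
    """
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes) -> int:
    """Originator: transform the hash result with the private key."""
    return pow(hash_result(record), D, N)


def extract_hash(signature: int) -> int:
    """Verifier: recover the signed hash result using only the public key."""
    return pow(signature, E, N)


def verify(record: bytes, signature: int) -> bool:
    """Record is treated as unaltered only if the recomputed hash result
    equals the hash result extracted from the signature."""
    return hash_result(record) == extract_hash(signature)


def demo() -> dict:
    original = b"Pay Rs. 1,000 to A"   # constructed sample record
    tampered = b"Pay Rs. 9,000 to A"   # same record with one digit altered
    sig = sign(original)
    return {
        "original_ok": verify(original, sig),
        "tampered_record_ok": verify(tampered, sig),
        "altered_signature_ok": verify(original, sig ^ 1),
        "same_input_same_hash": hash_result(original) == hash_result(original),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two failing cases correspond to conditions (c) and (d) of section 3A(2): an alteration to the signature and an alteration to the signed information are both detectable.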

ENFORCEMENT AND ADJUDICATION MECHANISMS

The Information Technology Act recognises two types of violations: first, contraventions relating to damage to computers and computer systems; protection of data; failure to furnish information; and violation of any provision, rule, regulation or direction under the Act.35 Second, offences relating to identity theft, cyber terrorism, publishing or transmitting obscene and sexually explicit materials (also providing special protection to children in such cases), violation of privacy etc.36

Section 2(c) of the act defines adjudicating officer as an adjudicating officer appointed under sub-section (1) of section 46. Section 46 provides for the appointment of an adjudicating officer who shall investigate allegations of violation of the provisions of the IT Act and adjudicate upon the quantum of compensation/penalty to be awarded in case of violation. The adjudicating officer has the powers of a civil court and proceedings before it are deemed to be judicial proceedings. As per the Ministry of Electronics and Information Technology (“MeitY”), the secretary of the department of information technology of each state is appointed as the AO for that state by default.37 The Telecom Disputes Settlement and Appellate Tribunal is the Appellate Tribunal for the purposes of this Act and the said Appellate Tribunal has the jurisdiction, powers and authority conferred on it by or under this Act.38 Any party aggrieved by the order of the adjudicating officer or controller can file an appeal before the said tribunal.39 The appellate tribunal is not bound by the procedures laid down in the Civil Procedure Code 1908; rather it has the power to devise its own rules to regulate its procedure, including the place of its sittings.40 An appeal against the order of the appellate tribunal shall lie before the high court41 and no civil court shall have jurisdiction to entertain any matter in respect of which an adjudicating officer has been appointed or the appellate tribunal has been constituted.42

32. Explanation to section 3(2), Information Technology Act, 2000.
33. Neeraj Arora, Hash Value: Authentication and Admissibility in Indian Perspective, CRIS, (January 28, 2021, 5:00 p.m.) https://cyberpandit.org/?article_post=hash-value-authentication-and-admissibility-in-indian-perspective#:~:text=The%20rule%203%2C%204%20and,is%20known%20to%20be%20the
34. Rule 6, The Information Technology (Certifying Authorities) Rules 2000.
35. Section 43-44, Information Technology Act, 2000.
36. Chapter XI, Information Technology Act, 2000.
37. Order, Ministry of Communication and Information Technology (Department of Information Technology), Gazette of India, 25 March 2013, http://egazette.nic.in/WriteReadData/2003/E_136_2011_029.pdf

CONCLUSION

The advent of the computer and the internet brought things we couldn’t have imagined to our fingertips at an insurmountable speed, but with these sweet fruits come the bitter implications of such technology. It is no hidden fact that in today’s era of information technology, cyber-crimes or information technology related crimes are not merely confined to pornography, identity theft, bank fraud etc. but have extended their arms to terrorism, drug trafficking and other nefarious criminal activities. In this landscape, which could have led to utter chaos, the Information Technology Act has served a great purpose. It inter-alia lays down the laws to regulate e-commerce, modern-day computer crimes and offences, and punishment in case of violation of the act as well as commission of any offence. The act also recognizes electronic signatures and digital signatures and confers legal recognition on electronic records authenticated through these signatures. Despite these advantages, the act does not adequately deal with certain issues like privacy, the vast powers of the police, the ambiguous definition of certain terms like cyber terrorism, and the dispute resolution framework. In order to synchronize the dream of digital India with a ‘secure digital India’, it is pertinent to further strengthen the Information Technology Act, especially on aspects of privacy and dispute resolution in case of cyber and computer related offences.

38. Section 48, Information Technology Act, 2000.
39. Section 57, Information Technology Act, 2000.
40. Section 58, Information Technology Act, 2000.
41. Section 62, Information Technology Act, 2000.
42. Information Technology Act, 2000.