OVERVIEW OF INFORMATION TECHNOLOGY ACT 2000 - Huzaifa Salim
INTRODUCTION
The evolution of human civilization from the Stone Age to the contemporary era of information
technology has left regulatory authorities grappling to draft legislation suited to
the new age of information technology. With the advent of new-age facilities like storing,
sharing and disseminating information, e-trade and commerce, an effective and efficacious legal
mechanism to combat the challenges posed by these facilities became inevitable and led to
the enactment of the Information Technology Act, 2000. The present legislation is based on the
Model Law on Electronic Commerce adopted by the United Nations Commission on
International Trade. The act inter alia provides legal recognition to transactions carried out
through electronic commerce and facilitates electronic filing of documents.
To bring the Indian techno-legal landscape in line with international standards and give effect
to the UN General Assembly resolution, the government of India enacted the Information
Technology Act, 2000. The act extends to the whole of India and has extra-territorial application
in case of an offence or contravention committed outside India by any person. To
encompass the ever-spreading paradigms of the information technology era, the act defines myriad
terms relating to the information technology landscape. It defines:
(f) asymmetric crypto system means a system of a secure key pair consisting of a private key
for creating a digital signature and a public key to verify the digital signature;1
(g) Certifying Authority means a person who has been granted a licence to issue a
[electronic signature] Certificate under section 24;2
(nb) cyber security means protecting information, equipment, devices, computer, computer
resource, communication device and information stored therein from unauthorised access,
use, disclosure, disruption, modification or destruction;3
1 Section 2(f) The Information Technology Act, 2000.
2 Section 2(g) The Information Technology Act, 2000.
3 Section 2(nb) The Information Technology Act, 2000.
be processed, is being processed or has been processed in a computer system or computer
network, and may be in any form (including computer printouts magnetic or optical storage
media, punched cards, punched tapes) or stored internally in the memory of the computer; 4
(p) digital signature means authentication of any electronic record by a subscriber by means
of an electronic method or procedure in accordance with the provisions of section 3;5
(r) electronic form with reference to information, means any information generated, sent,
received or stored in media, magnetic, optical, computer memory, micro film, computer
generated micro fiche or similar device;6
(u) function, in relation to a computer, includes logic, control, arithmetical process, deletion,
storage and retrieval and communication or telecommunication from or within a computer;7
(w) intermediary, with respect to any particular electronic records, means any person who
on behalf of another person receives, stores or transmits that record or provides any service
with respect to that record and includes telecom service providers, network service
providers, internet service providers, web-hosting service providers, search engines, online
payment sites, online-auction sites, online-market places and cyber cafes;8
(x) key pair, in an asymmetric crypto system, means a private key and its mathematically
related public key, which are so related that the public key can verify a digital signature
created by the private key9
(ze) secure system means computer hardware, software, and procedure that– (a) are
reasonably secure from unauthorised access and misuse; (b) provide a reasonable level of
reliability and correct operation; (c) are reasonably suited to performing the intended
functions; and (d) adhere to generally accepted security procedures;10
Chapter II of the act deals with electronic signatures. It inter alia provides for authentication
of electronic records by use of an asymmetric crypto system or hash system (which are used to
create a digital signature in an electronic system), i.e. a digital signature. Chapter III of the act has
paved the way for E-Governance. Section 4 of the act gives legal recognition to
4 Section 2(o) The Information Technology Act, 2000.
5 Section 2(p) The Information Technology Act, 2000.
6 Section 2(r) The Information Technology Act, 2000.
7 Section 2(u) The Information Technology Act, 2000.
8 Section 2(w) The Information Technology Act, 2000.
9 Section 2(x) The Information Technology Act, 2000.
10 Section 2(ze) The Information Technology Act, 2000.
electronic records whereas section 5 endows legal recognition on electronic signatures.
Section 6 further extends the use of electronic records and electronic signatures to the
government and its agencies. It provides for filing of any form or application etc. with a
government instrumentality, issue of licences, permits etc. and payments and receipts through
an electronic medium. The government is authorized to hire any individual, private agency,
private company, partnership firm or any other such service provider for efficient delivery of
services to the public through electronic means.11 Section 7 permits the retention of any records,
data or information in an electronic form for a specified period while section 8 provides for
publication of rules, regulations, bye-laws and notifications in the electronic gazette. Section 10A
declares that contracts formed, and proposals communicated, accepted or revoked, by an
electronic medium shall not be unenforceable solely on the ground that such electronic form or
means was used for the purpose.12 Chapter IV provides for attribution, acknowledgement and
dispatch of electronic records. Section 11 reads that an electronic record shall be attributed to
the originator if it was sent by the originator, any authorized person, or by an information
system programmed to operate on behalf of the originator.13 Where the originator and addressee
haven’t agreed as to the form of acknowledgment, it may be given by communication to the
addressee or by any conduct sufficient to indicate the communication.14 Where the
originator has explicitly stated that the electronic record shall be binding only on the receipt of
acknowledgement, it shall be deemed to have never originated unless the acknowledgement
has been received by the originator.15
Chapter V deals with secure electronic records and signatures. Section 14 enacts that when a
security procedure has been applied to an electronic record at a specific point of time, then
such record shall be deemed to be a secure electronic record from such point of time to the
time of verification.16 An electronic signature shall be deemed to be a secure electronic
signature if the signature creation data, at the time of affixing the signature, was under the
exclusive control of the signatory and the signature creation data was stored and affixed in the
prescribed manner.17
11 Section 6A The Information Technology Act, 2000.
12 Section 10A The Information Technology Act, 2000.
13 Section 11 The Information Technology Act, 2000.
14 Section 12(1) The Information Technology Act, 2000.
15 Section 12(2) The Information Technology Act, 2000.
16 Section 14 The Information Technology Act, 2000.
17 Section 16 The Information Technology Act, 2000.
Chapter VI regulates certifying authorities and inter alia provides for the appointment and functions
of the controller, application for a license to issue digital certificates, the procedure for grant and
rejection of such application, suspension of license etc. Chapter IX deals with compensation
and adjudication (dealt with in a later part of this article) and Chapter X provides for the
appellate tribunal. Chapter XI prescribes a list of offences and the punishment therefor. Though
Chapter XII exempts intermediaries in certain cases
ELECTRONIC SIGNATURES
The concept of electronic signature under the Information Technology Act, 2000 is
essentially based on the UNCITRAL Model Law on Electronic Signatures 2001. The model
law was enacted with the intent to bring uniformity to the divergent legislative approaches to
the electronic signature framework and to tackle the uncertainties which may arise due to use of
such modern technologies. Section 2(ta) of the act defines electronic signature as a method
of authenticating any electronic record by means of an electronic technique specified
in the second schedule or a digital signature. There are different types of electronic signature;
however, not all of them are secure, hence only the techniques notified in the official gazette
or in the second schedule can be used as a legitimate electronic signature.18 As per the
provisions of the act there are two methods of creating an electronic signature: first, using the e-KYC
service specified in the second schedule and second, an asymmetric crypto system, i.e. digital
signature. As per the second schedule, an electronic signature can be created using e-authentication
services issued in accordance with e-authentication guidelines by the controller of certifying
authority. Prior to 2019, the e-signature could be created only by Aadhaar based e-KYC
service but following the Puttaswamy judgment an amendment was brought to the relevant
provisions to substitute Aadhaar based authentication with e-KYC based verification. Now,
through an amendment in 2020, the e-authentication technique can be offered by trusted third
parties also. The provisions further lay down duties of the trusted third party, like facilitating
identity verification of the Digital Signature Certificate applicant, facilitating key pair
generation, secure storage of the subscriber’s signature key, etc.19 The digital signature method
of electronic signature authenticates an electronic record by an electronic method or an asymmetric
crypto system and hash function. Section 5 of the IT Act, 2000 confers legal validity on
18 Yogesh Kolekar, Electronic Signature: Legal and Technical Aspect, LEGALLY INDIA, (January 24, 2021, 4:12 p.m.) http://www.legalservicesindia.com/article/1827/Electronic-Signature:-Legal-and-Technical-aspect.html#:~:text=The%20legal%20recognition%20of%20electronic,of%20information%20technology%20A
19 MEITY amends the Second Schedule of the IT Act, 2000, LEGALITY SIMPLIFIED, (January 24, 2021, 4:37 p.m.) https://legalitysimplified.com/2020/10/07/meity-amends-the-second-schedule-of-the-it-act-2000/
electronic signatures by declaring that any record or information requiring authentication by
affixing signatures shall be deemed to have been executed by affixing electronic signatures.
Section 3A provides that an electronic record can be authenticated by an electronic signature only if
it is reliable or listed in the second schedule. Section 3A(2) lays down the conditions for an
electronic signature to be reliable: “(a) the signature creation data or the authentication data
are, within the context in which they are used, linked to the signatory or, as the case may be,
the authenticator and to no other person; (b) the signature creation data or the
authentication data were, at the time of signing, under the control of the signatory or, as the
case may be, the authenticator and of no other person; (c) any alteration to the electronic
signature made after affixing such signature is detectable; (d) any alteration to the
information made after its authentication by electronic signature is detectable; and (e) it
fulfils such other conditions which may be prescribed.”20
DIGITAL SIGNATURE
Section 2(p) defines digital signature as a method of authenticating any electronic record by
means of any electronic method or procedure established in section 3.21 Section 3 enunciates
that a subscriber may authenticate an electronic record by means of a digital signature. It
further lays down that authentication of an electronic record shall be effected by an asymmetric crypto
system and hash function which envelop and transform the initial electronic record into
another electronic record, such that it is computationally infeasible to derive or reconstruct
the original electronic record from the hash result produced by the algorithm, or for two
electronic records to produce the same hash result using the algorithm.22 The authentication
process is carried out by a functioning key pair,
i.e. a public key and a private key. The public key can be used by any person to verify
the record of the subscriber, while the private key, as the name suggests, is a unique key known
only to its holder and is used to generate a digital signature. Section 5 confers legal validity
on authentication by digital signature. A digital signature is not secure unless the private key,
at the time of affixing the signature, is under the exclusive control of the signatory and is stored and affixed
in the prescribed manner.23 The certifying authority has the license to issue digital signature
certificates. The Controller, appointed by the central government, inter alia exercises control
over the activities of certifying authorities and certifies public keys of certifying authorities. Chapter
20 Section 3A(2) Information Technology Act, 2000.
21 Section 2(p) Information Technology Act, 2000.
22 Section 3 Information Technology Act, 2000.
23 Section 15 Information Technology Act, 2000.
VII of the act deals with electronic signature certificates and authorises the certifying
authority to issue, suspend and revoke such certificate.
CRYPTOGRAPHY
Hashing can be defined as the process of mapping a large quantum of data into smaller blocks
through the use of a hash function. The Explanation to section 3(2) defines hash function as an
algorithmic mapping or translation of one sequence of bits into a smaller set known as the hash
result, in such a manner that an electronic record yields the same hash result every time the
algorithm is executed with the same electronic record as its input, making it computationally
27 Section 69(1) Information Technology Act, 2000.
28 Donnie Ashok, A brief history of Internet, cryptography, cryptanalysis and encryption laws of India, INDIA TECHNOLOGY LAW, (Jan 26, 2021, 10:54 a.m.) https://indiatechlaw.com/security/basics-internet-encryption-cryptography-cryptanalysis-laws/
29 Section 2(f) Information Technology Act, 2000.
30 Section 2(zc) Information Technology Act, 2000; see also section 2(zd) Information Technology Act, 2000.
31 Section 3(3) Information Technology Act, 2000.
infeasible to derive or reconstruct the original electronic record from the hash result produced
by the algorithm, or for two electronic records to produce the same hash result using
the algorithm.32 Rules 3, 4 and 5 of the Information Technology (Certifying Authorities) Rules
2000 enunciate the application of the hash function in authentication of information by digital
signature and in creation and verification of digital signatures, and further lay down that the
electronic record is known to be unaltered if the hash result computed by
the verifier is identical to the hash result extracted from the Digital Signature during the
verification process.33 Rule 6 of the Information Technology (Certifying Authorities)
Rules 2000 recognizes MD5 & SHA-2 as the accepted digital hash functions.34
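The verification step described above, as an added example that is not part of the original article or of the Rules: the signer transforms the SHA-256 hash result with the private key, and the verifier extracts it with the public key and compares it with a freshly computed hash result. The key pair (built from two publicly known Mersenne primes), the unpadded RSA transform and the sample record are assumptions constructed for illustration and provide no real security.

```python
import hashlib

# Constructed toy key pair (assumption for illustration): both primes are
# publicly known Mersenne primes, so this key protects nothing.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                              # public key: modulus
E = 65537                              # public key: exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: exponent (Python 3.8+)


def hash_result(record: bytes) -> int:
    """Hash result of an electronic record, using SHA-256 (a SHA-2 function)."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes) -> int:
    """Signer: transform the hash result with the private key (unpadded RSA)."""
    return pow(hash_result(record), D, N)


def extract_hash(signature: int) -> int:
    """Verifier: recover the signed hash result using only the public key."""
    return pow(signature, E, N)


def verify(record: bytes, signature: int) -> bool:
    """True only if the recomputed hash result equals the extracted one."""
    return extract_hash(signature) == hash_result(record)


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of the 256 hash-result bits that differ between two records."""
    return bin(hash_result(a) ^ hash_result(b)).count("1")


# Constructed sample record and an altered copy (one digit changed).
RECORD = b"Pay Rs. 1000 to A. Subscriber on 24 January 2021"
ALTERED = b"Pay Rs. 9000 to A. Subscriber on 24 January 2021"
SIGNATURE = sign(RECORD)

if __name__ == "__main__":
    print("original verifies:", verify(RECORD, SIGNATURE))
    print("altered verifies: ", verify(ALTERED, SIGNATURE))
    print("hash bits changed by the alteration:", differing_bits(RECORD, ALTERED))
```

Real digital signature certificates use keys generated from secret primes and a padded signature scheme; only the hash-and-compare logic carries over from this sketch.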
The Information Technology Act recognises two types of violations: first, contraventions
relating to damage to computers and computer systems; protection of data; failure to furnish
information; and violation of any provision, rule, regulation or direction under the Act.35 Second,
offences relating to identity theft, cyber terrorism, publishing or transmitting obscene and
sexually explicit materials (also providing special protection to children in such cases),
violation of privacy etc.36
Section 2(c) of the act defines adjudicating officer as an adjudicating officer appointed under
sub-section (1) of section 46. Section 46 provides for appointment of an adjudicating officer
who shall investigate allegations of violation of the provisions of the IT Act and adjudicate
upon the quantum of compensation/penalty to be awarded in case of violation. The adjudicating
officer has the powers of a civil court and proceedings before it are deemed to be judicial
proceedings. As per the Ministry of Electronics and Information Technology (“MeitY”), the
secretary of the department of information technology of each state is appointed as the AO
for that state by default.37 The Telecom Disputes Settlement and Appellate Tribunal is
the Appellate Tribunal for the purposes of this Act and the said Appellate Tribunal has the
32 Explanation to section 3(2), Information Technology Act, 2000.
33 Neeraj Arora, Hash Value: Authentication and Admissibility in Indian Perspective, CRIS, (January 28, 2021, 5:00 p.m.) https://cyberpandit.org/?article_post=hash-value-authentication-and-admissibility-in-indian-perspective#:~:text=The%20rule%203%2C%204%20and,is%20known%20to%20be%20the
34 Rule 6 The Information Technology (Certifying Authorities) Rules 2000.
35 Section 43-44 Information Technology Act, 2000.
36 Chapter XI Information Technology Act, 2000.
37 Order, Ministry of Communication and Information Technology (Department of Information Technology), Gazette of India, 25 March 2013, http://egazette.nic.in/WriteReadData/2003/E_136_2011_029.pdf
jurisdiction, powers and authority conferred on it by or under this Act.38 Any party aggrieved
by the order of the adjudicating officer or controller can file an appeal before the said tribunal.39
The appellate tribunal is not bound by the procedures laid down in the Civil Procedure Code
1908; rather, it has the power to devise its own rules to regulate its procedure, including the
place of its sittings.40 An appeal against the order of the appellate tribunal shall lie before the high
court41 and no civil court shall have the jurisdiction to entertain any matter in respect of
which an adjudicating officer has been appointed or the appellate tribunal has been constituted.42
CONCLUSION
The advent of the computer and the internet brought things we couldn’t have imagined to our
fingertips at an insurmountable speed, but with these sweet fruits come the bitter implications of
such a technology. It is no hidden fact that in today’s era of information technology,
cyber-crimes or information technology related crimes are not merely confined to pornography,
identity theft, bank fraud etc. but have extended their arms to terrorism, drug trafficking and
other nefarious criminal activities. In this landscape, which could have led to utter chaos, the
Information Technology Act has served a great purpose. It inter alia lays down the laws to
regulate e-commerce, modern day computer crimes and offences, and punishment in case of
violation of the act as well as commission of any offence. The act also recognizes electronic
signatures and digital signatures and confers legal recognition on electronic records
authenticated through these signatures. Despite these advantages, the act does not adequately
deal with certain issues like privacy, the vast powers of police, the ambiguous definition of certain
terms like cyber terrorism and the dispute resolution framework. In order to synchronize the
dream of digital India with a ‘secure digital India’, it is pertinent to further strengthen the
Information Technology Act, especially on aspects of privacy and dispute resolution in case of
cyber and computer related offences.
38 Section 48 Information Technology Act, 2000.
39 Section 57 Information Technology Act, 2000.
40 Section 58 Information Technology Act, 2000.
41 Section 62 Information Technology Act, 2000.
42 Information Technology Act, 2000.