
Citation: 43 Comm. L. World Rev. 208 2014


Electronic copy available at: http://ssrn.com/abstract=2748441


Signature Provisions in the Amended Indian Information Technology Act 2000: Legislative Chaos

Hemali Shah* and Aashish Srivastava†

Abstract: The Indian Parliament enacted the Information Technology
Act (ITA) in 2000 to provide legal recognition to e-commerce and
e-governance. The ITA, however, was heavily criticized for being
technology-specific in nature and was therefore amended in 2008 to
give it a technology-neutral status. The aim of this paper is to examine
critically the provisions related to electronic signatures in the amended
legislation by comparing them with the United Nations Commission on
International Trade Law (UNCITRAL) model laws, the European Union
Directive on Electronic Signatures and other electronic signatures
legislation across the world. The paper concludes that, despite the
amendments, the ITA is still a weak legislation, complex to understand,
ambiguous and fails to address many aspects of electronic signatures
usage. It is also an over-regulated legislation compared with similar
legislation in other developing countries such as China and developed
countries such as Australia, the UK and Singapore. Finally, the authors
provide some recommendations, which can potentially address the
shortcomings of the ITA.
Keywords: electronic signatures, digital signature, India, Information
Technology Act 2000

I. Introduction
Various governments and international organizations have introduced
electronic signatures legislation (ESL)1 to promote global

* PhD candidate, Department of Business Law and Taxation, Monash University,
Melbourne, Victoria, Australia; hemali.shah@monash.edu
† Senior Lecturer, Department of Business Law and Taxation, Monash University,
Melbourne, Victoria, Australia; aashish.srivastava@monash.edu
1 For the sake of convenience, the generic term 'Electronic Signatures
Legislation' (ESL) has been used in this paper with reference to the laws
governing electronic transactions, including electronic signatures.

208 Common Law World Review 43 (2014) 208-230


DOI: 10.1350/clwr.2014.43.3.0271


e-commerce 2 and provide electronic signatures 3 with the same
legal recognition as manuscript signatures. The United Nations
Commission on International Trade Law (UNCITRAL) introduced
the Model Law on Electronic Commerce 1996 (MLEC) and Model
Law on Electronic Signatures 2001 (MLES). The European Union
(EU) enacted the Electronic Signatures Directive 1999 (EU E-signatures
Directive) to ensure consistency and legal validity of electronic
signatures among its member states.4 Typically, the ESL of any
country is based on one of the three approaches, which are in turn
based on different assumptions about the legal status and admissibility
of electronic signatures. The approaches are:
(1) a minimalist or technology-neutral approach, where any technology
can be used as an electronic signature provided it
satisfies the legal function of a signature and does not prefer
one particular technology over the other;5
(2) a prescriptive or technology-specific approach, which recognizes
the use of one particular form of technology, i.e. digital
signature;6 and
(3) a hybrid or two-pronged approach, which provides an evidentiary
presumption in favour of the validity of an electronic
signature if the parties use specific technologies, in particular,

2 E-commerce can be defined as 'the use of an electronic network to exchange
information, products, services and payments for commercial and communication
purposes between individuals (consumers) and businesses, between
businesses themselves, between individuals themselves, within government
or between the public and government and, last between business and
government'. See Department of Communications, A Green Paper on Electronic
Commerce for South Africa (Republic of South Africa: Pretoria, 2000) 2,
available at http://www.polity.org.za/polity/govdocs/green-papers/greenpaper/index.html
(accessed 10 May 2014).
3 There is no universally accepted definition of an electronic signature and
different statutes across the world provide different definitions. Appendix 1
briefly outlines what an electronic signature is.
4 Directive 1999/93/EC of the European Parliament and of the Council of 13
December 1999 on a Community Framework for Electronic Signatures [2000]
OJ L13/13, available at
http://ec.europa.eu/digital-agenda/en/pillar-i-digital-single-market/action-8-revision-esignature-directive
(accessed 10 May 2014). The
EU E-signatures Directive was successful in promoting the use of electronic
signatures in the member states of the European Union. However, it has
recently been reviewed in the context of mutual recognition of electronic
identification to provide a comprehensive and predictable legal framework with
a view to enhance user empowerment, convenience and trust in the digital
world.
5 A. Srivastava, 'Legal Understanding and Issues with Electronic Signatures-An
Empirical Study of Large Business' (2008) 35 Rutgers Computer and Technology
Law Journal 44. Most common law countries like Australia, Canada, the United
States and New Zealand have adopted the minimalistic approach.
6 Ibid. Digital signature is one of the forms of an electronic signature. It has
been briefly explained in Appendix 1. Countries like Nepal, Mongolia and
Indonesia have adopted a technology-specific approach.
digital signature issued by a recognized certifying authority (CA).7
Appendix 1 provides a short description of an electronic signature,
including digital signature, and a brief overview of the functions of
a CA with regard to a digital signature.
The Indian Parliament enacted the Information Technology Act
(ITA) in 2000 to provide legal recognition to the transactions carried
out by an electronic means of communication, commonly known
as e-commerce, and to facilitate e-governance. 8 The ITA, however,
was heavily criticized for being technology-specific in nature by
permitting only the use of a digital signature issued by a licensed
CA as a legally valid signature. The ITA was therefore amended by
the Information Technology Amendment Act in 2008 (ITAA 2008)
to give the legislation a technology-neutral flavour.9 In doing so,
the 2008 amendment has introduced new provisions and revised
some of the existing provisions in the ITA. Nevertheless, the ITA
(as amended by the ITAA 2008) still remains complex, cabalistic and

7 Ibid. Certifying authority (CA) is also referred to as a Certification Service
Provider (CSP) in some jurisdictions. The ITA of India uses the term 'certifying
authority'. A CA/CSP is a person that issues certificates and may provide
other services related to electronic signatures: UNCITRAL, Guide to Enactment
of the UNCITRAL Model Law on Electronic Signatures 2001 (MLES), Art.
2(e), available at http://www.uncitral.org/uncitral/en/uncitral-texts/electronic_commerce.html
(accessed 10 May 2014). See also the discussion in Appendix 1.
Countries like China and South Africa have adopted a two-pronged approach
to legislation. Germany initially adopted a technology-specific approach but
this was later amended to a two-pronged approach.
8 'E-governance' means electronic governance, i.e. using information and
communication technologies (ICT) at various levels of the government and the
public sector and beyond, for the purpose of enhancing governance: S. Jain
Palvia and S. Sharma, 'E-government and E-governance: Definitions/Domain
Framework and Status around the World' (2007) 5th International Conference
on E-governance 2, available at www.iceg.net/2007/books/1/1_369.pdf (accessed
10 May 2014).
9 Government websites such as that of the Press Information Bureau of the
Government of India say that 'the ITA needed to be technology-neutral to
provide for alternative technology of electronic signature for bringing
harmonisation with the MLES'. The ITA was therefore amended by the ITAA
2008: The Government of India Press Information Bureau, 'The Information
Technology (Amendment) Act 2008 Comes into Force' (27 October 2009),
available at http://pib.nic.in/newsite/erelease.aspx?relid=53617 (accessed 10 May
2014).
extremely confusing, in particular the provisions related to electronic
signatures.10
The aim of this paper is to critically analyse the provisions related
to electronic signatures in the ITA. The structure of the paper is as
follows. Part II examines the various types of electronic signature
mentioned in the ITA for authentication of an electronic record by
comparing them to provisions in the UNCITRAL model laws and
the ESL of other countries. It argues that the amendment of the
ITA has resulted in a legislative chaos with regard to electronic
signature provisions. Part III critically reviews the laws and regulations
governing the use and acceptance of electronic signature
from other countries in a cross-border transaction. Part IV investigates
whether the objective of the ITA's amendment, to make
the ITA technology-neutral, has been achieved. Part V compares
and contrasts the ITA with similar legislation in other countries
and claims that the ITA is prone to over-regulation. Finally, Part VI
makes some concluding remarks and recommends a few measures
that can help to enhance the legal position of electronic signatures
in India.

II. Governance of Various Types of Signature in India
As mentioned above, the ITA was amended in 2008. The aim of this
amendment was to align it to the MLES and make the Act technology-neutral.
This was in part put into action by introducing the term
'electronic signature'. However, unlike any other ESL in the world,
the ITA mentions four types of signature: electronic signature,11
reliable electronic signature,12 secure electronic signature13 and digital

10 Note that in India there is only one Act i.e. the Information Technology Act
2000 (ITA). The Information Technology Amendment Act 2008 (ITAA 2008)
was passed by the Parliament to amend the ITA. Therefore all the sections
amended or newly introduced in the Act have become part of the amended
ITA and not the ITAA 2008. Similarly, the rules notified should be treated as
the rules under the ITA (as modified by the ITAA 2008). Further, the rules
notified under the ITA (prior to the 2008 amendment) still remain part of the
ITA to the extent that a specific section has not been amended by the ITAA
2008. If a particular section was modified by the ITAA 2008, but has not been
supplemented by relevant rules or an explanation that the old rule would be
applicable, the old rule should be applied only to the extent of the unamended
part of the ITA. This means that if a particular section has been modified
by the ITAA 2008 and the old rule does not apply to the amended part of a
section, it may be treated as a 'rule pending' to the extent that the old rule
fails to address the amended part of the section.
11 ITA, s. 2(ta).
12 Ibid. at s. 3A(2).
13 Ibid. at s. 15.

signature.14 The sections below critically examine the provisions of
the ITA that relate to these four types of signature.

i. Electronic Signature
Section 5 of the ITA provides legal requirements associated with
the use of an electronic signature. It states that where any law15
provides that information shall be authenticated by affixing16 a
signature, or any document shall bear the signature of any person,
then that requirement shall be deemed to have been satisfied if an
'electronic signature' has been affixed in such manner as prescribed
by the central government.17 In this context, section 2(ta) defines
electronic signature as 'authentication of any electronic record by
a subscriber18 by means of an electronic technique specified in the
second schedule and includes digital signature'.19 Sections 2(ta) and
5 are poorly drafted, and this is one of the major issues with the
ITA's electronic signatures provisions. There are two main issues
with sections 2(ta) and 5. These are: the blank second schedule of
the ITA and the legal functions of a signature, which are discussed
in paragraphs (a) and (b).

(a) Blank Second Schedule of the ITA

As mentioned above, section 2(ta) defines electronic signature as
authentication of any electronic record by a subscriber by means
of the electronic technique specified in the second schedule. The
definition also expressly includes digital signature. The inclusion of
this term means that the regulations regarding 'electronic signature'
will be applicable to digital signature.20
A key aspect of the definition of 'electronic signature' is the
reference to the second schedule. However, despite it being five
years since the ITA was amended, to date the particulars of a new
second schedule have not yet been provided or notified. 21 The ITA,
therefore, does not provide any description or procedure regarding

14 Ibid. at s. 2(p). Each of the four types of signature has been discussed in detail
later in this paper.
15 'Law' means any legislation, common law or law of an unspecified nature: ibid.
at s. 2(y).
16 'Affixing', with grammatical variations and cognate expressions, means
adoption of any methodology or procedure by a person for the purpose of
authenticating an electronic record by means of electronic signature: ibid. at
s. 2(d).
17 Ibid. at s. 5.
18 'Subscriber' means a person in whose name the 'electronic signature
certificate' is issued: ibid. at s. 2(zg).
19 Ibid. at s. 2(ta).
20 Naavi, 'Digital Signatures Under ITA 2008-a Blunder Repeated' (2009),
available at http://www.naavi.org/cl-editorial-09/edit-janl9 itaa analysis 10
elecsig.htm (accessed 10 May 2014).
21 Naavi, The Second Schedule: Electronic Signature or Electronic Authentication
Technique and Procedure, available at http://www.naavi.org/ita_2008/index.htm
(accessed 10 May 2014).
[Figure 1 (flowchart; box text as far as legible in the OCR): According to
section 5, where any law requires authentication by the affixing of a
signature, such requirement is fulfilled by an electronic signature. Section
2(ta) defines electronic signature as the authentication of any electronic
record by a subscriber by an electronic technique specified in the second
schedule, and includes digital signature. The second schedule does not provide
any description or procedure to authenticate electronic records by means of an
electronic signature or authentication technique. Implication: it cannot
satisfy the signature requirement under section 5. Because of the inclusion in
section 2(ta), the provisions regarding electronic signature are applicable to
digital signature. Implication: to date only digital signature can satisfy the
signature requirement under section 5.]

Figure 1: Operational effect of a new second schedule of the ITA on
section 2(ta) and section 5

the use of electronic signature or authentication technique to
authenticate an electronic record. Hence the present system of
digital signature will continue for the time being and remains the
sole method of authentication of an electronic document recognized
by Indian law. 22 The amendment of the ITA in 2008 has therefore not
resulted in any change in the authentication mechanism under the
ITA. Figure 1 provides a graphical representation of the status of a
new 'second schedule' and its operational effect on section 2(ta) and
eventually section 5.

(b) Legal Functions of a Signature


There are two important underlying legal principles for a signature
to be legally enforceable. These are: (i) it must carry out the function
of a signature (this, rather than the signature's form, is paramount)
and (ii) there must be an express or implied indication that the signer
of a document has an intention to adopt the information contained
in the document.23 A signature performs three main functions:

22 See Naavi, above n. 20.
23 C. Reed, 'What is a Signature?' (2000) 3(1) Journal of Information, Law and
Technology [4].
identification, evidence of personal involvement and attribution.24
In all, this means that unless a purported signatory provides the
evidence of authentication of a document and his/her intention to
adopt the information contained in the document, the signature will
not be considered a valid signature.
Focusing on these two basic requirements of a signature to be
legally enforceable, Article 9(3) of the United Nations Convention
on the Use of Electronic Communications in International Contract
2005 (the Convention) establishes the principle that, in an electronic
environment, the basic legal functions of a signature are performed
by way of a method that identifies the originator of an electronic
communication and indicates the originator's intention in respect
of the information contained in the electronic communication.25
It states that where the law requires that a communication or a
contract should be signed by a party, or provides consequences for
the absence of a signature, that requirement is met in relation to an
electronic communication if:
(a) a method is used to identify the party and to indicate that party's
intention in respect of the information contained in the electronic
communication; and
(b) the method used is either:
(i) as reliable as appropriate for the purpose for which the
electronic communication was generated or communicated,
in the light of all the circumstances, including any relevant
agreement; or
(ii) proven in fact to have fulfilled the functions described in
subparagraph (a) above, by itself or together with further
evidence.26
In contrast, the provisions of the ITA are confined to the 'method
of authentication' of an electronic record. It does not provide any
requirement to indicate the signer's intention to adopt the content of
an electronic record, a central rationale of a signature. The concept of
'authentication' and 'authenticity' generally are understood in law as
referring to the genuineness of the document or record and mainly
serve the function of identification, confirmation of authority and
assurance concerning integrity of the documents.27 In the electronic
era, authentication means linking information in electronic form
to a person or entity.28 It does not necessarily constitute a signatory's
intention to adopt the content of the document. Thus, merely

24 A. Raymond, 'Improving Confidence in Cross Border Electronic Commerce,
Communication, Signature, and Authentication Device' (2011) 14(3) Journal of
Internet Law 25.
25 UNCITRAL, UN Convention on the Use of Electronic Communications in
International Contract 2005, GA Res. 60/21, UN Doc. A/60/515 (9 December 2005)
explanatory paragraphs 154, 159, 53 and 54.
26 Ibid. Art. 9(3).
27 See Raymond, above n. 24 at 27.
28 Ibid. at 25.

affixing a person's name without his/her intention to acknowledge
the content of the document does not constitute a legally valid
signature. For a signature to be legally valid it must be capable of
identifying the signatory and there must be an express or implied
indication that the person who has signed the document has an
intention to adopt the content of the document. This second element
is lacking in the ITA.

ii. Reliable Electronic Signature


Section 3A of the ITA talks about reliable electronic signature. It
lays down the criteria for the authentication of an electronic record
by a subscriber by using electronic signature or electronic authentication
technique. It states that:
(1) Notwithstanding anything contained in section 3,29 but subject
to the provisions of sub-section (2), a subscriber may authenticate
any electronic record by such 'electronic signature' or 'electronic
authentication technique' which-
(a) is considered reliable; and
(b) may be specified in the Second Schedule.
(2) For the purposes of this section any electronic signature or
electronic authentication technique shall be considered reliable if-
(a) The signature creation data30 or the authentication data31 are,
within the context in which they are used, linked to the signatory
or, as the case may be, the authenticator and to no other person;
(b) the signature creation data or the authentication data were, at the
time of signing, under the control of the signatory or, as the case
may be, the authenticator and no other person;
(c) any alteration to the electronic signature made after affixing such
signature is detectable;
(d) any alteration to the information made after its authentication by
electronic signature is detectable; and
(e) it fulfils such other conditions which may be prescribed.32
According to section 3A, it is not mandatory to authenticate an
electronic record by affixing a digital signature as provided under
section 3. A subscriber may authenticate an electronic record by

29 ITA, s. 3 deals with the authentication of an electronic record by a subscriber
by using a digital signature. It is discussed later in this paper.
30 The ITA does not define the term 'signature creation data'. However,
according to s. 2 of the Electronic Signatures Regulations 2002 (ESR) of the
United Kingdom, signature creation data means unique data (including, but
not limited to, codes or private cryptographic keys) which are used by the
signatory to create an electronic signature.
31 The ITA also does not define the term 'signature authentication data'. Art.
34(5) of the Electronic Signature Law (ESL) of China, which is identical to s. 2
of the ESR (in the UK), defines the term 'electronic signature authentication
data'. It states that 'electronic signature authentication data' means data used
in the authentication of electronic signing, including the codes, passwords,
algorithm and public keys.
32 ITA, s. 3A.
using an electronic signature or electronic authentication technique,
which is reliable under sub-section (2) of section 3A and may be
specified in the second schedule. It is important to mention here that
section 3A(2)(a)-(d) is based on Article 6(3) of the MLES. 33 However,
the ITA adds an extra provision, section 3A(2)(e), which requires that
an electronic signature or electronic authentication technique fulfils
such other conditions as may be prescribed. This provision is clearly
vague, particularly given the restrictive definition of 'prescribed' in
the legislation. According to section 2(zb), the term 'prescribed'
means the rules made under the ITA. A closer look at the rules that
supplement the ITA reveals that there are no rules for section 3A.34
This restrictive definition is different to that used in other countries.
The UK, for example, has adopted a wider approach under section
5 of the Electronic Communications Act 2000 (ECA). It defines the
term 'prescribed' in Part I of the ECA as 'prescribed by regulations
made by the Secretary of State, or determined in such manner as
may be provided for in any such regulations'.35
The 'reliability test' listed under section 3A(2)(a)-(e) provides an
opportunity to a party to the transaction to escape its obligation
by denying the validity of a party's signature on the ground that

33 Art. 6(3) of the MLES states that an electronic signature is considered to be
reliable if (a) the signature creation data are linked to the signatory; (b) the
signature creation data were, at the time of signing, under the control of the
signatory; (c) any alteration to the electronic signature, made after the time
of signing, is detectable; and (d) where a purpose of the legal requirement
for a signature is to provide assurance as to the integrity of the information
to which it relates, any alteration made to that information after the time
of signing is detectable. It is to be noted that Art. 6(4) does not restrict any
person to prove or to establish in any other way the appropriateness and
reliability of the electronic signature in question. However, without any proper
directions to prove it, the vagueness and ambiguity prevails.
34 These rules include the Information Technology (Certifying Authorities)
Rules 2000, the Cyber Regulation Appellate Tribunal (Procedure) Rules 2000,
the Information Technology (Other Powers of Civil Court Vested in Cyber
Appellate Tribunal) Rules 2003, the Information Technology (Other Standards)
Rules 2003, the Information Technology (Qualification and Experience of
Adjudicating Officers and Manner of Holding Enquiry) Rules 2003, the Information
Technology (Use of Electronic Records and Digital Signatures) Rules 2004, the
Information Technology (Security Procedure) Rules 2004, the Cyber Appellate
Tribunal (Salary, Allowances and Other Terms and Conditions of Services
of Chairperson and Members) Rules 2009, the Cyber Appellate Tribunal
(Procedure of Investigation of Misbehaviour or Incapacity of Chairperson and
Members) Rules 2009, the Information Technology (Procedure and Safeguards
for Blocking for Access of Information by Public) Rules 2009, the Information
Technology (Procedure and Safeguards for Monitoring and Collecting
Traffic Data or Information) Rules 2009, the Information Technology (Certifying
Authorities) Amendment Rules 2011 (ITCA) and the rules for the appointment
of CERT (Computer Emergency Response Team) as an agency. The comprehensive
list of all the rules is available at http://deity.gov.in/content/notifications
(accessed 10 May 2014). In the context of the discussion in n. 10 above, note
that if there is no rule for the corresponding section, it does not negate
the section, but for such blind portion 'due diligence or common business
practice' will be applicable.
35 The ECA 2000 (c. 7), s. 5.

the method of signature employed was not reliable, even if there
is no question as to the authenticity of the electronic signature.
Moreover, if a dispute arises in the court proceeding regarding the
reliability of an electronic signature, the court may invalidate the
entire contract on the ground that the electronic signature was not
reliable in the provided circumstances.36 To resolve the vagueness
associated with the reliability test Article 9(3) of the Convention has
added an extra provision, Article 9(3)(b)(ii),37 which ensures that a
party to the contract should not be allowed to invoke the 'reliability
test' to repudiate its signature if the actual identity of the party
and its actual intention could be proved.38 Article 9(3)(b)(ii) of the
Convention validates a signature method regardless of its reliability
in principle whenever the signature method used is proven in
fact to have identified the signatory and indicated the signatory's
intention in respect of the information contained in the electronic
communication.39

iii. Secure Electronic Signature


Section 15 of the ITA defines the term 'secure electronic signature'.
It states that an 'electronic signature' shall be deemed to be a secure
electronic signature if:
(1) the signature creation data, at the time of affixing signature, was
under the exclusive control of signatory and no other person; and
(2) the signature creation data was stored and affixed in such exclusive
manner as may be prescribed.40
According to section 85B(2)(a) of the amended Indian Evidence
Act 1872 (IEA), a secure electronic signature is presumed to be
affixed by a subscriber with an 'intention' of signing or 'approving'
the electronic record, unless the contrary is proved.41 After reading
through these provisions, one could assume that when a question
arises as to the 'intention' of a signer to 'approve' the content of an
electronic record, only a secure electronic signature could establish
the signer's intention, a fundamental requirement of a signature
(manuscript or electronic), as discussed earlier.
The secure electronic signature provision of the ITA has been
borrowed from section 17 of the Electronic Transactions Act 1998
of Singapore.42 Note that the Electronic Transactions Act 1998 was

36 S. Mason, Electronic Signatures in Law (Cambridge University Press:
Cambridge, 2012) 104.
37 To refer to Art. 9(3)(b)(ii) of the Convention, see UNCITRAL, above n. 25.
38 See UNCITRAL, above n. 25, explanatory paragraph 164.
39 Ibid.
40 ITA, s. 15.
41 Indian Evidence Act 1872, s. 85B(2).
42 F. Mir and M. Banday, 'Authentication of Electronic Records: Limitations of
Indian Legal Approach' (2012) 7 Journal of International Commercial Law and
Technology 229.
repealed and re-enacted in July 2010 as the Electronic Transactions
Act 2010 (Cap. 88) (the 2010 ETA).43 The new Act reinstates44
the provision relating to secure electronic signature in section 18.
Furthermore, section 19 of the 2010 ETA provides a rebuttable presumption
relating to a secure electronic signature. It states that a
secure electronic signature is a signature of the person to whom
that signature correlates, made with the intention of signing or
approving the record.45 Section 19 complements section 8 of the
2010 ETA,46 which has been amended based on Article 9(3) of the
Convention, to make the legislation technology-neutral. Section 8
authorizes a person to use a signature method that can identify the
signer and indicate the signer's intention with respect to the information
contained in the electronic records.47 Figure 2 demonstrates
how the secure electronic signature presumption provision made
under section 19 complements section 8 of the 2010 ETA.
On the other hand, the presumption provision made under section
85B(2)(a) of the IEA conflicts with section 5 of the ITA. Figure 3
explains how a secure electronic signature presumption provision
made under section 85B(2)(a) of the IEA conflicts with the provisions
relating to a valid signature under section 5 of the ITA.
Moreover, unlike the ITA, the 2010 ETA does not prescribe any
particular form of signature for the authentication of an electronic
record. On the contrary, section 5 of the ITA, although it uses a
neutral term 'electronic signature' to provide legal validity to information
or matter authenticated by any form of electronic signature
(as discussed above), impliedly recognizes only the use of a digital
signature.48

iv. Digital Signature


The ITA also exclusively authorizes the use of a digital signature
to authenticate the electronic record. Section 2(p) defines digital
signature as 'authentication of electronic record by a subscriber by
means of an electronic method or procedure in accordance with the
provision of section 3'. Section 3 states that:

43 Hereafter, in this paper only provisions of the 2010 ETA (Cap. 88) have been
discussed.
44 2010 ETA, s. 18 states that an electronic signature is to be treated as a secure
electronic signature if it can be verified that it was, at the time it was made,
unique to the person using it, capable of identifying such person, created
under the sole control of the person using it, and linked to the record in a
manner such that if the record is changed the electronic signature would
be invalid. The verification is through the application of a specified security
procedure or a commercially reasonable security procedure agreed to by the
parties. The 2010 ETA (Cap. 88), Explanatory statement, s. 18.
45 The 2010 ETA (Cap. 88), Explanatory statement, s. 19.
46 2010 ETA, s. 8 provides legal requirements for a valid signature.
47 The 2010 ETA (Cap. 88), s. 8.
48 See Figure 1.


Figure 2: Relationship between section 19 and section 8 of the 2010 ETA

Figure 3: Relationship between section 85B(2)(a) of the IEA and section 5 of the ITA

(1) Subject to the provisions of this section, any subscriber may
authenticate an electronic record by affixing his digital signature.
(2) The authentication of the electronic record shall be effected by the
use of asymmetric crypto system and hash function, which envelop
and transform the initial electronic record into another electronic
record.
(a) To derive or reconstruct the original electronic record from the
hash result produced by the algorithm;
(b) Those two electronic records can produce the same hash result
using the algorithm.
(3) Any person by the use of a public key of the subscriber can verify
the electronic record.
(4) The private key and the public key are unique to the subscriber
and constitute a functioning key pair.49
A subscriber may authenticate an electronic record by affixing a
digital signature provided the procedure laid down under section 3
has been duly complied with. Section 3(2) provides the procedure
to authenticate an electronic record by using an asymmetric crypto
system and hash function.50
It should be noted that, unlike section 85B of the IEA, which has
a provision establishing a presumption regarding the intention of
a signer using a secure electronic signature, there is no such
presumption of intention for a digital signature. Therefore, when the
document is authenticated using a digital signature, which may or
may not indicate the intention of a signer to approve the content
of the document, the inclusion or exclusion of evidence relating to
this signature will be a matter of procedure, rules and the court's
ex-post facto rationalization.

v. The Amendment of the ITA


The use of the terms 'electronic signature certificate' and 'digital
signature certificate' throughout the ITA creates ambiguity in the
mind of the reader. For example, Chapter VII of the ITA is titled
'electronic signature certificate'. However, excluding section 35,
all other sections and provisions of this Chapter use the term
'digital signature certificate'. The terms are not interchangeable,

49 ITA, s. 3. Note that as against s. 3A, which provides criteria for authentication
of electronic record by using an electronic signature or electronic
authentication technique, s. 3 provides the procedure to authenticate an electronic record
by using digital signature.
50 In this context, ITA, s. 2(f) defines 'asymmetric crypto system' as a system of
a secure key pair consisting of a private key for creating a digital signature
and a public key to verify the digital signature. Here the term 'key pair' means
a private key and its mathematically related public key, which are so related
that the public key can verify a digital signature created by the private key:
ITA, s. 2(x). 'Private key' means the key of a key pair used to create a digital
signature: ITA, s. 2(zc). 'Public key' means the key of a key pair used to verify
a digital signature and listed in the digital signature certificate: ITA, s. 2(zd).

and provisions using 'digital signature certificate' may not in fact
apply to electronic signature certificate.51 To avoid such perplexity,
the Electronic Signature Law (ESL) of China uses the generic
term 'electronic signature authentication certificate'.52 Similarly,
the ECA in the UK has adopted a broad approach and uses the
term 'certificate'.53 Singapore, which has recently amended its
2010 ETA from technology-specific to technology-neutral, has
also adopted a generic approach, using the term 'certificate' like
the UK.54 The inconsistency in the Indian legislation has created
obscurity and a legislative chaos for the interpretation of the
provisions of the ITA.
Furthermore, according to section 40 of the ITA, the subscriber
of any digital signature certificate shall generate the key pair by
applying the 'security procedure'. According to section 2(zf),
'security procedure' means the security procedure prescribed under
section 16 of the ITA, which states that the central government
may, for the purpose of sections 14 (secure electronic record) and
15 (secure electronic signature), prescribe the security procedures
and practices. Section 16 does not make any provision for section
40. Thus, it is unclear what security procedures will be applicable
for section 40.
It seems that the amendment of the ITA from technology-specific
to technology-neutral has rendered the Act nebulous. Other
countries such as Singapore have amended their ESL much more
effectively. The 2010 ETA does not mention four different types of
signature like the ITA but instead is confined to 'secure electronic
signature'.55 The ECA in the UK defines 'electronic signature'56 and
the Electronic Signatures Regulations 2002 (ESR) of the UK define
an 'advanced electronic signature'.57 Even two-pronged legislation
such as the EU E-signatures Directive defines either 'reliable
electronic signature' or 'secure/advanced/qualified electronic
signature'. For example, the ESL in China defines 'electronic
signature'58 and 'reliable electronic signature'.59 Thus a successful
piece of legislation defines either 'reliable electronic signature'
or 'secure/advanced/qualified electronic signature'. Only the EU
E-signatures Directive mentions three different forms of electronic

51 See Naavi, above n. 20.
52 Electronic Signature Law, Art. 20.
53 Electronic Communications Act 2000 (c. 7), s. 7(1).
54 2010 ETA (Cap. 88), s. 1(1), part I of the third schedule.
55 Ibid. at s. 2(1).
56 Electronic Communications Act 2000 (c. 7), s. 7(2).
57 Electronic Signatures Regulations 2002, s. 2.
58 Electronic Signature Law, Art. 2.
59 Ibid. at Art. 13.

signature, i.e. 'simple electronic signature',60 'advanced electronic
signature'61 and 'qualified electronic signature'.62 In practice, the
classification of electronic signatures provided by the EU E-signatures
Directive creates increasing levels of authentication.63 It has
been argued that while the legal conditions for the 'simple electronic
signature' could be met by the use of any technology, the requirements
for the 'advanced electronic signature' could be fulfilled only
by the use of a digital signature based on a public key infrastructure
(PKI), and those for the 'qualified electronic signature' only
by the use of a digital signature based on PKI and a smart card.64
However, the ITA has taken a step further and adopted four types
of electronic signature. In the physical world, there is only one
type of signature, i.e. a handwritten signature. For an electronic
signature to be readily adopted for a commercial transaction, a
similar approach should be taken. The best way to do this is to
have a provision similar to the Convention, which recognizes the
use of any method as a valid signature that identifies the party
and indicates the party's intention with respect to the information
contained in the electronic communication.65

III. Recognition of Foreign Certifying Authorities
It is a matter of public policy whether a country sets up a
compulsory implementation scheme to provide for a technical
framework for CAs or permits a voluntary scheme.66 In a
'compulsory' scheme, a person or entity that wants to serve as a
CA is required to hold a licence issued by a designated authority or
entity. Under a voluntary scheme, no such licensing is required.67
Unlike Singapore, Australia and the UK, who have adopted a
voluntary licensing regime, India has adopted a compulsory

60 Directive 1999/93/EC of the European Parliament and of the Council of 13
December 1999 on a Community Framework for Electronic Signatures [2000]
OJ L13/13, Art. 2(1).
61 Ibid. at Art. 2(2).
62 Ibid. at Art. 5(1).
63 UNNExT, UNESCAP and UNECE, Electronic Single Window Legal Issues: A
Capacity-building Guide, UN Doc ST/ESCAP/2636 (2012) 29.
64 Ibid.
65 Refer to Art. 9(3) of the Convention: see UNCITRAL, above n. 25.
66 See Mason, above n. 36 at 174.
67 However, even in the voluntary system, it is hard to find an unlicensed
CA/CSP because unless a CA/CSP holds a licence, any electronic signature or
document verified by them will not be accorded a strong legal status. S.
Blythe, 'A Critique of India's Information Technology Act and Recommendation
for Improvement' (2006) 34 Syracuse Journal of International Law and
Commerce 20.

licensing regime,68 like China. However, the ITA's provisions for CAs
are more ambiguous than the ESL in China. This may be the reason
for there being 22 CAs in China69 compared with only seven in India70

68 Those who want to provide a certification service can apply to be licensed by
the Controller of Certifying Authority (CCA) to operate as a CA in India as
per ITA, s. 21. The CCA is a body appointed by the Central Government by
notification in the official gazette by virtue of ITA, s. 17. The Root Certifying
Authority of India (RCAI) is set up by the CCA to serve as the root of trust
in the hierarchical PKI model. It issues public key certificates to the licensed
CA with its self-signed root certificate. These licensed CAs in turn issue an
electronic signature certificate to the end user (subscriber): Department of
Information Technology, Guidelines for Usage of Digital Signatures in
e-Governance: Version 1.0 (Ministry of Communications and Information Technology:
New Delhi, 2010) 7.
Subject to the provisions of s. 21(2), any person may make an application
to the CCA for a licence to issue an electronic signature certificate under ITA,
s. 21(1). Rule 8 of the Information Technology (Certifying Authorities) Rules
2000 (ITCA) provides a list of persons who may apply for a grant of a licence
to issue a digital signature certificate. Moreover, according to s. 21(3), the
licence will be valid for such period as prescribed by the Central Government
and is not transferable or heritable. According to ITA, s. 24, the CCA may
grant or reject a licence on the receipt of an application under s. 21(1) after
considering the documents accompanying the application and such other
factors (ITCA, Rule 16). The ITA authorizes the CCA to set standards and
conditions for licensing and governing the function of the CA.
69 It includes: Anhui Certification Authority Co., Ltd, Flying Integrity Technology
Co., Ltd, Unitrust, Beijing Certificate Authority, Shanghai Electronic Certification
Authority Center Co., Jiangsu Certificate Authority Inc., Hebei Electronic
Commerce CA Ltd, Shandong Certification Authority Co., Ltd, GuangXi Certificate
Authority Ltd, Fujian Digital Certificate Authority Co., Ltd, Liao Ning
Certification Authority Center, Guang Dong Certification Center, Chongqing
Digital Certificates and Certification Center, Shaanxi Digital Certification
Authority, Xinjiang Certificate Authority, Henan Certificate Authority, Shanxi
Electronic Certification Authority, Tianjin Certificate Authority, CFCA-
China Financial Certification Authority, Office of the State of Commercial
Password Management, Beijing Certification Authority and Institute of High
Energy Physics CA: Tractis, Certification Authorities in People's Republic of
China (March 2010) available at https://www.tractis.com/contracts/872866772
(accessed 10 May 2014).
70 It includes: Safescrypt (www.safescrypt.com), National Informatics Centre
(www.nic.in), Institute for Development and Research in Banking Technology
(www.idrbtca.org.in), Tata Consultancy Service (www.tcs-ca.tcs.co.in),
Gujarat Narmada Valley Fertilizer Company Ltd (www.ncodesolutions.com),
e-MudhraCA (www.e-Mudhra.com) and Indian Air Force: Controller
of Certifying Authorities, Licensed CAs, available at
http://cca.gov.in/cca/?q=licensed ca.html (accessed 10 May 2014).

that have been granted a licence by the Controller of Certifying
Authority (CCA).71
Chapter VI of the ITA acknowledges the requirements to recognize
foreign CAs in India. It gives equal legal status and validity to a
certificate issued by a foreign CA as a certificate issued by a domestic
CA provided it satisfies the requirements laid down in section 19.
Section 19 states that:
(1) Subject to such conditions and restrictions as may be specified,
by regulations, the Controller may, with the previous approval of
the Central Government, and by notification in the official gazette,
recognise any foreign CA as a CA for the purpose of this Act.
(2) Where any CA is recognised under sub-section (1), the electronic
signature certificate issued by such CA shall be valid for the purpose
of this Act.
Note that although section 19 provides legal recognition to a
certificate issued by a foreign CA, it does not address the issue of
cross-certification of a certificate issued by a foreign CA. The issue
of cross-certification is dealt with by rule 12 of the ITCA. Rule 12
of the ITCA states that:
the arrangement for cross-certification by the licensed CA with a
foreign CA along with the application shall be submitted to the
CCA in such a form and manner as may be provided in the
regulations made by the CCA; and the licensed CA shall not commence
cross-certification operations unless it has obtained written or digital
signature approval from the CCA.
Note that neither the amendment of section 19 (i.e. replacement
of the term 'digital signature certificate' with 'electronic signature
certificate') nor rule 12 has yet been supplemented by any
regulations, which creates ambiguity for these provisions' interpretation.
Generally, if any particular provision of the Act is modified or
amended it should be supplemented with either a new regulation or
clarification that the old regulation would be applicable. However,

71 Note that the number of CAs in India is considerably higher than the number
of CAs in the countries having a voluntary licensing regime such as Australia
(four) and the UK (four). In Australia the Department of Defence, Medicare
Australia, Verizon Australia Pty Ltd and Australian Taxation Office are the
accredited CAs, while Australia Post and Symantec Australia Pty Ltd are
undergoing accreditation under the Gatekeeper PKI framework. Baltimore
Certificates Australia Pty Ltd, Telstra Corporation Limited,
PricewaterhouseCoopers and ANZ Banking Group Limited were former accredited service
providers under the Gatekeeper framework: Australian Government
Information Management Office (AGIMO), Directory of Gatekeeper Accredited
Service Providers, available at
http://agimo.gov.au/policy-guides-procurement/gatekeeper-public-key-infrastructure/directory-of-gatekeeper-accredited-service-providers/
(accessed 10 May 2014). The CAs in the UK are Trust Assured (The
Royal Bank of Scotland: www.trustassured.co.uk), BT Ignite
(www.btglobalservices.com), Trustis Ltd (www.trustis.com) and Equifax Secure Ltd
(www.equifaxsecure.co.uk).

no such clarification has come into force after the 2008 amendment
of the ITA.72
Another issue with section 19 is that it requires the CCA to
satisfy several complex requirements, such as obtaining prior
approval from the central government and providing notification in
the official gazette. Furthermore, section 32 requires that every CA
shall display its licence in a conspicuous place at the premises in
which it carries on its business. As the ITA is confined to the
territorial jurisdiction of India for matters related to electronic signature,
reading sections 19 and 32 together one can infer that if a foreign
CA is recognized as a domestic CA under section 19 it should also
satisfy the requirements of section 32 and thus would be expected
to open a physical office in India. For example, assume an Indian
subscriber who has obtained an electronic signature certificate from
Safescrypt (an Indian licensed CA) and who attempts to enter into
a contract with its Australian counterpart, who holds the electronic
signature certificate issued by Medicare Australia (accredited CA of
Australia). This contract may not be considered valid under the ITA
unless Medicare Australia applies to the CCA under section 19 for
recognition and opens a place of business in India that displays its
licence under section 32. Perhaps these complex provisions are the
reason why in the last nine years, despite India offering the biggest
market for the trust services, not a single foreign CA has applied
for or requested recognition of their services.73
A more appropriate approach is used in Article 26 of the ESL
of China. Article 26 states that after being approved by the State
Council Department of the Ministry of Information Industry (MII)
according to the related agreement and principles of equity, the
electronic signature authentication certificates issued at places by
the CA outside the borders of the People's Republic of China shall
have the same legal effect as the electronic authentication
certificates issued by the CA established according to the ESL. This means
that if the State Council Department of the MII has a reciprocity
agreement with the CCA in India, the certificate issued by a CA
of India will be recognized in China and vice versa. The ITA could
have also considered Article 7(c) of the EU E-signatures Directive,
which states that the certificate or the CA is recognized under a
bilateral or multilateral agreement between the community and
third countries or international organizations. It further states that
the EU Commission shall make proposals, where appropriate, to

72 The non-exhaustive list of the rules and regulations relevant to this paper has
been provided in n. 34 above.
73 Symantec, Foreign Certifying Authorities Welcome to India (13 November 2013),
available at http://www.symantec.com/connect/blogs/foreign-certifying-authorities-welcome-india
(accessed 10 May 2014).

achieve the effective implementation of standards and international
agreements applicable to certification services. If required, it shall
also submit proposals to the EU Council for appropriate mandates
for the negotiation of bilateral and multilateral agreements with
third countries and international organizations.

IV. Has the Objective of the Amendment to make the ITA a Technology-neutral Legislation been Realized?
As mentioned above, the ITA was amended in 2008 with the aim of
making it technology-neutral rather than a technology-specific
legislation. The key amendment was the replacement of the term 'digital
signature' with the more generic term 'electronic signature', which
was intended to broaden the scope of recognized technologies.
However, some of the changes made in the Act are obscure and
difficult to interpret. For example, the ITA does not specify which
forms of electronic signature fall under the ambits of 'reliable' and
'secure' electronic signatures. A close look at sections 3A(2) and 15
reveals that these sections impliedly support only digital signature
technology because no other form of electronic signature technology
can presently satisfy the sections' criteria. If these provisions are
read with other provisions of the ITA, it is clear that the provided
criteria facilitate only an encryption system that uses Public Key
Cryptography (PKC). The hash algorithms and the asymmetric
crypto systems used for the current digital signature technique
are considered 'reliable' and 'secure' as per sections 3A and 15
respectively because only these systems can satisfy the stringent
requirements of these provisions.
Furthermore, as explained earlier, the empty second schedule
also means that only a digital signature can satisfy section 2(ta).74
In the absence of an informative second schedule, it could be
considered that, at least for the near future, traditional digital
signature technology will continue to be the sole method of authen-
tication of any electronic record that will be recognized by the Act.
The absence also means that only a digital signature will be able to
meet the requirement of authentication of an electronic record by a
subscriber under section 5.75
Note that many sections of the ITA also use the terms 'digital
signature', 'digital signature certificate' and 'CA', and establish

74 ITA, s. 2(ta) defines an electronic signature. See Figure 1.
75 See Figure 1.

invigilance processes for such certificates and CAs.76 Moreover,
the definitions of various forms of electronic signature are mainly
based on PKI and asymmetric crypto systems, making the Act a
two-pronged legislation, if not a technology-specific legislation.

V. Over-regulation
The ITA (India) has 13 chapters, 90 sections and two schedules. To
supplement this legislation various regulations and rules have been
put in force, which include the ITCA, which has 34 sections and
five schedules, the Cyber Regulations Appellate Tribunal (Procedure)
Rules 2000, which has 28 sections, and many other rules and
regulations with a number of sections and provisions.77 This appears to be a
case of over-regulation, particularly when compared with other
legislation across the world. For example, China has adopted a detailed
approach in its ESL but has done so in a concise and positive way.
The provisions and regulations of the ESL are precise and
unambiguous compared with the ITA. The ESL has just 36 Articles and
the Administrative Measure on Electronic Certification Service 2005
(AMECS) supplements the ESL with 43 Articles. Similarly, in the UK
the ECA has just 16 sections and the ESR has five sections. Further,
the Electronic Transactions Act 1999 (Cth.) (ETA) of Australia has
17 sections and one schedule, which has been supplemented by the
Electronic Transactions Regulations 2000, which has 11 regulations
and one schedule. The Singapore 2010 ETA has 39 sections and
four schedules, and has been supplemented by the Electronic
Transactions (Certification Authority) Regulations 2010 (Cap. 88, Rg 1,
2010), which has 38 regulations. In comparison, the ITA is massively
over-regulated and contains complex and ambiguous provisions.

VI. Conclusion and Recommendations


This paper critically examined the provisions of the ITA from its
electronic signature perspective and found it to be a weak
legislation which is complex to understand, ambiguous and not addressing

76 For example, ss 2(f) (asymmetric crypto system), 2(g) (CA), 2(h) (certification
practice statement), 2(p) (digital signature), 2(q) (digital signature certificate),
2(x) (key pair), 2(zc) (private key), 2(zd) (public key), s. 3 (authentication of
electronic record by using a digital signature), s. 19 (recognition of foreign
certifying authority), s. 25 (suspension of licence), s. 26 (notice of suspension
or revocation of licence), s. 30 (CA to follow certain procedure), s. 31 (CA to
ensure compliance with the Act), s. 32 (display of licence), s. 33 (surrender
of licence), s. 34 (disclosure), s. 35 (CA to issue certificate), s. 36
(representation upon issuance of digital signature certificate), s. 37 (suspension of digital
certificate), s. 38 (revocation of digital signature certificate), s. 39 (notice of
suspension or revocation), s. 40 (generating key pair), s. 41 (acceptance of
digital signature certificate) and s. 42 (control of private key) of the ITA.
77 See above n. 34.

many aspects of electronic signatures. In this regard the following
observations can be made.
First, the ITA is widely believed to be technology-neutral
legislation.78 In reality, however, it has a two-pronged approach. It
facilitates the authentication of electronic records by using both
electronic signatures and digital signature but gives greater
recognition to digital signature (referring to it as reliable and secure
electronic signatures). To make the ITA technology-neutral it is
recommended that section 5 of the ITA be amended based on Article
9(3) of the Convention. The Convention was adopted by the General
Assembly on 23 November 2005 and came into force on 1 March
2013. The Convention is the latest development in the area of ESL.79
Article 9(3) of the Convention allows a person to use any signature
method that is capable of identifying the signatory and indicating
the signatory's intention in respect of the information contained in
the electronic communication. The advantage of amending section 5
of the ITA in accordance with Article 9(3) of the Convention is that
the ITA would not require a definition of an electronic signature.
This will overcome the currently existing anomaly and vagueness
created by the definition of an electronic signature under section
2(ta). Another advantage of amending section 5 based on Article
9(3) of the Convention is that it would resolve the reliability issue
under section 3A(2).
Second, it would have been more appropriate if India had followed
Singapore by repealing the ITA enacted in 2000 and re-enacting
a new Act based on the provisions of the Convention. Singapore
repealed its original ETA and re-enacted the ETA in 2010 based
on the provisions of the Convention. Singapore has also ratified
the Convention. By adopting the Convention, India would have
avoided the complexity and ambiguity created by the amendment
of existing provisions and incorporation of new provisions into the
ITA. Moreover, it would have brought uniformity of the provisions
relating to electronic signature with that of the ESL of other
countries across the world.
Third, the provision regarding recognition of foreign CAs (section
19) has too many complex requirements. It requires offices to be

78 See, for example, V. Sharma, Information Technology Law and Practice: Law
and Emerging Technology Cyber Law and E-commerce, 3rd edn (Universal Law
Publishing: Delhi, 2011) 28; Department of Information Technology, Proposed
Amendments to Information Technology Act 2000: Summary (Ministry of
Communications & Information Technology: New Delhi, 2005) 2.
79 There are four purposes of the Convention. These are: facilitating the use
of electronic communication in cross-border trade; reinforcing the level of
uniformity in the enactment of the UNCITRAL Model Law (the MLEC and the
MLES); updating certain provisions of the MLEC and the MLES; and providing
core e-commerce legislation to the countries lacking or having incompatible
law in this area. See L. Castellani, 'Policy Considerations on the Electronic
Communications Convention' (2010) 19 Korean Journal of International Trade
and Business Law 2.

opened in India, an application to be made for recognition, approval
from the central government, the licence to be displayed and, most
importantly, notification in the official gazette. The most efficient
way to address this issue would be to remove the requirement of
approval of the central government and instead provide
comprehensive rules and guidelines similar to Article 26 of the ESL in
China and Article 12 of the MLES. Article 12 of the MLES provides
guidelines to determine whether or to what extent a certificate or any
electronic signature is capable of being legally effective. According
to Article 12, this decision should be based on its technical
reliability and not on the geographic location or jurisdiction where the
certificate is issued or the electronic signature is created or used.80
It further acknowledges that there might be significant variance
between the requirements of individual jurisdictions. The
requirement of equivalence does not mean that the level of reliability of a
foreign certificate should be exactly identical with that of a domestic
certificate.81 The Article also states that, in determining whether a
digital signature certificate or an electronic signature offers a
substantially equivalent level of reliability to domestic legislation, regard
should be given to recognized international standards and any
other relevant factors. The recognized international standards may
be statements of accepted technical, legal or commercial practices,
whether developed by the public or private sector (or both), which
are generally accepted as applicable internationally.82 If revising
section 19 fully or partially based on Article 12 of the MLES is not
possible, the ITA should at least be amended to ensure that the
central government, while approving or rejecting the application for
cross-recognition of foreign CA, should take into consideration the
recognized international standards.
Fourth, the ITA differentiates between a digital signature
certificate83 and an electronic signature certificate,84 which is obscure. It is
recommended that the term 'digital signature certificate' should be
replaced by 'certificate' throughout the Act. However, it is important
to mention here that mere replacement or introduction of the term
'electronic signature' in the Act does not necessarily make it
technology-neutral. A major amendment of several provisions of the ITA
is required to make it technology-neutral. The ITA could achieve this
by adopting the provisions of the Convention.
To conclude, the ITA is prone to over-regulation compared with
the ESL of other developing countries such as China and developed
countries such as Australia, the UK and Singapore. The ITA needs
80 See UNCITRAL, above n. 7, Art. 12.
81 Ibid. Article by Article remarks of the UNCITRAL, Chapter II, 70.
82 Ibid. at 72.
83 ITA, s. 2(q).
84 Ibid. at s. 2(tb).

substantial revision to bring it in line with other successful pieces
of legislation across the world.

Appendix 1. Brief Overview of an Electronic Signature, Its Various Forms and the Role of a CA
According to Article 2(a) of the UNCITRAL Model Law on Electronic
Signatures 2001, an electronic signature means 'data in electronic
form in, affixed to or logically associated with, a data message,
which may be used to identify the signatory in relation to the data
message and to indicate the signatory's approval of the
information contained in the data message'. The various forms of electronic
signature include digital signature, PIN, password, fingerprint,
retinal scan, scanned image of a handwritten signature, name typed
at the end of an email message and biometrics. Among the various
types of electronic signature, digital signature has been the most
widely preferred electronic signature. It has been considered to be
the most secure and robust form of electronic signature.
PKC is used in the creation of a digital signature to ensure the
authenticity and integrity of the contents of the data message. It
is a process that involves two signing keys, namely a private key
and a public key. These two keys are unique to the user and work
together as a key pair. A data message encrypted by one key can
only be decrypted by its corresponding public key and vice versa.
A digital signature is generally used within a PKI set-up, which is a
combination of hardware, software, people, policies and procedures
required to create, manage, store, distribute and revoke digital
certificates based on PKC. To ensure that the digital signature belongs
to the signatory, an organization known as a certification authority
is established as a part of the PKI.
A CA issues an electronic ID certificate known as a 'digital
certificate' to ensure that the digital signature belongs to the signatory.
Before issuing a digital certificate, the CA verifies the identity of
the signatory and confirms that the signatory is the owner of the
private key associated with the public key. The primary purpose
of the digital certificate is to bind the key holder to a key pair by
specifying the public key of that pair.
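
The mechanics summarised in this appendix and in section 3 of the ITA can be modelled in a few lines. The following is an added illustration, not code from the article or from any CA: it shows hash-then-sign with a key pair, a certificate chain from a root through a licensed CA to a subscriber, and cross-certification of a foreign CA. The party names, the sample record and the toy RSA keys built from Mersenne primes are assumptions made for the demonstration; it models technical verification only and omits padding, validity periods, revocation and CA constraints.

```python
# Added illustration: a toy model, not production cryptography.
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent used by every toy key


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus
    d: int  # private exponent


def make_keypair(a: int, b: int) -> KeyPair:
    """Textbook RSA key from the Mersenne primes 2**a-1 and 2**b-1.

    Deterministic and trivially factorable: constructed for the demo only.
    """
    p, q = 2**a - 1, 2**b - 1
    return KeyPair(n=p * q, d=pow(E, -1, (p - 1) * (q - 1)))


def digest(data: bytes) -> int:
    """Hash function: a fixed-size result that changes if the record changes."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(key: KeyPair, data: bytes) -> int:
    """Private-key operation over the hash result (no padding: toy only)."""
    return pow(digest(data), key.d, key.n)


def verify(public_n: int, data: bytes, signature: int) -> bool:
    """Anyone holding the public key can run this check."""
    return pow(signature, E, public_n) == digest(data)


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    public_n: int
    signature: int = 0

    def tbs(self) -> bytes:
        """Bytes the issuer signs: binds the subject name to the public key."""
        return f"{self.subject}|{self.issuer}|{self.public_n}".encode()


def issue(subject: str, subject_key: KeyPair, issuer: str, issuer_key: KeyPair) -> Certificate:
    unsigned = Certificate(subject, issuer, subject_key.n)
    return Certificate(subject, issuer, subject_key.n, sign(issuer_key, unsigned.tbs()))


def check_signed_record(record, signature, chain, trust_anchor_n):
    """Validate a chain ordered signer-first, root-last, then the record itself."""
    root = chain[-1]
    if root.public_n != trust_anchor_n or not verify(root.public_n, root.tbs(), root.signature):
        return False, "chain does not end at the trusted root"
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject or not verify(issuer.public_n, cert.tbs(), cert.signature):
            return False, f"certificate of {cert.subject} not issued by {issuer.subject}"
    if not verify(chain[0].public_n, record, signature):
        return False, "record does not match the signature"
    return True, f"signed by {chain[0].subject}"


def demo():
    # Hypothetical parties standing in for the roles the article describes.
    root_k, ca_k, sub_k = make_keypair(2203, 2281), make_keypair(1279, 3217), make_keypair(521, 607)
    foreign_k, peer_k = make_keypair(127, 4253), make_keypair(107, 4423)

    root = issue("Root CA", root_k, "Root CA", root_k)  # self-signed root
    ca = issue("Licensed CA", ca_k, "Root CA", root_k)
    subscriber = issue("Subscriber", sub_k, "Licensed CA", ca_k)
    foreign_root = issue("Foreign CA", foreign_k, "Foreign CA", foreign_k)
    peer = issue("Counterparty", peer_k, "Foreign CA", foreign_k)
    # Cross-certificate: the licensed CA vouches for the foreign CA's key.
    cross = issue("Foreign CA", foreign_k, "Licensed CA", ca_k)

    record = b"Contract: 100 units at agreed price"  # constructed sample record
    sig, peer_sig = sign(sub_k, record), sign(peer_k, record)
    domestic_chain = [subscriber, ca, root]
    return {
        "domestic": check_signed_record(record, sig, domestic_chain, root_k.n),
        "altered": check_signed_record(record + b"0", sig, domestic_chain, root_k.n),
        "foreign": check_signed_record(record, peer_sig, [peer, foreign_root], root_k.n),
        "cross_certified": check_signed_record(record, peer_sig, [peer, cross, ca, root], root_k.n),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} {outcome}")
```

The counterparty's signature is mathematically sound in both of the last two cases; what changes the verifier's answer is only whether a chain leads back to the root it trusts.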
