https://www.copyright.com/ccc/basicSearch.do?&operation=go&searchType=0&lastSearch=simple&all=on&titleOrStdNo=1473-7795
I. Introduction
Various governments and international organizations have intro-
duced electronic signatures legislation (ESL) to promote global
10 Note that in India there is only one Act i.e. the Information Technology Act
2000 (ITA). The Information Technology Amendment Act 2008 (ITAA 2008)
was passed by the Parliament to amend the ITA. Therefore all the sections
amended or newly introduced in the Act have become part of the amended
ITA and not the ITAA 2008. Similarly, the rules notified should be treated as
the rules under the ITA (as modified by the ITAA 2008). Further, the rules
notified under the ITA (prior to the 2008 amendment) still remain part of the
ITA to the extent that a specific section has not been amended by the ITAA
2008. If a particular section was modified by the ITAA 2008, but has not been
supplemented by relevant rules or an explanation that the old rule would be
applicable, the old rule should be applied only to the extent of the unamended
part of the ITA. This means that if a particular section has been modified
by the ITAA 2008 and the old rule does not apply to the amended part of a
section, it may be treated as a 'rule pending' to the extent that the old rule
fails to address the amended part of the section.
11 ITA, s. 2(ta).
12 Ibid. at s. 3A(2).
13 Ibid. at s. 15.
COMMON LAW WORLD REVIEW
i. Electronic Signature
Section 5 of the ITA provides legal requirements associated with
the use of an electronic signature. It states that where any law15
provides that information shall be authenticated by affixing16 a
signature, or any document shall bear the signature of any person,
then that requirement shall be deemed to have been satisfied if an
'electronic signature' has been affixed in such manner as prescribed
by the central government.17 In this context, section 2(ta) defines
electronic signature as 'authentication of any electronic record by
a subscriber18 by means of an electronic technique specified in the
second schedule and includes digital signature'.19 Sections 2(ta) and
5 are poorly drafted, and this is one of the major issues with the
ITA's electronic signatures provisions. There are two main issues
with sections 2(ta) and 5. These are: the blank second schedule of
the ITA and the legal functions of a signature, which are discussed
in paragraphs (a) and (b).
14 Ibid. at s. 2(p). Each of the four types of signature has been discussed in detail
later in this paper.
15 'Law' means any legislation, common law or law of an unspecified nature: ibid.
at s. 2(y).
16 'Affixing', with grammatical variations and cognate expressions, means
adoption of any methodology or procedure by a person for the purpose of
authenticating an electronic record by means of electronic signature: ibid. at
s. 2(d).
17 Ibid. at s. 5.
18 'Subscriber' means a person in whose name the 'electronic signature certifi-
cate' is issued: ibid. at s. 2(zg).
19 Ibid. at s. 2(ta).
20 Naavi, 'Digital Signatures Under ITA 2008-a Blunder Repeated' (2009),
available at http://www.naavi.org/cl-editorial-09/edit-janl9 itaa analysis 10
elecsig.htm (accessed 10 May 2014).
21 Naavi, The Second Schedule: Electronic Signature or Electronic Authentication
Technique and Procedure, available at http://www.naavi.org/ita_2008/index.htm
(accessed 10 May 2014).
INDIAN INFORMATION TECHNOLOGY ACT
[Figure: flowchart, partly recoverable. Left box: 'According to section 5, where any law requires authentication by the affixing of a signature, such requirement is fulfilled by an electronic signature'. Right box: 'Section 2(ta) defines electronic signature as the authentication of any electronic record by a subscriber', with branches 'specified in the second schedule' and 'Includes digital signature'. Lower boxes: 'Because of the inclusion of ...', 'Implication', 'Implication'.]
43 Hereafter, in this paper only provisions of the 2010 ETA (Cap. 88) have been
discussed.
44 2010 ETA, s. 18 states that an electronic signature is to be treated as a secure
electronic signature if it can be verified that it was, at the time it was made,
unique to the person using it, capable of identifying such person, created
under the sole control of the person using it, and linked to the record in a
manner such that if the record is changed the electronic signature would
be invalid. The verification is through the application of a specified security
procedure or a commercially reasonable security procedure agreed to by the
parties. The 2010 ETA (Cap. 88), Explanatory statement, s. 18.
45 The 2010 ETA (Cap. 88), Explanatory statement, s. 19.
46 2010 ETA, s. 8 provides legal requirements for a valid signature.
47 The 2010 ETA (Cap. 88), s. 8.
48 See Figure 1.
[Figure: text largely unrecoverable. Surviving labels: 'Section 15 of the ITA (India)', 'Section 85B(2)(a) of the ... EA', 'Section 5 of the ITA (India)'.]
49 ITA, s. 3. Note that as against s. 3A, which provides criteria for authentication
of electronic record by using an electronic signature or electronic authentica-
tion technique, s. 3 provides the procedure to authenticate an electronic record
by using digital signature.
50 In this context, ITA, s. 2(f) defines 'asymmetric crypto system' as a system of
a secure key pair consisting of a private key for creating a digital signature
and a public key to verify the digital signature. Here the term 'key pair' means
a private key and its mathematically related public key, which are so related
that the public key can verify a digital signature created by the private key:
ITA, s. 2(x). 'Private key' means the key of a key pair used to create a digital
signature: ITA, s. 2(zc). 'Public key' means the key of a key pair used to verify
a digital signature and listed in the digital signature certificate: ITA, s. 2(zd).
licensing regime,68 like China. However, the ITA's provisions for CAs
are more ambiguous than the ESL in China. This may be the reason
for there being 22 CAs in China69 compared with only seven in India"
71 Note that the number of CAs in India is considerably higher than the number
of CAs in the countries having a voluntary licensing regime such as Australia
(four) and the UK (four). In Australia the Department of Defence, Medicare
Australia, Verizon Australia Pty Ltd and Australian Taxation Office are the
accredited CAs, while Australia Post and Symantec Australia Pty Ltd are
undergoing accreditation under the Gatekeeper PKI framework. Baltimore
Certificates Australia Pty Ltd, Telstra Corporation Limited, PricewaterhouseCoopers
and ANZ Banking Group Limited were former accredited service
providers under the Gatekeeper framework: Australian Government Information
Management Office (AGIMO), Directory of Gatekeeper Accredited
Service Providers, available at http://agimo.gov.au/policy-guides-procurement/gatekeeper-public-key-infrastructure/directory-of-gatekeeper-accredited-service-providers/
(accessed 10 May 2014). The CAs in the UK are Trust Assured (The
Royal Bank of Scotland: www.trustassured.co.uk), BT Ignite (www.btglobalservices.com),
Trustis Ltd (www.trustis.com) and Equifax Secure Ltd (www.equifaxsecure.co.uk).
no such clarification has come into force after the 2008 amendment
of the ITA.72
Another issue with section 19 is that it requires the CCA to
satisfy several complex requirements, such as obtaining prior
approval from the central government and providing notification in
the official gazette. Furthermore, section 32 requires that every CA
shall display its licence in a conspicuous place at the premises in
which it carries on its business. As the ITA is confined to the terri-
torial jurisdiction of India for matters related to electronic signature,
reading sections 19 and 32 together one can infer that if a foreign
CA is recognized as a domestic CA under section 19 it should also
satisfy the requirements of section 32 and thus would be expected
to open a physical office in India. For example, assume an Indian
subscriber who has obtained an electronic signature certificate from
Safescrypt (an Indian licensed CA) and who attempts to enter into
a contract with its Australian counterpart, who holds the electronic
signature certificate issued by Medicare Australia (accredited CA of
Australia). This contract may not be considered valid under the ITA
unless Medicare Australia applies to the CCA under section 19 for
recognition and opens a place of business in India that displays its
licence under section 32. Perhaps these complex provisions are the
reason why in the last nine years, despite India offering the biggest
market for the trust services, not a single foreign CA has applied
for or requested recognition of their services.73
A more appropriate approach is used in Article 26 of the ESL
of China. Article 26 states that after being approved by the State
Council Department of the Ministry of Information Industry (MII)
according to the related agreement and principles of equity, the
electronic signature authentication certificates issued at places by
the CA outside the borders of the People's Republic of China shall
have the same legal effect as the electronic authentication certifi-
cates issued by the CA established according to the ESL. This means
that if the State Council Department of the MII has a reciprocity
agreement with the CCA in India, the certificate issued by a CA
of India will be recognized in China and vice versa. The ITA could
have also considered Article 7(c) of the EU E-signatures Directive,
which states that the certificate or the CA is recognized under a
bilateral or multilateral agreement between the community and
third countries or international organizations. It further states that
the EU Commission shall make proposals, where appropriate, to
72 The non-exhaustive list of the rules and regulations relevant to this paper has
been provided in n. 34 above.
73 Symantec, Foreign Certifying Authorities Welcome to India (13 November 2013),
available at http://www.symantec.com/connect/blogs/foreign-certifying-authorities-welcome-india
(accessed 10 May 2014).
V. Over-regulation
The ITA (India) has 13 chapters, 90 sections and two schedules. To
supplement this legislation various regulations and rules have been
put in force, which include the ITCA, which has 34 sections and
five schedules, the Cyber Regulations Appellate Tribunal (Procedure)
Rules 2000, which has 28 sections, and many other rules and regulations
with a number of sections and provisions.77 This appears to be a
case of over-regulation, particularly when compared with other legis-
lation across the world. For example, China has adopted a detailed
approach in its ESL but has done so in a concise and positive way.
The provisions and regulations of the ESL are precise and unam-
biguous compared with the ITA. The ESL has just 36 Articles and
the Administrative Measure on Electronic Certification Service 2005
(AMECS) supplements the ESL with 43 Articles. Similarly, in the UK
the ECA has just 16 sections and the ESR has five sections. Further,
the Electronic Transactions Act 1999 (Cth.) (ETA) of Australia has
17 sections and one schedule, which has been supplemented by the
Electronic Transactions Regulations 2000, which has 11 regulations
and one schedule. The Singapore 2010 ETA has 39 sections and
four schedules, and has been supplemented by the Electronic Trans-
actions (Certification Authority) Regulations 2010 (Cap. 88, Rg 1,
2010), which has 38 regulations. In comparison, the ITA is massively
over-regulated and contains complex and ambiguous provisions.
76 For example, ss 2(f) (asymmetric crypto system), 2(g) (CA), 2(h) (certification
practice statement), 2(p) (digital signature), 2(q) (digital signature certificate),
2(x) (key pair), 2(zc) (private key), 2(zd) (public key), s. 3 (authentication of
electronic record by using a digital signature), s. 19 (recognition of foreign
certifying authority), s. 25 (suspension of licence), s. 26 (notice of suspension
or revocation of licence), s. 30 (CA to follow certain procedure), s. 31 (CA to
ensure compliance with the Act), s. 32 (display of licence), s. 33 (surrender
of licence), s. 34 (disclosure), s. 35 (CA to issue certificate), s. 36 (representa-
tion upon issuance of digital signature certificate), s. 37 (suspension of digital
certificate), s. 38 (revocation of digital signature certificate), s. 39 (notice of
suspension or revocation), s. 40 (generating key pair), s. 41 (acceptance of
digital signature certificate) and s. 42 (control of private key) of the ITA.
77 See above n. 34.
78 See, for example, V. Sharma, Information Technology Law and Practice: Law
and Emerging Technology Cyber Law and E-commerce, 3rd edn (Universal Law
Publishing: Delhi, 2011) 28; Department of Information Technology, Proposed
Amendments to Information Technology Act 2000: Summary (Ministry of Com-
munications & Information Technology: New Delhi, 2005) 2.
79 There are four purposes of the Convention. These are: facilitating the use
of electronic communication in cross-border trade; reinforcing the level of
uniformity in the enactment of the UNCITRAL Model Law (the MLEC and the
MLES); updating certain provisions of the MLEC and the MLES; and providing
core e-commerce legislation to the countries lacking or having incompatible
law in this area. See L. Castellani, 'Policy Considerations on the Electronic
Communications Convention' (2010) 19 Korean Journal of International Trade
and Business Law 2.