
SECURITY ISSUES IN E-COMMERCE

Rapid advancements in technology are allowing everyone to send and receive information from
anywhere in the world. Commerce exploits this facility thoroughly in the form of e-commerce:
commerce that takes place using the WWW as the enabling transport. It includes any
computer-mediated business process over the internet. However, any transaction (message
delivery) taking place across the public internet is open to a wide variety of security problems.
The successful functioning of e-commerce security depends on a complex interrelationship
between several components, including the application development platforms, database
management systems, system software and network infrastructure.

E-Commerce Security Issues


E-commerce systems are based upon Internet use. As the Internet is unregulated, unmanaged
and uncontrolled, it introduces a wide range of risks and threats to the systems operating on it.
The important security issues related to e-commerce are:-
1. Access Control: If access control is properly implemented, many other security problems,
like lack of privacy, will either be eliminated or mitigated. Access control ensures that only
those who legitimately require access to resources are given access. This includes both
physical access as well as logical access to resources.

2. Privacy: Privacy ensures that only authorized parties can access information in any system.
The information should also not be distributed to parties that should not receive it. Issues
related to privacy can be considered as a subset of issues related to access control.

3. Authentication: Authentication ensures that the origin of an electronic message is correctly
identified, i.e. that one can determine who sent the message and from where or from which
machine.

4. Non-Repudiation: Non-repudiation is closely related to authentication and ensures that the
sender cannot deny sending a particular message and the receiver cannot deny receiving a
message. If this happens infrequently, it may not significantly harm e-commerce; however,
on a large scale it can be devastating. For example, if many customers receive goods and
then deny placing an order, the shipping, handling and associated costs of the order can
be significant for the company processing the order.

5. Availability: Availability ensures that the required systems are available when needed, i.e.
that the customer order systems are available all the time. Two major threats to availability
are virus attacks and denial of service (DoS).

One complicating factor for any e-commerce venture is the security of customer information,
such as credit card numbers and personal data. Concern over transaction security has kept
many customers from purchasing products on the internet. Even though secure software
programs are becoming more protective, foolproof systems may never be developed because
new threats keep appearing.

Risks involved in E-Commerce


Some of the common threats that hackers pose to e-commerce systems include:-
a) Carrying out denial-of-service (DoS) attacks that stop access by authorized users to a
website, so that the site is forced to offer a reduced level of service or, in some cases, cease
operation completely.
b) Gaining access to sensitive data such as price lists, catalogues and valuable intellectual
property, and altering, destroying or copying it.
c) Altering the website, thereby damaging one’s image or directing one’s customers to
another site.
d) Gaining access to financial information about one’s business or one’s customers with a view
to perpetrating fraud.
e) Using viruses to corrupt one’s business data.
Impact Upon the Business: All of these risks can have a significant impact upon a business
running an e-commerce service. The potential business implications of a security incident
include the following:-
a) Direct financial loss as a consequence of fraud or litigation.
b) Consequential loss as a result of unwelcome publicity.
c) Criminal charges if you are found to be in breach of the Data Protection or Computer
Misuse Acts, or other regulation on e-commerce.
d) Loss of market share if customer confidence is affected by a denial-of-service attack or
other incident.
The image presented by one’s business, together with the brands under which one trades, are
valuable assets. Hence it is important to recognize that the use of e-commerce creates new
ways for both image and brands to be damaged.
Risks from Viruses, Trojans and Worms
Viruses, Trojan horses and worms are all computer programs that can infect computers. They
spread across computers and networks by making copies of themselves, usually without the
knowledge of the computer user.
A Trojan Horse is a program that appears to be legitimate but actually contains another
program or block of undesired, malicious, destructive code, disguised and hidden in a block of
desirable code. Trojans can be used to infect a computer with a virus.
A back-door Trojan is a program that allows a remote user or hacker to bypass the normal
access controls of a computer and gives them unauthorized control over it.
Typically a virus is used to place the back-door Trojan onto a computer, and once the computer
is online, the person who sent the Trojan can run programs on the infected computer, access
personal files, and modify and upload files.
Risks to E-commerce Systems
Some viruses can have extremely harmful effects. Some major threats that they pose to e-
commerce systems include:-
• Corrupting or deleting data on the hard disk of the server.
• Stealing confidential data by enabling hackers to record user keystrokes.
• Enabling hackers to hijack one’s system and use it for their own purpose.
• Using one’s computer for malicious purposes, such as carrying out a DoS attack on
another website.
• Harming customer and trading partner relationships by forwarding viruses to them from
the affected system.
Spread of viruses
Viruses are able to infect computers via a number of different routes. These include:
• CDs and pen drives containing infected documents.
• Emails containing infected attachments.
• Internet worms that exploit holes in the system’s operating system when it is connected
to the Internet.
Spyware
Spyware is software that is placed on one’s computer when one visits certain websites. It
secretly gathers information about one’s usage and sends it back to advertisers or other
interested parties. It can also slow down or crash the computer.

Protecting E-Commerce System


Securing one’s E-Commerce System
As the use of the Internet continues to grow, websites are assuming greater importance as the
public face of business. Moreover, the revenues generated by e-commerce systems mean that
organizations are becoming ever more reliant upon them as core elements of their business.
With this high level of dependency upon the services provided by e-commerce systems, it is
essential that they are protected from the threats posed by hackers, viruses, fraud and denial-
of-service (DoS) attacks.
Identifying E-Commerce Threats and Vulnerabilities
It is important that one understands the risks facing one’s e-commerce system, and the potential
impact should any security incident arise.
Threats: Threats to e-commerce systems can be either malicious or accidental. The procedures
and controls one puts in place to protect the site should help minimize both.
Malicious threats could include:
• Hackers attempting to penetrate a system to read or alter sensitive data.
• Burglars stealing a server or laptop that has unprotected sensitive data on its disk.
• Imposters masquerading as legitimate users and even creating a website similar to the
original one.
• Authorized users downloading a web page or receiving an email with hidden active
content that attacks the systems or sends sensitive information to unauthorized people.
The potential threats to sensitive information can be considered from three angles:
• Where (or who) are the potential sources of threats?
• What level of expertise is the hacker likely to possess? How much effort are they likely to
expend in attempting to breach the security?
• What facilities and tools are available to them?
The real threat may not be the most obvious one. Attacks from authorized users (such as a
dissatisfied employee or partner) are far more common than attacks by hackers.
Risk Assessment
A risk assessment provides an organization with a clear understanding of the risks facing its e-
commerce system and associated business processes, and the potential impact if a security
incident arises.
A key part of a risk assessment is defining the business’ information access requirements, as
these will cover the rules of access for different groups of users.
Any analysis should also take into account how electronic transactions are verified. How do
we know that an order has actually come from a known customer? Where contracts are
exchanged electronically, who can sign them, and how can it be proved which version is the
signed one?

Common E-Commerce Security Tools


One should introduce sufficient security controls to reduce risk to e-commerce systems.
However, these controls should not be so restrictive that they damage the employees’
performance.
Common security controls are:-
1. Authentication: There are several techniques that can identify and verify someone seeking
to access an e-commerce system. These include:-
• A user name and password combination, where the password can vary in length and
include numbers and characters.
• “Two-factor” authentication requiring something the user has (e.g. an authentication
token) and something the user knows (e.g. a personal identification number).
• A digital certificate that enables authentication through the use of an individual’s unique
signing key.
• A person’s unique physical attribute, referred to as a biometric. This can range from a
fingerprint or iris scan, through to retinal or facial-feature recognition.
2. Access Control: This restricts different classes of users to subsets of information and
ensures that they can only access data and services for which they have been authorized.
These include:-
• Network restrictions to prevent access to other computer systems and networks.
• Application controls to ensure individuals are limited in the data or service they can
access.
• Controlling changes to access privileges so that users do not retain them when they
transfer between departments or leave the business.
3. Encryption: This technique scrambles data, and is used to protect information that is being
either held on a computer or transmitted over a network. It uses technologies such as
virtual private networks (VPNs) and the Secure Sockets Layer (SSL).

4. Firewall: A firewall is a hardware or software security device that filters information passing
between internal and external networks. It controls access to the Internet by internal users and
prevents outside parties from gaining access to systems and information on the internal
network. A firewall can be applied at the network level to provide protection for multiple
workstations or internal networks, or at the personal level where it is installed on an
individual PC.
A firewall typically takes one of two forms:-
Software firewall: Specialized software running on an individual computer.
Network firewall: A dedicated device designed to protect one or more computers.
Both types of firewall allow the user to define access policies for inbound connections to the
computers they are protecting. Many also provide the ability to control what services the
protected computers are able to access on the Internet. Most firewalls intended for home use
come with pre-configured security policies from which the user chooses, and also allow the user
to customize these policies for their specific needs.
Types of Firewalls: There are three basic types of firewalls depending on:-
a. Whether the communication is being done between a single node and the network, or
between two or more networks.
b. Whether the communication is intercepted at the network layer, or at the application
layer.
c. Whether the communication state is being tracked at the firewall or not.
With regard to the scope of filtered communication there exist:-
• Personal firewalls: A software application, which normally filters traffic entering, or
leaving a single computer.
• Network firewalls: Normally running on a dedicated network device or computer
positioned on the boundary of two or more networks. Such a firewall filters all traffic
entering or leaving the connected networks.
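As an added illustration of point (c) above, whether the communication state is tracked, the following Python simulation (not part of the original text) runs the same constructed packets through a stateless network-layer filter and a stateful one; the internal network 10.0.0.0/8, the packet fields and the traffic are all assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal network for this example (constructed, not from the page).
INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    """Constructed TCP packet summary: addresses, ports and SYN/ACK flags."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def stateless_filter(pkt):
    """Network-layer filter with no connection state.

    Insiders may go anywhere. To let replies from outside web servers back
    in, the only thing this filter can match on is the packet itself, so it
    has to admit every inbound packet with source port 443, whether or not
    an inside host ever started that conversation.
    """
    if is_internal(pkt.src):
        return True
    return pkt.sport == 443


class StatefulFilter:
    """Same policy, but the firewall tracks the communication state."""

    def __init__(self):
        self.flows = set()  # (src, sport, dst, dport) of outbound connections

    def filter(self, pkt):
        if is_internal(pkt.src):
            if pkt.syn and not pkt.ack:  # new outbound connection
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: allowed only as the return half of a tracked flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare(packets):
    """Run one packet sequence through both filters.

    Returns a list of (stateless_decision, stateful_decision) per packet."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.filter(p)) for p in packets]


# Constructed traffic: an inside host opens an HTTPS connection, the server
# replies, then an unrelated outside host sends an unsolicited packet to
# port 22 on the inside host using source port 443.
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True),
    Packet("203.0.113.99", 443, "10.0.0.5", 22, syn=True),
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"stateless={'allow' if stateless else 'drop'}  "
              f"stateful={'allow' if stateful else 'drop'}")
```

The third packet shows the difference: the stateless filter admits it because it looks like a web reply, while the stateful filter drops it because no inside host opened that flow.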
Intrusion Detection
Intrusion detection software monitors system and network activity to spot any attempt
being made to gain unauthorized access. If a detection system suspects an attack, it can generate an
alarm, such as an e-mail alert, based upon the type of activity it has identified.
Despite the sophistication of these controls, they are only as good as the people who use them
and hence a continual awareness program is a vital component of any security policy.

Anti-Virus Software
Anti-virus software is used to protect against viruses, Trojans and worms. It can detect them,
prevent access to infected files, repair them, and quarantine infected files that cannot be
repaired.
Different types of anti-virus software:-
• Virus Scanners: Must be updated regularly, usually by connecting to the supplier’s
website, in order to recognize new viruses.
• Heuristics Software: Detects viruses by applying general rules about what viruses look
like. While it does not require frequent updates, this software can be prone to giving
false alarms.
The threat of virus infection can be minimized by:-
• Using a virus checker on one’s Internet connection to trap viruses both entering and
leaving the business’ IT system.
• Running virus checkers on servers to trap any viruses that have managed to evade the
above check.
• Running individual virus checkers on users’ PCs to ensure that they have not
downloaded a virus directly, or inadvertently introduced one via a CD, pen drive etc.
Other Methods of Preventing Viruses:-
• Installing software patches provided by the supplier of one’s operating system to close
security loopholes that could be exploited by viruses.
• Using a firewall to prevent unauthorized access to one’s network.
• Avoiding the download of unauthorized programs and documents from the Internet and
ensuring that everyone in the organization adheres to this policy.
One’s system may still become infected even if the above guidelines are followed. Hence
regular back-ups of the data and software should be taken so that the infected files can be
replaced with clean copies if required.
Virus Alerting Services: One can subscribe to a service or supplier who will provide virus alerts.
Some are available on a paid-for basis, while others are provided by suppliers of anti-virus
software to their customers.
Spyware: Software is available that scans systems for known spyware programs. Spyware
found in this way can then be removed or quarantined. As with anti-virus software, it is
important to keep this software up-to-date.
Digital Identity & Digital Signature: Digital identity refers to the aspect of digital technology
that is concerned with the mediation of people’s experience of their own identity and the
identity of other people and things.
Digital identity is a safe personal web platform that gives the individual the power to control
how they interact with the Internet and share their personal information. Each individual is
assigned a personal web address that functions as a master key to all his or her online
communication.
Through a number of practical tools such as online business cards, CVs, favorites, personal
messages, access control etc., the individual creates and has full control of their online
information. With digital identity each individual becomes an integrated part of the Internet, so
that other websites, search engines and applications can automatically interact with the online
identity.
Digital identity rests on the following:-
• It is the online presence of an individual or business which gives access to online
services – Authentication.
• It defines the level of access to online services – Authorization.
• It is a repository of information for use by the subscriber, for the subscriber and is the
first point of all online communications.
Biometric: Biometric refers to the automatic identification of a person based on his or her
physiological or behavioral characteristics. Examples of physical characteristics include
fingerprints, eye retinas and irises, facial patterns and hand measurements, while examples of
behavioral characteristics include signature, gait and typing patterns.
This method of identification offers several advantages over traditional methods involving ID
cards or PINs:-
i. The person to be identified is required to be physically present at the point of
identification.
ii. Unlike biometric traits, PINs or passwords may be forgotten, and tokens like passports
and driver’s licenses may be forged, stolen, or lost.
iii. By replacing PINs (or using biometrics in addition to PINs), biometric techniques can
potentially prevent unauthorized access to sensitive places and sensitive equipment.

Client-Server Network Security


Computer security violations cost businesses a huge amount each year. Network security on the
internet is a major concern for commercial organizations, especially top management. By
connecting to the internet, an organization’s local network may be exposing itself to the entire
population of the internet. An internet connection effectively breaches the physical security
perimeter of the corporate network and exposes it to access from the other networks that make
up the public internet.
For many commercial operations, security is simply a matter of making sure that existing
system features, such as passwords and privileges, are configured properly and that all
access to the network is audited.
A system that records all log-on attempts, particularly the unsuccessful ones, can alert
managers to the need for stronger measures. However, where secrets are at stake or where
important corporate assets must be made available to remote users, additional measures
must be taken. Hackers can use password guessing, password tapping, security holes in
programs, or common network access procedures to impersonate users and thus pose a
threat to the server.
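The log-on monitoring described in this paragraph, and the alarm an intrusion detection system raises as described earlier under Intrusion Detection, can be implemented as follows; this is an added Python example, not code from the original text, and the log line format, the constructed sample log, and the threshold of five failures within five minutes are its own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page). The line format is this
# example's own assumption:
#   "<ISO time> <host> login: <ACCEPTED|FAILED> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:05 shop01 login: ACCEPTED user=bob src=10.0.0.12
2024-03-01T09:01:10 shop01 login: FAILED user=alice src=198.51.100.7
2024-03-01T09:01:25 shop01 login: FAILED user=alice src=198.51.100.7
2024-03-01T09:01:41 shop01 login: FAILED user=alice src=198.51.100.7
2024-03-01T09:02:03 shop01 login: FAILED user=alice src=198.51.100.7
2024-03-01T09:02:20 shop01 login: FAILED user=alice src=198.51.100.7
2024-03-01T09:02:44 shop01 login: ACCEPTED user=alice src=198.51.100.7
2024-03-01T09:30:00 shop01 login: FAILED user=carol src=10.0.0.20
2024-03-01T09:45:00 shop01 login: ACCEPTED user=carol src=10.0.0.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>ACCEPTED|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def _alert(kind, ev, count):
    return {"type": kind, "user": ev["user"], "src": ev["src"],
            "count": count, "at": ev["ts"]}


def detect_logon_abuse(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on (user, source) pairs that reach `threshold` failed log-ons
    inside a sliding `window`, and escalate if a success then follows."""
    alerts = []
    failures = defaultdict(list)   # (user, src) -> recent failure times
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        recent = failures[key]
        if ev["result"] == "FAILED":
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.pop(0)        # forget failures outside the window
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(_alert("repeated_failed_logon", ev, len(recent)))
        else:
            # A success shortly after a burst of failures is the case a
            # manager most needs to hear about: guessing may have worked.
            if key in flagged and recent and ev["ts"] - recent[-1] <= window:
                alerts.append(_alert("success_after_failures", ev, len(recent)))
            failures[key] = []       # a clean success resets the count
    return alerts


def format_alert(alert):
    """Render an alert as the body of an e-mail notification."""
    return (f"[{alert['type']}] user={alert['user']} src={alert['src']} "
            f"failures={alert['count']} at={alert['at'].isoformat()}")


if __name__ == "__main__":
    for a in detect_logon_abuse(parse_log(SAMPLE_LOG)):
        print(format_alert(a))
```

On the sample log, alice's five failures from one address trigger the first alarm and the success that follows escalates it, while carol's single typo followed by a normal log-on produces nothing.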
Client-Server network security problems manifest themselves in three ways:-
i. Physical security holes result when individuals gain unauthorized physical access to a
computer. For example, in a public workstation room, a hacker may reboot a machine
into single-user mode and tamper with the files, if precautions are not taken. On
networks, hackers also gain access to systems by guessing the passwords of various
users.
ii. Software security holes result when badly written programs or ‘privileged’ software are
‘compromised’ into doing things they shouldn’t. The most famous example is the
‘sendmail’ hole, which brought the internet to its knees in 1988. A more recent problem
was the ‘rlogin’ hole in the IBM RS-6000 workstations, which enabled a cracker (a
malicious hacker) to create a ‘root’ shell or super-user access mode. This is the highest
level of access possible and could be used to delete the entire file system, or create a
new account or password file, resulting in incalculable damage.
iii. Inconsistent usage holes result when a system administrator assembles a combination of
hardware and software such that the system is seriously flawed from a security point of
view: the incompatibility of two unconnected but individually useful things creates the
security hole. Problems like this are difficult to isolate once the system is set up and
running. Hence one should carefully build the system with these things in mind.
To reduce these security threats, over the years, several protection methods have been
developed:-
a. Trust Based Security: Trust-based security means to trust everyone and do nothing
extra for ensuring security; assuming that all the users are trustworthy and competent
in their use of the shared network.
b. Security Through Obscurity: Most organizations in the mainframe era practiced a
philosophy known as Security Through Obscurity (STO): the notion that any network
can be secure as long as nobody outside its management group is given information
about it except on a need-to-know basis. Hiding account passwords in binary files or
scripts with the presumption that ‘nobody will ever find them’ is a prime case of STO
(somewhat like hiding the house key under the doormat and telling only family and
friends). In short, STO provides a false sense of security in computing systems by hiding
information.
c. Firewall and Network Security: The most commonly accepted network protection is a
barrier, a firewall, between the corporate network and the outside world (untrusted
networks). A firewall is a method of placing a device, a computer or a router, between
the network and the internet to control and monitor all the traffic between the outside
world and the local networks. Typically, the device allows insiders to have full access to
the services on the outside networks but grants outsiders only selective access based on
login names, passwords, IP addresses or other identifiers.

Data and Message Security:-


Encryption: The success of an e-commerce operation hinges on myriad factors including the
business model, the team, the customers, the investors, the product, and the security of data
transmissions and storage.
Data security has taken on increased importance because a series of high-profile ‘cracker’
attacks have humbled popular web sites, resulted in the impersonation of Microsoft employees
for the purposes of digital certification, and led to the misuse of customers’ credit card numbers.
Any B2C entrepreneur who solicits, stores, or communicates information that may be sensitive
if lost is exposed to such attacks. An arms race is underway: technologists are building new
security measures while others are working to crack the security systems. One of the most
effective means of ensuring data security and integrity is encryption.
Encryption is a generic term that refers to the act of encoding data so that those data can be
securely transmitted via the Internet. Encryption can protect the data at the simplest level by
preventing other people from reading the data. In the event that someone intercepts a data
transmission and manages to deceive any user identification scheme, the data that they see
appears to be gibberish without a way to decode it.
Encryption technologies can help in other ways as well: by establishing the identity of users (or
abusers), controlling the unauthorized transmission or forwarding of data, verifying the integrity
of the data (i.e. that it has not been altered in any way), and ensuring that users take
responsibility for data that they have transmitted. Encryption can therefore be used either to
keep communications secret (defensively) or to identify the people involved in communications
(offensively).
E-commerce systems can use the following encryption techniques:-
a. Public Key Encryption or Asymmetric Key-based algorithm: This method uses one key
to encrypt data and a different key to decrypt the same data. It is also called Public
Key / Private Key encryption.
b. Symmetric Key-based Algorithms or Block-and-Stream Ciphers: Using these cipher
types, the data is separated into chunks, and those chunks are encrypted and decrypted
based on a specific key. Stream ciphers are used more predominantly than block
ciphers, as the chunks are encrypted on a bit-by-bit basis. This process is much smaller
and faster than encrypting larger (block) chunks of data.
c. Hashing or Creating a Digital Summary of a String or File: This is the most common way
to store passwords on a system, since what is stored is not the password itself but a hash
of it that cannot be reversed.
Legal Issues in E-Commerce
The use of the internet allows organizations to compete in a global virtual market-space.
Consumers from different cultures may differ in their perceptions, beliefs, selection and
participation in e-commerce. Moreover, language becomes an important factor. Many customers
want websites in their native tongue which reflect their cultural and social biases. These issues
are inherent in the e-commerce environment. So, companies operating in a multi-cultural
market-space that spans political and geographical boundaries try to remain consistent by
providing proper policies in this regard.
A global information infrastructure (GII) is a basic necessity for e-commerce to be a truly global
tool for trade and development. The International Telecommunication Union (ITU) in Geneva
works towards developing standards for such GII. The telecommunication networks and
services should be expanded properly in developing countries to get the benefits of e-
commerce.
Again, the implementation of e-commerce involves many legal issues. The two main legal issues
are (i) the validity of contracts related to software purchase and distribution, and (ii) intellectual
property and software piracy. E-commerce is a new form of commerce, and hence the legal,
ethical and other public policy issues are still evolving.
These issues can be classified as:-
Privacy: Privacy means the right to be left alone and the right to be free of unreasonable
personal intrusions. Information privacy is the “claim of individuals, groups or institutions to
determine for themselves when and to what extent, information about them is communicated
to others.”
Privacy Principles: The code’s 10 principles for privacy are:-
1. Accountability: An organization is responsible for personal information under its control
and shall designate an individual or individuals who are accountable for the
organization’s compliance with the following principles.
2. Identifying Purposes: The purposes for which personal information is collected shall be
identified by the organization at or before the time the information is collected.
3. Consent: The knowledge and consent of the individual are required for the collection,
use or disclosure of personal information, except when inappropriate.
4. Limiting Collection: The collection of personal information shall be limited to that,
which is necessary for the purposes identified by the organization and should be
collected by fair and lawful means.
5. Limiting Use, Disclosure, and Retention: Personal information shall not be used or
disclosed for purposes other than those for which it has been collected, except with the
consent of the individual or as required by the law. Moreover, personal information
shall be retained only as long as necessary for fulfillment of those purposes.
6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as is
necessary for the purposes for which it is to be used.
7. Safeguards: Personal information shall be protected by security safeguards appropriate
to the sensitivity of the information.
8. Openness: An organization shall make readily available to individuals specific
information about its policies and practices relating to the management of personal
information.
9. Individual Access: Upon request, an individual shall be informed of the existence, use
and disclosure of his or her personal information and shall be given access to that
information. An individual shall be able to challenge the accuracy and completeness of
the information and have it amended as appropriate.
10. Challenging Compliance: An individual shall be able to address a challenge concerning
compliance with the above principles to the designated individual or individuals for the
organization’s compliance.
Protecting one’s Privacy:-
1. Think before giving out personal information on a site.
2. Track the use of your name and information.
3. Keep your newsgroup posts out of archives.
4. Use the Anonymizer when browsing.
5. Live without cookies.
6. Use anonymous remailers.
7. Use encryption.
8. Reroute your mail away from your office.
9. Ask your ISP or employer about a privacy policy.
Cookies: Cookies are small pieces of information that allow a Web site to record information
coming in and going out. Through cookies:-
• Web sites can remember information about users and respond to their preferences on a
particular site.
• Web sites can maintain information on a particular user across HTTP connections.
Reasons for Using Cookies: Cookies are usually used for the following reasons:-
• To personalize information.
• To improve online sales / services.
• To simplify tracking of the popular links or demographics.
• To keep sites fresh and relevant to the user’s interests.
• To enable subscribers to log in without having to enter a password every time.
• To keep track of a customer’s search preferences.
• Personal profiles created are more accurate than self-registration.
Solutions to Cookies: As cookies are stored on the client’s side (the person who is navigating the
site) and send information about the client to the server (web site), they can sometimes be
dangerous for privacy. Some solutions to avoid cookies are:-
• Users can delete cookie files stored in their computer on a regular basis.
• Use of anti-cookie software.
Intellectual Property: Intellectual property is the intangible property created by individuals or
by corporations. It is difficult to protect since it is easy and inexpensive to copy and disseminate
digitized information.
Protecting Intellectual Property: Intellectual property is protected under copyright, trade
secret and patent laws.
1. Copyright: Copyright is a statutory grant that provides the creators of intellectual
property with ownership of it for 28 years.
2. Trade Secret: Trade secret is intellectual work such as a business plan, which is a
company secret and is not based on public information.
3. Patent: Patent is a document that grants the holder exclusive rights on an invention for
17 years.
4. Free Speech: The Internet provides the largest opportunity for free speech. Provisions in law
for two cases that limit free speech are:-
a. Obscene material.
b. Compelling government interest.
Indecency: Indecency is any comment, request, suggestion, proposal, image, or other
communication that, in context, depicts or describes, in terms patently offensive as measured
by contemporary community standards, sexual or excretory activities or organs.
Taxation: Taxation is an issue as e-commerce companies do not have to collect sales tax on
their customers’ purchases. While this is an advantage to customers, it costs the government
a great deal.
Gambling: Gambling is an issue as the Internet makes it difficult to decide where a
transaction takes place, and hence which region’s law should regulate that transaction.
Other Legal Issues: Some other legal issues are:-
• What are the rules of electronic contracting, and whose jurisdiction prevails when
buyers, brokers and sellers are in different states and / or countries?
• How can gambling be controlled on the Internet, given that it is legal in many countries and
illegal in others? How can the winner’s tax be collected?
• When are electronic documents admissible as evidence in courts of law? What can one
do if they are not?
• Time and place can carry different dates for the buyers and sellers when they are across
the ocean.
• Is a digital signature legal everywhere?
• The use of multiple networks and trading partners makes the documentation of
responsibility difficult. How can such a problem be overcome?
Ethical Issues: Ethics is a branch of philosophy that deals with what is considered to be right or
wrong, and the spread of electronic commerce has created many new ethical issues. For example,
the monitoring of e-mails by the company is highly controversial, as one group of people may agree
to this and another may disagree.

There are also differences regarding ethics among different countries. What is unethical in one culture
may be perfectly acceptable in another. Hence, many companies and professional organizations have
developed their own codes of ethics – a collection of principles intended as a guide for its members.

Mason has categorized these ethical issues into the following:-


1. Privacy: Collection, storage, and dissemination of information about individuals.
2. Property: Ownership and value of information and intellectual property.
3. Accuracy: Authenticity, fidelity, and accuracy of information collected and processed.
4. Accessibility: Right to access information and payment of fees to access it.
Cyber Law: Cyber law is a term which refers to all the legal and regulatory aspects of the Internet
and the World Wide Web. Anything concerned with, related to, or emanating from any legal
aspect or issue concerning any activity of netizens and others in Cyberspace comes within the
ambit of Cyber Law.
Aims of Cyber Law:-
1. To facilitate electronic communications by means of reliable electronic records.
2. To facilitate and promote electronic commerce, to eliminate barriers to electronic
commerce resulting from uncertainties over writing and signature requirements, and to
promote the development of the legal and business infrastructure necessary to
implement secure electronic commerce.
3. To facilitate the electronic filing of documents with government agencies and statutory
bodies, and to promote efficient delivery of government services by means of electronic
records.
4. To minimize the incidence of forged electronic records, intentional and unintentional
alterations of records, and fraud in electronic commerce and other electronic
transactions.
5. To promote public confidence in the integrity and reliability of electronic records,
electronic signatures and electronic commerce.
6. To establish uniform rules and standards regarding the authentication and integrity of
electronic records.
7. To create a legal infrastructure for the use of digital signatures.
Cyber Law in India: In May 2000, both the houses of the Indian Parliament passed the
Information Technology Bill. The Bill received the assent of the President in August 2000 and
came to be known as the Information Technology Act, 2000. It was enacted on 7th June 2000
and was notified in the official gazette on 17th October 2000 and is made applicable to the
whole of India.
Aim: The Information Technology (IT) Act 2000 aims to provide a legal and regulatory
framework for promotion of e-Commerce and e-Governance. The Act also aims to provide for
the legal framework so that legal sanctity is accorded to all electronic records and other
activities carried out by electronic means. The Act states that unless otherwise agreed, an
acceptance of contract may be expressed by electronic means of communication and the same
shall have legal validity and enforceability.
Salient Provisions of Cyber Law: The IT Act 2000 attempts to change outdated laws and
provides ways to deal with cybercrimes. In view of the growth in transactions and
communications carried out through electronic records, the Act seeks to empower government
departments to accept filing, creating and retention of official documents in the digital format.
The Act has also proposed a legal framework for the authentication and origin of electronic
records / communications through digital signature. From the perspective of e-commerce in
India, the IT ACT 2000 and its provisions contain many positive aspects.
• Firstly, the implications of these provisions for the e-businesses would be that email
would now be a valid and legal form of communication in our country that can be duly
produced and approved in a court of law.
• Companies shall now be able to carry out electronic commerce using the legal
infrastructure provided by the Act.
• Digital signatures have been given legal validity and sanction in the Act.
• The Act throws open the doors for the entry of corporate companies in the business of
being Certifying Authorities for issuing Digital Signature Certificates.
• The Act now allows Government to issue notification on the web thus heralding e-
governance.
• The Act enables the companies to file any form, application or any other document with
any office, authority, body or agency owned or controlled by the appropriate
Government in electronic form by means of such electronic form as may be prescribed
by the appropriate Government.
• The IT Act also addresses the important issues of security, which are so critical to the
success of electronic transactions. The Act has given a legal definition to the concept of
secure digital signatures that would be required to have been passed through a system
of a security procedure, as stipulated by the Government at a later date.
• Under the IT Act 2000, it shall now be possible for corporates to have a statutory
remedy if anyone breaks into their computer systems or network and causes
damage or copies data. The remedy provided by the Act is in the form of monetary
damages, not exceeding Rs. 1 crore.
Contracting And Contract Enforcement: A legally binding contract requires a few basic
elements: offer, acceptance and consideration. When contracting is performed
electronically, these requirements are difficult to establish. Various acts and laws have been
made for contracting and contract enforcement. Some of them are:-
Uniform Electronic Transactions Act:
• It provides the means to effectuate transactions accomplished through an electronic
medium.
• It seeks to extend existing provisions for contract law to cyber law by establishing
uniform and consistent definitions to electronic records, digital signatures, and other
electronic communications.
• It is a comprehensive law regarding business conduct.
Uniform Commercial Code (UCC):
• It provides a government code that supports existing and future electronic technologies
in the exchange of goods or of services related to exchange of goods.
• It provides clear language to address issues of offer and acceptance required for
formation of a contract.
Shrink-wrap Agreements (or Box Top Licenses):
• The user is bound to the license by opening the package even though he or she has not
used the product or even read the agreement, which has been a point of contention for
some time.
• The court felt that more information would provide more benefit to the consumer given
the limited space available on the exterior of the package.
Click-Wrap Contracts:
• The software vendor offers to sell or license the use of the software according to the
terms accompanying the software.
• The buyer agrees to be bound by the terms based on certain conduct.
IT Act – 2000
The Information Technology Act 2000 aims to provide a legal and regulatory framework for
the promotion of e-commerce and e-Governance. It was enacted on 7th June 2000 and was
notified in the official gazette on 17th October 2000. It is applicable to the whole of India.
Major Provisions Contained in the IT Act 2000 are:
• Extends to the whole of India.
• Electronic contracts will be legally valid.
• Legal recognition of digital signatures.
• Digital signature to be effected by use of asymmetric crypto system and hash function.
• Security procedure for electronic records and digital signature.
• Appointment of Certifying Authorities and Controller of Certifying Authorities, including
recognition of foreign Certifying Authorities.
• Controller to act as repository of all digital signature certificates.
• Certifying authorities to get License to issue digital signature certificates.
• Various types of computer crimes defined and stringent penalties provided under the
Act.
• Appointment of Adjudicating Officer for holding inquiries under the Act.
• Establishment of Cyber Appellate Tribunal under the Act.
• Appeal from order of Adjudicating Officer to Cyber Appellate Tribunal and not to any
Civil Court.
• Appeal from order of Cyber Appellate Tribunal to High Court.
• Act to apply for offences or contraventions committed outside India.
• Network service providers not to be liable in certain cases.
• Power of police officers and other officers to enter into any public place and search and
arrest without warrant.
• Constitution of a Cyber Regulations Advisory Committee which will advise the Central
Government and the Controller.
The IT Act enables:
• Legal recognition to electronic Transaction / Record.
• Facilitate Electronic Communication by means of reliable electronic record.
• Acceptance of contract expressed by electronic means.
• Facilitate Electronic Commerce and Electronic Data interchange.
• Electronic Governance.
• Facilitate electronic filing of documents.
• Retention of documents in electronic form.
• Where the law requires a signature, a digital signature satisfies the requirement.
• Uniformity of rules, regulations and standards regarding the authentication and integrity
of electronic records or documents.
• Publication of official gazette in the electronic form.
• Interception of any message transmitted in the electronic or encrypted form.
• Prevention of computer crime, forged electronic records, intentional alteration of
electronic records, and fraud, forgery or falsification in Electronic Commerce and Electronic
Transactions.
Authentication of the electronic Records in IT Act 2000: Section 3(2) of the IT Act 2000 has
provided that “The authentication of the electronic record shall be effected by the use of
asymmetric crypto system and hash function which envelop and transform the initial
electronic record into another electronic record”.
Explanation: For the purposes of this sub-section, "hash function" means an algorithm
mapping or translating one sequence of bits into another, generally smaller, set known as the
"hash result", such that an electronic record yields the same hash result every time the
algorithm is executed with the same electronic record as its input, making it computationally
infeasible:-
• To derive or reconstruct the original electronic record from the hash result produced by
the algorithm.
• For two electronic records to produce the same hash result using the algorithm.
Digital Signature: A digital signature is a process based on asymmetric (public-key)
encryption and decryption, allowing both the positive identification of the author of an
electronic message (who wrote the message) and verification of the integrity of the message
(whether the message has been tampered with during transmission).
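The hash-then-sign process described in Section 3(2) and under Digital Signature, as an added example (not from the Act or from these notes). It assumes SHA-256 as the hash function and RSA PKCS#1 v1.5 as the asymmetric crypto system, which the Act does not itself prescribe, and shows that a genuine record verifies while a tampered record or a different party's key does not.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// hashRecord maps an electronic record of any length to a fixed-size
// "hash result" (SHA-256, 32 bytes). The same record always yields the
// same result; any change to the record yields a different one.
func hashRecord(record []byte) [32]byte {
	return sha256.Sum256(record)
}

// signRecord "envelops and transforms" the record: the hash result is
// signed with the author's private key, producing the digital signature
// that travels with the record.
func signRecord(priv *rsa.PrivateKey, record []byte) ([]byte, error) {
	h := hashRecord(record)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// verifyRecord recomputes the hash of the received record and checks the
// signature against the author's public key. It returns true only if the
// record is unchanged (integrity) and was signed by the holder of the
// matching private key (authentication of origin).
func verifyRecord(pub *rsa.PublicKey, record, sig []byte) bool {
	h := hashRecord(record)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	record := []byte("Purchase order 4711: 10 units at Rs. 500") // constructed sample
	sig, _ := signRecord(priv, record)
	fmt.Println("genuine record verifies:", verifyRecord(&priv.PublicKey, record, sig))
	tampered := []byte("Purchase order 4711: 10 units at Rs. 50") // one byte removed
	fmt.Println("tampered record verifies:", verifyRecord(&priv.PublicKey, tampered, sig))
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // a different party's key pair
	fmt.Println("other party's key verifies:", verifyRecord(&other.PublicKey, record, sig))
}
```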
Civil Offences Stipulated by IT Act 2000: Section 43 and Section 44 of the IT Act prescribe
the civil offences, which cover:-
• Copy or extract any data, database.
• Unauthorized access and downloading files.
• Introduction of virus.
• Damage to computer System and Computer Network.
• Disruption of Computer, computer network.
• Denial to authorized person to access computer.
• Providing assistance to any person to facilitate unauthorized access to a computer.
• Charging the services availed of by one person to the account of another person by
tampering with or manipulating a computer.
• Failure to furnish information, return etc. to the Controller by certifying authorities.
Criminal Offences Stipulated by IT Act 2000: Chapter XI (Sections 65 to 75) of the IT Act
prescribes the criminal offences, which cover:-
• Tampering with computer source documents (i.e. program listings).
• Hacking with computer system.
• Electronic forgery i.e. affixing of false digital signature, making false electronic record.
• Electronic forgery for the purpose of Cheating.
• Electronic forgery for the purpose of harming reputation.
• Using as genuine a forged electronic record.
• Publication of digital signature certificate for fraudulent purpose.
• Offences and contravention by companies.
• Unauthorized access to protected system.
• Confiscation of computer, network, etc.
• Publication of information which is obscene in electronic form.
• Misrepresentation or suppressing of material fact.
• Breach of confidentiality and privacy.
• Publishing false Digital Signature Certificate.
Other Provisions / Acts that are not covered under the IT Act:-
• Negotiable instrument.
• Power of Attorney.
• Trust.
• Will.
• Any contract for the sale or the conveyance of immovable property or any interest in
such property.