Offences and Penalties under Technology Act

The Information Technology Act, 2000 was introduced when India was on the
brink of digitalization, with the core objective of providing legal recognition for
electronic data interchange and other means of electronic communication. The Act
was later amended by the formation of the Information Technology (Amendment)
Act, 2008. This article looks at the offences and penalties under the Act.
The Background
The advent of the internet has almost wiped out the traditional mode of
communication on papers. We are now the beneficiaries of a cheaper, user-friendly
and speedier form of communication. But, as is imperative, anything
transformational could also herald its own consequences, which in this case arose
in the form of cybercrimes. To curtail such occurrences, the Information
Technology Act, 2000 was enforced, which was conceptualized on the model of the
United Nations Commission on International Trade Law (UNCITRAL).
Objectives of the Act
The Act seeks to:
 Accord legal recognition to E-Transactions, as well as digital signatures for
authentication.
 Make way for the electronic filing of data and information.
 Facilitate the electronic storage of data.
 Grant recognition for the maintenance of books of accounts in Electronic
Form.
 Levy offences for defaults.
 The Act seeks to protect all transactions done through electronic means.
 E-commerce has reduced paperwork used for communication purposes. It
also gives legal protection to communication and the exchange of
information through electronic means.
  It protects the digital signatures that are used for any sort of legal
authentication.
 It regulates the activities of intermediaries by keeping a check on their
powers.
 It defines various offences related to data privacy of citizens and hence
protects their data.
 It also regulates and protects the sensitive data stored by social media and
other electronic intermediaries.
 It provides recognition to books of accounts kept in electronic form
regulated by the Reserve Bank of India Act, 1934.

Features of Information Technology Act, 2000

Following are the features of the Act:
 The Act is based on the Model Law on e-commerce adopted by
UNCITRAL.
 It has extra-territorial jurisdiction.
 It defines various terminologies used in the Act like cyber cafes, computer
systems, digital signatures, electronic records, data, asymmetric
cryptosystems, etc under Section 2(1).
 It protects all the transactions and contracts made through electronic means
and says that all such contracts are valid. (Section 10A)
 It also gives recognition to digital signatures and provides methods of
authentication.
 It contains provisions related to the appointment of the Controller and its
powers.
 It recognises foreign certifying authorities (Section 19).
 It also provides various penalties in case a computer system is damaged by
anyone other than the owner of the system.
 The Act also provides provisions for an Appellate Tribunal to be established
under the Act. All the appeals from the decisions of the Controller or other
Adjudicating officers lie to the Appellate tribunal.
 Further, an appeal from the tribunal lies with the High Court.
  The Act describes various offences related to data and defines their
punishment.
 It provides circumstances where the intermediaries are not held liable even if
the privacy of data is breached.
 A cyber regulation advisory committee is set up under the Act to advise the
Central Government on all matters related to e-commerce or digital
signatures.
The Amendment at a Glance
The 2008 amendment of the Act has:
 Laid emphasis on data privacy and information security.
 Defined cyber-café.
 Classified digital signatures as technology neutral.
 Defined the security process to be followed by a corporate.
 Redefined the role of intermediaries.
 Recognized the role of Indian Computer Emergency Response Team.
 Made way for inclusion of crimes such as child pornography and cyber
terrorism.
 Vested an Inspector with the rights of investigating cyber-crimes. The role
was previously donned by a DSP (Deputy Superintendent of Police).

The offences and penalties defined under the Information Technology Act,
2000

S.no. Offences Section Punishment

Tampering with the Imprisonment of 3

Section
documents stored in a years or a fine of Rs. 2
65
computer system lakhs or both.

Offences related to Section Imprisonment of 3

computers or any act years or a fine that
 extends to Rs. 5 lakhs
mentioned in Section 43. 66
or both.

Imprisonment for 3
Receiving a stolen computer Section
years or a fine of Rs. 1
source or device dishonestly 66B
lakh or both.

Imprisonment of 3
Section
Identity theft years or a fine of Rs. 1
66C
lakh or both

Either imprisonment
Section
Cheating by personation for 3 years or a fine of
66D
Rs. 1 lakh or both.

Either imprisonment
Section
Violation of privacy up to 3 years or a fine
66E
of Rs. 2 lakhs or both

Section
Cyber terrorism Life imprisonment
66F

Imprisonment of 5
Transmitting obscene Section
years and a fine of Rs.
material in electronic form. 67
10 lakhs.

Transmission of any material

Imprisonment of 7
containing sexually explicit Section
years and a fine of Rs.
acts through an electronic 67A
10 lakhs.
mode.

Depicting children in
Imprisonment of 7
sexually explicit form and Section
years and a fine of Rs.
transmitting such material 67B
10 lakhs.
through electronic mode

Failure to preserve and

Section Imprisonment for 3
retain the information by
67C years and a fine.
intermediaries
1️⃣ Unauthorized Access (Section 43):
Unauthorized access to computer systems, data, or networks can lead to
imprisonment up to 3 years or a fine of up to 5 lakh rupees, or both.

2️⃣ Damage to Computer Systems (Section 43A):

Causing damage to computer systems, resulting in compensation claims, may
lead to imprisonment for up to 3 years or a fine of up to 5 lakh rupees, or both.

3️⃣ Hacking (Section 66):

Hacking into computer systems, networks, or devices with an intent to cause
damage, steal information, or commit fraud can result in imprisonment for up to
3 years or a fine of up to 2 lakh rupees, or both.

4️⃣ Identity Theft (Section 66C):

Fraudulently using another person's identity electronically can lead to
imprisonment for up to 3 years or a fine of up to 1 lakh rupees, or both.

5️⃣ Publishing Obscene Content (Section 67):

Publishing or transmitting obscene material online can result in imprisonment
for up to 3 years and a fine of up to 5 lakh rupees for the first offense.
Subsequent offenses can lead to imprisonment for up to 5 years and a fine of up
to 10 lakh rupees.

6️⃣ Privacy Violation (Section 66E):

 Capturing, transmitting, or publishing private images of a person without their
consent can lead to imprisonment for up to 3 years or a fine of up to 2 lakh
rupees, or both.

7️⃣ Cyber Terrorism (Section 66F):

Engaging in cyber terrorism activities, including unauthorized access to critical
information infrastructure, can result in imprisonment for life.

Section 43 – Penalty for Damages

On a lighter note, any person damaging the computer (or its network) of the owner
or any other person-in-charge would be forced to remit a penalty and compensation
to the person so affected.
Section 44 – Documentation and Reporting
 Any person not furnishing the required documents, returns or report to the
controller or certifying authority would be liable to remit a penalty of up to
INR 1,50,000.
 If a person fails to furnish any information, books or other documents within
the prescribed time-frame, then he/she would be imposed with a penalty of
INR 5,000 for each day of the default.
 If a person doesn’t maintain the books of accounts or other records, he/she
would be forced to remit a penalty of INR 10,000 per day.
Section 65 – Manipulating Source Document
Any person who deliberately tampers, destroys, conceals or alters any computer
source document intentionally would be liable for penal charges amounting to Rs.
2,00,000 and/or imprisonment of up to three years.
Section 66 – Dishonesty and Fraudulence
Any person committing dishonesty and fraudulence under the Act as specified in
Section 43 above would be forced to remit a penalty of up to INR 5,00,000 and/or
imprisonment of up to three years. On similar lines:
  Section 66B of the Act states that any person who dishonestly or
fraudulently receives/retains any stolen computer resource or
communication device would be required to remit a penalty of INR 1,00,000
and/or imprisonment of up to three years.
 Section 66C of the Act states that any person who dishonestly or
fraudulently employs the electronic signature, password or any other unique
identification feature of another person would be required to remit a penalty
of up to INR 1,00,000 and/or imprisonment of up to three years.
 Section 66D states that any person who dishonestly or fraudulently
personates through any communication device or computer resource would
be forced to remit a penalty of INR 1,00,000 or lesser, which could be added
or replaced by an imprisonment term of three years.
 Section 66E states that any person who deliberately captures, publishes or
transmits the image of a private area of a person without his/her consent
would be slapped a penalty of not more than INR 2,00,000, which could be
replaced or added with an imprisonment period of three years or less.
 Section 66F states that any person who fails to act electronically or threatens
the unity, integrity, security or sovereignty of the country would be
imprisoned for life.
Section 67 – Electronic Publishing or Transmission
Any person who electronically transmits any material which appeals to unhealthy
interest, or is likely to deprave and corrupt any other who may refer to the
information provided in it, would be forced to remit a penalty of not more than
INR 5,00,000. The penalty could be added or replaced by a period of imprisonment
of up to three years. If convicted again on the same grounds, the concerned
individual would be levied with a penalty of up to INR 10,00,000, which again,
could be added or replaced by a term of imprisonment of up to five years.
On the same page, Section 67A coveys that any person who electronically
publishes or transmits any content which may not be unhealthy but consists of any
sexually explicit act or conduct, he/she would be liable to remit a penalty of not
more than INR 10,00,000, which could be replaced or added with a five-year
imprisonment term. Repeated offences of such kind may result in a similar penalty,
with an imprisonment term that could scale up to seven years.
Section 68 – Powers if the Controller
The Controller may order a Certifying Authority or any employee of such authority
to cease the performance of any activities as stated in the order. Any person who
deliberately contravenes with such an order is bound to pay a penalty of INR
1,00,000, which could be added or replaced with a term of imprisonment of two
years or less.
Section 69 – Powers of the Government
The Central or State Government, in the best interests of the nation, may order any
agency to monitor or decrypt any information generated, transmitted, received or
stored in any computer resource. Any non-compliance with such order could result
in imprisonment of seven years and a fine as determined by the authorities.
Section 70 – Declaration a Protected System
The Governments concerned is vested with the rights of declaring any computer
resource, which affects the facility of Critical Information Infrastructure, as a
protected system. Non-compliance with this notification, which as per rules would
be published in the Official Gazette, would lead to a period of imprisonment of ten
years and a fine so determined by the authorities.
Section 71 – Misrepresentation or Suppression
This section is applicable for any person who makes any misrepresentation of
information or suppresses any material facts from the Controller or the Certifying
Authority with the intention of obtaining any License or Electronic Signature
Certificate. The Act explicitly states that such individuals would be forced to remit
a penalty of up to INR 1,00,000; as an addition or replacement to which, a period
of imprisonment which numbers to not more than two years would be applicable.
Section 72 – Provisions of Secured Access
This provision applies to any person with secured access to any electronic record,
book, register, correspondence, information, document or other material. The Act
states that if such a person reveals the details of such documents to any other
person without the consent of the person concerned, then he/she would be forced to
remit a penalty of INR 1,00,000; which could be added or replaced by a term of
imprisonment which is not more than two years.
On the other hand, if any person indulges in such acts with the intent of causing
wrongful loss or wrongful gain disclosures, then the range of penalty imposable
goes up to INR 5,00,000, and that of imprisonment to three years.
Section 73 and 74 – Publishing of Certificate
The provisions of Section 73 would apply to a person who publishes an Electronic
Signature Certificate or makes it available to any other person knowing that the
Certifying Authority hasn’t issued it, the subscriber hasn’t accepted it, or the
certificate has been revoked or suspended. The Act states that such a person would
be forced to remit a penalty of up to INR 1,00,000; which could be added or
replaced by imprisonment for a term of two years.
On the other hand, Section 74 states that any person who deliberately creates,
publishes or otherwise makes available Electronic Signature Certificate for any
fraudulent or unlawful purpose would be imposed with a penalty of up to INR
1,00,000; which could be added or replaced with an imprisonment of not more than
two years.
Section 75 – Offence or Contravention Outside India
Any person who has committed any offence or contravention outside India
involving a computer, computer system or computer network located in India
would qualify for the penal provisions of the Act, irrespective of his/her
nationality.
Section 76 – Provision of Confiscation
Section 76 of the Act states that any non-compliances concerned with the
provisions of a computer, computer system, floppies, compact disks, tape drives or
any other relevant accessories could result in the confiscation of such accessories.
However, proving that such accessories weren’t employed in committing any fraud
may abate any instance of arrests.

Overview of Information Technology Act, 2000

The Act deals with e-commerce and all the transactions done through it. It gives
provisions for the validity and recognition of electronic records along with a
license that is necessary to issue any digital or electronic signatures. The article
further gives an overview of the Act.
Electronic records and signatures
The Act defines electronic records under Section 2(1)(t), which includes any data,
image, record, or file sent through an electronic mode. According to Section 2(1)
(ta), any signature used to authenticate any electronic record that is in the form of a
digital signature is called an electronic signature. However, such authentication
will be affected by asymmetric cryptosystems and hash functions as given
under Section 3 of the Act.
Section 3A further gives the conditions of a reliable electronic signature. These
are:
 If the signatures are linked to the signatory or authenticator, they are
considered reliable.
 If the signatures are under the control of the signatory at the time of signing.
 Any alteration to such a signature must be detectable after fixation or
alteration.
 The alteration done to any information which is authenticated by the
signature must be detectable.
 It must also fulfill any other conditions as specified by the Central
Government.
The government can anytime make rules for electronic signatures according
to Section 10 of the Act. The attribution of an electronic record is given
under Section 11 of the Act. An electronic record is attributed if it is sent by the
originator or any other person on his behalf. The person receiving the electronic
record must acknowledge the receipt of receiving the record in any manner if the
originator has not specified any particular manner. (Section 12). According
to Section 13, an electronic record is said to be dispatched if it enters another
computer source that is outside the control of the originator. The time of receipt is
determined in the following ways:
 When the addressee has given any computer resource,
o Receipt occurs on the entry of an electronic record into the designated
computer resource.
o In case the record is sent to any other computer system, the receipt
occurs when it is retrieved by the addressee.
  When the addressee has not specified any computer resource, the receipt
occurs when the record enters any computer source of the addressee.
Certifying authorities
Appointment of Controller
Section 17 talks about the appointment of the controller, deputy controllers,
assistant controllers, and other employees of certifying authorities. The deputy
controllers and assistant controllers are under the control of the controller and
perform the functions as specified by him. The term, qualifications, experience and
conditions of service of the Controller of certifying authorities will be determined
by the Central Government. It will also decide the place of the head office of the
Controller.
Functions of the Controller
According to Section 18, the following are the functions of the Controller of
certifying authority:
 He supervises all the activities of certifying authorities.
 Public keys are certified by him.
 He lays down the rules and standards to be followed by certifying
authorities.
 He specifies the qualifications and experience required to become an
employee of a certifying authority.
 He specifies the procedure to be followed in maintaining the accounts of
authority.
 He determines the terms and conditions of the appointment of auditors.
 He supervises the conduct of businesses and dealings of the authorities.
 He facilitates the establishment of an electronic system jointly or solely.
 He maintains all the particulars of the certifying authorities and specifies the
duties of the officers.
 He has to resolve any kind of conflict between the authorities and
subscribers.
  All information and official documents issued by the authorities must bear
the seal of the office of the Controller.
License for electronic signatures
It is necessary to obtain a license certificate in order to issue an electronic
signature. Section 21 of the Act provides that any such license can be obtained by
making an application to the controller who, after considering all the documents,
decides either to accept or reject the application. The license issued is valid for the
term as prescribed by the central government and is transferable and heritable. It is
regulated by terms and conditions provided by the government.
According to Section 22 of the Act, an application must fulfill the following
requirements:
 A certificate of practice statement.
 Identity proof of the applicant.
 Fees of Rupees 25,000 must be paid.
 Any other document as specified by the central government.
The license can be renewed by making an application before 45 days from the
expiry of the license along with payment of fees, i.e., Rupees 25000. (Section 23)
Any license can be suspended on the grounds specified in Section 24 of the Act.
However, no certifying authority can suspend the license without giving the
applicant a reasonable opportunity to be heard. The grounds of suspension are:
 The applicant makes a false application for renewal with false and fabricated
information.
 Failure to comply with the terms and conditions of the license.
 A person fails to comply with the provisions of the Act.
 He did not follow the procedure given in Section 30 of the Act.
The notice of suspension of any such license must be published by the Controller
in his maintained records and data.
Powers of certifying authorities
Following are the powers and functions of certifying authorities:
  Every such authority must use hardware that is free from any kind of
intrusion. (Section 30)
 It must adhere to security procedures to ensure the privacy of electronic
signatures.
 It must publish information related to its practice, electronic certificates and
the status of these certificates.
 It must be reliable in its work.
 The authority has the power to issue electronic certificates. (Section 35)
 The authority has to issue a digital signature certificate and certify that:
o The subscriber owns a private key along with a public key as given in
the certificate.
o The key can make a digital signature and can be verified.
o All the information given by subscribers is accurate and reliable.
 The authorities can suspend the certificate of digital signature for not more
than 15 days. (Section 37)
 According to Section 38, a certificate can be revoked by the authorities on
the following grounds:
o If the subscriber himself makes such an application.
o If he dies.
o In case, the subscriber is a company then on the winding up of the
company, the certificate is revoked.
Circumstances where intermediaries are not held liable
Section 2(1)(w) of the Act defines the term ‘intermediary’ as one who receives,
transmits, or stores data or information of people on behalf of someone else and
provides services like telecom, search engines and internet services, online
payment, etc. Usually, when the data stored by such intermediaries is misused, they
are held liable. But the Act provides certain instances where they cannot be held
liable under Section 79. These are:
 In the case of third-party information or communication, intermediaries will
not be held liable.
  If the only function of the intermediary was to provide access to a
communication system and nothing else, then also they are not held liable
for any offence.
 If the intermediary does not initiate such transmissions or select the receiver
or modify any information in any transmission, it cannot be made liable.
 The intermediary does its work with care and due diligence.
However, the section has the following exemptions where intermediaries cannot be
exempted from the liability:
 It is involved in any unlawful act either by abetting, inducing or by threats or
promises.
 It has not removed any such data or disabled access that is used for the
commission of unlawful acts as notified by the Central Government.