
Information Technology ACT 2000

Businessmen nowadays increasingly use computers to manage their affairs in electronic form instead of the traditional paper form. Information kept in electronic form is cheaper, easier to store, easier to retrieve and faster to communicate. Although people are aware of the advantages which the electronic form of business provides, they are reluctant to conduct or conclude transactions in electronic form due to the lack of a proper legal framework.

Electronic commerce eliminates the need for paper-based transactions. The two principal hurdles which stand in the way of facilitating electronic commerce and electronic governance are the requirements of writing and of a signature for legal recognition. At present many legal provisions assume the existence of paper-based records which bear signatures. To facilitate e-commerce, legal changes have become an urgent necessity. The Government of India realised the need to introduce a new law and to make suitable amendments to the existing laws to facilitate e-commerce and give legal recognition to electronic records and digital signatures.

Legal recognition of electronic records and digital signatures will in turn facilitate the conclusion of contracts and the creation of legal rights and obligations through electronic communications such as the Internet. This need for legal recognition of electronic commerce gave birth to the Information Technology Bill, 1999. In the year 2000, both houses of Parliament passed the Information Technology Bill. The Bill received the assent of the President in August 2000 and came to be known as the Information Technology Act, 2000. Cyber laws are also contained in the Information Technology Act, 2000. (Cyber law describes the legal issues related to the use of inter-networked information technology.)

India is the 12th nation in the world to adopt cyber laws. The IT Act is based on the Model Law on Electronic Commerce adopted by UNCITRAL (the United Nations Commission on International Trade Law).

SCOPE OF THE ACT
The Information Technology Act, 2000 extends to the whole of India. However, the Act does not apply to the following categories of transactions:
1. A negotiable instrument other than a cheque (the Act is therefore applicable to cheques).
2. A power-of-attorney.
3. A trust as defined in the Indian Trusts Act.
4. A will.
5. Any contract for the sale or conveyance of immovable property.
6. Any such class of documents or transactions as may be notified by the Central Government in the Official Gazette.

Objectives of the IT Act
1. To provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce".
2. To give legal recognition to digital signatures.
3. To facilitate electronic filing of documents with Government agencies and e-payments.
4. To facilitate electronic storage of data.
5. To facilitate and give legal sanction to electronic fund transfer between banks and financial institutions.
6. To give legal recognition to the keeping of books of account by bankers in electronic form.
7. To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934.

Definitions (Section 2)
"computer" means an electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulation of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network;
"computer network" means the interconnection of one or more computers through (i) the use of satellite, microwave, terrestrial line or other communication media; and (ii) terminals or a complex consisting of two or more interconnected computers, whether or not the interconnection is continuously maintained;

Definitions (Section 2)
"computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;
"data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or

"electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;

Definitions (Section 2)
"secure system" means computer hardware, software and procedure that (a) are reasonably secure from unauthorised access and misuse; (b) provide a reasonable level of reliability and correct operation; (c) are reasonably suited to performing the intended functions; and (d) adhere to generally accepted security procedures;
"security procedure" means the security procedure prescribed by the Central Government under the IT Act, 2000.
"secure electronic record": where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.

Definitions (Section 2)
"function", in relation to a computer, includes logic, control, arithmetical process, deletion, storage and retrieval, and communication or telecommunication from or within a computer.
"originator" means a person who sends, generates, stores or transmits any electronic message, or causes any electronic message to be sent, generated, stored or transmitted to any other person, but does not include an intermediary.

Public-key (asymmetric) cryptography: Because of the open nature of the Internet, it is easy for people to intercept messages that travel across it, making it difficult to send confidential messages or financial data such as credit card information. To solve this problem, cryptosystems have been developed. Public-key cryptography is based on the use of two different keys instead of just one. In public-key cryptography the two keys are called the private key and the public key.
Private key: this key must be known only by its owner.
Public key: this key is known to everyone (it is public).
Relation between both keys: what one key encrypts, the other one decrypts, and vice versa.

In a basic secure conversation using public-key cryptography, the sender encrypts the message using the receiver's public key, which is known to everyone. The encrypted message is sent to the receiver, who decrypts it with his private key. Only the receiver can decrypt the message, because no one else has the private key.

As can be noticed from the diagram, the encryption algorithm is the same at both ends: what is encrypted with one key is decrypted with the other key using the same algorithm. The RSA algorithm is the best-known public-key system. An RSA key pair is derived by multiplying two large prime numbers (each a few hundred bits long) and performing additional mathematical calculations; the security of the scheme rests on the difficulty of factorising that product back into its primes.

Digital signatures: integrity in public-key systems
Integrity is guaranteed in public-key systems by using digital signatures. A digital signature is a piece of data which is attached to a message and which can be used to find out whether the message was tampered with during the conversation (e.g. through the intervention of a malicious user). The digital signature for a message is generated in two steps:
1. A message digest is generated. A message digest is a 'summary' of the message we are going to transmit, and has two important properties: (1) it is always smaller than the message itself and (2) even the slightest change in the message produces a different digest. The message digest is generated using a hashing algorithm.
2. The message digest is encrypted using the sender's private key. The resulting encrypted message digest is the digital signature.

The digital signature is attached to the message and sent to the receiver. The receiver then does the following:
1. Using the sender's public key, decrypts the digital signature to obtain the message digest generated by the sender.
2. Uses the same message digest algorithm used by the sender to generate a message digest of the received message.
3. Compares both message digests (the one sent by the sender as a digital signature, and the one generated by the receiver). If they are not exactly the same, the message has been tampered with by a third party.
We can be sure that the digital signature was sent by the sender (and not by a malicious user) because only the sender's public key can decrypt the digital signature (which was encrypted with the sender's private key; remember that what one key encrypts, the other one decrypts, and vice versa).

Using public-key cryptography in this manner ensures integrity, because we have a way of knowing whether the message we received is exactly what was sent by the sender. The above example guarantees only integrity: the message itself is sent unencrypted. This is not necessarily a bad thing, as in some cases we are not interested in keeping the data private; we simply want to make sure it isn't tampered with. To add privacy to this conversation, we would simply need to encrypt the message as explained in the first diagram.

Authentication in public-key systems
The above example does guarantee, to a certain extent, the authenticity of the sender, since only the sender's public key can decrypt the digital signature (encrypted with the sender's private key). However, the only thing this guarantees is that whoever sent the message holds the private key corresponding to the public key we used to decrypt the digital signature. Although this public key might have been advertised as belonging to the sender, we cannot be absolutely certain. Maybe the sender isn't really who he claims to be, but just someone impersonating the sender.

Some security scenarios might consider that the 'weak authentication' shown in the previous example is sufficient. However, other scenarios might require that there is absolutely no doubt about a user's identity. This is achieved with digital certificates.

Digital Certificates and certificate authorities (CA)
A digital certificate is a digital document that certifies that a certain public key is owned by a particular user. This document is signed by a third party called the certificate authority (or CA).

The important thing to remember is that the certificate is signed by a third party (the certificate authority) which does not itself take part in the secure conversation. The signature is actually a digital signature generated with the CA's private key. Therefore, we can verify the integrity of the certificate using the CA's public key. If you digitally sign your message with your private key and send the receiver a copy of your certificate, he can know for sure that the message was sent by you (because only your public key can decrypt the digital signature, and the certificate assures that the public key the receiver uses is yours and no one else's). This allows us to conquer the third pillar of a secure conversation: authentication.

What is a Certifying Authority?
A Certifying Authority is a person who has been granted a licence to issue Digital Signature Certificates. Certification Agencies are appointed by the office of the Controller of Certifying Authorities (CCA) under the provisions of the IT Act, 2000. There are a total of seven Certification Agencies authorised by the CCA to issue Digital Signature Certificates:
1. Customs & Central Excise, New Delhi
2. (n)Code Solutions Ltd. (a division of Gujarat Narmada Valley Fertilisers Company Ltd.), Ahmedabad
3. e-Mudhra CA, Bangalore
4. MTNL, New Delhi
5. National Informatics Centre, New Delhi
6. Safescrypt, Chennai
7. Tata Consultancy Services Ltd., Mumbai

Procedure to obtain a Digital Certificate: The sender sends his public key to the certifying authority along with information specific to his identification and other relevant information. The certifying authority uses this information to verify the sender and his public key. The certifying authority will issue the digital certificate to the subscriber on payment of a fee not exceeding Rs.25,000, after satisfying itself that the subscriber holds the private key corresponding to the public key to be listed in the digital certificate and that the private key is capable of creating a digital signature.

Suspension of Digital Signature Certificates
The certifying authority may suspend a digital signature certificate in the public interest for a period not exceeding 15 days. The certifying authority may also suspend the certificate if a request in this regard is received from the subscriber. On suspension of the certificate, communication should be made to the subscriber.

Revocation of Digital Signature Certificates
The certifying authority may revoke a digital signature certificate issued by it in the following cases:
1. Where the subscriber, or any other person authorised by him, makes a request to that effect.
2. Upon the death of the subscriber.
3. Upon the dissolution of the firm or winding up of the company.
The certifying authority may also revoke the certificate if a material fact represented in the digital signature certificate is false or has been concealed, where a requirement for issue of the certificate was not satisfied, or where the subscriber has become insolvent. On revocation of the certificate, communication should be made to the subscriber.

The Controller of Certifying Authorities (CCA): The Controller is empowered to resolve any disputes or conflicts of interest between certifying authorities and subscribers. The Controller of Certifying Authorities is appointed by the Central Government by notification in the Official Gazette. The Controller is empowered to appoint such number of Deputy Controllers and Assistant Controllers as he may deem fit. The function of the Controller is to exercise supervision and control over the activities of certifying authorities.

Cyber Regulations Appellate Tribunal (Sec. 48)
The Central Government shall, by notification, establish one or more appellate tribunals to be known as the Cyber Regulations Appellate Tribunal. It shall also specify, in the notification, the matters and places in relation to which the Cyber Appellate Tribunal may exercise its jurisdiction. The Appellate Tribunal shall consist of one person only, known as the Presiding Officer, who shall be appointed by the Central Government. Such a person is equivalent to a High Court judge. Any person aggrieved by a decision or order of the Controller may apply to the Cyber Regulations Appellate Tribunal. Any person aggrieved by a decision or order of the Appellate Tribunal may apply to the High Court within 60 days.

What Is Electronic Governance?
E-governance means the filing of any form, application or other document with a government department in electronic form; similarly, the government department can issue or grant any licence or permission through electronic means. Examples:
e-filing of company incorporation and related documents: www.mca.gov.in
e-filing related to income tax: https://incomefaxindiaefiling.gov.in
e-filing of patent applications: http://ipindiaonline.gov.in/on_line

Benefits of Electronic Governance
E-governance will help in the low-cost, efficient and transparent working of government departments. The problems of manpower shortage at government offices and of bribery can be avoided easily. Accuracy and record maintenance will be faster and smoother.

Legal Recognition of Electronic Records (Section 4)
Where any Act requires that information should be in writing, and such information or form is stored or saved in electronic form, the requirement of the Act is satisfied if the information or matter is:
1. rendered or made available in an electronic record; and
2. accessible so as to be usable for a subsequent reference.

Retention of Electronic Records
If any Act provides that documents, records or information shall be retained for any specific period, the requirement of the Act is satisfied if:
1. the information contained in the electronic form remains accessible and usable for future reference;
2. the electronic record is retained in the format in which it was originally sent, received or generated; and
3. the details of identification of the origin, destination, date and time of dispatch or receipt of the record are available.

CASE STUDY: Gyandoot as an e-government project
In June 2000, Gyandoot, an e-government project launched by the state of Madhya Pradesh (India), won the prestigious "Stockholm Challenge Award" in the 'Public Service and Democracy' category. The project bagged the award for being the best among the 600 e-government projects from all over the world.

The project aimed to find low-cost ways of overcoming the problems created by the state's poor infrastructure, and attempted to connect remote rural areas with major markets and distant government offices. Senior officials in the panchayats of the Dhar district of MP, in collaboration with the state government, decided to connect all the villages through a network of computers. One of the major problems faced by the villagers of Dhar district was the lack of correct and timely information, as a result of which they did not get adequate returns for their efforts. After the implementation of the project, all the relevant information and a few government-related services required by the villagers were made available at the click of a mouse.

In its initial phase, the Gyandoot project aimed at establishing 21 computer centres/rural cyber cafes. Each computer centre, on average, provided services to about 15 Gram Panchayats and 25 to 30 villages, serving around 20,000 to 30,000 villagers. Most of the centres had been established in the buildings of gram panchayats, which were located at prominent market places or in villages on major roads where people travelled frequently. The gram panchayat also provided the required furniture, telephone and electricity connection to the computer centres.

After analysing the profit potential of computer centres, the District Level Coordination Committee of bankers approved a loan unit for the setting up of computer centres under the Swarnajayanti Gram Swarozgar (Golden Jubilee Village Self Employment) scheme. The scheme offered self-employment opportunities to local youth who had passed 10th standard. By taking a loan from the bank, these individuals could purchase computers and set up computer centres on their own. This would enable them to earn their livelihood as well as generate the money needed to maintain and run the system. The best part of this scheme was that it did not burden the MP government financially, as it was self-sustaining and viable.

Gyandoot was evaluated on the basis of five basic criteria: User Need, Innovation, Accessibility, Transferability and Sustainability. Gyandoot was judged the best e-government project due to its social, economic and cultural relevance and its immense potential to improve the society in which it functioned.

Pune Citibank Mphasis Call Center Fraud
This is a case of social engineering. US$ 3,50,000 from Citibank accounts of four US customers was dishonestly transferred to bogus accounts in Pune through the Internet. Some employees of a call centre gained the confidence of the US customers and obtained their PIN numbers under the guise of helping the customers out of difficult situations. Later they used these numbers to commit fraud. The highest security prevails in call centres in India, as they know that they will otherwise lose their business. Call centre employees are checked when they go in and out so that they cannot copy down numbers, and therefore they could not have noted these down. They must have memorised the numbers, gone out immediately to a cyber café and accessed the Citibank accounts of the customers. All the accounts were opened in Pune, and the customers complained that the money from their accounts had been transferred to Pune accounts; that is how the criminals were traced. The police have been able to prove the honesty of the call centre and have frozen the accounts to which the money was transferred.

On the basis of the above case, it is very clear that there is a need for a strict background check of call centre executives. However, even the best background checks cannot eliminate bad elements from coming in and breaching security. We must still ensure such checks when a person is hired. There is a need for a national ID and a national database against which a name can be checked. However, in this case the preliminary investigations do not reveal that the criminals had any criminal history. Customer education is very important so that customers do not get taken for a ride. Most banks are guilty of not doing this.

Sony.Sambandh.Com Case

A complaint was filed by Sony India Private Ltd, which runs a website called www.sonysambandh.com targeting Non-Resident Indians. The website enables NRIs to send Sony products to their friends and relatives in India after paying for them online. The company undertakes to deliver the products to the concerned recipients. In May 2002, someone logged onto the website under the identity of Barbara Campa and ordered a Sony colour television set and a cordless headphone. She gave her credit card number for payment and requested that the products be delivered to Arif Azim in Noida. The payment was duly cleared by the credit card agency and the transaction processed. After following the relevant procedures of due diligence and checking, the company delivered the items to Arif Azim. At the time of delivery, the company took digital photographs showing the delivery being accepted by Arif Azim. The transaction closed at that, but after one and a half months the credit card agency informed the company that this was an

The company lodged a complaint for online cheating with the Central Bureau of Investigation, which registered a case. The matter was investigated and Arif Azim was arrested. Investigations revealed that Arif Azim, while working at a call centre in Noida, had gained access to the credit card number of an American national, which he misused on the company's site. The CBI recovered the colour television and the cordless headphone. The court convicted Arif Azim of cheating under Sections 418, 419 and 420 of the Indian Penal Code, this being the first conviction in a cyber crime case. The court, however, felt that as the accused was a young boy of 24 years and a first-time convict, a lenient view needed to be taken. The court therefore released the accused on probation for one year. The judgment is of immense significance for the entire nation. Besides being the first conviction in a cyber crime matter, it has shown that the Indian Penal Code can be effectively applied to certain categories of cyber crimes which are not covered under the Information Technology Act 2000. Secondly, a judgment of this sort sends out a clear message to all that the law cannot be taken for a ride.

SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra

In this case, the defendant Jogesh Kwatra, an employee of the plaintiff company, started sending derogatory, defamatory, filthy and abusive emails to his employers as well as to different subsidiaries of the said company all over the world, with the aim of defaming the company and its Managing Director Mr. R K Malhotra. The plaintiff filed a suit for a permanent injunction restraining the defendant from sending derogatory emails to the plaintiff. The plaintiff contended that the emails sent by the defendant were distinctly obscene, abusive, intimidating, humiliating and defamatory in nature, and that the aim of sending the said emails was to malign the high reputation of the plaintiffs all over India and the world. The Delhi High Court restrained the defendant from sending derogatory, defamatory, obscene, humiliating and abusive emails either to the plaintiffs or to its subsidiaries all over the

Further, the Hon'ble Judge also restrained the defendant from publishing, transmitting or causing to be published any information, in the actual world as well as in cyberspace, which is derogatory or defamatory or abusive of the plaintiffs. This order of the Delhi High Court assumes tremendous significance, as this is the first time that an Indian court has assumed jurisdiction in a matter concerning cyber defamation and granted an injunction restraining the defendant from defaming the plaintiffs by sending defamatory emails.

State of Tamil Nadu Vs Suhas Katti (2004)


The case related to the posting of obscene, defamatory and annoying messages about a divorcee woman in a Yahoo message group. E-mails were also forwarded to the victim for information by the accused through a false e-mail account opened by him in the name of the victim. The posting of the message resulted in annoying phone calls to the lady in the belief that she was soliciting. The accused was a known family friend of the victim and was reportedly interested in marrying her. She however married another person. This marriage later ended in divorce and the accused started contacting her once again. On her reluctance to marry him, the accused took up the harassment through the Internet. The accused was found guilty and convicted of offences under Sections 469 and 509 IPC and Section 67 of the IT Act 2000. This is considered the first case convicted under Section 67 of the Information Technology Act 2000 in India.
Seth Associates, 2008. All Rights Reserved.

The verdict extract


The accused is convicted and is sentenced for the offence under Section 469 IPC to undergo RI for 2 years and to pay a fine of Rs.500/-; for the offence u/s 509 IPC, sentenced to undergo 1 year simple imprisonment and to pay a fine of Rs.500/-; and for the offence u/s 67 of the IT Act 2000, to undergo RI for 2 years and to pay a fine of Rs.4000/-. All sentences to run concurrently.

The accused paid the fine amount and was lodged at Central Prison, Chennai.

PHISHING IN INDIA
Phishing means sending an e-mail that falsely claims to be from a particular enterprise (like your bank) and asks for sensitive financial information. Another variant of phishing is vishing (voice phishing). It is the practice of sending a fraudulent e-mail to consumers that appears to be from a local bank, credit union or other financially related website and contains what appears to be a local phone number. The fraudulent e-mail will appear to inform the consumer of some type of problem with their account and instruct them to dial a local phone number. Consumers who are used to calling automated tellers are tricked into using their phone keypad to type vital account numbers, PINs and other financial information into overseas computers (Baker (2007)).

In India there have been several cases of attacks on genuine websites. Financial institutions are the main targets of phishers, particularly private banks. The major incidents reported concern ICICI, HDFC, UTI and State Bank of India. Many elderly customers who have just begun using the online facilities of financial institutions are falling prey to phishers. The messages sent to customers are similar to the one described here, which was sent to ICICI customers. The mail reads that ICICI Bank is upgrading to a new SSL server to insulate customers against online identity theft and other criminal activities. Users are told to confirm their personal banking information by following the link given in the mail. It also warns that if the user does not complete the form, the online bank account will be suspended until further notification.
