
Course: Regulatory framework for e-Governance

Day 2

Session 5: Legal & Policy Framework for e-Governance Applications
Agenda

• Need for a Regulatory Framework for e-Governance
• IT Act 2000, its amendments & related provisions
• Role of Digital Signature Certificates (DSCs) in e-Governance


Why a Regulatory Framework?

• e-Commerce & e-Government service delivery involves:
  - Use of Electronic Records
  - Electronic Transactions
  - Electronic Contracts
  - Handling of citizen data & privacy issues
  - Issue of Certificates electronically…

  Most of these issues are common also to the wider e-Commerce landscape of the country, and need to be addressed to build trust in electronic transactions. The existing Regulatory Framework may need amendments to recognise this new form of doing business.

• Other e-Governance specific aspects include:
  - Legal backing to e-Governance initiatives
  - Formalisation of Standards and Interoperability norms
  - Data Protection, Privacy and IPR issues
  - Mechanism for socially inclusive service delivery

Slide 3
Emergence of e-Commerce

• Increased use of electronic means of transactions
• Bulk of transactions occur in the G2B, B2G and B2B space
• Use of an array of different technologies:
  - Web-based applications
  - Emails
  - Instant messaging
  - Mobile devices
• The importance of building a solid enabling regulatory framework for electronic transactions is evident

Slide 4
Electronic Transactions: How are they different?

• Challenges posed by e-Commerce:
  - Classification difficulties: the virtual goods
  - New contract types: web hosting, web server etc.
  - Transactions taking place in open platforms
• … but the essence of business transactions remains the same.
• Conventional law has not become obsolete...
  - “On line” contracts are not different from “off line”
  - The medium of a transaction is generally irrelevant for the law.
• …and nevertheless, it requires some adaptation.

Slide 5
Legal Obstacles to e-Commerce

• Legal concepts are based on the existence of a tangible medium:
  - “instrument”, “document”, “original”, “signature”

• Legal concepts based on geographic location:
  - “delivery”, “receipt”, “dispatch”, “surrender”

• Functional Equivalence needs to be established between the manual and electronic media used (electronic records, signatures, documents, communication)

Slide 6
Key Principle of IT Legislation - Functional Equivalence

• Paper-based requirements (“writing”, “record”, “signature”, “original”) specify certain purposes and functions
• Consider the criteria necessary to replicate those functions and give electronic data the same level of recognition as information on paper
• A paper document signed by an individual fulfils the following criteria:
  - The document can be attributed to the individual, as the signature is unique to the person (authenticity, non-repudiation and integrity)
• If the electronic document can replicate these functions (e.g. by use of a Digital Signature Certificate attached to the document), it is functionally equivalent to the paper document

Slide 7
Providing legal backing for Functional Equivalence

If certain conditions are fulfilled, the legal value of electronic transactions shall be equivalent to that of other forms of communication, such as the written form.

This can be achieved by a single enactment of law, without having to review every single piece of existing legislation establishing formal requirements.

The Indian IT Act, 2000 achieves this by defining the conditions by which equivalence can be ascertained between paper-based and electronic documents.

Slide 8
Illustrative Example – Electronic Transactions

Individual Income tax filing - manual:
• Citizen obtains the paper Income Tax Return form
• Citizen fills up details in the ITR form
• Authenticates the ITR form by affixing signature
• Submits the ITR form at the respective Income Tax office and obtains acknowledgement

Individual Income tax filing - electronic:
• Citizen downloads the return preparation software tool from the Income Tax portal
• Income details are entered in the tool and the tool generates the ITR XML
• The XML is signed by the citizen using a Digital Signature Certificate and submitted at the Income Tax portal
• The Portal provides acknowledgement of submission

• Does the digitally signed XML submission have the same legal recognition as the paper return with handwritten signature?
• Can the acknowledgement be used as proof of IT return filing?

Yes! As long as the functional equivalence is established by law


Slide 9
Illustrative Example – Electronic Evidence

A terrorist attack has occurred at one of the important landmarks in the capital. The terrorists involved were gunned down by police, and laptops and hard disks were seized from them.

After inspection of the contents of the laptops and the hard disks, police have found incriminating evidence relating to the conspirators behind the attack.

The police arrest the conspirators based on the evidence collected from the electronic data, and build a case around the evidence.
But will the evidence hold good in a Court of Law?

Yes! With the admissibility of electronic evidence under section 65B of the Indian Evidence Act, 1872.
This scenario actually happened during the Parliament attack of 2001!!

Slide 10
Other Principles of IT Legislation (1/2)

Technology Neutrality
- Law should address all existing technologies and those that will be developed in the future
- Equal treatment of paper-based and electronic transactions
- Equal treatment of different techniques (EDI, e-mail, Internet, telegram, telex, fax)

Law should not mention any specific technology, and should allow Rules to be drafted under the law to provide recognition to specific technologies (case of electronic signatures)

Slide 11
Other Principles of IT Legislation (2/2)

Party Autonomy
- Primacy of party agreement on whether and how to use e-commerce techniques
- Parties free to choose the security level appropriate for their transactions

Example: eBay uses a security level for buyers which consists of username & password

Example: the Income Tax dept requires Digital Signatures for online filing of IT returns

Slide 12
Other Aspects of Regulatory Framework (1/2)

• Admissibility and evidential weight of e-communication:
  - Evidence of a record may not be excluded solely because it is in electronic form, and evidential weight is to be given according to the reliability of the data

• Data Protection and Privacy
  - Clear distinction between personal and public data
  - Protection for personal data

• Cyber crimes & Offences
  - Specifying different types of cybercrimes
  - Empowerment of law enforcement agencies

Slide 13
Other Aspects of Regulatory Framework (2/2)

• Intellectual Property Rights:
  - IPR for software, source code, patents (for hardware & software), trademarks (in relation to domain names)

• Consumer protection:
  - Against invasion of privacy, spam, illegal or harmful content

• Liability and dispute settlement mechanisms
  - Adjudication mechanisms for cyber offences

• Jurisdiction & e-taxation
  - Jurisdiction for legal action and taxation

Slide 14
IT Act 2000, its Amendments & related provisions
• Genesis of IT Act – UNCITRAL Model Law of e-Commerce
• Objectives of IT Act
• Snapshot of provisions of IT Act
• Admissibility of electronic records

Slide 15
Genesis of IT Act - The UNCITRAL Model Law

• As electronic transactions extend across national boundaries, there is a need for international harmonization of IT laws
• The United Nations Commission on International Trade Law (UNCITRAL) is the legal body of the United Nations system in the field of international trade law
• UNCITRAL drafted the “UNCITRAL Model Law on Electronic Commerce - 1996” for adoption by countries
• The e-Commerce / IT laws of most countries are modelled on the UNCITRAL Model Law

Slide 16
Adoption of UNCITRAL Model Law on e-Commerce

Australia (1999), Colombia * (1999), Bahrain (2002), Dominican Republic * (2002), Ecuador * (2002), France (2000), India * (IT Act 2000), Ireland (2000), Jordan (2000), Mauritius (2000), Mexico (2000), New Zealand (2000), Pakistan (2000), Panama * (2001), Philippines (2000), Republic of Korea (1999), Singapore (1998), Slovenia (2000), South Africa * (2002), Thailand (2003), Venezuela (2001), and the United States (Uniform Electronic Transactions Act 1999)

* Except for provisions on electronic signatures

Slide 17
Objectives of the Model Law

• To facilitate rather than regulate electronic commerce
• To adapt existing legal requirements
• To provide basic legal validity and raise legal certainty

• Basic Principles of the Model Law
  - Functional Equivalence: law to provide conditions for equivalence of handwritten (manual) and electronic records, signatures etc.
  - Media and Technology Neutrality: law to treat all technologies on an equal footing
  - Party Autonomy: law to provide the transacting parties the autonomy to choose to use e-Commerce and decide security levels

Slide 18
IT Act, 2000
• Came into effect from October 17th, 2000, on the lines of the UNCITRAL Model Law
• India is the 12th nation in the world to adopt digital signatures
• The Act applies to the whole of India and also applies to any offence or contravention thereunder committed outside India by any person irrespective of his nationality, if such act involves a computer, computer system or network located in India
• 90 Sections segregated into 13 Chapters and 2 Schedules
• IT Act 2000 was amended through the Information Technology Amendment Act, 2008, which came into effect from October 27, 2009

Slide 19
Objectives of IT Act, 2000

• Legal recognition for transactions carried out by means of electronic data interchange
  - Digital Signatures and a Regulatory Regime for Digital Signatures
  - Admissibility of electronic documents at par with paper documents
• E-Governance
  - Use of electronic records & digital signatures by Government & its agencies
• Define civil wrongs, offences, punishments
  - Investigation, adjudication of cyber crimes
  - Appeal provisions
• Amendment of existing Acts to address IT Act provisions
  - Indian Penal Code & Indian Evidence Act, 1872
  - Bankers’ Books Evidence Act, 1891 & Reserve Bank of India Act, 1934

Slide 20
Exceptions to the Applicability of the Act

• a negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881;
• a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;
• a trust as defined in section 3 of the Indian Trusts Act, 1882;
• a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925, including any other testamentary disposition;
• any contract for the sale or conveyance of immovable property or any interest in such property;
• any such class of documents or transactions as may be notified by the Central Government

Slide 21
IT Act – Important Definitions

• "computer" means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network;

• "computer network" means the inter-connection of one or more computers through (i) the use of satellite, microwave, terrestrial line or other communication media; and (ii) terminals or a complex consisting of two or more interconnected computers, whether or not the interconnection is continuously maintained;

Slide 22
IT Act – Important Definitions

• "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;

• "secure electronic record": where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification

Slide 23
Snapshot of the IT Act and its provisions - 1

Chapter I: Preliminary
• Act extends to the whole of India (Section 1)
• Exceptions to applicability (Section 1(4))

Chapter II: Digital Signature
• Authentication of electronic records (Section 3)
• Legal framework for affixing a Digital Signature by use of an asymmetric crypto system and hash function (Section 3)

Chapter III: Electronic Governance
• Legal recognition of electronic records (Section 4)
• Legal recognition of digital signatures (Section 5)
• Retention of electronic records (Section 7)
• Publication of the Official Gazette in electronic form (Section 8)

Slide 24
Snapshot of the IT Act and its provisions - 2

Chapter IV
• Attribution, acknowledgement and receipt of electronic documents

Chapter V
• Security procedure for electronic records and digital signatures (Sections 14, 15, 16)

Chapters VI - VIII
• Licensing and regulation of Certifying Authorities for issuing digital signature certificates (Sections 17-34)
• Functions of the Controller (Section 18)
• Appointment of Certifying Authorities and the Controller of Certifying Authorities, including recognition of foreign Certifying Authorities (Section 19)
• Controller to act as repository of all digital signature certificates (Section 20)

Slide 25
Snapshot of the IT Act and its provisions - 3

Chapters IX & XI
• Data protection (Sections 43 & 66, 66B, 66C & 66D)
• Various types of computer crimes defined and stringent penalties provided under the Act (Sections 43, 43A, 66, 66B, 66C, 66D, 67, 67A, 67B, 72, 72A)
• Appointment of Adjudicating Officer for holding inquiries under the Act (Sections 46 & 47)

Chapter X
• Establishment of the Cyber Appellate Tribunal under the Act (Sections 48-56)
• Appeal from order of Adjudicating Officer to the Cyber Appellate Tribunal and not to any Civil Court (Section 57)
• Appeal from order of the Cyber Appellate Tribunal to the High Court (Section 62)

Slide 26
Snapshot of the IT Act and its provisions - 4

Chapters XI & XII
• Interception of information from computer to computer (Section 69) & Protected Systems (Section 70)
• Act to apply to offences or contraventions committed outside India (Section 75)
• Computer crimes to be investigated by an officer not below the rank of Inspector (Section 78)
• Network service providers not to be liable in certain cases (Section 79)

Chapter XIII
• Power of police officers and other officers to enter any public place and search and arrest without warrant (Section 80)
• Offences by companies (Section 85)
• Constitution of the Cyber Regulations Advisory Committee, which will advise the Central Government and the Controller (Section 88)

Slide 27
Snapshot of the IT Act and its provisions - 5

Schedule I
• Amendments to the Indian Penal Code (IPC)

Schedule II
• Amendments to the Indian Evidence Act, 1872
• Clauses relating to admissibility of electronic records as evidence

Schedule III
• Amendments to the Bankers’ Books Evidence Act, 1891

Schedule IV
• Amendments to the Reserve Bank of India Act, 1934

Schedules III and IV were deleted by the IT Act Amendment 2008

Slide 28
Overriding effect of the IT Act

• Section 81: The provisions of this Act shall have effect notwithstanding anything
inconsistent therewith contained in any other law for the time being in force.

• Only exceptions to the overriding effect of the IT Act are the Copyright Act and
Patents Act:
“Provided that nothing contained in this Act shall restrict any person from
exercising any right conferred under the Copyright Act 1957 or the Patents
Act 1970”

Slide 29
Authentication of Electronic Records

• Section 3: Any electronic record may be authenticated by a subscriber using a Digital Signature
  “The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record”

The Digital Signature Regime will be discussed in detail in the next session

Slide 30
Retention of Electronic Records

Section 7: Where any law provides that documents, records or information shall be retained for any specific period, then that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, if:
• the information contained therein remains accessible so as to be usable for a subsequent reference;
• the electronic record is retained in the format in which it was originally generated, sent or received, or in a format which can be demonstrated to represent accurately
• the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record.

Slide 31
Digital Signatures

• References in IT Act to Digital Signatures
• PKI Basics & How a Digital Signature Works
• Concepts of Integrity, Non-repudiation, Authenticity and Confidentiality
• Digital Signature for signing and encryption
• Digital Signature Regime
  - Controller of CAs
  - Certifying Authorities
  - Subscribers

Slide 32
Digital Signatures – Reference in IT Act, 2000

• Section 3:
  - Any subscriber may authenticate an electronic record by affixing his Digital Signature
  - The authentication is to be effected by use of an asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record
  - The private key and the public key are unique to the subscriber and constitute a functioning key pair
  - Verification of the electronic record is possible using the public key of the subscriber
• Section 5: Establishes equivalence of Digital and handwritten signatures
• Section 10: Confers on the Central Government the authority to prescribe the Digital Signature Regime through Rules drafted under IT Act, 2000

Slide 33
Digital Signatures – Rights conferred on Central Govt.

• (Section 10) The Central Government may, for the purposes of this Act, by rules,
prescribe:
- the type of digital signature;
- the manner and format in which the digital signature shall be affixed;
- the manner or procedure which facilitates identification of the person affixing
the digital signature;
- control processes and procedures to ensure adequate integrity, security and
confidentiality of electronic records or payments;
- any other matter which is necessary to give legal effect to digital signatures.

Slide 34
Specifics of IT (Certifying Authorities) Rules, 2000

• Rules brought out by the Central Government as per section 10 of the IT Act
  - “Digital Signature shall be created and verified by cryptography that concerns itself with transforming electronic record into seemingly unintelligible forms and back again”
  - Public Key Cryptography to be used for creation and verification of Digital Signatures
  - Prescribes the ITU-T X.509 version 3 standard for Digital Signature Certificates
  - Defines the Digital Signature Regime, including guidelines for Licensed Certifying Authorities

Slide 35
Public Key Cryptography is..

• A form of cryptography in which each user has a private key and an associated public key
• Distinct public / private key pairs may be used for either signing a message or for data encryption
• Senders sign with their private key and encrypt with the recipient’s public key.

A Digital Signature Certificate is an electronic record that binds a public key to the owner of the corresponding private key and is signed by a trusted entity (Licensed Certifying Authority)

Slide 36
PKI Basics

• Any message, irrespective of its length, is reduced by a one-way hash function to a short fixed-length value called the Digest or the Hash; a cryptographic hash is designed so that two different messages with the same digest cannot practically be found
• The smallest change in the message will change the Hash value
• The user himself generates the key pair in his computer (or inside a token):
  - The Private Key, known only to the user, is used for making the Digital Signature
  - The Public Key, which is published with the Certifying Authority, is known to everyone and is used to verify the Digital Signature
  - The keys are unique to the user

Slide 37
What is a Digital Signature?

[Diagram: Electronic Document → Message Digest → RSA encryption with the Private Signature Key → Signature, which forms part of the document]

• The hash value of a message, when encrypted with the private key of a person, is his digital signature on that e-Document
  - The digital signature of a person therefore varies from document to document, binding the signature to every bit of that document
  - As the public key of the signer is known, anybody can verify the message and the digital signature

Slide 38
Security Services fulfilled by PKI

Service: Privacy / Confidentiality
  What it means: Protection against access by unintended recipients
  How it is fulfilled: By encryption using the recipient’s Public Key

Service: Authenticity
  What it means: Proof that the sender is actually who he claims to be
  How it is fulfilled: By signing using the sender’s Private Key, which can be verified by the recipient using the sender’s public key

Service: Non-repudiation
  What it means: Proof that the sender has actually sent the signed message
  How it is fulfilled: By signing using the sender’s Private Key (as above)

Service: Integrity
  What it means: Any changes in the original signed message should be detected
  How it is fulfilled: By signing using the sender’s Private Key (as above)

Slide 39
Digital Signature Signing – How it Works

[Diagram: A hashes the electronic record to a digest, transforms the digest with A’s private signature key, and transmits the record together with the signature. B recomputes Digest 1 from the received record, recovers Digest 2 from the signature using A’s public key, and compares the two: equal = good, not equal = bad]

Anyone with access to the above information can:
• Confirm A’s identity: Authenticate
• Confirm message is intact: Integrity
• Prove A sent message: Non-repudiation

Slide 40
Encryption using Digital Signatures - Confidentiality

[Diagram: A encrypts the plain text with B’s public key → ciphertext → B decrypts with B’s private key]

• A sends confidential data to B, knowing that only B can decrypt what is sent
• A encrypts with B’s public key (openly available)
• B decrypts with his own private key (kept secret)

Slide 41
PKI Hierarchy in India

[Diagram: the CCA certifies the public keys of the CAs; each CA certifies the public keys of its subscribers and maintains a Certificate Directory and a CRL. The subscriber signs the electronic record using the private key; the relying party requests the CA for certification of the sender’s public key]

Slide 42
Digital Signature Regime in India

• Controller of Certifying Authorities
  - Set up as per IT Act, 2000 to license and regulate the working of Certifying Authorities
  - Lays down standards and conditions governing Certifying Authorities and specifies the various forms and content of Digital Signature Certificates
  - Certifies the public keys of the licensed CAs by operating the Root Certifying Authority of India (RCAI) key
• Licensed Certifying Authorities
  - Agencies authorised by the CCA to issue Digital Signature Certificates to end users and to certify the public key of the subscriber
• Registration Authorities
  - Agencies authorized by a CA for operational activities like face-to-face verification, registration of certificate information etc.
• Subscribers
  - End users who apply for Digital Signature Certificates to Licensed CAs

Slide 43
Certifying Authorities in India

• Must be widely known and trusted
• Must have a well defined identification process before issuing the certificate
• Provides online access to all the certificates issued
• Provides online access to the list of certificates revoked (Certificate Revocation List)
• Displays online the license issued by the Controller
• Displays online the approved Certification Practice Statement (CPS)
• Must adhere to IT Act / Rules / Regulations and Guidelines

Licensed CAs:
- Safescrypt
- IDRBT
- NIC
- TCS
- MTNL
- GNFC
- e-Mudhra CA

Slide 44
Maintenance of Certificate Database

[Diagram: the user’s key pair is generated at the user’s computer; the user sends a certificate request containing the user’s credentials and public key to the CA; the CA validates the credentials and issues a Digital Signature Certificate containing the user’s name, the user’s public key, the validity period and the signature of the CA made with the CA’s private key; the certificate is published in the CA’s Certificate Database alongside the User 1 certificate, User 2 certificate, …]
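The signing, verification and encryption flow of Slides 37-40, the CCA → CA → subscriber hierarchy of Slide 41 and the certificate issuance of Slide 44, as one added worked example in Python. This is illustration code written for this page, not code from the course, the CCA or any licensed CA. It uses textbook RSA with no padding, a seeded PRNG and 512-bit keys so that it runs offline in a few seconds; the function names (`keygen`, `issue_certificate`, `verify_chain`), the toy certificate layout and the ITR record are assumptions made for the example. A real DSC is an X.509 v3 certificate, real signatures use a padded scheme such as RSA-PSS or PKCS#1 v1.5, and real keys are generated on a token, not in a script.

```python
import hashlib
import random
from math import gcd

# Assumption: a fixed seed keeps the run reproducible. Real keys come from a CSPRNG,
# generated inside a USB token or smart card where possible (Slide 46).
_rng = random.Random(2000)

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:  # odd candidate of exactly `bits` bits, until one passes the test
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def keygen(bits: int = 512):
    """Slide 36: the subscriber generates the pair; returns ((e, n), (d, n))."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def digest(message: bytes) -> int:
    """Slide 36: SHA-256 digest of the record as an integer (256 bits, so < n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private, message: bytes) -> int:
    """Slide 37: signature = digest transformed with the private exponent d mod n."""
    return pow(digest(message), *private)

def verify(public, message: bytes, signature: int) -> bool:
    """Slide 39: Digest 1 recomputed from the record == Digest 2 recovered with (e, n)."""
    return pow(signature, *public) == digest(message)

def encrypt(public, plaintext: bytes) -> int:
    """Slide 40: A encrypts with B's public key (plaintext must be shorter than n)."""
    return pow(int.from_bytes(plaintext, "big"), *public)

def decrypt(private, ciphertext: int) -> bytes:
    """Slide 40: only B's private key recovers the plaintext."""
    m = pow(ciphertext, *private)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _tbs(subject: str, public) -> bytes:
    """To-be-signed part of a toy certificate: the name bound to the public key."""
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_certificate(issuer: str, issuer_private, subject: str, subject_public):
    """Slide 44: the CA signs the (name, public key) binding with its private key."""
    return {"subject": subject, "public": subject_public, "issuer": issuer,
            "signature": sign(issuer_private, _tbs(subject, subject_public))}

def verify_chain(chain, trusted_root_public) -> bool:
    """Slide 41: walk CCA -> CA -> subscriber; each certificate is checked with the
    key established by the certificate above it, starting from the trusted root."""
    key = trusted_root_public
    for cert in chain:
        if not verify(key, _tbs(cert["subject"], cert["public"]), cert["signature"]):
            return False
        key = cert["public"]
    return True

def demo():
    """Constructed scenario: CCA certifies a CA, the CA certifies a subscriber, the
    subscriber signs an invented ITR record, and a relying party checks it all."""
    cca_pub, cca_priv = keygen()
    ca_pub, ca_priv = keygen()
    sub_pub, sub_priv = keygen()
    chain = [issue_certificate("CCA", cca_priv, "CA", ca_pub),
             issue_certificate("CA", ca_priv, "subscriber", sub_pub)]
    record = b"ITR-XML:income=1200000"  # constructed sample record
    sig = sign(sub_priv, record)
    return {
        "chain_ok": verify_chain(chain, cca_pub),
        "sig_ok": verify(chain[-1]["public"], record, sig),
        "tampered_ok": verify(sub_pub, record.replace(b"1200000", b"120000"), sig),
        "rogue_root_ok": verify_chain(chain, ca_pub),  # wrong trust anchor
        "roundtrip": decrypt(sub_priv, encrypt(sub_pub, b"confidential")),
    }
```

Running `demo()` gives `chain_ok` and `sig_ok` true, `tampered_ok` and `rogue_root_ok` false (a single changed digit in the record, or the wrong trust anchor, both fail verification), and the encrypted text comes back unchanged. The point of Slide 39 shows up directly: the relying party needs nothing secret, only the signer's public key as vouched for by the chain back to the CCA.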

Slide 45
Registration Authorities

• Agencies who are authorized by CAs to carry out certain delegated responsibilities
• Basic tasks of RAs include:
  - Registration of certificate information
  - Face-to-face registration
  - Remote registration
  - Automatic registration
  - Revocation
• The RA is subsumed in the CA, and total responsibility for all actions of the RA is vested in the CA

Slide 46
Private Key Protection

• A critical requirement for the success of the Digital Signature Regime is the security of the private keys
• To ensure security of private keys:
  - The key pair is generated within the device holding the private key
  - The key can be in a PIN-protected soft token residing in the user’s computer, or in a USB token or smart card
• PIN-protected soft tokens:
  - Reside in the user’s computer and hence do not offer mobility
  - The key resides in encrypted form on the user’s hard disk, so its protection is only as strong as the PIN and the host computer

• USB / smart card tokens:
  - Provide mobility across computers with a smart card reader / USB port
  - The key is highly secured as it is generated within the device and does not leave the device at any time
Slide 47
Classes of Digital Signatures

There are 4 general classes of Digital Signature Certificates, classified as per the level of assurance (listed in increasing order of assurance):
• Class 0: Issued for demonstration / test purposes
• Class 1: Issued to individuals / private subscribers. This class of certificate confirms only the user’s name and e-mail address
• Class 2: Issued to both business persons and private individuals. This class of certificate confirms the information provided by the subscriber
• Class 3: Issued to individuals as well as organizations. This class of certificate is used in e-Commerce applications where high assurance is required. It is issued to an individual only on their personal appearance before the CA

Slide 48
Digital Signatures – IT Act Amendment

• The PKI Digital Signature Regime proposed by the IT Act of 2000 is technology specific
• This is against the global best practices as envisaged in the UNCITRAL Model Law on Electronic Signatures – 2001:
  - Any electronic signature technology which fulfils the criteria of equivalence between handwritten and electronic signatures should be admissible
• Accordingly, the IT Act Amendments of 2008 provided recognition to other electronic signature technologies, which are identified by the Central Government

Slide 49
Illustrative Case: Use of DSC in Income Tax filing

• Using PKI based Digital Signatures to enable taxpayers to file tax returns online
• By offering an electronic alternative, the Tax Offices have reduced return-processing times significantly
• Any individual having a DSC from any Licensed CA can file the return in a complete online process

Source: https://incometaxindiaefiling.gov.in/portal/index.do

Slide 50
Illustrative Case: Use of DSC in MCA21

• Online submission of documents for company registration
• Online filing of returns and balance sheets
• Online filing of other documents needed for statutory compliance
• Reduction in time and cost in transacting with the Ministry
• Reduction in administrative burden for the Ministry in receipt and processing of documents

Source: http://www.mca.gov.in/MCA21/

Slide 51
Illustrative Case: Use of DSC in GoAP e-Procurement

• Online procurement workflow by government agencies
• Online bid preparation and submission by the bidders, with digital signing at each workflow action
• Electronic evaluation of bids
• Reduction in time and cost in procurement
• Improvement in transparency in procurement

Source: http://www.eprocurement.gov.in/

Slide 52
End of Session
