
Law related to Cyber Space
Introduction to Cyber Law
• "Cyber" is a prefix used to describe a person, thing, or idea as part of the computer and information age. Derived from kybernetes, the Greek word for "steersman" or "governor," it was first used in cybernetics, a word coined by American mathematician Norbert Wiener and his colleagues.
• The virtual world of the internet is known as cyberspace and has universal jurisdiction.
• Cyber law is the law governing computers and the internet.
• The growth of Electronic Commerce has propelled the need for vibrant and effective regulatory mechanisms which would further strengthen the legal infrastructure, so crucial to the success of Electronic Commerce.
History of Internet and World Wide Web

The origins of the Internet date back to the 1960s, when the United States funded research projects of its military agencies to build robust, fault-tolerant and distributed computer networks called “ARPANET” (Advanced Research Projects Agency Network).

This research and a period of civilian funding of a new U.S. backbone by the National Science Foundation spawned worldwide participation in the development of new networking technologies and led to the commercialization of an international network in the mid 1990s.
Internet and World Wide Web
The Internet is a global data
communications system. It is a
hardware and software infrastructure
that provides connectivity between
computers.
The Web is one of the services
communicated via the Internet. It is a
collection of interconnected
documents and other resources, linked
by hyperlinks and Uniform Resource
Locators (URLs).
Internet and World Wide Web
The World Wide Web was invented in 1989
by the English physicist Tim Berners-Lee,
now the Director of the World Wide Web
Consortium, and later assisted by Robert
Cailliau, a Belgian computer scientist,
while both were working at CERN
(European Organization for Nuclear
Research) in Geneva, Switzerland. In
1990, they proposed building a "web of
nodes" storing "hypertext pages" viewed by
"browsers" on a network and released that
web in December.
Need for Cyber Law
• Almost all transactions in shares are in DEMAT form.
• Almost all companies extensively depend upon their computer networks and keep their valuable data in electronic form.
• Government forms including income tax returns, company law forms etc. are now filled in electronic form.
• Consumers are increasingly using credit cards for shopping.
• Most people are using email, cell phones and SMS messages for communication.
Need for Cyber Law (Contd.)
• Even in "non-cyber crime" cases, important evidence is found in computers / cell phones, e.g. in cases of divorce, murder, kidnapping, tax evasion, organized crime, terrorist operations, counterfeit currency, etc.
• Cyber crime cases such as online banking frauds, online share trading fraud, source code theft, credit card fraud, tax evasion, virus attacks, cyber sabotage, phishing attacks, email hijacking, denial of service, hacking, pornography etc. are becoming common.
• Digital signatures and e-contracts are fast replacing conventional methods of transacting business.
Origin and Development of Cyber Law
The telegraph was first installed in 1851 and a trans-India telegraph was completed three years later in 1854.
The telegraph had become, in the intervening thirty years, an important tool for British dominion over India by quelling rebellions and consolidating information.
It was thus important for the British to control telegraphy and infrastructure across the subcontinent.
The Indian Telegraph Act, passed in 1885, was intended to give the Central Government power to establish telegraph lines on private as well as public property.
The Indian Telegraph Act, 1885 is a law in India that governs the use of telegraphy, phones, communication, radio, telex and fax in India.

It gives the Government of India exclusive privileges of establishing, maintaining and working telegraphs. It also authorizes the government to tap phone lines under appropriate conditions.

The act came into force on October 1, 1885. Since that time, numerous amendments have been passed to update the act to respond to changes in technology. The latest amendment was passed in 2006, redefining terms from the original act.
UNITED NATIONS COMMISSION ON INTERNATIONAL TRADE LAW (UNCITRAL)
• UNCITRAL Model Law on Electronic Commerce (1996)
• UNCITRAL Model Law on Electronic Signatures (2001)
E-Commerce in the UNCITRAL Model Law
Objectives of the Model Law:
• To facilitate rather than regulate electronic commerce
• To adapt existing legal requirements
• To provide basic legal validity and raise legal certainty
Basic Principles of the Model Law
• Analyze purposes and functions of paper-based requirements (“writing”, “record”, “signature”, “original”)
• Consider criteria necessary to replicate those functions and give electronic data the same level of recognition as information on paper
Basic Principles of the Model Law
Media and technology neutrality
• Equal treatment of paper-based and electronic transactions
• Equal treatment of different techniques (Electronic Data Interchange, E-mail, Internet, Telegram, Telex, Fax)
Basic Principles of the Model Law
Party autonomy
• Primacy of party agreement on whether and how to use e-commerce techniques
• Parties free to choose security level appropriate for their transactions
Promises and Reality of e-Commerce:
Potential for Developing Countries
Increased efficiency and reduced costs
• Government (administrative functions, procurement)
• Private sector and banking (B2B, B2C)
New business opportunities
• New activities and markets
• Data and records processing
• Customer service, telemarketing, call centres
• Software development
• Enhanced access to foreign markets
• Internet export sales
• Tourism
Non-Technology Factors for
e-Commerce Success
Economic factors
• Economic development
• Market size
• E-commerce strategy
Institutional and social factors
• Political stability
• Legal and regulatory framework
E-Commerce and Regulatory
Framework: Two Basic Lessons
• Good laws alone won’t create the market… but inadequate laws may shut the door of a potential market.
• Customers who know you well may be less concerned about the law… but the law may help build trust among those who don’t.
E-Commerce and Private Law
E-Commerce creates new issues:
• Classification difficulties: the virtual goods
• New contract types: web hosting, web server, etc.
… but the essence of business transactions remains the same.

Conventional law has not become obsolete...
• “On line” contracts are not different from “off line”

Medium of a transaction is generally irrelevant for the law… and nevertheless, it requires some adaptation.
Legal Obstacles to E-Commerce

Tangible medium: Instrument, Document, Original, Signature
Geographic location: Delivery, Receipt, Dispatch, Surrender
INFORMATION TECHNOLOGY ACT, 2000 – AN OVERVIEW
The Information Technology Act, 2000 received the assent of the President of India on 9th June, 2000 and came into force from 17th October in that same year.

The Act was enacted to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “Electronic Commerce”, which involve the use of alternatives to paper-based methods of communication and storage of information, and to facilitate electronic filing of documents with government agencies.

This law applies to any kind of information in the form of a data message used in the context of commercial activities.
Objectives of the Act
• To grant legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication;
• To give legal recognition to digital signature / electronic signature for the authentication of any information or matter which requires authentication under any law;
• To facilitate electronic filing of documents with Government departments;
• To facilitate electronic storage of data;
• To facilitate and give legal sanction to electronic fund transfer between banks and financial institutions;
• To give legal recognition for keeping books of account by bankers in electronic form.
Reasons for enacting IT Act
The Act does not apply to -
1. A Negotiable Instrument as defined in Section 13 of
the Negotiable Instruments Act, 1881;
2. A Power-of-Attorney as defined in section 1A of
the Powers-of-Attorney Act, 1882;
3. A Trust as defined in section 3 of the Indian Trusts
Act, 1882;
4. A Will as defined in section 2(h) of the Indian
Succession Act, 1925 including any other
testamentary disposition by whatever name called;
5. Any contract for the sale or conveyance of
immovable property or any interest in such property;
6. Any such class of documents or transactions as
may be notified by the Central Government in the
Official Gazette.
I.T. (Amendment) Act, 2008
Being the first legislation in the nation on technology, computers, e-commerce and e-communication, the Act was the subject of extensive debates, elaborate reviews and detailed criticisms, with one arm of the industry criticizing some sections of the Act as draconian and another stating it is too diluted and lenient.
There were some conspicuous omissions too, resulting in investigators relying more and more on the time-tested (nearly one and a half century old) Indian Penal Code even in technology-based cases, with the I.T. Act also being referred to in the process but the reliance being more on the IPC than on the ITA.
Thus the need for an amendment, a detailed one, was felt for the I.T. Act almost from the year 2003-04 itself. Major industry bodies were consulted and advisory groups were formed to go into the perceived lacunae in the I.T. Act, compare it with similar legislation in other nations and suggest recommendations.
I.T. (Amendment) Act, 2008 (Contd…)
Such recommendations were analyzed and subsequently taken up as a comprehensive Amendment Act. After considerable administrative procedures, the consolidated amendment called the Information Technology Amendment Act 2008 was placed in the Parliament and passed without much debate, towards the end of 2008 (by which time the Mumbai terrorist attack of 26 November 2008 had taken place). This Amendment Act received the President's assent on 5th Feb 2009 and was made effective from 27th October 2009.
• 124 sections and 14 chapters.
• Schedules I and II have been replaced and Schedules III and IV are deleted.
I.T. (Amendment) Act, 2008 (Contd…)
Some of the notable features of the I.T.
(Amendment) Act are as follows:
• Focusing on data privacy
• Focusing on information security
• Defining cyber cafe
• Making digital signature technology neutral
• Defining reasonable security practices to be followed by corporates
• Redefining the role of intermediaries
• Recognizing the role of the Indian Computer Emergency Response Team
• Inclusion of some additional cyber crimes like child pornography and cyber terrorism
• Authorizing an Inspector to investigate cyber offences (as against the DSP earlier)
Cyber Law Deals with -

• Electronic or Digital Signatures
• Intellectual Property
• Data Protection and Privacy
• Cyber Crimes
DIGITAL SIGNATURE
Signature
“There is something sacred about the
signature; it makes everything valid, puts
the seal upon all undertakings, makes bonds
real, guarantees securities, cements pacts of
friendship and alliance between States,
provides the ultimate proofs of integrity in
the highest country of law – the signature is
all in all. Banks will not honour anything
which does not bear a signature; to them
the signature is omnipotent, omnipresent,
omniscient and supreme!”
- Times of India (Annual), 1940
A TRUE SIGNATURE -
• Is authentic
• Cannot be forged
• Cannot be reused
• Proves document has not been altered
• Cannot be repudiated
DIGITAL SIGNATURE
• A digital signature is an electronic scheme for demonstrating the authenticity of a digital message or document.
• A valid digital signature gives the recipient a reason to believe that the message was created by a known sender and that it was not altered in transit.
• Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect imitation or tampering.
Authentication of Digital Signature
A digital signature shall –
• be created and verified by cryptography that concerns itself with transforming electronic records.
• use “Public Key Cryptography”, which employs an algorithm using two different mathematical “keys”: one for creating a digital signature or transforming it and another key for verifying the signature or returning the electronic record to its original form. A hash function shall be used to create this signature. Software utilizing such keys is termed “asymmetric cryptography” [Rule 3 of IT Rules, 2000].
Authentication of Digital Signature (Contd..)
• Digital signatures can be used to authenticate the source of messages. When ownership of a digital signature secret key is bound to a specific user, a valid signature shows that the message was sent by that user. The importance of high confidence in sender authenticity is obvious in a financial context.
• For example, suppose a bank's branch office sends instructions to the central office requesting a change in the balance of an account. If the central office is not convinced that such a message is truly sent from an authorized source, acting on such a request could be a grave mistake.
Verification of Digital Signature
Verification means to determine whether –
• the initial record was affixed with the digital signature by using the “keys” of the subscriber.
• the original record is retained intact or has been altered since such electronic record was bound with the digital signature [Sec.2(1)(zh)].
Digital Signature Certificate
• A digital signature certificate is an electronic document which uses a digital signature to bind identity information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that it belongs to an individual.
• Any person can make an application to the Certifying Authority for the issue of this digital certificate. The Authority charges fees (as prescribed by the Central Government) for the issue of a “digital signature certificate”.
Generation of Digital Certificate
The generation of a digital signature certificate shall involve –
• receipt of an approved and verified certificate request.
• creating a new digital signature certificate.
• a distinguished name associated with the digital certificate owner.
• a recognized and relevant policy as defined in the certification practice statement [Rule 24 of the IT rules].
Compromise of Digital Certificate
A digital signature certificate shall be deemed to be compromised where the integrity of –
• The key associated with the certificate is in doubt.
• The certificate owner is in doubt, as to the attempted use of his key pairs, or otherwise for malicious or unlawful purposes.
• The digital certificate shall remain in the compromise state for only such time as it takes to arrange for revocation.
Expiry of Digital Signature Certificate
A digital signature certificate shall be issued with a designated expiry date. It will expire automatically and on expiry, it shall not be re-used. The period for which a digital certificate has been issued shall not be extended, but a new digital signature certificate may be issued after the expiry of such period [Rule 26 of IT Act, 2000].
Where does E-Signature work?
DIGITAL SIGNATURE
I agree
efcc61c1c03db8d8ea8569545c073c814a0ed755
My place of birth is at Chennai.
fe1188eecd44ee23e13c4b6655edc8cd5cdb6f25
I am 62 years old.
0e6d7d56c4520756f59235b6ae981cdb5f9820a0
I am an Engineer.
ea0ae29b3b2c20fc018aaca45c3746a057b893e7
I am a Engineer.
01f1d8abd9c2e6130870842055d97d315dff1ea3

These are digital signatures of the same person on different documents.
• Digital signatures are numbers
• Same length – 40 digits
• They are document content dependent
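The hash-then-sign process described under "Authentication of Digital Signature" and the two checks listed under "Verification of Digital Signature" can be tried out with the sketch below. It is an added example, not part of the original slides: it assumes SHA-256 as the hash function and textbook RSA without padding on constructed toy keys, and all function names are hypothetical. It does not reproduce the 40-digit values shown on the slide.

```python
"""Toy hash-then-sign demo (textbook RSA, no padding): illustration only."""
import hashlib
from math import gcd

E = 65537  # public exponent shared by both constructed key pairs


def make_keypair(p: int, q: int):
    """Build ((n, e), (n, d)) from two primes: public key and private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(E, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    return (n, E), (n, pow(E, -1, phi))


def digest_hex(record: str) -> str:
    """Hash function step: fixed-length digest that depends on the content."""
    return hashlib.sha256(record.encode("utf-8")).hexdigest()


def sign(record: str, private_key) -> int:
    """Transform the record's digest with the private key."""
    n, d = private_key
    return pow(int(digest_hex(record), 16) % n, d, n)


def verify(record: str, signature: int, public_key) -> bool:
    """Recompute the digest and compare it with the one recovered from the
    signature using the public key; False means altered record or wrong key."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == int(digest_hex(record), 16) % n


# Constructed key pairs built from well-known Mersenne primes. They are far
# too small and too structured for real use; they only keep the demo offline.
SUBSCRIBER_PUB, SUBSCRIBER_PRIV = make_keypair(2**89 - 1, 2**127 - 1)
OTHER_PUB, _OTHER_PRIV = make_keypair(2**61 - 1, 2**107 - 1)


def demo():
    original = "I am an Engineer."  # record text taken from the slide
    altered = "I am a Engineer."    # the slide's one-character variant
    sig = sign(original, SUBSCRIBER_PRIV)
    return {
        "same_length": len(digest_hex(original)) == len(digest_hex(altered)),
        "digests_differ": digest_hex(original) != digest_hex(altered),
        "intact_record": verify(original, sig, SUBSCRIBER_PUB),
        "altered_record": verify(altered, sig, SUBSCRIBER_PUB),
        "wrong_public_key": verify(original, sig, OTHER_PUB),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The signature verifies only when both the record and the subscriber's public key match, which is why a relying party also needs a certificate binding that public key to the subscriber.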
Paper Signature –Vs– Digital Signature

Parameter | Paper | Electronic
Authenticity | May be forged | Cannot be copied
Integrity | Signature independent of the document | Signature depends on the contents of the document
Non-repudiation | Handwriting expert needed; error prone | Any computer user; error free
DIVERSITY OF E-SIGNATURES
• PIN code
• Click Wrap
• Scanned Signature
• PKI Signature
• Dynamic PW
• Captcha
• Captured Signature
• Signature Machine
CERTIFYING AUTHORITIES
Certifying Authority
A Certifying Authority is a trusted body whose central responsibility is to issue, revoke, renew and provide directories of Digital Certificates. In essence, the function of a Certifying Authority is equivalent to that of the passport issuing office in the Government. A passport is a citizen's secure document (a "paper identity"), issued by an appropriate authority, certifying that the citizen is who he or she claims to be. Any other country trusting the authority of that country's Government passport office will trust the citizen's passport.

Similar to a passport, a user's certificate is issued and signed by a Certifying Authority and acts as a proof. Anyone trusting the Certifying Authority can also trust the user's certificate.

According to Section 24 under Information Technology Act 2000, "Certifying Authority" means a person who has been granted a licence to issue Digital Signature Certificates.
Who can be a Certifying Authority (CA)?
Controller of Certifying Authority (CCA), Ministry of Information Technology, Government of India.
Certification Agencies authorised by the CCA to issue the Digital Signature Certificates (DSCs)
• Safe Script CA, Sify Communications Ltd
• TCS
• National Informatics Centre
• Mahanagar Telecom Nigam Limited
• Custom and Central Excise
• n Code Solutions
• IDRBT CA
• E – Mudhra
REGULATION OF CERTIFYING AUTHORITIES
[Figure: two hierarchies, listed top to bottom]
REGULATION STRUCTURE: Govt. of India; Controller of Certifying Authorities; Deputy Controllers; Assistant Controllers
JUDICIAL STRUCTURE: Supreme Court; High Court; Cyber Regulations Appellate Tribunal; Officer


CCA’s role
• Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising supervision over their activities.
• Controller of Certifying Authorities as the “Root” Authority certifies the technologies and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates.
• Certifying the public keys of the CAs, as Public Key Certificates (PKCs).
• Laying down the standards to be maintained by the CAs.
• Addressing the issues related to the licensing process including:
  • Approving the Certification Practice Statement (CPS);
  • Auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA.
Controller of Certifying Authorities (CCA)
• The Controller of Certifying Authorities (CCA) has been appointed by the Central Government under section 17 of the Act for purposes of the IT Act.
• The Office of the CCA came into existence on 1st November, 2000.
• It aims at promoting the growth of E-Commerce and E-Governance through the wide use of digital signatures.
• The Controller of Certifying Authorities (CCA) has established the Root Certifying Authority (RCAI) of India under section 18(b) of the IT Act to digitally sign the public keys of Certifying Authorities (CA) in the country.
• The RCAI is operated as per the standards laid down under the Act.
Requirements to be fulfilled by the RCAI
1. All public keys corresponding to the signing private
keys of a CA are digitally signed by the CCA.
2. That these keys are signed by the CCA can be verified
by a relying party through the CCA’s website or
CA’s own website.
3. Authorized CCA personnel initiate and perform Root
CA functions in accordance with the Certification
Practice Statement of Root Certifying Authority of
India.
4. The term Root CA is used to refer to the total CA
entity, including the software and its operations.
5. The RCAI root certificate is the highest level of
certification in India. It is used to sign the public keys
of the Licensed CAs in India. The RCAI root certificate
is a self-signed certificate.
Functions and Duties of Controller of Certifying Authorities
The following are the functions of the Controller as per the I.T. Act, 2000 (Section 18)
3.1. Functions of Controller
The Controller may perform all or any of the following functions, namely:
a) Exercising supervision over the activities of the Certifying Authorities;
b) Certifying public keys of the Certifying Authorities;
c) Laying down the standards to be maintained by the Certifying Authorities;
d) Specifying the qualifications and experience, which employees of the Certifying Authorities
should possess;
e) Specifying the conditions subject to which the Certifying Authorities shall conduct their
business;
f) Specifying the contents of written, printed or visual materials and advertisements that may be
distributed or used in respect of a Digital Signature Certificate and the public key;
g) Specifying the form and content of a Digital Signature Certificate and the key;
h) Specifying the form and manner in which accounts shall be maintained by the Certifying
Authorities;
i) Specifying the terms and conditions subject to which auditors may be appointed and the
remuneration to be paid to them;
j) Facilitating the establishment of any electronic system by a Certifying Authority either solely or
jointly with other Certifying Authorities and regulation of such systems;
k) Specifying the manner in which the Certifying Authorities shall conduct their dealings with the
subscribers;
l) Resolving any conflict of interests between the Certifying Authorities and the subscribers;
m) Laying down the duties of the Certifying Authorities;
n) Maintaining a database containing the disclosure record of every Certifying Authority containing
such particulars as may be specified by regulations, which shall be accessible to the public.
