
Unit 4

Cybercrime and Cybersecurity: The Legal Perspectives
Why do we need cyberlaws: The Indian Context

Cyberlaw is a framework created to give legal recognition to all the risks arising out
of the use of computers and computer networks.

Cyberlaw covers several aspects:

1. Intellectual property

2. Data protection and privacy

3. Freedom of expression

4. Crimes committed using computers

The Indian parliament passed its first cyberlaw, the Information Technology Act 2000
(ITA 2000), aimed at providing the legal infrastructure for E-Commerce in India.

The reasons for enacting cyberlaws in India are:

1. Suitable laws are needed because the use of the internet and other computer
technologies in India is increasing.

2. The internet needs some form of legal recognition.

3. With the growth of the internet, a new concept called cyberterrorism came
into existence.

The Indian parliament passed the Information Technology Bill on 17 May 2000,
known as the ITA 2000.

This law is based on the UNCITRAL Model Law on Electronic Commerce.


The Indian IT Act
The Indian IT Act was published in the year 2000 with the purpose of providing
legal recognition for E-Commerce.

Another purpose of the Indian IT Act was to amend:

1. The Indian Penal Code (IPC)

2. The Indian Evidence Act 1872

3. The Banker’s Books Evidence Act 1891

4. The Reserve Bank of India Act 1934

The original ITA 2000 contained 94 sections, divided into 13 chapters and 4
schedules.
Sections relevant to the discussion of cybercrime in a legal context

Section 65: Tampering with computer source documents

Whoever knowingly or intentionally conceals, destroys or alters any source code
used for a computer, computer programme, computer system or computer network
shall be punishable with imprisonment up to 3 years, or with a fine which may
extend up to 2 lakh rupees, or with both.
Section 66: Computer-related offences

Whoever, with intent to cause wrongful loss or damage to the public or any person,
destroys, alters or deletes information residing in a computer resource,
diminishes its value or utility, or commits hacking, shall be punishable with
imprisonment up to 3 years, or with a fine which may extend up to 5 lakh rupees,
or with both.
Section 67: Punishment for publishing or transmitting obscene material in
electronic form

Whoever publishes or transmits, or causes to be published or transmitted, in
electronic form any material which is lascivious or appeals to the prurient interest,
or whose effect is such as to tend to deprave and corrupt persons who are likely,
having regard to all relevant circumstances, to read, see or hear the matter
contained or embodied in it.

He/she shall be punished with imprisonment for three years and with a fine of 5 lakh
rupees, or with imprisonment of three years and with a fine of 10 lakh rupees.
Section 71: Penalty for misrepresentation

Whoever makes any misrepresentation to, or suppresses any material fact from,
the controller or the certifying authority for obtaining any license or digital
signature certificate.

He/she shall be punished with imprisonment for a term which may extend to 2
years, or with fine which may extend to 1 lakh rupees, or both.
Section 72: Penalty for breach of confidentiality and privacy

Section 72 of the IT Act provides for a criminal penalty where a government
official discloses records and information accessed during his or her duties
without the consent of the person concerned, unless permitted by other laws.

He/she shall be punished with imprisonment for a term which may extend to 2
years, or with fine up to 1 lakh rupees.
Section 73: Penalty for publishing a Digital Signature Certificate false in certain
particulars

No person shall publish a Digital Signature Certificate or otherwise make it available
to any other person with the knowledge that:

1. The Certifying Authority listed in the certificate has not issued it; or

2. The subscriber listed in the certificate has not accepted it; or

3. The certificate has been revoked or suspended, unless such publication is
for the purpose of verifying a digital signature created prior to such
suspension.

He/she shall be punished with imprisonment for 2 years, or a fine up to 1 lakh
rupees, or with both.
Section 74: Publication for fraudulent purpose

Whoever knowingly creates, publishes or otherwise makes available a Digital
Signature Certificate for any fraudulent or unlawful purpose shall be punished
with imprisonment up to 2 years, or with a fine up to 1 lakh rupees, or with both.
Positive Aspects Of the ITA 2000
Indian ITA 2000 legally recognises the electronic format.

From the perspective of the corporate sector, companies are able to carry out E-
Commerce using legal infrastructure provided by the ITA 2000.

Corporates will now be able to use digital signatures to carry out their transactions
online.

A remedy is provided to the company by the ITA 2000 in the form of monetary
damages, via compensation, not exceeding Rs 10,000,000.

ITA 2000 defined various cybercrimes.


Weak Areas of the ITA 2000
The ITA 2000 is likely to cause a conflict of jurisdiction.

It pays no heed to domain-name-related issues. It does not deal with the
rights and liabilities of domain name holders.

It does not cover various evolving forms and manifestations of cybercrime, such
as:
• Cyber theft
• Cyber stalking
• Cyber harassment
• Cyber defamation
• Cyber fraud
• Misuse of credit card numbers
• Theft of Internet hours

It is not explicit about the regulation of electronic payments.

The ITA 2000 does not provide proper intellectual property protection for electronic
information and data. Contentious yet very important issues concerning online
copyrights, trademarks and patents have been left unaddressed by the law, thereby
leaving many loopholes.

The IT Act does not touch upon antitrust issues.

The most serious concern about the Indian cyberlaw relates to its implementation.
Objectives of IT Act 2000

To provide legal recognition for all the transactions that are carried out by means
of electronic data interchange or electronic commerce in place of paper-based
methods of communication.

To grant legal recognition to digital signatures for the authentication of any matter
or information that requires authentication under any law.

To facilitate the electronic filing of Government documents with the respective
departments. Also, it facilitates the electronic storage of data.

To provide legal sanction for the transfer of funds electronically to and between
financial institutions and banks.
To grant legal recognition for keeping the books of accounts in an electronic
format for the bankers.

To promote legal infrastructure and e-commerce along with secure information
systems. At the same time, it amended the Indian Penal Code, the Bankers' Books
Evidence Act, 1891, and the RBI Act, 1934.

To enforce certain laws that would manage and reduce cyber-crimes at national
and international levels. The IT Act 2000 governs all internet activities in India,
and it is applicable to all online transactions. It provides for the penalties and
prosecution for all the non-compliances.
Public-Key Infrastructure (PKI) Technology

Encryption – the process of converting electronic data into another form, called
ciphertext, which cannot be easily understood by anyone except the authorized
parties. This assures data security.

Decryption – the reverse process, converting ciphertext back into readable data.

Types of Encryption

There are two types of encryption

1. Symmetric Encryption

2. Asymmetric Encryption
Asymmetric Cryptography is also known as public-key cryptography. It uses
public and private keys to encrypt and decrypt data.

Public key cryptography plays an important role in providing needed security
services, including confidentiality, authentication, digital signatures and integrity.

PKI is a framework for services that generate, distribute, control and account for
public key certificates. PKI uses a Certification Authority (CA) to validate and bind a
user identity to a digital certificate.

PKI provides the means to bind public keys to their owners.

The PKI technology has six basic components, namely:

1. Certificate user

2. Public-key certificate

3. Certification Authority (CA)

4. Registration Authority (RA)

5. Certificate revocation list (CRL)

6. Certificate repository
Digital Signature
A digital signature is an electronic, encrypted stamp of authentication on digital
information such as messages. The digital signature confirms the integrity of the
message.

A valid digital signature on a message gives a recipient confidence that the
message came from a sender known to the recipient.

Digital signatures use a standard, accepted format, called Public Key
Infrastructure (PKI), to provide the highest levels of security and universal
acceptance. PKI involves using a digital certificate for identity verification.
Digital Certificate or Public-Key Certificate
A digital certificate is issued by a trusted third party and proves the sender's identity
to the receiver and the receiver's identity to the sender.

A digital certificate is a certificate issued by a Certificate Authority (CA) to verify
the identity of the certificate holder.

The CA issues a digital certificate containing the applicant's public key and a
variety of other identification information.

A digital certificate is used to bind a public key to a particular individual or
entity.
A digital certificate includes:

1. Name of certificate holder.

2. Serial number, which uniquely identifies the certificate and the
individual or entity identified by the certificate.

3. Expiration dates.

4. Copy of the certificate holder's public key (used for decrypting messages
and digital signatures).

5. Digital Signature of the certificate issuing authority.

A digital signature is used to verify authenticity, integrity and non-repudiation, while
a digital certificate is used to verify the identity of the user, whether sender or
receiver.
Certifying Authorities

A certifying authority is a person who has been granted a licence to issue an
electronic signature certificate under section 24 of the IT Act 2000.

It is a trusted person who issues digital certificates and public-private key pairs.

It assures that the one presenting the certificate is in fact who he or she claims
to be, i.e. the owner of the certificate.

Certifying authorities verify the physical documents of the person who wishes
to obtain a digital certificate.
Licensing of Certificate Authorities(CA)
IT Act 2000 had prescribed digital signatures based on Asymmetric cryptosystem
and hash system as the only acceptable form of authentication of electronic
documents recognized as equivalent to “signatures” in paper form.

Section 21 of the Act defines the licensing procedure for CAs. The applicant
should fulfil all the necessary requirements of "qualification", "expertise",
"manpower", "financial resources" and "infrastructural facilities" prescribed by the
central government as necessary to issue digital certificates.

The validity period of a CA licence is prescribed by the central government; the
licence cannot be transferred or inherited.

The licence period should be long enough to make the business viable.
Steps followed in creating a digital signature

1. A message digest is computed by applying a hash function to the message; the
digest is then encrypted with the sender's private key to form the digital
signature.

2. The digital signature is transmitted with the message.

3. The receiver decrypts the digital signature using the sender's public key.

4. The receiver now has the message digest sent by the sender.

5. The receiver computes the message digest from the received message.

6. The digest computed by the receiver and the digest obtained by decrypting the
digital signature must be the same to ensure integrity.
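The six steps above, together with the PKI components listed earlier (a CA, a public-key certificate binding a name to a public key, and a CRL), as a runnable walk-through. This is an added example for this unit, not code from the lecture notes. The RSA keys are generated at run time and the digest is "encrypted" with the private key exactly as step 1 describes (textbook RSA with no padding); that makes the steps visible but is not how production signatures are built, which use a vetted library with PKCS#1 PSS or similar. The subject names, serial numbers, dates and the message are constructed sample values.

```python
"""Toy PKI: CA-issued certificate, signed message, relying-party checks.
Added example (not the lecture's code). Textbook RSA, demonstration only."""
import hashlib
import json
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public, private) as ((n, e), (n, d)); n is 2*bits long."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def sign(message: bytes, private_key) -> int:
    """Step 1: hash the message, then 'encrypt' the digest with the private key."""
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Steps 3-6: recover the sent digest with the public key and compare it
    with a freshly computed digest of the received message."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


def tbs_bytes(cert: dict) -> bytes:
    """Canonical 'to-be-signed' encoding of every field except the signature."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"},
                      sort_keys=True).encode()


def issue_certificate(subject, subject_public, serial, not_after, ca_name, ca_private):
    """The CA binds subject name -> public key by signing the certificate fields."""
    cert = {"subject": subject, "issuer": ca_name, "serial": serial,
            "not_after": not_after, "public_key": list(subject_public)}
    cert["signature"] = sign(tbs_bytes(cert), ca_private)
    return cert


def certificate_is_valid(cert, ca_public, crl, today):
    """Relying-party checks: issuer signature, expiry (ISO dates), and the CRL."""
    if not verify(tbs_bytes(cert), cert["signature"], ca_public):
        return False
    if today > cert["not_after"]:
        return False
    return cert["serial"] not in crl


def demo():
    ca_public, ca_private = generate_keypair()
    alice_public, alice_private = generate_keypair()
    cert = issue_certificate("alice@example.invalid", alice_public, 1001,
                             "2030-12-31", "Toy Root CA", ca_private)
    msg = b"Transfer 1,000 rupees to account 42"        # constructed message
    sig = sign(msg, alice_private)
    other_public, _ = generate_keypair()                # an unrelated key pair
    alice_key = tuple(cert["public_key"])               # taken from the certificate
    return {
        "cert_ok": certificate_is_valid(cert, ca_public, set(), "2025-01-01"),
        "cert_expired": certificate_is_valid(cert, ca_public, set(), "2031-01-01"),
        "cert_revoked": certificate_is_valid(cert, ca_public, {1001}, "2025-01-01"),
        "genuine": verify(msg, sig, alice_key),
        "tampered": verify(b"Transfer 9,000 rupees to account 42", sig, alice_key),
        "wrong_signer": verify(msg, sig, other_public),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three relying-party outcomes the text describes: the genuine message verifies against the key bound by the certificate, a one-character change to the message breaks the digest comparison in step 6, and a signature checked against a key the CA never certified fails. The certificate checks show why the CRL component exists: a signature from a valid key is still rejected once its serial number is listed as revoked.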
X.509 Certificates

An X.509 certificate is a digital certificate that follows the widely trusted
International Telecommunication Union (ITU) X.509 standard, which defines the
format of PKI certificates.

The certificate is encoded in Abstract Syntax Notation One (ASN.1), a standard
syntax for describing messages that can be sent or received on a network.

One of the most widely visible applications of X.509 certificates today is in web
browsers that support the Secure Sockets Layer (SSL) protocol.
The X.509 certificate includes

• X.509 version information;

• A serial number that uniquely identifies the certificate;

• A common name that identifies the subject;

• The public key associated with the common name;

• Subject name;

• Information about the certificate issuer;

• Signature of issuer;

• Information about algorithm used to sign the certificate;

• Some optional X.509 version extensions.
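Since X.509 certificates are ASN.1 structures serialised in DER, the following added example (not code from the lecture notes) shows the tag-length-value encoding that every certificate parser must implement, including the length-encoding rules DER imposes. The certificate-like SEQUENCE it builds (version, serial number, issuer, subject) is a simplification of the real X.509 schema, chosen to show the encoding, and the sample values are constructed.

```python
"""Minimal DER (ASN.1) encoder/decoder. Added example, not the lecture's code.
The 'certificate-like' layout is a simplification of X.509's TBSCertificate."""
TAG_INTEGER, TAG_UTF8STRING, TAG_SEQUENCE = 0x02, 0x0C, 0x30
TAG_CONTEXT_0 = 0xA0        # [0] EXPLICIT, as X.509 uses for the version field
CONSTRUCTED = 0x20          # tag bit 6: the value holds nested TLVs


def encode_length(n: int) -> bytes:
    """Short form below 128; otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(value: int) -> bytes:
    """DER INTEGER: two's complement, big-endian, shortest possible (+1 bit for sign)."""
    length = max(1, (value.bit_length() + 8) // 8)
    return encode_tlv(TAG_INTEGER, value.to_bytes(length, "big", signed=True))


def encode_utf8string(text: str) -> bytes:
    return encode_tlv(TAG_UTF8STRING, text.encode("utf-8"))


def encode_sequence(*children: bytes) -> bytes:
    return encode_tlv(TAG_SEQUENCE, b"".join(children))


def build_toy_tbs(version: int, serial: int, issuer: str, subject: str) -> bytes:
    """Certificate-like SEQUENCE: [0] version, serial, issuer, subject (simplified)."""
    return encode_sequence(
        encode_tlv(TAG_CONTEXT_0, encode_integer(version)),
        encode_integer(serial),
        encode_utf8string(issuer),
        encode_utf8string(subject),
    )


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos); rejects length encodings DER forbids."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not allowed in DER")
    else:
        count = first & 0x7F
        if pos + count > len(data):
            raise ValueError("truncated length field")
        length = int.from_bytes(data[pos:pos + count], "big")
        if length < 0x80 or data[pos] == 0:
            raise ValueError("non-minimal length encoding")
        pos += count
    if pos + length > len(data):
        raise ValueError("value runs past end of data")
    return tag, data[pos:pos + length], pos + length


def decode(data: bytes):
    """Parse one DER element into (tag, value); recursive for constructed tags."""
    tag, value, end = _read_tlv(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after element")
    if tag & CONSTRUCTED:
        children, pos = [], 0
        while pos < len(value):
            _, _, nxt = _read_tlv(value, pos)
            children.append(decode(value[pos:nxt]))
            pos = nxt
        return tag, children
    if tag == TAG_INTEGER:
        return tag, int.from_bytes(value, "big", signed=True)
    if tag == TAG_UTF8STRING:
        return tag, value.decode("utf-8")
    return tag, value


def is_valid_der(data: bytes) -> bool:
    """True when the bytes are one well-formed DER element with nothing trailing."""
    try:
        decode(data)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    tbs = build_toy_tbs(2, 0x1F3A9C, "Toy Root CA", "alice@example.invalid")
    print(tbs.hex())
    print(decode(tbs))
```

The decoder deliberately rejects indefinite-length and non-minimal length encodings and trailing bytes: DER requires a single canonical encoding for each value so that the bytes a CA signed are exactly the bytes a verifier parses, and lenient parsers that accept alternative encodings are a classic source of certificate-handling bugs.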


Benefits of Digital Signature
Digital signatures can bring several benefits to your business, including increased
productivity and efficiency, reduced turnaround time and streamlined processes.

Digital signatures demonstrate:

1. Authenticity
2. Integrity
3. Non-Repudiation

As digital signatures go to greater lengths to record transactions and verify
identity, they are considered to be more secure than regular electronic signatures.

Licensed Certifying Authorities in India

Safescrypt

E-Mudhra

National Informatics Centre(NIC)

Tata Consultancy Services(TCS)

Capricorn
Electronic Signature
In comparison to digital signatures, basic electronic signatures are a lot simpler;
they’re essentially a digital version of an ink signature.

An electronic signature can be anything from a typed/drawn out name, a tick box
plus declaration, symbol, or PIN.

The main characteristic of an electronic signature is that it reveals the signer's intent
to sign the document. It usually accompanies contracts or other agreements that are
entered into by two parties.

Section 3A defines electronic Signature whereas Section 3 defines Digital Signature.


Section 3A – Electronic Signature

Under section 3A, any electronic signature shall be considered reliable if:

1. The signature creation data or authentication data are, within the context in
which they are used, linked to the signatory or, as the case may be, the
authenticator and to no other person;
2. The signature creation data or the authentication data were, at the time of
signing, under the control of the signatory or the authenticator and of no other
person;
3. Any alteration to the electronic signature made after affixing such signature is
detectable;
4. Any alteration to the information made after its authentication by electronic
signature is detectable, and it fulfils such other conditions as may be
prescribed.
Digital signature versus electronic signature

Digital signature: A digital signature relies on public key infrastructure, which authenticates the electronic signature.
Electronic signature: An electronic signature is simply a legally valid electronic replacement of a handwritten signature.

Digital signature: Digital signatures carry a user's information along with electronic signatures.
Electronic signature: Electronic signatures do not contain any authentication attached to them.

Digital signature: A digital signature secures a document.
Electronic signature: An electronic signature verifies the document.

Digital signature: Digital signatures are validated by licensed certifying authorities such as eMudhra.
Electronic signature: Electronic signatures are not validated by licensed certifying authorities.

Digital signature: Digital signatures come with encryption standards.
Electronic signature: Electronic signatures do not come with encryption standards.

Digital signature: A digital signature consists of various security features and is less prone to tampering.
Electronic signature: An electronic signature is less secure and is more vulnerable to tampering.

Digital signature: A digital signature acts as an electronic fingerprint that consists of a person's identification.
Electronic signature: An electronic signature can be a file, image, or symbol attached to a document to give consent for a signature.

Digital signature: A digital signature is created via cryptographic algorithms.
Electronic signature: An electronic signature offers lower security, and no cryptographic algorithms are used in creating a simple electronic signature.

Digital signature: A digital signature is authenticated using a digital signature certificate.
Electronic signature: An electronic signature is authenticated using a phone number, SMS, etc.
Amendments to the Indian IT Act 2000

The IT Act was amended in 2008.

To support the development of the cybersecurity infrastructure, the amendments
also focus on:

1. Defining penalties for violations;

2. Defining appropriate levels of compensation;

3. Setting up an authority for implementation.


Cybercrime and Punishment

Cybercrimes, which are harmful acts committed from or against a computer
or network, differ from most terrestrial crimes in four ways:

1. They are easy to learn how to commit.

2. They require few resources relative to the potential damage caused.

3. They can be committed in a jurisdiction without the offender being physically present.

4. They are often not clearly illegal.


Drawbacks of punishments for cybercrime

Reliance on terrestrial laws may not be a reliable approach.

Weak penalties limit deterrence.

Self-protection remains the first line of defence.

A global patchwork of laws creates little certainty.

A model approach is needed.
