indian cyberlaw and security
INDIAN CYBERLAW AND SECURITY
A PRESENTATION BY
PAVAN DUGGAL, ADVOCATE, SUPREME COURT OF INDIA
PRESIDENT, CYBERLAWS.NET
HEAD-PAVAN DUGGAL ASSOCIATES
INTERNATIONAL CONFERENCE ON e GP, NEW DELHI-11-3-2005
CYBER LAW IN INDIA
In India the Information Technology Act, 2000 is the legislation that deals with issues related to the Internet.
THE INFORMATION TECHNOLOGY ACT, 2000
I.T. ACT, 2000: OBJECTIVES
Different approaches for controlling, regulating and facilitating electronic communication and commerce.
Aim to provide legal infrastructure for e-commerce in India.
OBJECTIVES (contd.)
To provide legal recognition for transactions:-
Carried out by means of electronic data interchange, and
Other means of electronic communication, commonly referred to as "electronic commerce", involving the use of alternatives to paper-based methods of communication and storage of information.
OBJECTIVES (contd.)
To facilitate electronic filing of documents with the Government agencies
To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker's Book Evidence Act, 1891 and the Reserve Bank of India Act, 1934
AUTHENTICATION OF ELECTRONIC RECORDS
Any subscriber may authenticate an electronic record
Authentication by affixing his digital signature.
Any person by the use of a public key of the subscriber can verify the electronic record
LEGALITY OF DIGITAL SIGNATURES
Legal recognition of digital signatures.
Electronic Signatures not yet legal in India.
Certifying Authorities for Digital Signatures.
Scheme for Regulation of Certifying Authorities for Digital Signatures
CONTROLLER OF CERTIFYING AUTHORITIES
Shall exercise supervision over the activities of Certifying Authorities
Lay down standards and conditions governing Certifying Authorities
Specify various forms and content of Digital Signature Certificates
DIGITAL SIGNATURES & ELECTRONIC RECORDS
Use of Electronic Records and Digital Signatures in Government Agencies.
Publications of rules and regulations in the Electronic Gazette.
INFORMATION SECURITY LAW
India does not have a dedicated law on Information Security
IT ACT, 2000
Not a law dedicated to security
However, since security is an absolute necessity for e-commerce transactions, the law covers some aspects relating to security
DEFINITIONS
Definitional clause of the Indian Cyberlaw does not give a legal definition of security
Provides the definition of a secure system and security procedure
Section 79
For the removal of doubts, it is hereby declared that no person providing any service as a network service provider shall be liable under this Act, rules or regulations made thereunder for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention.
Network Service Providers: When Not Liable
Explanation.—For the purposes of this section,—
(a) "network service provider" means an intermediary;
(b) "third party information" means any information dealt with by a network service provider in his capacity as an intermediary.
“SECURE SYSTEM”
“secure system” means computer hardware, software, and procedure that-
(a) are reasonably secure from unauthorized access and misuse;
(b) provide a reasonable level of reliability and correct operation;
(c) are reasonably suited to performing the intended function; and
(d) adhere to generally accepted security procedures
DEFINITIONS
“security procedure” means the security procedure prescribed by the Central Government under the IT Act, 2000.
secure electronic record – where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification
SECURE DIGITAL SIGNATURE
If by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was:
(a) unique to the subscriber affixing it;
(b) capable of identifying such subscriber;
(c) created in a manner or using a means under the exclusive control of the subscriber and is linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated,
then such digital signature shall be deemed to be a secure digital signature.
POWER TO CENTRAL GOVERNMENT
Central Government empowered to prescribe the security procedure, having regard to the commercial circumstances prevailing at the time when the procedure was used, including-
the nature of the transaction;
the level of sophistication of the parties with reference to their technological capacity;
the volume of similar transactions engaged in by other parties;
the availability of alternatives offered to but rejected by any party;
the cost of alternative procedures;
the procedures in general use for similar types of transactions or communications.
BREACH OF SECURITY
The Indian Cyberlaw makes breach of security an act which attracts consequences of civil liability.
If a person without the permission of owner or any other person in charge of a computer, computer system or computer network, accesses or secures access to such computer, computer system or computer network, he is liable to pay statutory damages by way of compensation, not exceeding one Crore rupees (Rs 10,000,000/-) to the person so affected.
BREACH OF SECURITY
Thus, merely gaining access to any computer, computer system or computer network by breaching or violating the security processes or mechanisms is enough to attract the civil liability.
CRIMINAL OFFENCE
Breach of security is also implicitly recognized as a penal offence in the form of hacking
Section 66 of the IT Act, 2000 makes hacking a penal offence punishable with three years imprisonment and two lakh rupees (Rs 200,000/-) fine
PROTECTED SYSTEM
The appropriate government, be it the Central or State Government, has been given the discretion to declare any computer, computer system or computer network as a protected system.
Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of the law, shall be punished with imprisonment of either description for a term which may extend to ten years and shall be liable to fine.
OFFENCES & PENALTIES
Penalties and adjudication for various offences involving computers, computer systems and computer networks.
Penalties for damage to computer, computer system etc.
Fixed as damages by way of compensation not exceeding Rs. 1,00,00,000/- to affected persons.
CYBER OFFENCES
Various cyber offences defined
Cyber offences to be investigated only by a Police Officer not below the rank of the Deputy Superintendent of Police.
CYBER OFFENCES (contd.)
Tampering with computer source documents.
Publishing of information which is obscene in electronic form.
Breach of confidentiality and privacy.
CYBER OFFENCES (contd.)
Hacking
Misrepresentation
Publishing Digital Signature Certificate false in certain particulars and publication for fraudulent purposes.
RETENTION OF INFORMATION IN ELECTRONIC FORMAT
Can legally retain information in the electronic form, if-
(a) the information contained therein remains accessible so as to be usable for a subsequent reference;
RETENTION OF INFORMATION IN ELECTRONIC FORMAT
(b) the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;
RETENTION OF INFORMATION IN ELECTRONIC FORMAT (contd)
(c) the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record.
INVESTIGATION
For the purpose of investigating the offences detailed under the IT Act, 2000, police officers not below the rank of Deputy Superintendent of Police have been duly authorized and have also been given the power of entry, search and arrest without warrant in public places.
PROVING IT
Amendments made in the Indian Evidence Act 1872 by the IT Act, 2000
In any proceedings involving a secure electronic record, the court shall presume, unless contrary is proved, that the secure electronic record has not been altered since the specific point of time, to which the secure status relates
PROVING IT
The law also presumes that in any proceedings, involving secure digital signature, the court shall presume, unless the contrary is proved, that the secure digital signature is affixed by the subscriber with the intention of signing or approving the electronic record
IT SECURITY GUIDELINES
Information Technology Act, 2000 has come up with Information Technology Security Guidelines
As also Information Technology (Certifying Authority) Rules, 2000
INFORMATION SECURITY GUIDELINES
The Information Security guidelines are generic and broad and should be followed by all legal entities involved in computer, computer systems and computer networks
More relevant in the context of Electronic Government Procurement in India as the sector’s life and spirit is dependent upon the Information Security of its systems and networks
LITIGATION ALREADY BEGUN
Litigation already begun in India in relation to e-procurement.
Numerous legal issues relating to electronic government procurement will continue to emerge in the near future.
Need to adopt a proactive approach in dealing with these various legal challenges
NEED TO COMPLY
There is a need to proactively comply with the requirements of the Indian Cyberlaw.
Necessary to limit liability and emergence of undesirable consequences.
The Information Technology Act, 2000 currently under review by the Government.
Need to adopt a flexible approach of due diligence.
THAT WAS A PRESENTATION BY
PAVAN DUGGAL,
ADVOCATE, SUPREME COURT OF INDIA
PRESIDENT, CYBERLAWS.NET
HEAD-PAVAN DUGGAL ASSOCIATES