indian cyberlaw and security


Upload: pattok

Post on 21-Jun-2015


Page 1: INDIAN CYBERLAW AND SECURITY

INDIAN CYBERLAW AND SECURITY

Page 2: INDIAN CYBERLAW AND SECURITY

A PRESENTATION BY

PAVAN DUGGAL, ADVOCATE, SUPREME COURT OF INDIA

PRESIDENT, CYBERLAWS.NET

HEAD-PAVAN DUGGAL ASSOCIATES

INTERNATIONAL CONFERENCE ON e GP, NEW DELHI-11-3-2005

Page 3: INDIAN CYBERLAW AND SECURITY

CYBER LAW IN INDIA

In India the Information Technology Act, 2000 is the legislation that deals with issues related to the Internet.

Page 4: INDIAN CYBERLAW AND SECURITY

THE INFORMATION TECHNOLOGY ACT, 2000

Page 5: INDIAN CYBERLAW AND SECURITY

I.T. ACT, 2000: OBJECTIVES

Different approaches for controlling, regulating and facilitating electronic communication and commerce.

Aim to provide legal infrastructure for e-commerce in India.

Page 6: INDIAN CYBERLAW AND SECURITY

OBJECTIVES (contd.)

To provide legal recognition for transactions:-

Carried out by means of electronic data interchange, and

Other means of electronic communication, commonly referred to as "electronic commerce", involving the use of alternatives to paper-based methods of communication and storage of information.

Page 7: INDIAN CYBERLAW AND SECURITY

OBJECTIVES (contd.)

To facilitate electronic filing of documents with the Government agencies

To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker's Book Evidence Act, 1891 and the Reserve Bank of India Act, 1934

Page 8: INDIAN CYBERLAW AND SECURITY

AUTHENTICATION OF ELECTRONIC RECORDS

Any subscriber may authenticate an electronic record

Authentication by affixing his digital signature.

Any person by the use of a public key of the subscriber can verify the electronic record

Page 9: INDIAN CYBERLAW AND SECURITY

LEGALITY OF DIGITAL SIGNATURES

Legal recognition of digital signatures.

Electronic Signatures not yet legal in India.

Certifying Authorities for Digital Signatures.

Scheme for Regulation of Certifying Authorities for Digital Signatures

Page 10: INDIAN CYBERLAW AND SECURITY

CONTROLLER OF CERTIFYING AUTHORITIES

Shall exercise supervision over the activities of Certifying Authorities

Lay down standards and conditions governing Certifying Authorities

Specify various forms and content of Digital Signature Certificates

Page 11: INDIAN CYBERLAW AND SECURITY

DIGITAL SIGNATURES & ELECTRONIC RECORDS

Use of Electronic Records and Digital Signatures in Government Agencies.

Publication of rules and regulations in the Electronic Gazette.

Page 12: INDIAN CYBERLAW AND SECURITY

INFORMATION SECURITY LAW

India does not have a dedicated law on Information Security

Page 13: INDIAN CYBERLAW AND SECURITY

IT ACT, 2000

Not a law dedicated to security

However, since security is an absolute necessity for e-commerce transactions, the law covers some aspects relating to security

Page 14: INDIAN CYBERLAW AND SECURITY

DEFINITIONS

Definitional clause of the Indian Cyberlaw does not give a legal definition of security

Provides the definition of a secure system and security procedure

Page 15: INDIAN CYBERLAW AND SECURITY

Section 79

For the removal of doubts, it is hereby declared that no person providing any service as a network service provider shall be liable under this Act, rules or regulations made thereunder for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention.

Page 16: INDIAN CYBERLAW AND SECURITY

Network Service Providers: When Not Liable

Explanation.—For the purposes of this section,—

(a) "network service provider" means an intermediary;

(b) "third party information" means any information dealt with by a network service provider in his capacity as an intermediary.

Page 17: INDIAN CYBERLAW AND SECURITY

“SECURE SYSTEM”

“secure system” means computer hardware, software, and procedure that-

(a) are reasonably secure from unauthorized access and misuse;

(b) provide a reasonable level of reliability and correct operation;

(c) are reasonably suited to performing the intended function; and

(d) adhere to generally accepted security procedures

Page 18: INDIAN CYBERLAW AND SECURITY

DEFINITIONS

“security procedure” means the security procedure prescribed by the Central Government under the IT Act, 2000.

secure electronic record – where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification

Page 19: INDIAN CYBERLAW AND SECURITY

SECURE DIGITAL SIGNATURE

If by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was:

(a) unique to the subscriber affixing it;

(b) capable of identifying such subscriber;

(c) created in a manner or using a means under the exclusive control of the subscriber and is linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated,

then such digital signature shall be deemed to be a secure digital signature.

Page 20: INDIAN CYBERLAW AND SECURITY

POWER TO CENTRAL GOVERNMENT

Central Government empowered to prescribe the security procedure, having regard to the commercial circumstances prevailing at the time when the procedure was used, including-

the nature of the transaction;

the level of sophistication of the parties with reference to their technological capacity;

the volume of similar transactions engaged in by other parties;

the availability of alternatives offered to but rejected by any party;

the cost of alternative procedures;

the procedures in general use for similar types of transactions or communications.

Page 21: INDIAN CYBERLAW AND SECURITY

BREACH OF SECURITY

The Indian Cyberlaw makes breach of security an act which attracts consequences of civil liability.

If a person without the permission of owner or any other person in charge of a computer, computer system or computer network, accesses or secures access to such computer, computer system or computer network, he is liable to pay statutory damages by way of compensation, not exceeding one Crore rupees (Rs 10,000,000/-) to the person so affected.

Page 22: INDIAN CYBERLAW AND SECURITY

BREACH OF SECURITY

Thus, merely gaining access to any computer, computer system or computer network by breaching or violating the security processes or mechanisms is enough to attract the civil liability.

Page 23: INDIAN CYBERLAW AND SECURITY

CRIMINAL OFFENCE

Breach of security is also implicitly recognized as a penal offence in the form of hacking

Section 66 of the IT Act, 2000 makes hacking a penal offence punishable with three years imprisonment and two lakh rupees (Rs 200,000/-) fine

Page 24: INDIAN CYBERLAW AND SECURITY

PROTECTED SYSTEM

The appropriate government, be it the Central or State Government, has been given the discretion to declare any computer, computer system or computer network as a protected system.

Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of the law, shall be punished with imprisonment of either description for a term which may extend to ten years and shall be liable to fine.

Page 25: INDIAN CYBERLAW AND SECURITY

OFFENCES & PENALTIES

Penalties and adjudication for various offences involving computers, computer systems and computer networks.

Penalties for damage to computer, computer system etc.

Fixed as damages by way of compensation not exceeding Rs. 1,00,00,000/- to affected persons.

Page 26: INDIAN CYBERLAW AND SECURITY

CYBER OFFENCES

Various cyber offences defined

Cyber offences to be investigated only by a Police Officer not below the rank of the Deputy Superintendent of Police.

Page 27: INDIAN CYBERLAW AND SECURITY

CYBER OFFENCES (contd.)

Tampering with computer source documents.

Publishing of information which is obscene in electronic form.

Breach of confidentiality and privacy.

Page 28: INDIAN CYBERLAW AND SECURITY

CYBER OFFENCES (contd.)

Hacking

Misrepresentation

Publishing Digital Signature Certificate false in certain particulars and publication for fraudulent purposes.

Page 29: INDIAN CYBERLAW AND SECURITY

RETENTION OF INFORMATION IN ELECTRONIC FORMAT

Can legally retain information in the electronic form, if-

(a) the information contained therein remains accessible so as to be usable for a subsequent reference;

Page 30: INDIAN CYBERLAW AND SECURITY

RETENTION OF INFORMATION IN ELECTRONIC FORMAT

(b) the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;

Page 31: INDIAN CYBERLAW AND SECURITY

RETENTION OF INFORMATION IN ELECTRONIC FORMAT (contd)

(c) the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record.

Page 32: INDIAN CYBERLAW AND SECURITY

INVESTIGATION

For the purpose of investigating the offences detailed under the IT Act, 2000, police officers not below the rank of Deputy Superintendent of Police have been duly authorized and have also been given the power of entry, search and arrest without warrant in public places.

Page 33: INDIAN CYBERLAW AND SECURITY

PROVING IT

Amendments made in the Indian Evidence Act 1872 by the IT Act, 2000

In any proceedings involving a secure electronic record, the court shall presume, unless contrary is proved, that the secure electronic record has not been altered since the specific point of time, to which the secure status relates

Page 34: INDIAN CYBERLAW AND SECURITY

PROVING IT

The law also presumes that in any proceedings, involving secure digital signature, the court shall presume, unless the contrary is proved, that the secure digital signature is affixed by the subscriber with the intention of signing or approving the electronic record

Page 35: INDIAN CYBERLAW AND SECURITY

IT SECURITY GUIDELINES

Information Technology Act, 2000 has come up with Information Technology Security Guidelines

As also Information Technology (Certifying Authority) Rules, 2000

Page 36: INDIAN CYBERLAW AND SECURITY

INFORMATION SECURITY GUIDELINES

The Information Security guidelines are generic and broad and should be followed by all legal entities involved in computer, computer systems and computer networks

More relevant in the context of Electronic Government Procurement in India as the sector’s life and spirit is dependent upon the Information Security of its systems and networks

Page 37: INDIAN CYBERLAW AND SECURITY

LITIGATION ALREADY BEGUN

Litigation already begun in India in relation to e-procurement.

Numerous legal issues relating to electronic government procurement will continue to emerge in the near future.

Need to adopt a proactive approach in dealing with these various legal challenges

Page 38: INDIAN CYBERLAW AND SECURITY

NEED TO COMPLY

There is a need to proactively comply with the requirements of the Indian Cyberlaw.

Necessary to limit liability and emergence of undesirable consequences.

The Information Technology Act, 2000 currently under review by the Government.

Need to adopt a flexible approach of due diligence.

Page 39: INDIAN CYBERLAW AND SECURITY

THAT WAS A PRESENTATION BY

PAVAN DUGGAL,

ADVOCATE, SUPREME COURT OF INDIA

PRESIDENT, CYBERLAWS.NET

HEAD-PAVAN DUGGAL ASSOCIATES

EMAIL : [email protected]

[email protected]