Saturday, April 27, 2013

List of Cyber Laws in India

Cyber Laws in India
Cyber crime is not defined in the Information Technology Act 2000, in the I.T. Amendment Act 2008 or in any other legislation in India. In fact, it cannot be. Offence or crime has been dealt with elaborately, listing various acts and the punishments for each, under the Indian Penal Code, 1860 and quite a few other legislations. Hence, to define cyber crime, we can say it is just a combination of crime and computer. To put it in simple terms, ‘any offence or crime in which a computer is used is a cyber crime’. Interestingly, even a petty offence like stealing or pick-pocketing can be brought within the broader purview of cyber crime if the basic data or aid to such an offence is a computer or information stored in a computer used (or misused) by the fraudster. The I.T. Act defines a computer, computer network, data, information and all other necessary ingredients that form part of a cyber crime, which we will now discuss in detail.


Amendment Act 2008:
Being the first legislation in the nation on technology, computers, e-commerce and e-communication, the Act was the subject of extensive debates, elaborate reviews and detailed criticisms, with one arm of the industry criticizing some sections of the Act as draconian and another stating it is too diluted and lenient. There were some conspicuous omissions too, resulting in the investigators relying more and more on the time-tested (one-and-a-half-century-old) Indian Penal Code even in technology-based cases, with the I.T. Act also being referred to in the process but the reliance being more on the IPC than on the ITA.

Thus the need for an amendment – a detailed one – was felt for the I.T. Act almost from the year 2003-04 itself. Major industry bodies were consulted and advisory groups were formed to go into the perceived lacunae in the I.T. Act, to compare it with similar legislations in other nations and to suggest recommendations. Such recommendations were analysed and subsequently taken up as a comprehensive Amendment Act and, after considerable administrative procedures, the consolidated amendment called the Information Technology Amendment Act 2008 was placed in the Parliament and passed without much debate, towards the end of 2008 (by which time the Mumbai terrorist attack of 26 November 2008 had taken place). This Amendment Act got the President's assent on 5 Feb 2009 and was made effective from 27 October 2009.

Some of the notable features of the ITAA are as follows:
  • Focussing on data privacy
  • Focussing on Information Security
  • Defining cyber café
  • Making digital signature technology neutral
  • Defining reasonable security practices to be followed by corporate
  • Redefining the role of intermediaries
  • Recognising the role of Indian Computer Emergency Response Team
  • Inclusion of some additional cyber crimes like cyber terrorism
  • Authorizing an Inspector to investigate cyber offences (as against the DSP earlier)


How the Act is structured:
The Act has 13 chapters and 90 sections in total (the last four sections, namely sections 91 to 94 in the ITA 2000, dealt with the amendments to four Acts, namely the Indian Penal Code 1860, The Indian Evidence Act 1872, The Bankers’ Books Evidence Act 1891 and the Reserve Bank of India Act 1934). The Act begins with preliminary and definitions, and from thereon the chapters that follow deal with authentication of electronic records, digital signatures, electronic signatures etc.
Elaborate procedures for certifying authorities (for digital certificates as per IT Act -2000 and since replaced by electronic signatures in the ITAA -2008) have been spelt out. The civil offence of data theft and the process of adjudication and appellate procedures have been described. Then the Act goes on to define and describe some of the well-known cyber crimes and lays down the punishments therefor. Then the concept of due diligence, role of intermediaries and some miscellaneous provisions have been described.
Rules and procedures mentioned in the Act have also been laid down in a phased manner, with the latest one on the definition of private and sensitive personal data and the role of intermediaries, due diligence etc., being defined as recently as April 2011.


Applicability:
The Act extends to the whole of India and, except as otherwise provided, it also applies to any offence or contravention thereunder committed outside India by any person. There are some specific exclusions to the Act (i.e. where it is not applicable) as detailed in the First Schedule, stated below:

a) a negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881;
b) a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;
c) a trust as defined in section 3 of the Indian Trusts Act, 1882;
d) a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925, including any other testamentary disposition;
e) any contract for the sale or conveyance of immovable property or any interest in such property;
f) any such class of documents or transactions as may be notified by the Central Government.


Definitions:
The ITA-2000 defines many important words used in common computer parlance like ‘access’, ‘computer resource’, ‘computer system’, ‘communication device’, ‘data’, ‘information’, ’security procedure’ etc. The definition of the word ‘computer’ itself assumes significance here.

‘Computer’ means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;

Digital Signature:
‘Electronic signature’ was defined in the ITAA -2008, whereas the earlier ITA -2000 covered digital signature in detail, defining it, elaborating the procedure to obtain the digital signature certificate and giving it legal validity. Digital signature was defined in the ITA -2000 as “authentication of electronic record” as per the procedure laid down in Section 3, and Section 3 discussed the use of asymmetric crypto system, Public Key Infrastructure, hash function etc.
This was later criticized as being technology dependent, i.e. relying on the specific technology of asymmetric crypto system and the hash function generating a pair of public and private key authentication etc.
Thus Section 3, which was originally “Digital Signature”, was later renamed as “Digital Signature and Electronic Signature” in ITAA - 2008, thus introducing technological neutrality by adoption of electronic signatures as a legally valid mode of executing signatures. This includes digital signatures as one of the modes of signatures and is far broader in ambit, covering biometrics and other new forms of creating electronic signatures, not confining the recognition to the digital signature process alone. While M/s. TCS, M/s. Safescript and M/s. MTNL are some of the digital signature certifying authorities in India, IDRBT (Institute for Development of Research in Banking Technology – the research wing of RBI) is the Certifying Authority (CA) for the Indian banking and financial sector, licensed by the Controller of Certifying Authorities, Government of India.
It is relevant to understand the meaning of digital signature (or electronic signature) here. It would be pertinent to note that electronic signature (or the earlier digital signature) as stipulated in the Act is NOT a digitized signature or a scanned signature. In fact, in electronic signature (or digital signature) there is no real signature by the person, in the conventional sense of the term. Electronic signature is not the process of storing one's signature or scanning one's signature and sending it in an electronic communication like email. It is a process of authentication of a message using the procedure laid down in Section 3 of the Act.
The other forms of authentication that are simpler to use, such as biometric based retina scanning etc., can be quite useful in effective implementation of the Act. However, the Central Government has to evolve detailed procedures and increase awareness on the use of such systems among the public by putting in place the necessary tools and stipulating necessary conditions.
Besides, duties of electronic signature certificate issuing authorities for bio-metric based authentication mechanisms have to be evolved and the necessary parameters have to be formulated to make it user-friendly and at the same time without compromising security.

Section 43 deals with penalties and compensation for damage to computer, computer system etc. This section is the first major and significant legislative step in India to combat the issue of data theft.
The IT industry has for long been clamouring for a legislation in India to address the crime of data theft, just like physical theft or larceny of goods and commodities.
This Section addresses the civil offence of theft of data. If any person, without permission of the owner or any other person who is in charge of a computer, accesses or downloads, copies or extracts any data or introduces any computer contaminant like virus or damages or disrupts any computer or denies access to a computer to an authorised user or tampers etc., he shall be liable to pay damages to the person so affected. Earlier in the ITA -2000 the maximum damages under this head was Rs.1 crore, which (the ceiling) was since removed in the ITAA 2008.
The essence of this Section is civil liability. Criminality in the offence of data theft is being separately dealt with later under Sections 65 and 66. Writing a virus program or spreading a virus mail, a bot, a Trojan or any other malware in a computer network or causing a Denial of Service attack in a server will all come under this Section and attract civil liability by way of compensation. Under this Section, words like Computer Virus, Computer Contaminant, Computer Database and Source Code are all described and defined.


Section 65:
Tampering with source documents is dealt with under this section. Concealing, destroying, altering any computer source code when the same is required to be kept or maintained by law is an offence punishable with three years imprisonment or two lakh rupees or with both. Fabrication of an electronic record or committing forgery by way of interpolations in CD produced as evidence in a court (Bhim Sen Garg vs State of Rajasthan and others, 2006, Cri LJ, 3463, Raj 2411) attract punishment under this Section. Computer source code under this Section refers to the listing of programmes, computer commands, design and layout etc in any form.
Section 66:
Computer related offences are dealt with under this Section. Data theft stated in Section 43 is referred to in this Section. Whereas it was a plain and simple civil offence with the remedy of compensation and damages only in that Section, here it is the same act but with a criminal intention, thus making it a criminal offence. The act of data theft or the offence stated in Section 43, if done dishonestly or fraudulently, becomes a punishable offence under this Section and attracts imprisonment upto three years or a fine of five lakh rupees or both. Earlier, hacking was defined in Sec 66 and it was an offence.
Now after the amendment, data theft of Sec 43 is being referred to in Sec 66, making this section more purposeful, and the word ‘hacking’ is not used. The word ‘hacking’ was earlier called a crime in this Section and at the same time, courses on ‘ethical hacking’ were also taught academically. This led to an anomalous situation of people asking how an illegal activity can be taught academically with the word ‘ethical’ prefixed to it. Then can there be training programmes, for instance, on “Ethical Burglary”, “Ethical Assault” etc., say for courses on physical defence? This tricky situation was put an end to by the ITAA when it re-phrased Section 66 by mapping it with the civil liability of Section 43 and removing the word ‘hacking’. However, the act of hacking is still certainly an offence as per this Section, though some experts interpret ‘hacking’ as generally for good purposes (obviously to facilitate naming of the courses as ethical hacking) and ‘cracking’ for illegal purposes. It would be relevant to note that the technology involved in both is the same and the act is the same, whereas in ‘hacking’ the owner’s consent is obtained or assumed and the latter act ‘cracking’ is perceived to be an offence.
Thanks to ITAA, Section 66 is now a widened one with a list of offences as follows:
  • 66A Sending offensive messages through a communication service, causing annoyance etc. through an electronic communication, or sending an email to mislead or deceive the recipient about the origin of such messages (commonly known as IP or email spoofing) are all covered here. Punishment for these acts is imprisonment upto three years or fine.
  • 66B Dishonestly receiving stolen computer resource or communication device, with punishment upto three years or one lakh rupees as fine or both.
  • 66C Electronic signature or other identity theft like using others’ password or electronic signature etc. Punishment is three years imprisonment or fine of one lakh rupees or both.
  • 66D Cheating by personation using computer resource or a communication device shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.
  • 66E Privacy violation – Publishing or transmitting private area of any person without his or her consent etc. Punishment is three years imprisonment or two lakh rupees fine or both.
  • 66F Cyber terrorism – Intent to threaten the unity, integrity, security or sovereignty of the nation and denying access to any person authorized to access the computer resource or attempting to penetrate or access a computer resource without authorization. Acts of causing a computer contaminant (like virus or Trojan Horse or other spyware or malware) likely to cause death or injuries to persons or damage to or destruction of property etc. come under this Section. Punishment is life imprisonment.

It may be observed that all acts under S.66 are cognizable and non-bailable offences. Intention or the knowledge to cause wrongful loss to others, i.e. the existence of criminal intention and the evil mind, and the concept of destruction, deletion, alteration or diminishing in value or utility of data are all the major ingredients to bring any act under this Section.
To summarise, what was civil liability with entitlement for compensations and damages in Section 43 has been referred to here, if committed with criminal intent, making it a criminal liability attracting imprisonment and fine or both.

Section 67 deals with publishing or transmitting obscene material in electronic form. The earlier Section in ITA was later widened as per ITAA 2008, in which child pornography and retention of records by intermediaries were all included.
Publishing or transmitting obscene material in electronic form is dealt with here. Whoever publishes or transmits any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely to read the matter contained in it, shall be punished on first conviction for a term upto three years and fine of five lakh rupees and on second conviction for a term of five years and fine of ten lakh rupees or both.
This Section is of historical importance since the landmark judgement in what is considered to be the first ever conviction under I.T. Act 2000 in India was obtained under this Section in the famous case “State of Tamil Nadu vs Suhas Katti” on 5 November 2004. The strength of the Section and the reliability of electronic evidences were proved by the prosecution and conviction was brought about in this case, involving sending obscene messages in the name of a married woman, amounting to cyber stalking, email spoofing and the criminal activity stated in this Section.
Section 67-A deals with publishing or transmitting of material containing explicit act in electronic form. Contents of Section 67 when combined with the material containing explicit material attract penalty under this Section.

Section 69:
This is an interesting section in the sense that it empowers the Government or agencies as stipulated in the Section, to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource, subject to compliance of procedure as laid down here. This power can be exercised if the Central Government or the State Government, as the case may be, is satisfied that it is necessary or expedient in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence. In any such case too, the necessary procedure as may be prescribed, is to be followed and the reasons for taking such action are to be recorded in writing, by order, directing any agency of the appropriate Government. The subscriber or intermediary shall extend all facilities and technical assistance when called upon to do so.
  • Section 69A inserted in the ITAA, vests with the Central Government or any of its officers with the powers to issue directions for blocking for public access of any information through any computer resource, under the same circumstances as mentioned above.
  • Section 69B discusses the power to authorise to monitor and collect traffic data or information through any computer resource.

Commentary on the powers to intercept, monitor and block websites:
In short, under the conditions laid down in the Section, power to intercept, monitor or decrypt does exist. It would be interesting to trace the history of telephone tapping in India and the legislative provisions (or the lack of it?) in our nation and compare it with the powers mentioned here. Until the passage of this Section in the ITAA, phone tapping was governed by Clause 5(2) of the Indian Telegraph Act of 1885, which said that “On the occurrence of any public emergency, or in the interest of the public safety, the Government may, if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence, for reasons to be recorded in writing, by order, direct that any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the Government making the order or an officer thereof mentioned in the order”. Other sections of the act mention that the government should formulate “precautions to be taken for preventing the improper interception or disclosure of messages”.
There have been many attempts, rather many requests, to formulate rules to govern the operation of Clause 5(2). But ever since 1885, no government has formulated any such precautions, maybe for obvious reasons to retain the spying powers for almost a century.
A writ petition was filed in the Supreme Court in 1991 by the People’s Union for Civil Liberties, challenging the constitutional validity of this Clause 5(2). The petition argued that it infringed the constitutional right to freedom of speech and expression and to life and personal liberty. In December 1996, the Supreme Court delivered its judgment, pointing out that “unless a public emergency has occurred or the interest of public safety demands, the authorities have no jurisdiction to exercise the powers” given them under 5(2). They went on to define them thus: a public emergency was the “prevailing of a sudden condition or state of affairs affecting the people at large calling for immediate action”, and public safety “means the state or condition of freedom from danger or risk for the people at large”. Without those two, however “necessary or expedient”, it could not do so.
Procedures for keeping such records and the layer of authorities etc. were also stipulated. Now, this Section 69 of ITAA is far more intrusive and more powerful than the above-cited provision of Indian Telegraph Act 1885. Under this ITAA Section, the nominated Government official will be able to listen in to all phone calls, read the SMSs and emails, and monitor the websites that one visited, subject to adherence to the prescribed procedures and without a warrant from a magistrate’s order. In view of the foregoing, this Section was criticised as draconian, vesting the government with much more powers than required.
Having said this, we should not be oblivious to the fact that this power (of intercepting, monitoring and blocking) is something which the Government, represented by the Indian Computer Emergency Response Team (the National Nodal Agency, as nominated in Section 70B of ITAA), has very rarely exercised. Perhaps believing in the freedom of expression and having confidence in the self-regulative nature of the industry, the CERT-In has stated that these powers are very sparingly (and almost never) used by it.
Critical Information Infrastructure and Protected System have been discussed in Section 70.
The Indian Computer Emergency Response Team (CERT-In) coming under the Ministry of Information and Technology, Government of India, has been designated as the National Nodal Agency for incident response. By virtue of this, CERT-In will perform activities like collection, analysis and dissemination of information on cyber incidents, forecasts and alerts of cyber security incidents, emergency measures for handling cyber security incidents etc.
The role of CERT-In in e-publishing security vulnerabilities and security alerts is remarkable. The Minister of State for Communications and IT, Mr. Sachin Pilot, said in a written reply to the Rajya Sabha (as reported in the press) that CERT-In has handled over 13,000 such incidents in 2011 compared to 8,266 incidents in 2009. CERT-In has observed that there is a significant increase in the number of cyber security incidents in the country. A total of 8,266, 10,315 and 13,301 security incidents were reported to and handled by CERT-In during 2009, 2010 and 2011, respectively.
These security incidents include website intrusions, phishing, network probing, spread of malicious code like virus, worms and spam, he added. Hence the role of CERT-In is very crucial and much is expected of CERT-In, not just in giving out the alerts but in combating cyber crime, using the weapon of monitoring the web traffic, intercepting and blocking the site, whenever so required and with due process of law.
Penalty for breach of confidentiality and privacy is discussed in Section 72 with the punishment being imprisonment for a term upto two years or a fine of one lakh rupees or both.

Considering the global nature of cyber crime and understanding the real time scenario of a fraudster living in one part of the world and committing a data theft or DoS (Denial of Service) kind of attack or other cyber crime in an entirely different part of the world, Section 75 clearly states that the Act applies to offences or contraventions committed outside India, if the contravention or the offence involves a computer or a computer network located in India.
This Act has over-riding provisions especially with regard to the regulations stipulated in the Code of Criminal Procedure. As per Section 78, notwithstanding anything contained in the Code of Criminal Procedure, a police officer not below the rank of an Inspector shall investigate an offence under this Act. Such powers were conferred on officers not below the rank of a Deputy Superintendent of Police earlier in the ITA, which was later amended to Inspector in the ITAA.


Other Acts amended by the ITA:
The Indian Penal Code, 1860: Normally referred to as the IPC, this is a very powerful legislation and probably the most widely used in criminal jurisprudence, serving as the main criminal code of India. Enacted originally in 1860 and amended many times since, it covers almost all substantive aspects of criminal law and is supplemented by other criminal provisions. In independent India, many special laws have been enacted with criminal and penal provisions which are often referred to and relied upon, as an additional legal provision in cases which refer to the relevant provisions of IPC as well.
ITA 2000 has amended the sections dealing with records and documents in the IPC by inserting the word ‘electronic’ thereby treating the electronic records and documents on a par with physical records and documents. The Sections dealing with false entry in a record or false document etc (eg 192, 204, 463, 464, 464, 468 to 470, 471, 474, 476 etc) have since been amended as electronic record and electronic document thereby bringing within the ambit of IPC, all crimes to an electronic record and electronic documents just like physical acts of forgery or falsification of physical records.
In practice, however, the investigating agencies file the cases quoting the relevant sections from IPC in addition to those corresponding in ITA, like offences under IPC 463, 464, 468 and 469 read with the ITA/ITAA Sections 43 and 66, to ensure the evidence or punishment stated at least in either of the legislations can be brought about easily.
The Indian Evidence Act 1872:
This is another legislation amended by the ITA. Prior to the passing of ITA, all evidences in a court were in the physical form only. With the ITA giving recognition to all electronic records and documents, it was but natural that the evidentiary legislation in the nation be amended in tune with it. In the definitions part of the Act itself, the words “all documents including electronic records” were substituted. Words like ‘digital signature’, ‘electronic form’, ‘secure electronic record’ and ‘information’, as used in the ITA, were all inserted to make them part of the evidentiary mechanism in legislations. Admissibility of electronic records as evidence, as enshrined in Section 65B of the Act, assumes significance. This is an elaborate section and a landmark piece of legislation in the area of evidences produced from a computer or electronic device. Any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer shall be treated like a document, without further proof or production of the original, if conditions like these are satisfied:
(a) the computer output containing the information was produced by the computer during the period over which the computer was used regularly .... by lawful persons..
(b) the information ...derived was regularly fed into the computer in the ordinary course of the said activities;
(c) throughout the material part of the said period, the computer was operating properly ...... and ......a certificate signed by a person .....responsible..... etc.

To put it in simple terms, evidences (information) taken from computers or electronic storage devices and produced as print-outs or in electronic media are valid if they are taken from a system handled properly with no scope for manipulation of data, ensuring integrity of data produced directly with or without human intervention etc., and accompanied by a certificate signed by a responsible person declaring as to the correctness of the records taken from a computer system with all the precautions as laid down in the Section.
However, this Section is often being misunderstood by one part of the industry to mean that computer print-outs can be taken as evidences and are valid as proper records, even if they are not signed. We find many computer generated letters emanating from big corporates with proper space below for signature under the words “Yours faithfully” or “truly” and the signature space left blank, with a Post Script remark at the bottom: “This is a computer generated letter and hence does not require signature”.
The Act does not anywhere say that ‘computer print-outs need not be signed and can be taken as record’.
The Bankers’ Books Evidence (BBE) Act 1891:
Amendment to this Act has been included as the third schedule in ITA. Prior to the passing of ITA, any evidence from a bank to be produced in a court necessitated production of the original ledger or other register for verification at some stage, with the copy retained in the court records as exhibits. With the passing of the ITA the definitions part of the BBE Act stood amended as: “‘bankers’ books’ include ledgers, day-books, cash-books, account-books and all other books used in the ordinary business of a bank whether kept in the written form or as printouts of data stored in a floppy, disc, tape or any other form of electro-magnetic data storage device”. When the books consist of printouts of data stored in a floppy, disc, tape etc, a printout of such entry ...certified in accordance with the provisions ....to the effect that it is a printout of such entry or a copy of such printout by the principal accountant or branch manager; and (b) a certificate by a person in-charge of computer system containing a brief description of the computer system and the particulars of the safeguards adopted by the system to ensure that data is entered or any other operation performed only by authorised persons; the safeguards adopted to prevent and detect unauthorised change of data ...to retrieve data that is lost due to systemic failure or .....
In short, just like in the Indian Evidence Act, the provisions in Bankers Books Evidence Act make the printout from a computer system or a floppy or disc or a tape as a valid document and evidence, provided, such print-out is accompanied by a certificate stating that it is a true extract from the official records of the bank and that such entries or records are from a computerised system with proper integrity of data, wherein data cannot be manipulated or accessed in an unauthorised manner or is not lost or tamperable due to system failure or such other reasons.
Here again, let us reiterate that the law does not state that any computerised print-out, even if not signed, constitutes a valid record. But still even many banks of repute (both public sector and private sector) often send out printed letters to customers with the space for signature at the bottom left blank after the line “Yours faithfully” etc. and with a remark as Post Script reading: “This is a computer generated letter and hence does not require signature”. Such interpretation is grossly misleading and sends a message to the public that computer generated reports or letters need not be signed, which is neither mentioned anywhere in, nor the import of, the ITA or the BBE Act.
The next Act that was amended by the ITA is the Reserve Bank of India Act, 1934. In Section 58 of the Act, sub-section (2), after clause (p), a clause relating to the regulation of funds transfer through electronic means between banks (i.e. transactions like RTGS and NEFT and other funds transfers) was inserted, to facilitate such electronic funds transfer and ensure legal admissibility of documents and records therein.
