
OSE-043
Indira Gandhi National Open University
School of Vocational Education and Training
INFORMATION TECHNOLOGY SECURITY
Block 3: Information Technology Act



"Education is a liberating force, and in our age it is also a democratising force,
cutting across the barriers of caste and class, smoothing out inequalities imposed
by birth and other circumstances."

- Indira Gandhi

OSE-043
ignou THE PEOPLE'S UNIVERSITY
Information Technology Security
Indira Gandhi National Open University
School of Vocational Education and Training

Block 3
INFORMATION TECHNOLOGY ACT

UNIT 1
Introduction to Information Technology Amendment Act 2008 5

UNIT 2
Legal Implications of Personal Security 21

UNIT 3
Common Cyber Crimes and Government Laws and Rules in Information Security 32

Programme Expert/Design Committee of Advanced Certificate in Information Security (ACISE)

Prof. K.R. Srivathsan, Pro Vice-Chancellor, IGNOU
Mr. B.J. Srinath, Sr. Director & Scientist 'G', CERT-In, Department of Information
Technology, Ministry of Communication and Information Technology, Govt. of India
Mr. A.S.A Krishnan, Director, Department of Information Technology, Cyber-Laws and
E-Security Group, Ministry of Communication and Information Technology, Govt of India
Mr. S. Balasubramony, Dy. Superintendent of Police, CBI, Cyber Crime Investigation Cell,
Delhi
Mr. B.V.C. Rao, Technical Director, National Informatics Centre, Ministry of
Communication and Information Technology, Govt of India
Mr. Omveer Singh, Scientist, CERT-In, Department of Information Technology, Cyber-Laws
and E-Security Group, Ministry of Communication and Information Technology, Govt of India
Dr. Vivek Mudgil, Director, Eninov Systems, Noida
Prof. Manohar Lal, Director, School of Computer and Information Science, IGNOU
Prof. K. Elumalai, Director, School of Law, IGNOU
Mr. Anup Girdhar, CEO, Sedulity Solutions & Technologies, New Delhi
Prof. A.K. Saini, Professor, University School of Management Studies, Guru Gobind Singh
Indraprastha University, Delhi
Mr. C.S. Rao, Technical Director in Cyber Security Division, National Informatics Centre,
Ministry of Communication and Information Technology
Prof. C.G. Naidu, Director, School of Vocational Education & Training, IGNOU
Prof. K. Subramanian, Director, ACIIL, IGNOU, Former Deputy Director General, National
Informatics Centre, Ministry of Communication and Information Technology, Govt of India
Dr. A. Murali M Rao, Joint Director, Computer Division, IGNOU
Mr. P.V. Suresh, Sr. Assistant Professor, School of Computer and Information Science, IGNOU
Ms. Urshla Kant, Assistant Professor, School of Vocational Education & Training, IGNOU,
Programme Coordinator

Block Preparation

Unit Writer: Adv. Vaishali Kant, B.A.LL.B, LLM, National Law School of India University,
Bangalore (Units 1, 2 & 3)
Block Editors: Mr. S. Balasubramony, Dy. Superintendent of Police, CBI, Cyber Crime
Investigation Cell, Delhi; Ms. Urshla Kant, Assistant Professor, School of Vocational
Education & Training, IGNOU
Proof Reading: Ms. Urshla Kant, Assistant Professor, School of Vocational Education &
Training, IGNOU

Production

Mr. B. Natrajan, Dy. Registrar (Pub.), MPDD, IGNOU, New Delhi
Mr. Jitender Sethi, Asstt. Registrar (Pub.), MPDD, IGNOU, New Delhi
Mr. Hemant Parida, Proof Reader, MPDD, IGNOU, New Delhi

July, 2011
© Indira Gandhi National Open University, 2011
ISBN: 978-81-266-5528-1
All rights reserved. No part of this work may be reproduced in any form, by mimeograph or any
other means, without permission in writing from the Indira Gandhi National Open University.
Further information about the School of Vocational Education and Training and the Indira Gandhi
National Open University courses may be obtained from the University's office at Maidan Garhi,
New Delhi-110068, or the website of IGNOU www.ignou.ac.in
Printed and published on behalf of the Indira Gandhi National Open University, New Delhi, by
the Registrar, MPDD.
Laser typeset by Mctronics Printographics, 27/3 Ward No. 1, Opp. Mother Dairy, Mehrauli,
New Delhi-30

Printed at A-One Offset Printers, 5/34, Kirti Nagar Indl. Area, New Delhi-110015

BLOCK INTRODUCTION
The Information Technology Act is very important in this digital age. Digital technology
and new communication systems have made dramatic changes in our lives. The business
community as well as individuals are increasingly using computers to create, transmit
and store information in electronic form instead of traditional paper documents.
The IT Act came into force on 17th October, 2000, and is the first cyber law in India.
It is mainly based on the UNCITRAL Model Law on Electronic Commerce. The IT Act has been
designed to give a boost to electronic commerce, e-transactions and similar activities
associated with commerce and trade, and also to facilitate electronic governance by means
of reliable electronic records. Due to the rapid change in technology, there is a need to
bring suitable amendments into the existing law in our country to facilitate e-commerce.
This block comprises three units and is designed in the following way.

Unit One aims to introduce India's Information Technology Amendment Act 2008, which
resolves many practical difficulties faced in the implementation of the Act. It
strengthens the data protection regime and makes cyberspace more trustworthy, since
cyber criminals, whether engaging in data and identity theft, financial frauds or posing
a threat to national security through acts of cyber terrorism, will be brought to
justice. The IT Amendment Bill 2008 aims to bring significant changes in the extant cyber
laws in India, inter alia introducing legal recognition of electronic signatures, data
protection obligations and mechanisms, and provisions to combat emerging cyber security
threats such as cyber terrorism, identity theft, spamming, video voyeurism, pornography
on the internet, and other crimes.

Unit Two introduces you to privacy, which involves proper control and protection of
personal information and the ability to determine if and how that information should be
obtained and used, and to what extent. Until specific legislation is enacted on providing
data security and privacy in India, a legal controversy that arises in this sphere has to
be resolved, to a large extent, through the Information Technology (Amendment) Act, 2008.
Contractual liabilities and the exercise of best security practices may be quite helpful
in ensuring data protection and privacy.

Unit Three describes the effort towards answering some of the fundamental queries about
cyber crimes related to information security. The IT Act has dealt with both 'cyber
contraventions' and 'cyber offences'. It has identified criminal conduct vis-a-vis a
computer network, computer system or computer. It introduces the power to prosecute those
that deliberately and without authorization misuse computer systems. The Government has
passed certain rules to provide data security and privacy.

Hope you benefit from this block.

ACKNOWLEDGEMENT
The material we have used is purely for educational purposes. Every effort has
been made to trace the copyright holders of material reproduced in this book.
Should any infringement have occurred, the publishers and editors apologize and
will be pleased to make the necessary corrections in future editions of this book.

UNIT 1 INTRODUCTION TO INFORMATION TECHNOLOGY AMENDMENT ACT 2008
Structure
1.0 Introduction
1.1 Objectives
1.2 Need of IT Amendment Act, 2008
1.3 Evolution of IT Amendment Act
1.4 Amendments to IT Act
1.5 UID
1.6 Let Us Sum Up
1.7 Check Your Progress: The Key
1.8 Suggested Readings

1.0 INTRODUCTION
The new amendments to the Information Technology Act, 2000 were passed by the Lok Sabha
in December 2008. They have introduced various positive developments and are an attempt
by the Government to create a dynamic policy that is technology neutral.

1.1 OBJECTIVES
After studying this unit, you should be able to:

• Identify how the IT Amendment Act came into force;

• Explain different provisions of IT Amendment Act;

• Recognize reasons behind such amendments;

• Elucidate the purpose of amendments; and

• Understand UID.

1.2 NEED OF IT AMENDMENT ACT, 2008


The Information Technology Amendment Act, 2008 (IT Act 2008) is a substantial addition to
India's Information Technology Act (ITA-2000). The IT Amendment Act was passed by the
Indian Parliament in October 2008 and came into force a year later. The Act is
administered by the Indian Computer Emergency Response Team (CERT-In).

The original Act was developed to promote the IT industry, regulate e-commerce, facilitate
e-governance and prevent cybercrime. The Act also sought to provide legal recognition to
transactions carried out by means of electronic data interchange or other means of
electronic communication, commonly referred to as e-commerce; to facilitate electronic
filing of documents with government agencies; to amend the IPC, Evidence Act, Bankers'
Book Evidence Act and Reserve Bank of India Act in order to bring electronic documentation
within the purview of the respective enactments; to bring cyber criminals within the
purview of law and to punish them; to bring in the regime of digital signatures; and to
foster security practices within India that would serve the country in a global context.

At the same time, this Act has attracted a lot of criticism, such as: 1) It is still
inadequate in providing sufficient data protection provisions; 2) It does not offer much
in terms of protection of intellectual property on the net; 3) It does not prohibit spam
and unsolicited e-mails that flood one's inbox; 4) It is silent on issues relating to
cross-border taxation arising out of international trade; 5) A single section 79 devoted
to network service providers in the Act is highly inadequate.

The Amendment was made to address issues that the original bill failed to cover
and to accommodate further development of IT and related security concerns since
the original law was passed.

Changes in the Amendment include: redefining terms such as "communication device" to
reflect current use; validating electronic signatures and contracts; making the owner of
a given IP address responsible for content accessed or distributed through it; and making
corporations responsible for implementing effective data security practices and liable
for breaches. This amendment has focused on the major changes in the part on offences:
1) It has substituted the words "computer related offences" for "hacking with computer
system", thereby broadening the horizon of sec 66 by bringing all the acts mentioned in
sec 43 (previously exposed only to civil penalty) under the scope of criminal
consequences, if done dishonestly or fraudulently. 2) Under sec 67, the penalty term has
been changed. 3) Various new sections were introduced to cover new offences such as cyber
terrorism, identity theft, cheating by personation etc. 4) A vital change has been
introduced in sec 78: instead of a police officer not below the rank of Deputy
Superintendent of Police, a police officer not below the rank of inspector shall
investigate any offence under this Act.

The Amendment has been criticized for decreasing the penalties for some
cybercrimes and for lacking sufficient safeguards to protect the civil rights of
individuals. Section 69, for example, authorizes the Indian government to intercept,
monitor, decrypt and block data at its discretion. According to Pavan Duggal, a
cyber law consultant and advocate at the Supreme Court of India, "The Act has
provided Indian government with the power of surveillance, monitoring and
blocking data traffic. The new powers under the amendment act tend to give Indian
government a texture and color of being a surveillance state".

The Information Technology Amendment Bill 2008 was passed by the Lok Sabha
and the Rajya Sabha in the last week of December 2008 and received the President's
assent on 5th February 2009. The Bill aims to make sweeping changes in the existing
Indian cyber law framework, including inserting new express provisions to bring
more cyber offences within the purview of the Information Technology Act, 2000.

1.3 EVOLUTION OF IT AMENDMENT ACT


A rapid increase in the use of computers and the Internet has given rise to new forms of
crime like sending offensive emails and multimedia messages, child pornography, cyber
terrorism, publishing sexually explicit material in electronic form, video voyeurism,
breach of confidentiality and leakage of data by intermediaries, e-commerce frauds like
cheating by personation (commonly known as phishing), identity theft, frauds on online
auction sites, etc. So, penal provisions were required to be included in the Information
Technology Act, 2000. Also, the Act needed to be technology-neutral to provide for the
alternative technology of electronic signatures, bringing it into harmony with the Model
Law on Electronic Signatures adopted by the United Nations Commission on International
Trade Law (UNCITRAL).

Keeping in view the above, the Government had introduced the Information Technology
(Amendment) Bill, 2006 in the Lok Sabha on 15th December 2006. Both Houses of Parliament
passed the Bill on 23rd December 2008. Subsequently the Information Technology
(Amendment) Act, 2008 received the assent of the President on 5th February 2009 and was
notified in the Gazette of India.

1.4 AMENDMENTS TO IT ACT


The amendments to the IT Act have addressed industry's concerns on data protection
issues. They create an enabling legal environment in India that addresses breaches of
confidentiality and integrity of data.

The amendments to the IT Act are broadly categorized as follows:


1) New definitions include 'communication device', 'cyber cafe', 'cyber security',
'electronic signature', and 'Indian Computer Emergency Response Team'.

a) Communication device is defined as "cell phones, personal digital assistants or
combination of both or any other device used to communicate, send or transmit any text,
video, audio or image". It is thus a very general term.

b) Cyber cafe is defined as "any facility from where access to the Internet is offered by
any person in the ordinary course of business to the members of the public".

c) Some of the earlier definitions in the Act that have been redefined include: 'computer
network', 'information', and 'intermediary', to make them more precise.

d) The revised definition of intermediary in sub-section 2(w) is as follows:

'intermediary' with respect to any particular electronic records, means any person who on
behalf of another person receives, stores or transmits that record or provides any service
with respect to that record and includes telecom service providers, network service
providers, internet service providers, web-hosting service providers, search engines,
online payment sites, online-auction sites, online-market places and cyber cafes. All
service providers are thus clearly identified as intermediaries.

2) Intermediaries: Chapter XII on network service providers has been renamed
"Intermediaries not to be liable in certain cases". Section 79 in this chapter sets out
explicitly the conditions under which an intermediary will not be liable for any third
party information, data, or communication link made available or hosted by him. As long
as an intermediary's function is limited to providing access to a communication system
over which information is transmitted or temporarily stored or hosted; and the
intermediary does not initiate the transmission or select or modify the information; and
observes due diligence and also observes the guidelines prescribed by the central
government, he will not be liable for any information. However, if the intermediary
conspires or abets or induces an unlawful act, or does not take steps to remove or
disable access to material on being notified by a government agency that it is being
used to commit an unlawful act, then he will be held liable. This is certainly much more
transparent, since exemption from liability for any unlawful content/information using an
intermediary's infrastructure is clearly stated; the government is mandated to prescribe
any guidelines that it may require intermediaries to follow; and the conditions under
which he will be held liable for unlawful acts are also stated.

/
a) An intermediary has to comply with the central government guidelines, under section
67C, for preservation and retention of information as may be specified, for such duration
and in such manner and format. Failure to do so shall be punished with imprisonment of up
to three years and a fine.

Once again the duties of intermediaries are expected to be clearly known, since the
government will make the procedure transparent through issuance of guidelines.

b) Finally, under section 69B, an intermediary, when called upon by a designated
government agency, has to provide technical assistance and extend all facilities to such
an agency to enable online access, or to secure and provide online access, to the computer
resource generating, transmitting, receiving or storing such traffic data or information.
Failure to do so shall make an intermediary liable for punishment with imprisonment of up
to three years and a fine.

c) Under section 70A on critical infrastructure protection, service providers,
intermediaries, companies and others will have to provide information to the agency
(Indian Computer Emergency Response Team) as may be required by it in discharge of its
functions, in accordance with procedures that shall be prescribed by this nodal agency.

3) Data protection, new clause 43A: The existing Act provides for a penalty for damage to
computers and computer systems under the title 'Penalty and Adjudication' in section 43,
which is widely interpreted as a clause providing data protection in the country.
Unauthorized access to a computer, computer system or computer network is punishable with
compensation of up to one crore rupees. This section has been improved to include
stealing of computer source code, for which compensation can be claimed (computer source
code has been defined). Data protection has now been made more explicit through the
insertion of a new clause 43A that provides for compensation to an aggrieved person whose
personal data, including sensitive personal data, may be compromised by a company during
the time it was under processing with the company, for failure to protect such data
because of negligence in implementing or maintaining reasonable security practices.
Further, 'reasonable security practices and procedures' will constitute those practices
and procedures that protect such information from unauthorized access, damage, use,
modification, disclosure or impairment, as may be specified in an agreement between the
parties or as may be specified in any law in force. In the absence of such an agreement or
any law, the central government will prescribe security practices and procedures in
consultation with professional bodies or associations.

a) This explanation gives scope for recognition of security professional bodies such as
the Data Security Council of India (DSCI), which is an industry initiative promoted by
NASSCOM. The best practices and standards for security that DSCI may prescribe to the IT
and BPO companies may be accepted by the government. Regulation of companies for
compliance with such standards and practices can fall within the ambit of DSCI.

b) Sensitive personal information may be prescribed by the central government in
consultation with professional bodies or associations. In the context of outsourcing to
India, this can be defined to be in line with the compliance requirements of the EU Data
Protection Directive and US laws such as HIPAA or GLBA.

4) Penalty for breach of confidentiality and privacy: Under section 72 it is presently
restricted to those who gain access to an electronic record or document under the powers
conferred under this Act. A new section 72A has been added that provides for punishment
for disclosure of information in breach of a lawful contract. Any person, including an
intermediary, who has access to any material containing personal information about
another person as part of a lawful contract and discloses it without the consent of the
subject person commits a breach and attracts punishment with imprisonment of up to three
years, and/or a fine of five lakh rupees. This is a strong deterrent, and will also bring
those responsible for breaching data confidentiality under lawful contracts to justice.
Along with section 43A, section 72A strengthens the data protection regime in the
country. It will go a long way in promoting trust in trans-border data flows to India.

5) Cyber crimes: Existing sections 66 and 67 on hacking and obscene material have been
updated by dividing them into more crime-specific subsections, thereby making cyber
crimes punishable. Section 69 has also been rewritten to include cyber terrorism through
new clauses 69A and 69B. Moreover, the requirement of a DSP to investigate cyber crimes
has been relaxed; an inspector is now competent to investigate crimes under this Act.
Traffic data, logs and information will be required to be maintained by intermediaries
for cyber security, under sections 67C, 69B and 70A, as per procedures and safeguards that
will be prescribed by the central government. This will ensure availability of cyber
forensic data, which is essential for investigation and prosecution of cyber crimes.

a) Section 66: hacking as a term has been removed. This section has been
aligned with section 43 on compensation against damage. In addition to
the compensation u/s 43, a person who dishonestly or fraudulently gains
access to a computer system and damages it or diminishes its value or
causes disruption, will also be punished with imprisonment of up to three
years and/or a fine of five lakh rupees.

b) Sub-section 66A: provides for punishment for sending offensive messages, including
attachments, through a communications service: up to three years imprisonment, and/or a
fine.

c) Sub-section 66B: provides for punishment for dishonestly receiving a stolen computer
resource or communication device: up to three years imprisonment, and/or a fine of one
lakh rupees.

d) Sub-section 66C: provides for punishment for identity theft: up to three years
imprisonment, and/or a fine of one lakh rupees.

e) Sub-section 66D: provides for punishment for cheating by personation: up to three
years imprisonment, and/or a fine of one lakh rupees.

f) Sub-section 66E: provides for punishment for violation of privacy: up to three years
imprisonment, and/or a fine of two lakh rupees (for intentionally capturing, publishing or
transmitting the image of a private area of any person without his or her consent).

g) Sub-section 66F: provides for punishment for cyber terrorism: up to life imprisonment.
Cyber terrorism is defined as causing denial of service, illegal access, or introducing a
virus in any of the critical information infrastructure of the country defined u/s 70
with the intent to threaten the unity, integrity, security or sovereignty of India or
strike terror in the people or any section of the people; or gaining illegal access to
data or a database that is restricted for reasons of the security of the state or friendly
relations with foreign states.

h) Section 67: it has been revised to include the transmission of obscene material in
electronic form in addition to its publishing. Punishment for publishing or transmitting
obscene material in electronic form has, however, been reduced from five to three years,
while the fine has been increased from one to five lakh rupees. For a second offence,
imprisonment has been reduced from ten to five years, and the fine increased from two to
ten lakh rupees.

i) Section 67A: provides for punishment for publishing or transmitting material
containing a sexually explicit act in electronic form: imprisonment of up to five years
and a fine of ten lakh rupees; for a second offence, imprisonment of up to seven years and
a fine of ten lakh rupees.

j) Section 67B: provides for punishment for publishing or transmitting material depicting
children in a sexually explicit act in electronic form: imprisonment of up to five years
and a fine of ten lakh rupees; for a second offence, imprisonment of up to seven years and
a fine of ten lakh rupees.

k) Section 67C: provides for preservation and retention of information by intermediaries
as may be specified, for such duration and in such manner and format as the central
government may prescribe. Failure to comply shall be punishable by imprisonment of up to
three years and a fine.

l) Section 69: the earlier provision has been revised while two new sub-sections have
been added, namely 69A and 69B. Powers under section 69 were earlier vested with the
Controller of Certifying Authorities for directing any agency of the government to
intercept any information transmitted through a computer resource. The revised section
empowers the central government or a state government to direct any agency of the
government to intercept, monitor or decrypt, or cause to be intercepted, monitored or
decrypted, any information generated, transmitted, received or stored in any computer
resource under conditions of threat to national security or friendly relations with
foreign states. The procedure and safeguards for such interception or monitoring shall be
prescribed by the government. This will make the application of section 69 more
transparent, unlike the same section in the previous version, since such procedures were
not then mandated for the government to prescribe. An intermediary not complying with such
directions shall be punished with imprisonment of up to seven years and a fine.

m) Sub-section 69A: This is a new provision that empowers the central government to issue
directions for blocking of websites (blocking public access to any information through
any computer resource). Conditions under which this may be done are similar to those
under section 69A, and the procedures and safeguards subject to which such blocking of
access by the public may be carried out shall be prescribed by the central government. It
may be noted that blocking can only be ordered by the central government, unlike
interception and monitoring, which can be ordered by the central or a state government.
An intermediary not complying with such directions shall be punished with imprisonment
of up to seven years and a fine.

n) Sub-section 69B: This is yet another provision that empowers the central government to
authorize the monitoring and collection of traffic data or information through any
computer resource for cyber security. Any government agency can be authorized to monitor
and collect traffic data or information generated, transmitted, received or stored in any
computer resource. An intermediary not complying with such directions for enabling online
access, or for securing and providing online access, to the computer resource generating,
transmitting, receiving or storing such traffic data or information shall be punished with
imprisonment of up to three years and a fine.

o) Section 77: Compensation, penalties or confiscation awarded under the IT Act do not
preclude awards of compensation or imposition of penalty or punishment under any other
law. However, sub-section 77A does provide for compounding of offences, except where the
punishment is life imprisonment or imprisonment for a term exceeding three years under
this Act.

6) Critical Information Infrastructure Protection: Earlier section 70 on protected systems
has been revised to include any computer as part of critical information infrastructure
(with a clear definition) through an appropriate notification, and two new sub-sections
70A and 70B have been added to designate a national nodal agency in respect of critical
information infrastructure, called the Indian Computer Emergency Response Team. This
agency will be responsible for all measures including R&D relating to protection of
critical information infrastructure. It will discharge wide-ranging functions related to
cyber security incidents, responding to them, and perform all functions relating to cyber
security. Service providers, intermediaries, companies and others will have to provide
information to the agency as may be required by it in discharge of its functions, in
accordance with procedures that shall be prescribed by this nodal agency.

7) Examiner of Electronic Evidence: Cyber forensic evidence is critical to the trial of
cyber criminals. The felt need of an Examiner of Electronic Evidence has been satisfied
through section 79A, under which the central government may specify any department, body
or agency of the central government as an Examiner of Electronic Evidence, for the
purposes of providing expert opinion on evidence in electronic form before any court.

8) Electronic Signature: The Act has been made technology neutral. Earlier only digital
signatures based on asymmetric cryptography were recognized as electronic signatures to
sign electronic documents/records. Section 3 on digital signatures has been replaced by
electronic signatures. Now the central government is empowered to recognize any other
types of signatures based on new, mature technologies under sections 15 and 16.

9) Electronic Contract Formation: Section 10A has been added, which provides for the
validity of contracts formed through electronic means.

10) Audit of Electronic Records: Section 7A has been added, which provides for audit of
documents maintained in electronic form.

11) Encryption: Section 84C has been added, which enables the central government to
prescribe the modes or methods of encryption for secure use of the electronic medium and
for promotion of e-governance and e-commerce.

Check Your Progress 1

Notes: a) Space is given below for writing your answer.

b) Compare your answer with the one given at the end of this Unit.

1) What are the reasons for the IT Amendment Act, 2008?

2) Explain the evolutionary process of the IT Amendment Act, 2008.

3) What are the major changes made in the IT Amendment Act?

1.5 UID
The Unique Identification Authority of India (UIDAI) is an agency of the Government of
India responsible for implementing the envisioned AADHAAR project, a multipurpose national
identity card or Unique Identification card (UID card) project in India. It was
established in February 2009, and will own and operate the Unique Identification Number
database. The authority will aim at providing a unique number to all Indians, but not
smart cards. The authority would provide a database of residents containing very simple
biometric data.

The agency is headed by a chairman, who holds cabinet rank. The UIDAI is part of the
Planning Commission of India. Nandan Nilekani, a former co-chairman of Infosys
Technologies, was appointed as the first Chairman of the authority in June 2009. Ram
Sewak Sharma, an IAS officer of the Jharkhand Government cadre, has been appointed as the
Director General and Mission Director of the Authority. He is known for his work on the
e-Governance project for Jharkhand State, and while working as IT secretary he received a
number of awards for the best Information Technology Trends State in India. The UID
number is a 12-digit number.

Launch

UIDAI launched the AADHAAR program in the tribal village, Tembhli, in Shahada,
Nandurbar, Maharashtra on 29 September 2010. The program was inaugurated by
Prime Minister Manmohan Singh along with UPA chairperson Sonia Gandhi. The
first resident to receive an AADHAAR was Rajana Sonawane of Tembhli village.

Coverage, goals and logistics

It is believed that Unique National IDs will help address rigged state elections and
the widespread embezzlement that affects subsidies and poverty alleviation programs
such as NREGA. Addressing illegal immigration into India and terrorist threats is
another goal of the program.

Most reports suggest that the plan is for each Indian citizen to have a unique
identification number with associated identifying biometric data and photographs
by 2011. However, other reports claim that obtaining a unique number would be
voluntary, but those that opt to stay out of the system "will find it very inconvenient:
they will not have access to facilities that require you to cite your ID number".

Government issued IDs are fragmented by purpose and region in India, which
results in widespread bribery, denial of public services and loss of income, especially
afflicting poor citizens. As the unique identity database comes into existence, the
various identity databases (voter ID, passports, ration cards, licenses, fishing permits,
border area id cards) that already exist in India are planned to be linked to it. The
Authority is liaising with various national, state and local government entities to
begin this process. The Union Labor Ministry has offered its verified Employment
Provident Fund (EPFO) database of 42 million citizens as the first database to be
integrated into the unique ID system.

Other UID projects implemented on a smaller scale in India can also facilitate
the development of the national project. An example is a project developed by
the cloud computing vendor Wolf Frameworks and the Social Education and Development
Society (SEDS) for profiling and generating Unique Identification for more than
40,000 members in the Anantapur district of Andhra Pradesh.

The UID will link a person's Passport Number, Driving License, PAN card, Bank
Accounts, Address, Voter ID, etc., and all this information will be checked through
a database. So, for example, if someone has different addresses on PAN and driving
license, he is liable to get caught. Those who opt out of this program will have
much inconvenience in doing business, operating bank accounts and dealing with other offices
which will require a UID.

UIDAI has headquarters in Delhi and a technology centre in Bangalore. It also has
8 regional offices in Chandigarh, Delhi, Lucknow, Ranchi, Guwahati, Mumbai,
Hyderabad and Bangalore.

Name and logo

The UID project is known as AADHAAR, meaning 'support' or 'foundation', and its
logo is a yellow sun with a fingerprint embedded in its centre. The logo was
designed by Atul Sudhakar Rao Pande.

Projected costs and business opportunities

One estimate of the cost to completely roll-out National IDs to all Indian residents
above the age of 18 has been placed at 150,000 crore (US$33.45 billion). A different
estimate puts it at US$ 6 billion. A sum of 100 crore (US$22.3 million) was
approved in the 2009-2010 union budget to fund the agency for its first year of
existence. UID has received a huge boost with Dr Pranab Mukherjee, Minister of
Finance, allocating Rs 1900 crore to the Unique Identification Authority of India
(UIDAI) for 2010-11.

Initial estimates project that the initiative will create 1000 new jobs in the country,
and business opportunities worth 6,500 crore (US$1.45 billion) in the first phase
of implementation.

Risks

According to the UIDAI Model, Aadhaar is dependent on biometrics being reliable
enough to guarantee that there is a one-for-one correspondence between real people
and electronic identities on the CIDR (central ID repository). UIDAI faces a risk:
what if the biometrics let them down?

In December 2010, UIDAI published the report on their proof of concept trial
designed to test, among other things, whether biometrics are reliable enough to
guarantee that every entry on the CIDR is unique. UIDAI's figures published in
the report suggest that they are not: the biometrics are not reliable enough, and Aadhaar will
drown in a sea of false positives.

Earlier, in March 2010, three academics published a paper, Fundamental issues in
biometric performance testing: A modern statistical and philosophical framework
for uncertainty assessment, arguing that the level of uncertainty in biometrics is so
great that tests tell you nothing: they cannot be used to predict how well biometric
technology will perform in the real world, and they cannot support a valid argument to
invest in biometrics. All three academics advise governments the world over. One
of them, Antonio Possolo, is head of the statistical engineering division at the US
National Institute of Standards and Technology (NIST), an organisation that has
advised UIDAI in the past. On this occasion, UIDAI has not followed NIST's
advice that tests like its proof of concept trial are pointless.

With its academic support now withdrawn, the outlook for the global mass-consumer
biometrics industry has darkened; it is throwing in the towel. At the same time,
governments elsewhere are abandoning ship. NSTIC, the US National Strategy for
Trusted Identities in Cyberspace, makes no mention of using biometrics. Neither
does IdA, the UK plan for digital delivery identity assurance. And Holland has
suspended its plan to develop a centralised population register including everyone's
biometrics. India may find itself the last adherent of this receding faith.

Criticism

There are many potential privacy fallouts of this project, not the least of which is
triggered by the Government's official plan to link the databases together.

Although there is sometimes a tension between individual privacy rights and
national security, international law and India's domestic law expressly set a standard
in tort law and through constitutional law to protect an individual's privacy from
unlawful invasion. Under the International Covenant on Civil and Political Rights
(ICCPR), ratified by India, an individual's right to privacy is protected from arbitrary
or unlawful interference by the state.

The Supreme Court also held the right to privacy to be implicit under article 21 of
the Indian Constitution in Rajgopal v. State of Tamil Nadu. Moreover, India has
enacted a number of laws that provide some protection for privacy. For example
the Hindu Marriage Act, the Copyright Act, Juvenile Justice (Care and Protection
of Children) Act, 2000 and the Code of Criminal Procedure all place restrictions
on the release of personal information. Privacy is a key concern with respect to
the Multipurpose National Identity Card (MNIC) scheme as all of an individual's
personal information will be stored in one database where the possibility of
corruption and exploitation of data is far greater than when having the information
disbursed.

Risks that arise from this centralization include possible errors in the collection of
information, recording of inaccurate data, corruption of data from anonymous
sources, and unauthorized access to or disclosure of personal information. Other
countries with national identification systems have confronted numerous problems
with similar risks, such as trading and selling of information, and India, which has
no generally established data protection laws such as the U.S. Federal Privacy
Statute or the European Directive on Data Protection, is ill-equipped to deal with
such problems. The centralized nature of data collection inherent in the MNIC
proposal only heightens the risk of misuse of personal information and therefore
potentially violates privacy rights. In consideration of the risks involved in the
creation of a centralized database of personal information, it is imperative that
such a programme not be established without the proper mechanisms to ensure the
security of each individual's privacy rights. Unfortunately, India's proposed MNIC
programme lacks any provision for judicial review at the present time. Without
credible and independent oversight, there is a risk of 'mission creep' for MNICs:
the government may add features and additional data to the MNIC database
bureaucratically and reflexively, without reevaluating the effects on privacy in each
instance.

1.6 LET US SUM UP

India's Information Technology Act, 2000 is comprehensive legislation but contains
many lacunae. The passage of the IT Amendment Act 2008 will resolve many
practical difficulties faced in the implementation of the Act. It strengthens the data
protection regime and makes cyberspace more trustworthy, since cyber criminals,
whether engaging in data and identity theft, financial frauds or posing a threat to
national security through acts of cyber terrorism, will be brought to justice. The IT
Amendment Bill 2008 aims to bring significant changes to the extant cyber laws in
India, inter alia introducing legal recognition of electronic signatures, data protection
obligations and mechanisms, and provisions to combat emerging cyber security threats
such as cyber terrorism, identity theft, spamming, video voyeurism, pornography
on the internet, and other crimes. There may still be some lacunae which will surface
with the passage of time. Hence, constant amendments to the legal statutory framework
will always be essential. With the growing dynamics of technology in India, the legal
matrix needs to be strengthened at every milestone to fill the lacunae that remain
in information technology laws. To cope with the multifarious challenges that
technological advancement may bring, be it issues of cyber security, privacy or
cybercrimes, India will call for a more efficacious and stricter regime of cyber laws.

1.7 CHECK YOUR PROGRESS: THE KEY

Check Your Progress 1

1) The Amendment was created to address issues that the original IT Act failed to
cover and to accommodate further development of IT and related security
concerns since the original law was passed.

2) The Government introduced the Information Technology (Amendment) Bill,
2006 in the Lok Sabha on 15th December 2006. Both Houses of Parliament
passed the Bill on 23rd December 2008. Subsequently the Information
Technology (Amendment) Act, 2008 received the assent of the President on 5th
February 2009 and was notified in the Gazette of India.

3) For easy reference, a brief overview of the significant changes brought out by
the IT Amendment Bill, 2008 is given below:

Section        Change Proposed

1              Section 1(4) list of excluded documents removed. To be notified through Gazette.

2              Section 2(d) modified, and the term "Digital Signature" replaced with "Electronic Signature" in the Act.
               Section 2(ha) added to define "Communication Device", which will include mobile phones, ATMs, PDAs etc.
               Section 2(j) "Computer Systems" and "Communication Devices", "Wire", "Wireless" added.
               Section 2(k) "Communication Device" added.
               Section 2(na) introduced to define the term "Cyber Cafe".
               Section 2(nb) introduced to define the term "Cyber Security".
               Section 2(ta) and 2(tb) introduce the terms "Electronic Signature" and "Electronic Signature Certificate".
               Section 2(ua) defines "Indian Computer Emergency Response Team".
               Section 2(v) "Message" included in the definition of "Information".
               Section 2(w) "Intermediary" defined. It includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes.

3              Section 3 now refers to legal recognition of electronic documents.
               New Section 3A introduced to define Electronic Signature.

4,5            No significant change.

6              New Section 6A introduced to provide for appointment of Service Providers in e-Governance services and enable delivery of services by private service providers.

7              No change.
               New Section 7A introduced to make audit of electronic documents mandatory wherever the legally physical records were subject to audit.

8,9            No change.

10             No significant change.
               New Section 10A specifies that contract formation is possible with offer and acceptance being in electronic form.

11,12,13,14    No significant change.

15,16          Defines "Secured Electronic Signature" and redefines "Security Procedure".

17,18,19       No significant change.

20             Section omitted.

21             No significant change.

22,23          The specified upper limit on the fees omitted.

24,25,26,27    No significant change.

28,29          The powers of the Controller have been restricted to contraventions under Chapter VI.

30             Consequential changes with introduction of Electronic Signatures.

31,32,33,34    No significant change.

35             Sub-section 35(4) modified.

36             Additional points to be added in the certificate indicated.

37,38,39       No change.

40             No change in 40.
               New Section 40A specifies the duties of the subscriber of an Electronic Signature certificate.

41,42          No change.

43             Two new contraventions added: contraventions corresponding to earlier Sections 65 and 66 added for civil liability. Compensation limit removed.
               New Section 43A included for the "Data Protection" need: specifies liability for a body corporate handling sensitive data, introduces the concepts of "reasonable security practices" and sensitive personal data. No limit for compensation.

44,45          No significant change.

46             The powers of the Adjudicator limited to claims up to Rs 5 crores. Civil Court's authority introduced for claims beyond Rs 5 crores.

47             No significant change.

48             Changes name of Cyber Regulations Appellate Tribunal to Cyber Appellate Tribunal.

49             Cyber Appellate Tribunal (CAT) is made a multi-member entity. Provision for benches introduced; non-judicial members can be members of the Tribunal.

50             Specifies qualifications for appointment of Chairperson and Members of the CAT.

51,52          Specifies terms and other conditions of appointment of Chairman and Members of CAT.
               New Sections 52A, B, C and D introduced defining powers of the Chairperson of CAT for conduct of business.

53,54,55,56    No significant change.

57,58,59,60    No change.

61             Amended to accommodate jurisdiction of Civil Courts for disputes involving claims of over Rs 5 crores.

62             No change.

63             No change.

64             No significant change.

65             No change.

66             The clause has been rewritten with significant changes. Applies to all contraventions listed in Section 43, and shall be punishable with imprisonment for a term which may extend to three (3) years or with fine which may extend up to Rs 5 lakhs, or both. The Section applies if the act is done "dishonestly" or "fraudulently" as defined in CrPC.
               New Sections added under 66A, 66B, 66C, 66D, 66E and 66F to cover new offences:
               66A: Sending offensive messages. Punishment: imprisonment for a term which may extend to three years and fine.
               66B: Receiving a stolen computer resource. Punishment: imprisonment for a term which may extend to three years or with fine which may extend to rupees one lakh, or with both.
               66C: Identity theft. Punishment: imprisonment for a term which may extend to three years and also liable to fine which may extend to rupees one lakh.
               66D: Cheating by personation. Punishment: imprisonment for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.
               66E: Violation of privacy. Punishment: imprisonment for a term which may extend to three years or with fine not exceeding two lakh rupees, or with both.
               66F: Cyber terrorism. Punishment: imprisonment which may extend to imprisonment for life.

67             Fine increased to Rs 5 lakhs for first instance and Rs 10 lakhs for subsequent instance. Imprisonment reduced to three years for first instance and 5 years for subsequent instance.
               New Section 67A introduced to cover material containing "Sexually Explicit Act". Punishment: on first conviction, imprisonment for a term which may extend to five years and fine which may extend to ten lakhs. In the event of second and subsequent conviction, imprisonment for a term which may extend to seven years and also fine which may extend to ten lakhs.
               New Section 67B introduced to cover child explicit act or conduct. Punishment: on first conviction, imprisonment for a term which may extend to five years and fine which may extend to ten lakhs. In the event of second and subsequent conviction, imprisonment for a term which may extend to seven years and also fine which may extend to ten lakhs.
               New Section 67C: this provision will require Intermediaries to preserve and retain certain records for a stated period. Punishment: imprisonment for a term which may extend to three years and also liable to pay fine.

68             Refers to the powers of the Controller to direct Certifying Authorities for compliance. No significant change. Penal powers to be applicable only on intentional violation.

69             Scope extended from decryption to interception and monitoring also. Power lies with the authorised Government agency of the Central Government.
               New Section 69A: introduced to enable blocking of websites. If an Intermediary is not cooperative, punishment: imprisonment for a term which may extend to seven years and also liable to fine.
               New Section 69B: provides powers for monitoring and collecting traffic data etc. If an Intermediary is not cooperative, punishment: imprisonment for a term which may extend to three years and also liable to fine.

70             Critical Infrastructure System defined and section restricted to only such systems. Security practices to be notified.
               New Section 70A: added to define the National Nodal Agency for Critical Information Infrastructure protection.

70B            Indian Computer Emergency Response Team to be the Nodal agency for incident response.

71,72          No change.
               New Section 72A: introduced for punishment for disclosure of information in breach of lawful contract (data protection purpose).

73,74,75,76    No change.

77             No significant change.
               New Section 77A: introduced to provide for compounding of offences other than offences for which imprisonment for life or imprisonment for a term exceeding three years has been provided.
               New Section 77B: introduced to consider all offences punishable with imprisonment of three years and above under the Act as cognizable offences, and offences punishable with imprisonment for 3 years as bailable.

78             Power to investigate any cognizable offence vested with Inspectors instead of DSPs.

79             Exemption from liability of intermediary in certain cases; some exceptions have been added: no liability if the intermediary provides only Internet access, observed due diligence, had no actual knowledge of the offence, etc.
               New Section 79A: introduced to provide for the Government to designate any government body as an Examiner of Electronic Evidence.

80             The powers earlier available to DSPs are now made available to Inspectors.

81             Amended to keep the Copyright and Patent Acts fully applicable.

81A            No change.

82             No significant change.

83,84          No change.
               New Section 84A: introduced to enable the Government to prescribe encryption methods.
               New Section 84B: introduced to make "abetment" punishable as the offence itself under the IT Act, 2000.
               New Section 84C: introduced to make an "attempt to commit an offence" punishable with half of the punishment meant for the offence.

85,86          No change.

87             Consequential changes made.

88,89          No changes.

90             No significant change.

91-94          Omitted.

1.8 SUGGESTED READINGS

• Alexis Leon and Mathews Leon (1999), Fundamentals of Information
Technology, Leon TechWorld publication.

• Dr. Larry Leng (2004), Computer Fundamental, Wiley Dreamtech Publication.

• Information Technology Amendment Act, 2008.

• Suresh K. Basandra (2003), Computer Today, Galgotia publication.

• http://www.cis-india.org

• http://www.cyberlaws.net

• http://www.mit.gov.in

UNIT 2 LEGAL IMPLICATIONS OF PERSONAL SECURITY

Structure
2.0 Introduction
2.1 Objectives
2.2 Need of Data Protection and Privacy
2.2.1 Preventing Data Misuse
2.2.2 Rapidly Changing Technology
2.2.3 Globalizations
2.2.4 Complex Regulatory Environments at the Local, National and Global Levels
2.2.5 Accountability
2.2.6 Client's Confidence
2.3 Indian Laws related to Data Protection and Privacy
2.3.1 Indian Constitution
2.3.2 Information Technology Act, 2000
2.3.3 IT (Amendment) Act, 2008
2.4 Suggestions to tackle the Issue of Data Protection and Privacy
2.5 Let Us Sum Up
2.6 Check Your Progress: The Key
2.7 Suggested Readings

2.0 INTRODUCTION
No doubt, India is one of the best outsourcing destinations due to its significant
skills, cost and other advantages. The phenomenal growth and expansion of the IT
and BPO sectors, which continuously provide cost-efficient services across the
world, has made India a global success. But outsourcing services involve working
in an environment requiring compliance with the multiple laws of the different
countries from which the personal data originates. The problem may continue for
service providers because of the lack of data privacy laws in India; at the same
time, they may not be able to deal effectively with all the laws present across the
world. This means that there is a great need to put a uniform framework in place
for data protection. It would help not only in outsourcing services but also in all
kinds of services where data is involved or stored. Presently, there is no way to
give assurance about data security and privacy to anyone. This may cause high
losses and disruption in the IT and outsourcing industry and lead to the loss of
foreign investment as well. Therefore, this unit focuses on the data protection and
privacy issues that need to be tackled. There is an urgent need to strengthen the
data protection environment.

2.1 OBJECTIVES
After studying this unit, you should be able to:

• identify the need for protecting personal data;

• explain different provisions under the IT Act providing data security; and

• recognise different issues involved in data protection and privacy.

2.2 NEED OF DATA PROTECTION AND PRIVACY
Much of the increased attention is attributed to the technological advancements
that have moved society from the industrial age to the informational age and toward
the interactive age. The evolution of the information superhighway, which is the
infrastructure for the virtual place called 'cyberspace', is of great significance. This
era of cyber clouding has enhanced the ability to collect, accumulate, assimilate
and disseminate large amounts of personal information.

Generally, there are three social concerns that drive the issue of privacy. These
are the individual's fears about how personal information is used or shared, how it
is protected, and who is accountable. The growing focus on privacy is mainly driven
by two forces:

1) The advancement of technological capabilities, which have provided new
applications for information storage and retrieval.

2) The increasing value of information.

For an organization to be successful as an outsourcer, what is primarily required is
to use the information assets effectively and efficiently without any risk of loss or
breach. The processing of the client's data has to be performed in a confidential
manner with zero tolerance for data loss. However, there is a complex
range of standards to meet, both in terms of regulatory requirements and arising
from customer and employee expectations. Therefore, the outsourcing company
has to strike a balance to make sure that the information's value is realized
while ensuring that stakeholders such as customers, markets and regulators remain
satisfied.

Reasons for the need of data security

The following are the reasons for demanding that the best data security practices be
followed in the Indian outsourcing industry. They are:

2.2.1 Preventing Data Misuse

Personal information security and privacy measures should be designed to prevent
any data misuse. Specific measures should take account of any risk of individual
harm, and adequate remedial measures should be implemented for collection, use
and transfer of personal information. Remember, the data has a very high
commercial value. It is considered to be a commodity on which the whole
outsourcing service depends. Therefore, it is very necessary to protect the data at
any cost. Although the companies do have safeguards and security practices in
place, the issue is whether those safeguards and security practices are
sufficient to assure the clients about the protection of their data for
outsourcing.

2.2.2 Rapidly Changing Technology

Technology is advancing day by day. Enterprises today face a threat of compromise
of sensitive customer data by authorized and unauthorized users, by means of
available channels like the web, email, USB devices, laptops etc. These breaches
can result in heavy penalties due to lack of regulatory compliance, loss of customer
loyalty, law suits and the compromise of company confidential data which can
benefit the competition. There would be a great risk to the brand. Therefore, the
data protection system should be kept up to date with day-to-day technical
advancements so that at least the technology would not become a burden for our
outsourcing industry.

2.2.3 Globalizations

Today businesses are compelled to interact beyond the traditional market borders.
Increasing competition has made the outsourcing industry expand globally. What
success demands is to remove the walls around the business, broaden access
and open the working wings all over the world. Again, the expansion of the business
largely depends on the data security and privacy measures practiced by the
outsourcing company.

2.2.4 Complex Regulatory Environments at the Local, National and Global Levels

Many laws, regulations and guidelines for data protection and privacy exist
across the globe. Some of these include the European Union (EU) Data Protection
Directive (DPD), the Canadian Personal Information Protection and Electronic
Documents Act (PIPEDA), the U.S. Gramm-Leach-Bliley Act (GLBA), the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), the Asia-Pacific
Economic Cooperation (APEC) Privacy Framework and the Organization for
Economic Cooperation and Development (OECD) Privacy Guidelines. In fact, many
countries have their own separate data protection and privacy laws. In this
sense, privacy and data protection laws, customs and practices vary dramatically
from country to country, across which the trans-border data flows. Processing of personal
information of citizens of these countries by service providers in India through
outsourcing raises concerns about regulatory compliance. A service provider in
India should be able to demonstrate compliance with data protection requirements
similar to those of the country where the client is located, and/or where the data
originated, by following the best security and privacy practices and standards.
But the problem is that the Indian outsourcing industry is not able to deal with
these laws in an efficient manner, perhaps because there is no uniform framework
for data protection in our country.

2.2.5 Accountability
Service providers act as the third party: they perform the back office work on behalf
of the client/customer, and perform the processing when instructed to do so by the
latter. Performance of this outsourced processing involves access to information
and its processing by the Service Provider, as if it were carried out directly by the
client. Therefore, the processing performed by the Service Provider must comply
with the applicable privacy principles. When personal information is to
be transferred to the service provider, the data collector (i.e. the client) should obtain
the consent of the individual or exercise due diligence and take reasonable steps
to ensure that the service provider will protect the information consistently with
these principles. However, this would not remove the accountability of the Service
Provider.

2.2.6 Client's Confidence

Of course, the need for data protection and privacy arises primarily to earn the
client's confidence, which is the ultimate motive of every businessman.

2.3 INDIAN LAWS RELATED TO DATA PROTECTION AND PRIVACY
In regard to the outsourcing industry, it is informational privacy that becomes material.
The varying nature and volume of information which is generated, stored and
retrieved in computers renders data protection and privacy very important.
There is no comprehensive legislation on privacy in India. We do not have even a
specific law on privacy like some other countries. As such, it has been left to the
Judiciary to interpret privacy within the realm of existing legislation.

2.3.1 Indian Constitution

The Supreme Court of India has articulated the 'Right to Privacy' as an integrated
part of the fundamental right to life under Article 21 of the Constitution of India.
Thereby, the right to privacy could be read into Article 21, which states that "No
person shall be deprived of his life or personal liberty except according to
procedures established by law".

In the famous case¹, the Supreme Court held that Article 21 of the Constitution
includes the "Right to Privacy" as a part of the 'Right to protection of life and personal
liberty'. It was observed that the concept of liberty in Article 21 was comprehensive
enough to include privacy, that a person's house, where he lives with his family,
is his castle, and that nothing is more deleterious to his health than a calculated
interference with his privacy.

In another case², the Supreme Court observed that privacy primarily concerns the
individual. It therefore relates to and overlaps with the concept of liberty. Any
right to privacy must encompass and protect the personal intimacies of the home,
the family, marriage, motherhood, procreation and child rearing .... The right to privacy
in terms of Article 21 of the Constitution is not an absolute right; if there were a
conflict between the fundamental rights of two parties, the right which advances public
morality would prevail. Hence, in the light of the above judgments given by the Supreme
Court, we can point out that:

1) The individual's right to privacy exists.

2) Any unlawful invasion of privacy would make the 'offender' liable for the
consequences in accordance with law.

3) There is constitutional recognition given to the right to privacy, which protects
personal privacy against unlawful governmental invasion.

4) The person's 'right to be alone' is not an absolute right and may be lawfully
restricted for the prevention of crime or disorder, the protection of health or morals,
or the protection of the rights and freedom of others.

Although the Indian Constitution has enhanced the right to privacy as a fundamental
right, this right is enforceable only against the State and not against a
private enterprise. Therefore, we cannot find any remedy in it for the protection of the
client's data against the service provider. It does not have any relevance with
respect to the personal data protection and privacy of clients.

2.3.2 Information Technology Act, 2000


It is quite unfortunate that, while legislating India's first cyber law, namely the
Information Technology Act, 2000, Parliament omitted to deal with the crucial
issue of privacy. Nowhere in the IT Act, 2000 is the term 'privacy' defined.
It refers to privacy only in Section 72 [3], and this section has been drafted in a
restricted manner. It refers only to those persons who have access to information
in pursuance of a power given under the IT Act, 2000 or rules or regulations
made thereunder. It has no bearing on the violation of an individual's privacy
in cyberspace generally. Section 72 is, therefore, limited to information obtained by
virtue of a "power granted under the IT Act". In practice it applies mainly to
Certifying Authorities and similar bodies that obtain information from subscribers
in the exercise of such powers.

[1] Kharak Singh v. State of U.P., AIR 1963 SC 1295

[2] Gobind v. State of Madhya Pradesh, AIR 1975 SC 1378

[3] Section 72. Penalty for breach of confidentiality and privacy: Save as otherwise provided in this Act or
any other law for the time being in force, if any person who, in pursuance of any of the powers
conferred under this Act, rules or regulations made thereunder, has secured access to any electronic
record, book, register, correspondence, information, document or other material without the consent
of the person concerned discloses such electronic record, book, register, correspondence,
information, document or other material to any other person shall be punished with imprisonment
for a term which may extend to two years, or with fine which may extend to one lakh rupees, or
with both.
2.3.3 IT (Amendment) Act, 2008
In the light of the latest technological developments, and with the objective of reviewing
the IT Act, 2000, the Hon'ble Minister for Communications and Information
Technology set up an Expert Committee in 2005 under the Chairmanship of
Shri Brijesh Kumar, Secretary, Department of Information Technology, with
representatives from the IT industry such as Shri Kiran Karnik, President, Nasscom.
The Expert Committee completed its deliberations and submitted its report to
Thiru Dayanidhi Maran, the then Hon'ble Minister for Communications and Information
Technology.

In view of recent concerns about the operating provisions of the IT Act relating to
"Data Protection and Privacy", in addition to contractual agreements between the
parties, the existing sections have been revisited and some amendments and more
stringent provisions have been provided for. Notable among these are:

a) Proposal relating to the handling of sensitive personal data or information, with
reasonable security practices and procedures thereto;

b) Gradation of the severity of computer-related offences committed dishonestly or
fraudulently, and the punishment thereof; and

c) An additional section for breach of confidentiality with intent to cause injury to
a subscriber.

d) For a country like India, where we are trying to enhance the positive use of the
Internet and working towards reducing the digital divide, it needs to be ensured
that new users are not scared away by publicity about computer-related
offences. At the same time, it must be ensured that offenders do not go
unpunished. This balancing spirit has been incorporated in the proposed
amendments to the relevant sections.

e) The section relating to obscenity in electronic form has been revised to bring it
in line with the Indian Penal Code (IPC) and other laws, but the fine has been increased
because of the ease of such operations in electronic form. A new section has been
added to address child pornography with higher punishment.

f) A new phenomenon of video voyeurism has emerged in recent times, where
images of the private area of an individual are captured without his knowledge
and then transmitted widely without his consent, thus violating privacy rights.
This has been specifically addressed in a new proposed sub-section.

g) The emergence of electronic evidence as a new discipline for handling
computer-related offences, and its use in the judiciary, has been recognised
through a new provision in the IT Act.

h) Sections relating to the extent of liability of intermediaries in certain cases
have been revised and certain amendments recommended, using the European
Union directives on e-commerce as guiding principles. [4]

The IT Amendment Act, 2008 has strengthened the data protection regime in the
country, which is expected to enhance the trustworthiness of Indian IT/BPO service
providers. It inter alia includes provisions addressing the protection of critical
information infrastructure; privacy of information held in computer systems and
networks; breach of confidentiality and privacy; audit of electronic records; enabling
public-private partnership in the area of e-Governance; conclusion of contracts
through electronic means; dishonestly receiving stolen computer resources or
communication devices; spam; identity theft; cheating by personation; violation of
privacy; cyber terrorism; and child pornography. The provisions also empower the
Government to prescribe guidelines for making service providers and intermediaries
accountable and responsible towards consumers/subscribers.

[4] Expert Committee on amendments to the IT Act, 2000

Mainly, the focus of the amendments to the Information Technology Act is to strengthen
the security and privacy of data. Presently, we do not have any separate "Privacy Act"
or data protection act in India. The "Personal Data Protection Bill, 2006" was
introduced in the Rajya Sabha in its 209th session for the protection of the personal
data of individuals collected by an organisation for some purpose, and to prevent
its misuse by a third organisation for commercial or any other purpose without
the consent of the individual, but till now this bill has not been passed. Therefore,
the sole responsibility for providing a data protection regime in our country falls on
the Information Technology (Amendment) Act, 2008.

The Information Technology (Amendment) Act, 2008 provides for the privacy of
information held in computer systems and networks, for customer/client
confidence. Sections 43, 43A, 72 and 72A of the Act address the issue of breach of
confidentiality and privacy. In fact, the implementation of Sections 43A and 72A will surely
make a mark in data security. Section 43A [5] fixes responsibility on
body corporates and companies to adequately protect the sensitive personal data or
information which they own, possess, control or operate, by implementing and
maintaining "reasonable security practices and procedures". The need to protect
an individual's data is reflected in these new restrictions imposed on the collection, storage
and handling of that data. Under Section 43A, a person whose sensitive personal data
has been compromised through a body corporate's negligence in maintaining such
practices while handling the data can claim compensation for the wrongful loss caused.

The IT Act now requires body corporates to maintain and implement 'reasonable
security practices and procedures' to adequately protect sensitive personal data
or information, but does not itself define the phrase "reasonable security practices and
procedures". As the section is worded, "reasonable security practices and
procedures" are to be determined in one of the following ways:

As defined between the parties by mutual agreement, or

As specified in any law for the time being in force, or

As specified by the Central Government in consultation with such
professional bodies or associations as it may deem fit.

[5] Section 43A. Compensation for failure to protect data: Where a body corporate, possessing, dealing or
handling any sensitive personal data or information in a computer resource which it owns, controls
or operates, is negligent in implementing and maintaining reasonable security practices and
procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate
shall be liable to pay damages by way of compensation to the person so affected.

Explanation. For the purposes of this section,

i) "body corporate" means any company and includes a firm, sole proprietorship or other
association of individuals engaged in commercial or professional activities;

ii) "reasonable security practices and procedures" means security practices and procedures
designed to protect such information from unauthorized access, damage, use, modification,
disclosure or impairment, as may be specified in an agreement between the parties or as may
be specified in any law for the time being in force and in the absence of such agreement or
any law, such reasonable security practices and procedures, as may be prescribed by the
Central Government in consultation with such professional bodies or associations as it may
deem fit;

iii) "sensitive personal data or information" means such personal information as may be prescribed
by the Central Government in consultation with such professional bodies or associations as
it may deem fit.

However, at the time of writing there is no law specifying reasonable security practices, nor has
the Central Government defined the security practices to be implemented in order
to secure vital data. In the absence of such defined security practices and
procedures, it is open to the parties to enter into agreements and lay down their
own methods of protecting their sensitive information. This has led to many issues,
such as:

a) Are the methods incorporated in the agreement by the parties themselves
for protecting data really reasonable methods as per Section 43A?

b) Who will monitor the proper implementation of those methods?

c) For the purpose of procuring more and more business, are outsourcing
companies being made to enter into agreements that impose too
many obligations on them?

d) What would be reasonable security practices for one industry may not be
applicable to another industry. It has to be pointed out that one set of security
practices will not fit the entire nation.

Depending upon the industry, compliance with requirements such as ISO
27001, the DPA, Basel II, HIPAA etc. may be enforced by means of agreements between
the parties, and failure on the part of any party to maintain such a contractual
obligation can lead to legal consequences by virtue of this section. It is to be noted
that there is no upper limit on the compensation that can be claimed by the affected
party in such circumstances.

Section 72A [6] provides further strengthening of the data protection regime in our
country. It deals with the punishment for breach of a lawful contract, and will
prevent any intermediary or service provider who has secured any material or
information from a user from passing it on to other persons without the consent
of the user. The purview of Section 72A is wider than that of the existing Section 72, and
extends to the disclosure (without consent) of personal information about a person obtained while
providing services under a lawful contract, and not merely to the disclosure of information
obtained by virtue of "powers granted under the IT Act". Section 72A also covers
the intermediary, who would be punishable for disclosure of information in breach
of a lawful contract. The term "intermediary" [7] has been defined to mean (with
respect to any particular electronic record) a person who, on behalf of another
person, receives, stores or transmits that record or provides any service with respect
to that record, and includes telecom service providers, network service providers,
Internet service providers, web-hosting service providers, search engines, online
payment sites, online auction sites, online market places and cyber cafes. The
section provides for imprisonment of up to three years, or a fine which may
extend to five lakh rupees, or both, as punishment for disclosure of information
in breach of a lawful contract. It provides a better functioning system
for the outsourcing industry, enabling it to develop data security systems
under strict vigilance against internal and external threats and to ensure better
e-governance.

[6] Section 72A. Punishment for disclosure of information in breach of lawful contract: Save as otherwise
provided in this Act or any other law for the time being in force, any person including an
intermediary who, while providing services under the terms of lawful contract, has secured access
to any material containing personal information about another person, with the intent to cause or
knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent
of the person concerned, or in breach of a lawful contract, such material to any other person,
shall be punished with imprisonment for a term which may extend to three years, or with fine
which may extend to five lakh rupees, or with both.

[7] Section 2(1)(w) of the Information Technology (Amendment) Act, 2008

While the provisions of the Amendment Act may not be as stringent as the data
protection laws of other jurisdictions in protecting the rights of individuals/clients
in relation to their personal data, the Amendment Act has attempted to make
organisations handling sensitive personal information liable for any misuse of
such data, and has definitely set the ball rolling in addressing the lacuna in
data protection law in the country. The provisions are, however, not adequate to
meet the needs of corporate India.

Check Your Progress 1

Notes: a) Space is given below for writing your answer.

b) Compare your answer with the one given at the end of this Unit.

1) Why do we need data protection and privacy?

2) Provide the details of Indian laws related to data protection and privacy.

2.4 SUGGESTIONS TO TACKLE THE ISSUE OF
DATA PROTECTION AND PRIVACY
1) There should be a data-centric security model in public offices and outsourcing
companies. There is an urgent need to implement stringent measures to
protect information assets. An effective security culture, awareness,
technological controls, a comprehensive privacy policy and fair processes play a
major role in providing a secure data infrastructure for service providers.

2) The Government should legislate properly in relation to data protection and privacy.
Exhaustive legislation on data security and privacy seems to be the only answer
to protecting personal data or information. It should be as clear as possible,
without leaving any room for doubt.

3) Proper implementation of "reasonable security practices and procedures"
to prevent unauthorised access to the personal data of customers being processed
by organisations. The standards of best practice in data security and data privacy proposed
by DSCI can be complied with for this purpose.

4) There is an urgent need to develop or codify the law of tort in India. This
would enable individual clients from different territorial jurisdictions to move
the courts in our country for monetary damages for violation of their privacy.

5) Service providers in India must be mandated to follow strict guidelines and
standards for data security and privacy to enhance their trustworthiness.

6) Any company, public office or service provider in India must give clear
notice that it is collecting information, what kind of information is being
collected, and for what purpose.

7) Databases created by collecting personal information should not be
used for any purpose other than fulfilling the transaction or task for
which the information was collected.

8) It is also essential to ensure that the collected information is properly
handled to rule out unauthorised access to it or its theft.

9) The privacy policy followed by organisations should correspond with
the IT Act. The certification system proposed by DSCI (for both security and privacy)
could be useful as a seal of trust and reflect the maturity of the security
and privacy practices in their operations.

10) Contractual clauses should explicitly provide for data protection and security.

11) Appointment of Data Security Officers to independently ensure that data
is processed properly and securely.

12) Training and awareness on data security and privacy for the employees of
outsourcing companies, public offices and other organisations.

13) Adoption of alternative dispute resolution mechanisms to resolve any disputes that arise
with regard to data protection and privacy.

Check Your Progress 2

Notes: a) Space is given below for writing your answer.

b) Compare your answer with the one given at the end of this Unit.

1) Give your own suggestions to tackle the issue of data protection and privacy.

2.5 LET US SUM UP

Privacy involves proper control and protection of personal information and the
ability to determine if and how that information should be obtained and used, and
to what extent. Until specific legislation is enacted on data security and
privacy in India, a legal controversy that arises in this sphere has to be resolved, to
a large extent, through the Information Technology (Amendment) Act, 2008. DSCI
is also in the process of framing data security and privacy standards for
companies to follow, in order to have uniformity of practices in the Indian domain. It is
encouraging companies to carry out self-checks and to undergo compliance checks by
DSCI for certification, which will provide further assurance that the requirements
for maintaining data security and privacy are followed and can be trusted. Moreover, in
addition to this, grievance redressal should be encouraged through alternative
dispute resolution mechanisms such as mediation and conciliation for the quick
redressal of related disputes. Hence, contractual liabilities and the exercise of best
security practices may be quite helpful in ensuring data protection and privacy.

At the end of the day, let us hope that the evolving cyber law will win the battle for
data security and privacy, so that India remains a trustworthy and secure destination
for providing data protection and security.

2.6 CHECK YOUR PROGRESS: THE KEY

Check Your Progress 1
1) Preventing data misuse: Personal information security and privacy measures
should be designed to prevent any misuse of data. Specific measures should
take account of any risk of individual harm, and adequate remedial measures
should be implemented for the collection, use and transfer of personal information.
Remember, data has a very high commercial value. It is considered to be
a commodity on which the whole of the outsourcing services depends. Therefore, it
is very necessary to protect the data at any cost. Although companies do
have safeguards and security practices in place, the issue is whether
those safeguards and security practices are sufficient to assure
clients about the protection of their data in outsourcing.

Rapidly changing technology: Technology is advancing day by day.
Enterprises today face the threat of compromise of sensitive customer data by
authorised and unauthorised users, by means of available channels like the
web, email, USB devices, laptops etc. These breaches can result in heavy
penalties due to lack of regulatory compliance, loss of customer loyalty,
lawsuits and the compromise of company confidential data, which can benefit
competitors. There would be a great risk to the brand. Therefore, the
data protection system should keep pace with day-to-day technical
advancements, so that at least technology does not become a bane for our
outsourcing industry.

Globalisation: Today businesses are compelled to interact beyond the
traditional market borders. Increasing competition has made the outsourcing
industry expand globally. What success demands is to remove the walls
around the business, broaden access and open the working wings all over
the world. Again, the expansion of the business largely depends on the data
security and privacy measures practised by the outsourcing company.

Complex regulatory environments at the local, national and global levels:
Many laws, regulations and guidelines for data protection and privacy
exist across the globe. Some of these include the European Union (EU) Data
Protection Directive (DPD), the Canadian Personal Information Protection and
Electronic Documents Act (PIPEDA), the U.S. Gramm-Leach-Bliley Act (GLBA), the
Health Insurance Portability and Accountability Act of 1996 (HIPAA), the
Asia-Pacific Economic Cooperation (APEC) Privacy Framework and the Organisation
for Economic Co-operation and Development (OECD) Privacy Guidelines.
In fact, many countries have their own separate data protection and privacy
laws. In this sense, privacy and data protection laws, customs and practices
vary dramatically from country to country, across which the trans-border data
flows. Processing of personal information of citizens of these countries by
service providers in India through outsourcing raises concerns about regulatory
compliance. A service provider in India should be able to demonstrate
compliance with data protection requirements similar to those of the country
where the client is located, and/or where the data originated, by following
the best security and privacy practices and standards. But the problem is that
the Indian outsourcing industry is not able to deal with these laws in an efficient
manner, perhaps because there is no uniform framework for data protection
in our country.
Accountability: Service providers act as third parties, perform the back
office work on behalf of the client/customer, and perform the processing when
instructed to do so by the latter. Performance of this outsourced processing
involves access to information and its processing by the service provider, as
if it were carried out directly by the client. Therefore, the processing performed
by the service provider must comply with the applicable privacy principles.
When personal information is to be transferred to the service provider,
the data collector (i.e. the client) should obtain the consent of the individual or
exercise due diligence and take reasonable steps to ensure that the service
provider will protect the information consistently with these principles.
However, this does not remove the accountability of the service provider.

Client's confidence: Of course, the need for data protection and privacy arises
primarily to earn the client's confidence, which is the ultimate motive of
every business.

2) Refer to Section 2.3.

Check Your Progress 2

1) Refer to Section 2.4 and give your own suggestions for providing data protection and privacy.

2.7 SUGGESTED READINGS

• Carey, Peter, "Data Protection: A Practical Guide to UK and EU Law", Second
Edition, 2004, Oxford University Press, New York.

• Colin J. Bennett, "Regulating Privacy: Data Protection and Public Policy in
Europe and the United States", published by Cornell University Press, 1992.

• Cronin and Weikers, "Data Security and Privacy Law: Combating Cyberthreats",
West, a Thomson business, 9/2004.

• Expert Committee on Amendments to IT Act 2000, 29.08.2005.

• Frank Bott, Allison Coleman, Jack Eaton, Diane Rowland, "Professional Issues
in Software Engineering", Third Edition, published by CRC Press, 2001.

• Giannis Stamatellos, "Computer Ethics: A Global Perspective", published by
Jones & Bartlett Publishers, 2007.

• Jacqueline Klosek, "Data Privacy in the Information Age", published by
Greenwood Publishing Group, 2000.

• Philip E. Agre and Marc Rotenberg (eds.), "Technology and Privacy: The New
Landscape" (Cambridge, published by MIT Press, 1998).

• Serge Gutwirth, Rathenau Instituut; translated by Raf Casert,
"Privacy and the Information Age", published by Rowman & Littlefield,
2002.
UNIT 3 COMMON CYBER CRIMES
AND GOVERNMENT LAWS
AND RULES IN INFORMATION
SECURITY
Structure
3.0 Introduction
3.1 Objectives
3.2 Nature of Cyber Crimes
3.3 Reasons behind Cyber Crimes
3.4 Kinds of Cyber Crime
3.5 Prevention of Cyber Crime
3.6 Government Rules
3.7 Let Us Sum Up
3.8 Check Your Progress: The Key
3.9 Suggested Readings

3.0 INTRODUCTION
The Information Technology Act, 2000 has been substantially amended by the
Information Technology (Amendment) Act, 2008, whereby numerous cyber crimes
relating to information security have been added to the law. In fact, the IT Act has
a penal character, defining various offences and punishments to reduce cyber
crime. As we know, the internet is a global network of millions of computers
connected with one another. It permits instant communication through e-mail or online chat,
and the buying or selling of goods through auction websites, etc. Moreover, data/
information is volatile, as it can easily be erased, modified, transmitted and
concealed through electronic techniques. In this digital world, the flow of
information is so easy and quick that the possibility of misusing
personal information is very high. There are no geographical constraints as such.
With the growing penetration of information technology into our lives, the injury and
losses caused by cyber crimes are of significant magnitude.

3.1 OBJECTIVES
After studying this unit, you should be able to:

• identify how digital information is misused;
• explain different cyber crimes related to information security; and
• recognise different laws and rules for the prevention of such cyber crimes.

3.2 NATURE OF CYBER CRIMES

"Who's stealing your information? In today's enterprise, the answer is everyone."

The term 'cyber crime' is a misnomer. This term has nowhere been defined in any
statute or Act passed or enacted by the Indian Parliament. The concept of cyber
crime is not radically different from the concept of conventional crime. Both include
conduct, whether act or omission, which causes a breach of rules of law and is
counterbalanced by the sanction of the state. The word 'cyber' is synonymous
with computer, computer system or computer network. Thus, cyber crime may be
defined as any illegal act that involves a computer, computer system or computer
network.

Cyber crimes are technology-based crimes, and the computer or internet itself can
be used as a weapon or means to commit such crimes quite freely. They are organised
and white-collar crimes like cyber fraud, hacking, data theft, phishing, identity
theft etc. Cyber crimes are committed with the help of technology, and cyber
criminals have a deep understanding of technology. In fact, cyber criminals are
technocrats who understand the intricacies of information technology. Cyber crimes
do not respect any boundaries or territorial barriers.

Such crimes are quite different from traditional crimes due to the use of a digital
platform. The demarcation lies in the involvement of the medium in cases of cyber
crime. The sine qua non for cyber crime is that there should be an involvement, at
any stage, of the virtual cyber medium. Due to their peculiar nature, cyber crime
investigation is technical. It is quite difficult to collect direct evidence. Cyber crime
is the latest and perhaps the most complicated problem in the cyber world. "Cyber
crime may be said to be those species, of which genus is the conventional crime,
and where either the computer is an object or subject of the conduct constituting
crime". "Any criminal activity that uses a computer either as an instrumentality,
target or a means for perpetuating further crimes comes within the ambit of cyber
crime".

A generalised definition of cyber crime may be "unlawful acts wherein the computer
is either a tool or target or both". The computer may be used as a tool in the
following kinds of activity: financial crimes, sale of illegal articles, pornography,
online gambling, intellectual property crime, e-mail spoofing, forgery, cyber
defamation and cyber stalking. The computer may, however, be the target of unlawful acts
in the following cases: unauthorised access to computers/computer systems/computer
networks, theft of information contained in electronic form, e-mail bombing,
data diddling, salami attacks, logic bombs, Trojan attacks, internet time theft, web
jacking, theft of computer systems, and physically damaging the computer system.

The important elements of cyber crime are: 1) there must be intent to secure access
to any programme or data held in any computer, computer system or computer
network; and 2) the person must know, at the time that he commits the actus reus, that
the access he intends to secure is unauthorised.

3.3 REASONS BEHIND CYBER CRIMES

Hart, in his work "The Concept of Law", has said that 'human beings are vulnerable, so
the rule of law is required to protect them'. Applying this to cyberspace, we may
say that computers are vulnerable, so the rule of law is required to protect and safeguard
them against cyber crime. The reasons for the vulnerability of computers are the
following:

1) Capacity to store data in a comparatively small space: The computer has the unique
characteristic of storing a great deal of data in a very small space. This makes it much
easier to remove or derive information, either through a physical or a virtual medium.

2) Easy to access: The problem encountered in guarding a computer system from
unauthorised access is that there is every possibility of a breach, not due to human
error but due to the complexity of the technology. Secretly implanted logic bombs,
key loggers that can steal access codes, advanced voice recorders, retina
imagers etc. that can fool biometric systems, and techniques that bypass firewalls
can be utilised to get past many a security system.

3) Complex: Computers work on operating systems, and these operating
systems in turn are composed of millions of lines of code. The human mind is fallible,
and it is not possible to rule out a lapse at some stage. Cyber
criminals take advantage of these lacunae and penetrate the computer
system.

4) Negligence: Negligence is very closely connected with human conduct. It is
therefore very probable that while protecting the computer system there might
be some negligence, which in turn allows a cyber criminal to gain access to
and control over the computer system.

5) Loss of evidence: Loss of evidence is a very common and obvious problem, as
the data are routinely overwritten or destroyed. Further, the collection of data outside the
territorial jurisdiction also paralyses the system of crime investigation.
Check Your Progress 1
Notes: a) Space is given below for writing your answer.

b) Compare your answer with the one given at the end of this Unit.

1) What are cyber crimes?

2) How are they different from conventional crimes?

3) Explain the reasons for cyber crimes.

3.4 KINDS OF CYBER CRIME

Cyber crime ranges across a spectrum of activities. At one end are crimes that
involve fundamental breaches of personal or corporate privacy, such as assaults
on the integrity of information held in digital repositories and the use of illegally
obtained digital information to blackmail a firm or individual. Also at this end of
the spectrum is the growing crime of identity theft. Midway along the spectrum lie
transaction-based crimes such as fraud, trafficking in child pornography, digital
piracy, money laundering, and counterfeiting. These have specific victims, but the
criminal hides in the relative anonymity provided by the internet. The following
are the crimes which can be committed against each of the following groups:

Against Individuals

i) Harassment via e-mails

ii) Cyber-stalking

iii) Dissemination of obscene material

iv) Defamation

v) Unauthorized control/access over computer system

vi) Indecent exposure

vii) Email spoofing

viii) Cheating & Fraud

Against Individual Property

i) Computer vandalism

ii) Transmitting virus

iii) Netrespass

iv) Unauthorized control/access over computer system

v) Intellectual Property crimes

vi) Internet time thefts

Against Organization

i) Unauthorized control/access over computer system

ii) Possession of unauthorized information

iii) Cyber terrorism against the government organization

iv) Distribution of pirated software etc.

Against Society at large

i) Pornography (basically child pornography)

ii) Polluting the youth through indecent exposure

iii) Trafficking

iv) Financial crimes

v) Sale of illegal articles

vi) Online gambling

vii) Forgery

The above mentioned offences are discussed in brief as follows:

1) Harassment via e-mails: Harassment through e-mails is not a new concept.
It is very similar to harassing through letters. Emotional blackmail and
threatening are very common types of harassment via e-mails.

2) Cyber-stalking: The Oxford dictionary defines stalking as "pursuing
stealthily". Cyber stalking involves following a person's movements across
the Internet by posting messages (sometimes threatening) on the bulletin boards
frequented by the victim, entering the chat-rooms frequented by the victim,
constantly bombarding the victim with emails etc.

3) Dissemination of obscene material/Indecent exposure/Pornography
(basically child pornography)/Polluting through indecent exposure:
Pornography on the net may take various forms. It may include the hosting of
web sites containing these prohibited materials, the use of computers for
producing these obscene materials, and the downloading of obscene materials
through the Internet. These obscene matters may cause harm to the minds of
adolescents and tend to deprave or corrupt them. Two known cases of
pornography are the Delhi Bal Bharati case and the Bombay case, wherein a
Swiss couple used to force slum children to pose for obscene photographs.
The Mumbai police later arrested them.

4) Defamation: It is an act of imputing any person with intent to lower the
person in the estimation of the right-thinking members of society generally, or
to cause him to be shunned or avoided, or to expose him to hatred, contempt
or ridicule. Cyber defamation is not different from conventional defamation
except for the involvement of a virtual medium. E.g. the mail account of Rohit
was hacked and some mails were sent from his account to some of his batch
mates regarding his affair with a girl, with intent to defame him.

5) Unauthorized control/access over computer system: This activity is
commonly referred to as hacking. The Indian law has however given a different
connotation to the term hacking, so we will not use the term "unauthorized
access" interchangeably with the term "hacking" to prevent confusion, as the
term used in the Act of 2000 is much wider than hacking.

6) E-mail spoofing: A spoofed e-mail may be said to be one which misrepresents
its origin. It shows its origin to be different from where it actually originates.
Recently spoofed mails were sent in the name of Mr. Na.Vijayashankar, which
contained a virus. Another example is that Rajesh Manyar, a graduate student at
Purdue University in Indiana, was arrested for threatening to detonate a nuclear
device on the college campus. The alleged e-mail was sent from the account
of another student to the vice president for student services. However, the mail
was traced to have been sent from the account of Rajesh Manyar.

7) Computer vandalism: Vandalism means deliberately destroying or damaging
property of another. Thus computer vandalism may include within its purview
any kind of physical harm done to the computer of any person. These acts
may take the form of the theft of a computer, some part of a computer or a
peripheral attached to the computer, or of physically damaging a computer or
its peripherals.

8) Transmitting virus/worms: This topic has been adequately dealt with herein above.
9) Intellectual Property crimes/Distribution of pirated software: Intellectual
property consists of a bundle of rights. Any unlawful act by which the owner
is deprived completely or partially of his rights is an offence. The common
forms of IPR violation may be said to be software piracy, copyright infringement,
trademark and service mark violation, theft of computer source code, etc.
The Hyderabad Court has, in a landmark judgement, convicted three people
and sentenced them to six months' imprisonment and a fine of 50,000 each for
unauthorized copying and sale of pirated software.

10) Cyber terrorism against the government organization: At this juncture a
necessity may be felt to ask what the need is to distinguish between cyber
terrorism and cyber crime. Both are criminal acts. However, there is a
compelling need to distinguish between both these crimes. A cyber crime is
generally a domestic issue, which may have international consequences;
however, cyber terrorism is a global concern, which has domestic as well as
international consequences. The common forms of these terrorist attacks on
the Internet are distributed denial of service attacks, hate websites and hate
emails, attacks on sensitive computer networks, etc. Technology-savvy
terrorists are using 512-bit encryption, which is next to impossible to decrypt.
Recent examples may be cited of Osama Bin Laden, the LTTE, and the attack on
America's army deployment system during the Iraq war.

Cyber terrorism may be defined to be "the premeditated use of disruptive
activities, or the threat thereof, in cyber space, with the intention to further
social, ideological, religious, political or similar objectives, or to intimidate
any person in furtherance of such objectives".

Another definition may be attempted to cover within its ambit every act of
cyber terrorism.

A terrorist means a person who indulges in wanton killing of persons or in
violence or in disruption of services or means of communications essential to
the community or in damaging property with the view to:

1) putting the public or any section of the public in fear; or

2) affecting adversely the harmony between different religious, racial,
language or regional groups or castes or communities; or

3) coercing or overawing the government established by law; or

4) endangering the sovereignty and integrity of the nation;

and a cyber terrorist is the person who uses the computer system as a means
or end to achieve the above objectives. Every act done in pursuance thereof
is an act of cyber terrorism.

11) Trafficking: Trafficking may assume different forms. It may be trafficking in
drugs, human beings, arms and weapons, etc. These forms of trafficking are going
unchecked because they are carried on under pseudonyms. A racket was busted
in Chennai where drugs were being sold under the pseudonym of honey.

12) Fraud & Cheating: Online fraud and cheating is one of the most lucrative
businesses that are growing today in the cyber space. It may assume different
forms. Some of the cases of online fraud and cheating that have come to light
are those pertaining to credit card crimes, contractual crimes, offering jobs,
etc. Intangible assets represented in data format, such as money on deposit or
hours of work, are the most common targets of computer related fraud.

Recently the Court of Metropolitan Magistrate, Delhi found a 24-year-old
engineer working in a call centre guilty of fraudulently gaining the details of
Campa's credit card and buying a television and a cordless phone from the Sony
website. Metropolitan magistrate Gulshan Kumar convicted Azim for cheating
under the IPC, but did not send him to jail. Instead, Azim was asked to furnish a
personal bond of Rs 20,000 and was released on a year's probation.
Check Your Progress 2

Notes: a) Space is given below for writing your answer.

b) Compare your answer with the one given at the end of this Unit.

1) Explain the different kinds of cyber crimes.

2) How are cyber crimes affecting the government?

3.5 PREVENTION OF CYBER CRIME

Prevention is always better than cure. It is always better to take certain precautions
while operating on the net, and one should make them part of one's cyber life. A
netizen should keep in mind the following things: precaution, prevention, protection,
perseverance and preservation. The following can be taken care of:

1) To prevent cyber stalking, avoid disclosing any information pertaining to
oneself. This is as good as disclosing your identity to strangers in a public place.

2) Always avoid sending any photograph online, particularly to strangers and chat
friends, as there have been incidents of misuse of photographs.

3) Always use the latest and up-to-date anti-virus software to guard against virus attacks.

4) Always keep back-up volumes so that one may not suffer data loss in case of
virus contamination.

5) Never send your credit card number to any site that is not secured, to guard
against frauds.

6) Always keep a watch on the sites that your children are accessing to prevent
any kind of harassment or depravation in children.

7) It is better to use a security programme that gives control over the cookies
that send information back to the site, as leaving the cookies unguarded might
prove fatal.

8) Website owners should watch traffic and check any irregularity on the site.
Putting host-based intrusion detection devices on servers may do this.

9) Use of firewalls may be beneficial.

10) Web servers running public sites must be physically separated and protected
from the internal corporate network.

3.6 GOVERNMENT RULES
Recently, the Central Government made the rules in the exercise of the powers
conferred by sec 87(2)(ca), read with sec 6A(2) of the Information Technology
Act, 2000. Such rules are called the Information Technology (Electronic Service
Delivery) Rules, 2011. These rules are designed to support or elaborate the
provisions of the IT Act.

To bring in information security, rules are incorporated to properly deliver public
services electronically by the appropriate Government or by its agency. It
is provided that the appropriate Government may specify the form and manner of
Electronic Service Delivery and determine the manner of encrypting sensitive
electronic records requiring confidentiality while they are electronically signed. Also,
all authorities that issue any licence, permit, certificate, sanction or approval
electronically shall create, archive and maintain a repository of electronically signed
electronic records. The appropriate Government may specify the security procedures in
respect of the electronic data, information, applications and repository of digitally
signed electronic records. The appropriate Government may direct every service
provider and authorised agent to keep an updated and accurate account of the
transactions, receipts and vouchers, and specify the formats for maintaining accounts
of transactions and receipt of payment in respect of the electronic services delivered;
the said records shall be produced for inspection and audit before an agency
or person nominated by the appropriate Government.

The appropriate Government may also cause an audit to be conducted of the affairs
of the service providers and authorised agents in the State. Such audit may cover
aspects such as the security, confidentiality and the privacy of information, the
functionality and performance of any software application used in the electronic
service delivery and the accuracy of accounts kept by the service providers and
authorised agents.

In the same manner, Central Government has made the rules with regard to the
protection of sensitive personal data or information under the Information
Technology (Reasonable Security Practices and procedures and sensitive personal
data or information) Rules, 2011. For the first time, the definition for the 'personal
information' has been incorporated under its rule 2(1)(i) as "Personal information"
means any information that relates to a natural person, which, either directly or
indirectly, in combination with other information available or likely to be available
with a body corporate, is capable of identifying such person. Also Rule 3 defines
sensitive personal data or information as follows: Sensitive personal data or information
of a person means such personal information which consists of information relating
to: (i) password; (ii) financial information such as Bank account or credit card or
debit card or other payment instrument details ; (iii) physical, physiological and
mental health condition; (iv) sexual orientation; (v) medical records and history;
(vi) Biometric information; (vii) any detail relating to the above clauses as provided
to body corporate for providing service; and (viii) any of the information received
under above clauses by body corporate for processing, stored or processed under
lawful contract or otherwise provided that, any information that is freely available
or accessible in public domain or furnished under the Right to Information Act,
2005 or any other law for the time being in force shall not be regarded as sensitive
personal data or information for the purposes of these rules.

Further, the body corporate or any person who on behalf of the body corporate collects,
receives, possesses, stores, deals in or handles information of a provider of information
shall provide a privacy policy for handling of or dealing in personal information
including sensitive personal data or information, and ensure that the same is
available for view by such providers of information who have provided such
information under lawful contract. Such policy shall be published on the website of
the body corporate or any person on its behalf and shall provide for:

i) Clear and easily accessible statements of its practices and policies;

ii) type of personal or sensitive personal data or information collected under rule 3;

iii) purpose of collection and usage of such information;

iv) disclosure of information including sensitive personal data or information as
provided in rule 6;

v) reasonable security practices and procedures as provided under rule 8.

Moreover, the body corporate or any person on its behalf shall obtain consent in writing,
through letter or fax or email, from the provider of the sensitive personal data or
information regarding the purpose of usage before collection of such information. The
body corporate or any person on its behalf shall not collect sensitive personal data or
information unless:

a) the information is collected for a lawful purpose connected with a function or
activity of the body corporate or any person on its behalf; and

b) the collection of the sensitive personal data or information is considered
necessary for that purpose.

While collecting information directly from the person concerned, the body corporate
or any person on its behalf shall take such steps as are, in the circumstances,
reasonable to ensure that the person concerned has knowledge of:

a) the fact that the information is being collected;

b) the purpose for which the information is being collected;

c) the intended recipients of the information; and

d) the name and address of:

i) the agency that is collecting the information; and

ii) the agency that will retain the information.

The body corporate or any person on its behalf holding sensitive personal data or
information shall not retain that information for longer than is required for the
purposes for which the information may lawfully be used or is otherwise required
under any other law for the time being in force. The information collected shall be
used for the purpose for which it has been collected. The body corporate or any person
on its behalf shall permit the providers of information, as and when requested by them,
to review the information they had provided and ensure that any personal
information or sensitive personal data or information found to be inaccurate or
deficient is corrected or amended as feasible, provided that a body corporate
shall not be responsible for the authenticity of the personal information or sensitive
personal data or information supplied by the provider of information to such body
corporate or any other person acting on behalf of such body corporate.

The body corporate or any person on its behalf shall, prior to the collection of
information including sensitive personal data or information, provide an option to
the provider of the information not to provide the data or information sought to
be collected. The provider of information shall, at any time while availing the
services or otherwise, also have an option to withdraw the consent given earlier to
the body corporate. Such withdrawal of consent shall be sent in writing to the
body corporate. In the case of the provider of information not providing or later on
withdrawing his consent, the body corporate shall have the option not to provide the
goods or services for which the said information was sought.

The body corporate or any person on its behalf shall keep the information secure.
The body corporate shall address any discrepancies and grievances of the provider of
the information with respect to processing of information in a time-bound manner.
For this purpose, the body corporate shall designate a Grievance Officer and publish
his name and contact details on its website. The Grievance Officer shall redress
the grievances of the provider of information expeditiously, but within one month
from the date of receipt of the grievance.

At the time of disclosure of information, it is essential to follow the rules as follows.
Disclosure of sensitive personal data or information by the body corporate to any
third party shall require prior permission from the provider of such information,
who has provided such information under lawful contract or otherwise, unless
such disclosure has been agreed to in the contract between the body corporate and
the provider of information, or where the disclosure is necessary for compliance with
a legal obligation: Provided that the information shall be shared, without obtaining
prior consent from the provider of information, with Government agencies mandated
under the law to obtain information including sensitive personal data or information
for the purpose of verification of identity, or for prevention, detection, investigation
(including of cyber incidents), prosecution, and punishment of offences. The
Government agency shall send a request in writing to the body corporate possessing
the sensitive personal data or information, stating clearly the purpose of seeking
such information. The Government agency shall also state that the information so
obtained shall not be published or shared with any other person. Also, such
sensitive personal data or information shall be disclosed to any third party by an
order under the law for the time being in force. The body corporate or any person
on its behalf shall not publish the sensitive personal data or information. The third
party receiving the sensitive personal data or information from the body corporate or
any person shall not disclose it further.

A body corporate or any person on its behalf may transfer sensitive personal data
or information including any information, to any other body corporate or a person
in India, or located in any other country, that ensures the same level of data
protection that is adhered to by the body corporate as provided for under these
Rules. The transfer may be allowed only if it is necessary for the performance of
the lawful contract between the body corporate or any person on its behalf and
provider of information or where such person has consented to data transfer.
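The collection, retention, disclosure and transfer conditions set out in the paragraphs above, expressed as policy-as-code so that each decision carries a reason that can be produced for audit. This is an added illustration, not text from the Rules or code from any body corporate; the Field/Provider classes, the per-record retention period and the function names are assumptions.

```python
"""Policy-as-code model of the SPDI handling obligations summarised above.
Added illustration: the Field/Provider classes, the per-record retention
period and the function names are assumptions, not text from the Rules."""
from dataclasses import dataclass
from datetime import date, timedelta

# Rule 3 categories that make a field "sensitive personal data or information".
SPDI_CATEGORIES = frozenset({
    "password", "financial", "health", "sexual_orientation",
    "medical_records", "biometric",
})


@dataclass
class Field:
    category: str                # e.g. "financial"; other values are ordinary personal info
    purpose: str                 # purpose stated to the provider when collecting
    collected_on: date
    retention_days: int          # assumed: how long the stated purpose needs the data
    public_domain: bool = False  # freely available, or furnished under the RTI Act


@dataclass
class Provider:
    written_consent: bool        # consent in writing (letter, fax or e-mail)
    consent_withdrawn: bool = False


def is_spdi(f: Field) -> bool:
    """Rule 3 with its proviso: public-domain information is never SPDI."""
    return f.category in SPDI_CATEGORIES and not f.public_domain


def may_collect(f: Field, p: Provider, lawful_purposes: set) -> tuple:
    """Collection of SPDI needs a lawful purpose connected with the body
    corporate's function and prior written consent that has not been withdrawn.
    Returns (decision, reason) so the decision can be kept for audit."""
    if not is_spdi(f):
        return True, "not SPDI"
    if f.purpose not in lawful_purposes:
        return False, "no lawful purpose"
    if not p.written_consent:
        return False, "no written consent"
    if p.consent_withdrawn:
        return False, "consent withdrawn"
    return True, "ok"


def must_delete(f: Field, today: date) -> bool:
    """Retention: SPDI may not be kept beyond what its purpose requires."""
    return is_spdi(f) and today > f.collected_on + timedelta(days=f.retention_days)


def may_disclose(f: Field, *, provider_permission=False, agreed_in_contract=False,
                 legal_obligation=False, govt_request_in_writing=False) -> tuple:
    """Third-party disclosure needs the provider's prior permission unless it was
    agreed in the contract, is needed for a legal obligation, or a Government
    agency mandated under the law has asked in writing, stating its purpose."""
    if not is_spdi(f):
        return True, "not SPDI"
    for allowed, reason in ((provider_permission, "provider permission"),
                            (agreed_in_contract, "agreed in contract"),
                            (legal_obligation, "legal obligation"),
                            (govt_request_in_writing, "written government request")):
        if allowed:
            return True, reason
    return False, "no basis for disclosure"


def may_transfer(f: Field, *, recipient_same_protection: bool,
                 needed_for_contract: bool = False, provider_consented: bool = False) -> bool:
    """Transfer (within India or abroad) only to a recipient ensuring the same
    level of protection, and only when needed for the lawful contract or consented."""
    if not is_spdi(f):
        return True
    return recipient_same_protection and (needed_for_contract or provider_consented)


def sample_card() -> Field:
    """Constructed sample: card details collected for billing on 2011-07-01."""
    return Field("financial", "billing", date(2011, 7, 1), retention_days=365)


if __name__ == "__main__":
    card, p = sample_card(), Provider(written_consent=True)
    print(may_collect(card, p, {"billing"}))                        # (True, 'ok')
    print(must_delete(card, card.collected_on.replace(year=2012)))  # True
    print(may_disclose(card, govt_request_in_writing=True))         # (True, 'written government request')
```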

A body corporate or a person on its behalf shall be considered to have complied
with reasonable security practices and procedures if they have implemented such
security practices and standards and have a comprehensive documented information
security programme and information security policies that contain managerial,
technical, operational and physical security control measures that are commensurate
with the information assets being protected and with the nature of the business. In the
event of an information security breach, the body corporate or a person on its
behalf shall be required to demonstrate, as and when called upon to do so by the
agency mandated under the law, that they have implemented security control
measures as per their documented information security programme and information
security policies.

The International Standard IS/ISO/IEC 27001 on "Information Technology
- Security Techniques - Information Security Management System - Requirements"
is one such standard to follow. Any industry association or an entity formed by
such an association, whose members are self-regulating by following codes of best
practices for data protection other than IS/ISO/IEC, shall get its codes of best
practices duly approved and notified by the Central Government for effective
implementation.

The body corporate or a person on its behalf who have implemented either the IS/
ISO/IEC 27001 standard or the codes of best practices for data protection as
approved and notified shall be deemed to have complied with reasonable security
practices and procedures, provided that such standard or codes of best practices
have been certified or audited on a regular basis by entities through an independent
auditor duly approved by the Central Government. The audit of reasonable security
practices and procedures shall be carried out by an auditor at least once a year, or
as and when the body corporate or a person on its behalf undertakes significant
upgradation of its process and computer resource.

Check Your Progress 3

Notes: a) Space is given below for writing your answer.
b) Compare your answer with the one given at the end of this Unit.

1) Explain the government rules made for information security.

2) Explain the procedure to disclose the information in public.

3) Explain the process to secure electronic records.

4) Explain reasonable security practices.

3.7 LET US SUM UP
This unit is an effort towards answering some of the fundamental queries about
cyber crimes related to information security. The IT Act has dealt with
both 'cyber contraventions' and 'cyber offences'. It has identified criminal
conduct vis-a-vis a computer network, computer system or computer. It introduces
the power to prosecute those that deliberately and without authorization misuse
computer systems. The Government has passed certain rules to provide
data security and privacy.

3.8 CHECK YOUR PROGRESS: THE KEY


Check Your Progress 1

1) Cyber crime is the latest and perhaps the most complicated problem in the
cyber world. "Cyber crime may be said to be those species, of which, genus is
the conventional crime, and where either the computer is an object or subject
of the conduct constituting crime". "Any criminal activity that uses a computer
either as an instrumentality, target or a means for perpetuating further crimes
comes within the ambit of cyber crime".

2) Such crimes are quite different from the traditional crimes due to the use of
digital platform. The demarcation lies in the involvement of the medium in
cases of cyber crime. The sine qua non for cyber crime is that there should be
an involvement, at any stage, of the virtual cyber medium. Due to their peculiar
nature, cyber crime investigation is technical. It is quite difficult to collect
direct evidence.

3) Capacity to store data in comparatively small space, Easy to access, Complex,
Negligence, Loss of evidence

Check Your Progress 2

1) Against Individuals:

i) Harassment via e-mails.

ii) Cyber-stalking.

iii) Dissemination of obscene material.

iv) Defamation.

v) Unauthorized control/access over computer system.

vi) Indecent exposure

vii) Email spoofing

viii) Cheating & Fraud

Against Individual Property:

i) Computer vandalism

ii) Transmitting virus

iii) Netrespass

iv) Unauthorized control/access over computer system

v) Intellectual Property crimes


vi) Internet time thefts

Against Organization:

i) Unauthorized control/access over computer system

ii) Possession of unauthorized information.

iii) Cyber terrorism against the government organization.

iv) Distribution of pirated software etc.

Against Society at large:

i) Pornography (basically child pornography).

ii) Polluting the youth through indecent exposure.

iii) Trafficking

iv) Financial crimes


v) Sale of illegal articles

vi) Online gambling

vii) Forgery

2) Cyber terrorism, Hacking, Information theft

Check Your Progress 3


Refer Information Technology (Electronic Service Delivery) Rules, 2011 mentioned
in section 3.6 for all questions.

3.9 SUGGESTED READINGS


• Cyberlaw: The Indian Perspective by Pavan Duggal

• CyberLaw: Text and cases by Gerald R. Ferrera.

• CyberLaw: The law of the Internet by J. Rosenoer.

• Information Technology (Electronic Service Delivery) Rules, 2011.

• www.naavi.org

• www.cyberlawsindia.net

• www.cybercellmumbai.com

MPDD-IGNOU/P.O. 1T1 July 2011

ISBN: 978-81-266-5528-1
