
Law related to Cyber Space

Introduction to Cyber Law


"Cyber" is a prefix used to describe a person, thing,
or idea as part of the computer and information age.
Derived from kybernetes, the Greek word for "steersman"
or "governor," it was first used in cybernetics, a word
coined by the American mathematician Norbert Wiener
and his colleagues.
The virtual world of the internet is known as cyberspace
and has universal jurisdiction.
Cyber law is the law governing computers and the
internet.
The growth of Electronic Commerce has propelled
the need for vibrant and effective regulatory
mechanisms which would further strengthen the
legal infrastructure, so crucial to the success of
Electronic Commerce.

History of Internet and World Wide Web


The origins of the Internet date back to
the 1960s, when the United States funded
research projects of its military agencies to
build robust, fault-tolerant and distributed
computer networks, called ARPANET
(Advanced Research Projects Agency Network).
This research and a period of civilian
funding of a new U.S. backbone by the National
Science Foundation spawned worldwide
participation in the development of new
networking technologies and led to the
commercialization of an international network
in the mid 1990s.

Internet and World Wide Web


The Internet is a global data
communications system. It is a hardware
and software infrastructure that provides
connectivity between computers.
The Web is one of the services
communicated via the Internet. It is a
collection of interconnected documents
and other resources, linked by hyperlinks
and Uniform Resource Locators (URLs).

Internet and World Wide Web


The World Wide Web was invented in 1989
by the English physicist Tim Berners-Lee,
now the Director of the World Wide Web
Consortium, and later assisted by Robert
Cailliau, a Belgian computer scientist,
while both were working at CERN
(European Organization for Nuclear
Research) in Geneva, Switzerland. In
1990, they proposed building a "web of
nodes" storing "hypertext pages" viewed by
"browsers" on a network and released that
web in December.

Need for Cyber Law


Almost all transactions in shares are in DEMAT
form.
Almost all companies extensively depend upon
their computer networks and keep their valuable
data in electronic form.
Government forms including income tax returns,
company law forms etc. are now filled in
electronic form.
Consumers are increasingly using credit cards for
shopping.
Most people are using email, cell phones and
SMS messages for communication.

Need for Cyber Law (Contd.)


Even in "non-cyber crime" cases, important
evidence is found in computers / cell phones e.g.
in cases of divorce, murder, kidnapping, tax
evasion, organized crime, terrorist operations,
counterfeit currency, etc.
Cyber crime cases such as online banking frauds,
online share trading fraud, source code theft,
credit card fraud, tax evasion, virus attacks,
cyber sabotage, phishing attacks, email hijacking,
denial of service, hacking, pornography etc. are
becoming common.
Digital signatures and e-contracts are fast
replacing conventional methods of transacting
business.

Origin and Development of Cyber Law


Telegraph was first installed in 1851 and a
trans-India telegraph was completed three years
later in 1854.
The telegraph had become, in the
intervening thirty years, an important tool for
British dominion over India by quelling
rebellions and consolidating information.
It was thus important for the British to
control telegraphy and infrastructure across
the subcontinent.
The Indian Telegraph Act, passed in 1885,
was intended to give the Central Government
power to establish telegraph lines on private as
well as public property.

The Indian Telegraph Act, 1885 is a law in
India that governs the use of telegraphy, phones,
communication, radio, telex and fax in India.
It gives the Government of India exclusive
privileges of establishing, maintaining and
working telegraphs. It also authorizes the
government to tap phone lines under appropriate
conditions.
The act came into force on October 1, 1885.
Since that time, numerous amendments have
been passed to update the act to respond to
changes in technology. The latest amendment was
passed in 2006 redefining terms from the original
act.

UNITED NATIONS COMMISSION ON INTERNATIONAL TRADE LAW (UNCITRAL)

UNCITRAL Model Law on Electronic Commerce (1996)
UNCITRAL Model Law on Electronic Signatures (2001)

E-Commerce in the UNCITRAL Model Law

Objectives of the Model Law:

To facilitate rather than regulate electronic commerce
To adapt existing legal requirements
To provide basic legal validity and raise legal certainty

Basic Principles of the Model Law

Analyze purposes and functions of
paper-based requirements
(writing, record, signature, original)
Consider criteria necessary to
replicate those functions and give
electronic data the same level of
recognition as information on
paper

Basic Principles of the Model Law


Media and technology neutrality
Equal treatment of paper-based and electronic
transactions
Equal treatment of different
techniques (Electronic Data
Interchange, E-mail, Internet,
Telegram, Telex, Fax)

Basic Principles of the Model Law

Party autonomy
Primacy of party agreement
on whether and how to use
e-commerce techniques
Parties free to choose
security level appropriate
for their transactions

Promises and Reality of e-Commerce: Potential for Developing Countries

Increased efficiency and reduced costs
Government (administrative functions, procurement)
Private sector and banking (B2B, B2C)
New business opportunities
New activities and markets
Data and records processing
Customer service, telemarketing, call centres
Software development
Enhanced access to foreign markets
Internet export sales
Tourism

Non-Technology Factors for e-Commerce Success

Economic Factors
Economic development
Market size
E-commerce strategy
Institutional and social factors
Political stability
Legal and regulatory framework

E-Commerce and Regulatory Framework: Two Basic Lessons

Good laws alone won't create the
market but inadequate laws may
shut the door of a potential
market.
Customers who know you well may
be less concerned about the law
but the law may help build
trust among those who don't.

E-Commerce and Private Law


E-Commerce creates new issues:

Classification difficulties: the virtual goods


New contract types: web hosting, web server, etc.
but the essence of business transactions
remains the same.

Conventional law has not become obsolete...

Online contracts are not different from offline ones
Medium of a transaction is generally
irrelevant for the law.
... and nevertheless, it requires some adaptation.

Legal Obstacles to E-Commerce


Tangible medium

Geographic location

Instrument

Delivery

Document

Receipt

Original

Dispatch

Signature

Surrender

INFORMATION TECHNOLOGY ACT, 2000


AN OVERVIEW

The Information Technology Act, 2000
received the assent of the President of India on 9th
June, 2000 and came into force from 17th October
in that same year.
The Act was enacted to provide legal
recognition for transactions carried out by means of
electronic data interchange and other means of
electronic communication, commonly referred to
as Electronic Commerce, and to facilitate electronic
filing of documents with government agencies,
which involve the use of alternatives to paper-based
methods of communication and storage of
information.
This law applies to any kind of information
in the form of data message used in the context of
commercial activities.

Objectives of the Act


To grant legal recognition for transactions
carried out by means of electronic data
interchange and other means of electronic
communication;
To give legal recognition to digital signature/
electronic signature for authentication and
acceptance of any information or matter which
requires authentication under any law;
To facilitate electronic filing of documents with
Government departments;
To facilitate electronic storage of data;
To facilitate and give legal sanction to
electronic fund transfer between banks and
financial institutions;
To give legal recognition for keeping books of
account by bankers in electronic form.

Reasons for enacting IT Act

The Act does not apply to:
1. A Negotiable Instrument as defined in Section 13 of
the Negotiable Instrument Act, 1881;
2. A Power-of-Attorney as defined in section 1A of
the Powers-of-Attorney Act, 1882;
3. A Trust as defined in section 3 of the Indian Trusts
Act, 1882;
4. A Will as defined in section 2(h) of the Indian
Succession Act, 1925 including any other
testamentary disposition by whatever name called;
5. Any contract for the sale or conveyance of
immovable property or any interest in such property;
6. Any such class of documents or transactions as may be
notified by the Central Government in the Official
Gazette.

I.T. (Amendment) Act, 2008


Being the first legislation in the nation on
technology, computers and e-commerce and
e-communication, the Act was the subject of extensive
debates, elaborate reviews and detailed criticisms, with
one arm of the industry criticizing some sections of the
Act as draconian and another stating it is too diluted and
lenient.
There were some conspicuous omissions too,
resulting in the investigators relying more and more on
the time-tested (nearly one and a half century old) Indian
Penal Code even in technology-based cases, with the I.T.
Act also being referred to in the process and the reliance
more on the IPC rather than on the ITA.
Thus the need for an amendment, a detailed one,
was felt for the I.T. Act almost from the year 2003-04
itself. Major industry bodies were consulted and advisory
groups were formed to go into the perceived lacunae in
the I.T. Act, compare it with similar legislation in
other nations and suggest recommendations.

I.T. (Amendment) Act, 2008 (Contd)


Such recommendations were analyzed and subsequently
taken up as a comprehensive Amendment Act and after
considerable administrative procedures, the consolidated
amendment called the Information Technology Amendment
Act 2008 was placed in the Parliament and passed without
much debate, towards the end of 2008 (by which time the
Mumbai terrorist attack of 26 November 2008 had taken
place). This Amendment Act got the President's assent on 5th
Feb 2009 and was made effective from 27th October 2009.
124 sections and 14 chapters.
Schedule I and II have been replaced & Schedules III and
IV are deleted.

I.T. (Amendment) Act, 2008 (Contd)


Some of the notable features of the I.T.
(Amendment) Act are as follows:
Focusing on data privacy
Focusing on Information Security
Defining cyber cafe
Making digital signature technology neutral
Defining reasonable security practices to be
followed by corporate
Redefining the role of intermediaries
Recognizing the role of Indian Computer
Emergency Response Team
Inclusion of some additional cyber crimes like
child pornography and cyber terrorism
Authorizing an Inspector to investigate cyber
offences (as against the DSP earlier)

Cyber Law Deals with

Electronic or Digital Signatures


Intellectual Property
Data Protection and Privacy
Cyber Crimes

DIGITAL SIGNATURE

Signature
There is something sacred about the
signature; it makes everything valid, puts
the seal upon all undertakings, makes bonds
real, guarantees securities, cements pacts of
friendship and alliance between States,
provides the ultimate proofs of integrity in
the highest country of law; the signature is
all in all. Banks will not honour anything
which does not bear a signature; to them the
signature is omnipotent, omnipresent,
omniscient and supreme!
- Times of India (Annual), 1940

A TRUE SIGNATURE

Is authentic


Cannot be Forged
Cannot be Reused
Proves document has not been
altered
Cannot be Repudiated

DIGITAL SIGNATURE
A digital signature is an electronic
scheme for demonstrating the
authenticity of a digital message or
document.
A valid digital signature gives recipient a
reason to believe that the message was
created by a known sender and that it
was not altered in transit.
Digital signatures are commonly used for
software distribution, financial
transactions, and in other cases where it
is important to detect imitation or
tampering.

Authentication of Digital Signature


A digital signature shall:
be created and verified by cryptography that
concerns itself with transforming electronic
records.
use Public Key Cryptography, which employs an
algorithm using two different mathematical keys:
one for creating a digital signature or
transforming it, and another key for verifying the
signature or returning the electronic record to
original form. Hash function shall be used to
create this signature. Software utilizing such
keys is termed asymmetric cryptography
[Rule 3 of IT Rules, 2000].

Authentication of Digital Signature (Contd.)

Digital signatures can be used to authenticate
the source of messages. When ownership of a
digital signature secret key is bound to a specific
user, a valid signature shows that the message
was sent by that user. The importance of high
confidence in sender authenticity is obvious in a
financial context.
For example, suppose a bank's branch office
sends instructions to the central office
requesting a change in the balance of an
account. If the central office is not convinced
that such a message is truly sent from an
authorized source, acting on such a request
could be a grave mistake.

Verification of Digital Signature


Verification means to determine whether:
the initial record was affixed with the
digital signature by using the keys
of the subscriber.
the original record is retained intact
or has been altered since such
electronic record was bounded with
the digital signature [Sec.2(1)(zh)].

Digital Signature Certificate


A digital signature certificate is an
electronic document which uses a digital
signature to bind identity information
such as the name of a person or an
organization, their address, and so forth.
The certificate can be used to verify that
it belongs to an individual.
Any person can make an application to
the Certifying Authority for the issue of
this digital certificate. The Authority
charges fees (as prescribed by the Central
Government) for the issue of digital
signature certificate.

Generation of Digital Certificate


The generation of digital signature
certificate shall involve:
receipt of an approved and verified
certificate request.
creating a new digital signature
certificate.
a distinguished name associated with
the digital certificate owner.
a recognized and relevant policy as
defined in certification practice
statement [Rule 24 of the IT rules].

Compromise of Digital Certificate


Digital signature certificate shall be
deemed to be compromised where the
integrity of:
The key associated with the certificate is
in doubt.
The certificate owner is in doubt, as to
the attempted use of his key pairs, or
otherwise for malicious or unlawful
purposes.
The digital certificate shall remain in
the compromise state for only such time
as it takes to arrange for revocation.

Expiry of Digital Signature Certificate

A digital signature certificate shall
be issued with a designated expiry
date. It will expire automatically and
on expiry, it shall not be re-used. The
period for which a digital certificate
has been issued shall not be extended,
but a new digital signature certificate
may be issued after the expiry of such
period [Rules 26 of IT Act, 2000].

Where does E-Signature work?

DIGITAL SIGNATURE
I agree
efcc61c1c03db8d8ea8569545c073c814a0ed755
My place of birth is at Chennai.
fe1188eecd44ee23e13c4b6655edc8cd5cdb6f25
I am 62 years old.
0e6d7d56c4520756f59235b6ae981cdb5f9820a0
I am an Engineer.
ea0ae29b3b2c20fc018aaca45c3746a057b893e7
I am a Engineer.
01f1d8abd9c2e6130870842055d97d315dff1ea3
These are digital signatures of the same person on different
documents
Digital Signatures are numbers
Same Length 40 digits
They are document content dependent
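
The hash-then-sign and verify steps described under "Authentication of Digital Signature" and "Verification of Digital Signature", run over the sample sentences from the slide above, as an added example that is not part of the original slides. It uses only the Python standard library; the key pairs are constructed from Mersenne primes so the arithmetic is reproducible and are not secure, and SHA-256 with PKCS#1 v1.5 padding is this example's choice, not something the slides specify.

```python
import hashlib

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
E = 65537  # public exponent


def make_key(p: int, q: int) -> dict:
    """Build an RSA key pair from two primes: (n, e) is public, d is private."""
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


def encode(record: bytes, k: int) -> int:
    """Hash the record and pad the digest to k bytes (EMSA-PKCS1-v1_5)."""
    t = SHA256_PREFIX + hashlib.sha256(record).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def sign(record: bytes, key: dict) -> int:
    """Private-key operation: only the key holder can produce this value."""
    k = (key["n"].bit_length() + 7) // 8
    return pow(encode(record, k), key["d"], key["n"])


def verify(record: bytes, signature: int, n: int, e: int = E) -> bool:
    """Public-key operation: re-encode the record and compare, no parsing."""
    if not 0 < signature < n:
        return False
    k = (n.bit_length() + 7) // 8
    return pow(signature, e, n) == encode(record, k)


# Constructed keys (assumption): Mersenne primes keep the demo reproducible,
# but keys of this special form are insecure. Real keys come from a vetted
# library and a hardware token or HSM.
SUBSCRIBER = make_key(2**521 - 1, 2**607 - 1)
OTHER = make_key(2**127 - 1, 2**521 - 1)

# Sample records: the sentences shown on the slide.
RECORDS = [
    b"I agree",
    b"My place of birth is at Chennai.",
    b"I am 62 years old.",
    b"I am an Engineer.",
    b"I am a Engineer.",
]


def demo() -> dict:
    sigs = [sign(r, SUBSCRIBER) for r in RECORDS]
    n = SUBSCRIBER["n"]
    return {
        # Every record verifies against its own signature.
        "all_verify": all(verify(r, s, n) for r, s in zip(RECORDS, sigs)),
        # Same signer, different documents: every signature differs.
        "distinct": len(set(sigs)) == len(sigs),
        # A one-letter change ("an" -> "a") invalidates the old signature.
        "altered_rejected": not verify(RECORDS[4], sigs[3], n),
        # A signature does not verify under another subscriber's public key.
        "wrong_key_rejected": not verify(RECORDS[3], sigs[3], OTHER["n"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
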

Paper Signature Vs Digital Signature


| Parameter | Paper | Electronic |
|---|---|---|
| Authenticity | May be forged | Cannot be copied |
| Integrity | Signature independent of the document | Signature depends on the contents of the document |
| Non-repudiation | Handwriting expert needed; error prone | Any computer user; error free |

DIVERSITY OF E-SIGNATURES

CERTIFYING AUTHORITIES

Certifying Authority
A Certifying Authority is a trusted body whose central
responsibility is to issue, revoke, renew and provide directories
of Digital Certificates. In real meaning, the function of a
Certifying Authority is equivalent to that of the passport
issuing office in the Government. A passport is a citizen's
secure document (a "paper identity"), issued by an appropriate
authority, certifying that the citizen is who he or she claims to
be. Any other country trusting the authority of that country's
Government passport Office will trust the citizen's passport.
Similar to a passport, a user's certificate is issued and
signed by a Certifying Authority and acts as a proof. Anyone
trusting the Certifying Authority can also trust the user's
certificate.
According to Section 24 under Information Technology
Act 2000 "Certifying Authority" means a person who has been
granted a licence to issue Digital Signature Certificates.

Who can be a Certifying Authority (CA)?

Controller of Certifying Authority (CCA),
Ministry of Information Technology,
Government of India.

Certification Agencies authorised by the
CCA to issue the Digital Signature
Certificates (DSCs)

TCS
Safe Script CA, Sify Communications Ltd
National Informatics Centre
Mahanagar Telecom Nigam Limited
n Code Solutions
Custom and Central Excise
IDRBT CA
E Mudhra

REGULATION OF CERTIFYING AUTHORITIES

REGULATION STRUCTURE

JUDICIAL STRUCTURE

CCA's role
Licensing Certifying Authorities (CAs) under section
21 of the IT Act and exercising supervision over their
activities.
Controller of Certifying Authorities as the Root
Authority certifies the technologies and practices of
all the Certifying Authorities licensed to issue Digital
Signature Certificates.
Certifying the public keys of the CAs, as Public Key
Certificates (PKCs).
Laying down the standards to be maintained by the
CAs.
Addressing the issues related to the licensing process
including:
Approving the Certification Practice Statement (CPS);
Auditing the physical and technical infrastructure of the
applicants through a panel of auditors maintained by the
CCA.

Controller of Certifying Authorities (CCA)


The Controller of Certifying Authorities (CCA) has
been appointed by the Central Government under
section 17 of the Act for purposes of the IT Act.
The Office of the CCA came into existence on 1st
November, 2000.
It aims at promoting the growth of E-Commerce and
E-Governance through the wide use of digital
signatures.
The Controller of Certifying Authorities (CCA) has
established the Root Certifying Authority (RCAI) of
India under section 18(b) of the IT Act to digitally
sign the public keys of Certifying Authorities (CA) in
the country.
The RCAI is operated as per the standards laid down
under the Act.

Requirements to be fulfilled by the RCAI


1. All public keys corresponding to the signing private
keys of a CA are digitally signed by the CCA.
2. That these keys are signed by the CCA can be verified
by a relying party through the CCA's website or
the CA's own website.
3. Authorized CCA personnel initiate and perform Root CA
functions in accordance with the Certification Practice
Statement of Root Certifying Authority of India.
4. The term Root CA is used to refer to the total CA entity,
including the software and its operations.
5. The RCAI root certificate is the highest level of
certification in India. It is used to sign the public keys
of the Licensed CAs in India. The RCAI root certificate
is a self-signed certificate.

Functions and Duties of Controller of Certifying Authorities

The following are the functions of the Controller as per the I.T. Act, 2000 (Section 18):
3.1. Functions of Controller
The Controller may perform all or any of the following functions, namely:
a) Exercising supervision over the activities of the Certifying Authorities;
b) Certifying public keys of the Certifying Authorities;
c) Laying down the standards to be maintained by the Certifying Authorities;
d) Specifying the qualifications and experience, which employees of the Certifying Authorities
should possess;
e) Specifying the conditions subject to which the Certifying Authorities shall conduct their
business;
f) Specifying the contents of written, printed or visual materials and advertisements that may be
distributed or used in respect of a Digital Signature Certificate and the public key;
g) Specifying the form and content of a Digital Signature Certificate and the key;
h) Specifying the form and manner in which accounts shall be maintained by the Certifying
Authorities;
i) Specifying the terms and conditions subject to which auditors may be appointed and the
remuneration to be paid to them;
j) Facilitating the establishment of any electronic system by a Certifying Authority either solely or
jointly with other Certifying Authorities and regulation of such systems;
k) Specifying the manner in which the Certifying Authorities shall conduct their dealings with the
subscribers;
l) Resolving any conflict of interests between the Certifying Authorities and the subscribers;
m) Laying down the duties of the Certifying Authorities;
n) Maintaining a database containing the disclosure record of every Certifying Authority containing
such particulars as may be specified by regulations, which shall be accessible to public.
