Published by Enhelion, 2021-11-09 00:27:44

Module_1

MODULE 1
REGULATION OF CYBERSPACE- AN OVERVIEW

Traditional legal systems have had great difficulty in keeping pace with the
rapid growth of the Internet and its impact throughout the world. While some
laws and objectives have been enacted and a few cases have been decided that
affect the Internet, they have left most of the difficult legal issues to the future.
In spite of the recent proliferation of legislation world-wide, it is unlikely that
courts and legislators will be able to provide sufficient guidance in a timely
fashion to business [and lawyers] to enable them to engage in commerce on, or
otherwise take advantage of, the Internet in a manner that avoids or minimizes
unexpected consequences or liabilities.

The Internet has tested the limits of regulation, prompting some to declare
‘independence’1 and yet others to declare it beyond the limits of governance2.
One of the purposes of this text is to build a global community of people who
are thinking about all this in a serious way. As time passes, one aspect of
governance is clearly visible, the will of governments to be seen and ‘felt’ on
the Internet. Governments across the world seem eager to put to rest the notions
that cyberspace can't be governed. This view underestimates the way
governments and business figure out how to change the way things work.

There are four constraints on [human] behaviour and freedom. They are the law,
norms (cultural and social influences), markets and -- crucially -- architecture.
Architecture is a regulator in real space as well as cyberspace, and it is essential
to think about both. Napoleon III wanted fewer revolutionaries, for example. So
he rebuilt Paris with wide streets, making it harder for revolutionaries to hide.

1 In February 1996, John Perry Barlow issued a manifesto called <A Declaration of the Independence of
Cyberspace>.
http://www.eff.org/pub/Publications/John_Perry_Barlow/barlow0296.declaration.
2 Johnson, David R. /Post, David G., Law and Borders - The Rise of Law in Cyberspace, 48 Stanford Law
Review 1367 – 1402 [1996].

1.1 EXAMINING THE NEED FOR REGULATION

In some jurisdictions, the early adoption of legislation on digital signatures
[defined in the Glossary], for example, has not led to the increased take-up of
new technology as anticipated3. Rather, legislation has been bypassed because
it has been regarded as not providing appropriate, market-oriented, non-
regulatory solutions. Some of that legislation is now regarded as a better
example of what not to do, than as a model which should be followed4. A
number of laws currently being drafted in the US have undergone significant
changes in the course of the drafting process and more can be expected before
they reach their final form5. As lawyers’ understanding of the technology grows,
and as the uses and applications of the technology develop, in concert with the
development of appropriate business models, appreciation of the need for
legislation and what is required in terms of its form and content have also
changed.

It is clear that what needs to be avoided at this early stage is an undue rush
towards legislation where none is needed, or where the need for it has not yet
been clearly demonstrated. This is particularly so in India where there have
been, as yet, few cases decided in the courts dealing with the issues identified as
likely to cause problems in electronic commerce. In other words, it is difficult to
judge the magnitude of legal problems being encountered, at least in terms of
measuring them through recourse to traditional means of resolution through
litigation, although it is clear that some action to remove obvious legal obstacles
would certainly facilitate electronic commerce.

3 Despite the early enactment of digital signature legislation in the American State of Utah in 1995, the first
certification authority to set up under that legislation was not established until late 1997.
4 The Utah Act has been described as of more use dead than alive.
5 Recommendation 92 of the Financial System Inquiry 1997 (Wallis Report) recommended that Australia should
adopt internationally recognised standards for electronic commerce, including for electronic transactions over
the Internet and the recognition of electronic signatures.

A number of international organizations are currently working on projects,
which have the potential to significantly influence the direction of domestic
regulation in a number of areas relevant to electronic commerce6. India is
actively engaged in those projects. This international work should be carefully
monitored to ensure that the Indian settings not only assist India's competitive
advantage, but also keep India in conformity with international norms, while
ensuring that the economic, social and cultural benefits of new technology are
maximized.

The UNCITRAL Model Law on Electronic Commerce uses the term
“commercial” and guidance on the meaning of that term may be gained from the
definition used in the Model Law7. To ensure consistency, this definition is
identical to the definition used by UNCITRAL in the Model Law on
International Commercial Arbitration8. The UNCITRAL definition of
commercial is, however, very broad and covers a number of areas in which
electronic commerce may raise particular issues. For reasons of time and
resources, we have not been able to consider specific sectors covered in that
definition and the particular issues raised by the greater use of electronic
commerce. This text does not consider issues specific to the financial sector, but
rather has focused upon broader generic issues of contract formation and
statutory form requirements such as requirements for certain contracts to be in
writing or signed.

6 These include work by: the UN Commission on International Trade Law on digital signatures and certification
authorities; work by the OECD on electronic commerce, digital signatures and certification authorities; and
work by APEC on certification practices and authorities.
7 Footnote **** to the Model Law on Electronic Commerce provides: The term “commercial” should be given a
wide interpretation so as to cover matters arising from all relationships of a commercial nature, whether
contractual or not. Relationships of a commercial nature include, but are not limited to, the following
transactions: any trade transaction for the supply or exchange of goods or services; distribution agreement;
commercial representation or agency; factoring; leasing; construction of works; consulting; engineering;
licensing; investment; financing; banking; insurance; exploitation agreement or concession; joint venture and
other forms of industrial or business co-operation; carriage of goods or passengers by air, sea, rail or road.
8 The UNCITRAL Model Law on International Commercial Arbitration was adopted by India as a model during
the drafting of the Indian Arbitration and Conciliation Act, 1996.

1.2 A PERSPECTIVE ON THE LEGAL CHALLENGES POSED BY
THE NEW MEDIA

The problem of jurisdiction in cyberspace is by far the most complex. The task
before us is to examine section key concepts that are necessary constituents of
a tricky issue and perhaps juxtapose them against an overview of methods and
solutions. On an examination of jurisdiction under the Indian Information
Technology Act, 2000, [hereinafter “the Indian IT Act”]; one is faced with the
question: Is section 75 really as controversial as it seems? The answer is in the
negative. The Act, continuing a long tradition in law and commerce merely
seeks to extend the boundaries of local/municipal law in a logical way; as will
be examined in the next chapter on Jurisdiction.

1.3 JURISDICTION IN CYBERSPACE: PROBLEMS AND
PERSPECTIVES

Throughout human history, no regime of regulation or of dispute resolution has
ever pretended to be the sole source to which parties turn to ease business
intercourse. In every culture and in every time, private arrangements as well as
governmental activity have attempted to reduce the occasions of conflict
necessitating the exercise of judicial decision-making. The economic world of
cyberspace at the beginning of the 21st century is no different. Trade depends
on confidence: confidence on the part of the buyer that goods or services will
conform to legitimate expectations, and confidence on the part of the seller that
payment will be prompt and complete. Such confidence, in the interests of all
parties, is fostered by industry self-regulation that reflects an honest attempt to
identify and resolve potential conflicts before they arise. The forms of such
regulation are many and are being actively explored, as e-commerce becomes
an increasingly important segment of the global economy. They include
voluntary codes of conduct, the provision of private arbitration for the
resolution of disputes, escrow accounts, agreements between buyers, sellers
and credit card companies, amongst others.

1.4 THE RELEVANCE OF PHYSICAL LOCATION

In determining under what circumstances extraterritorial jurisdictional
assertions are proper, courts and legislatures focused in the last half of the 20th
century, as they had previously, on physical location but at a different temporal
point. Most frequently, the focus was on where certain activities that gave rise
to the plaintiff’s claim had occurred. Where a negligent act took place, where a
contract was entered into9 or was to be performed,10 where a service was
performed, a security offered for sale, or a trademark infringed became the
touchstones of both personal and prescriptive jurisdictional inquiries. As long
as such an act occurred within the state’s boundaries, its assertion of both
personal and prescriptive jurisdiction was proper. As long as activities
continue to occur in “real” space, the place of such occurrences remains
relevant.11

9 Countries gave much thought to the rules regulating contract formation, presumably at least in part to
guarantee perceived desirable jurisdictional results. In Australia, for example, a contract is formed at the time
and place its acceptance is received by the offeror. The consumer is the offeror, so the typical consumer
contract is “formed” when and where the consumer receives the seller’s acceptance. Brazil, Colombia, and
Romania also look to the residence of the offeror, although in Brazil a contractual choice of a different law will
be upheld if it is not in violation of public policy. See Nestor Nestor & Kingston Petersen, “Written Remarks,”
posted at <http://www.kentlaw.edu/cyberlaw>.
In Canada, proposed legislation would fix the address of the consumer as the place in which an on-line contract
was formed. See “Canadian Law on Jurisdiction in Cyberspace,” submitted by Arlan Gates, Paul Tackaberry
and Adam Balinsky, posted at <http://www.kentlaw.edu/cyberlaw> [hereinafter Gates].
10 The Brussels Convention permits domiciliaries of contracting states to be sued in the courts of another
contracting state where the contractual obligation in question is to be performed. Title II, Section 2, Article 5.

Technology, however, reduces and frequently may eliminate the need for
physical contact in the creation of legally significant relationships between
parties or between an actor and the state acting as regulator. The legal system
must then decide what relationship is necessary between the forum and either
the conduct occurring outside the forum or the parties. It is the tie between a
party and a forum, not necessarily a physical connection between the forum
and the conduct of that party that is critical. If the remote party (i.e. the party
never physically in the forum) knows that the proximate party is in (or is a
habitual resident of) the forum when the remote party interacts with the
proximate party, the remote party has created a tie between itself and the forum
state. Now it is the remote-party/forum relationship at the time of interaction,12
not at the time process is served, that matters. Whether such a tie is sufficient
to enable the forum to assert personal and prescriptive jurisdiction depends on
an analysis of additional factors (such as whether the remote party targeted the
forum, discussed below), but its existence is necessary to such assertions.

1.5 A PERSPECTIVE ON THE LEGAL CHALLENGES POSED BY
THE NEW MEDIA:

The problem of jurisdiction in cyberspace is by far the most complex. The task
before us is to examine section key concepts that are necessary constituents of
a tricky issue and perhaps juxtapose them against an overview of methods and
solutions. On an examination of jurisdiction under the Indian Information
Technology Act, 2000, [hereinafter “the Indian IT Act”]; one is faced with the
question: Is section 75 really as controversial as it seems? The answer is in the
negative. The Act, continuing a long tradition in law and commerce merely
seeks to extend the boundaries of local/municipal law in a logical way; as will
be examined in the next chapter on Jurisdiction.

11 Of course, not all assertions of jurisdiction were based on this kind of conduct-based inquiry. For example,
states continue to assert jurisdiction over their citizens with respect to claims that arise outside of the state and to
regulate conduct that occurs elsewhere which is intended to and does cause substantial effects in the state.
Nonetheless, a concern with where relevant acts took place is central to many, if not most, decisions.
12 In some contexts, some countries have already implicitly recognised this in the specific context of electronic
commerce. Australia’s Electronic Transactions Act 1999 (Cth) provides default rules for the place of dispatch
and receipt of electronic communications (including the place of an offer or acceptance of a contract) based on
the party’s place of business or ordinary residence.

1.6 JURISDICTION IN CYBERSPACE: PROBLEMS AND
PERSPECTIVES

Throughout human history, no regime of regulation or of dispute resolution has
ever pretended to be the sole source to which parties turn to ease business
intercourse. In every culture and in every time, private arrangements as well as
governmental activity have attempted to reduce the occasions of conflict
necessitating the exercise of judicial decision-making. The economic world of
cyberspace at the beginning of the 21st century is no different. Trade depends
on confidence: confidence on the part of the buyer that goods or services will
conform to legitimate expectations, and confidence on the part of the seller that
payment will be prompt and complete. Such confidence, in the interests of all
parties, is fostered by industry self-regulation that reflects an honest attempt to
identify and resolve potential conflicts before they arise. The forms of such
regulation are many and are being actively explored, as e-commerce becomes
an increasingly important segment of the global economy. They include
voluntary codes of conduct, the provision of private arbitration for the
resolution of disputes, escrow accounts, agreements between buyers, sellers
and credit card companies, amongst others.

We live in a world where global communications are increasingly dependent
on the Internet; the traditional geographic and territorial borders are
disappearing, leaving behind important questions. Cyberspace differs from the
“real world” as it doesn’t have boundaries. This absence of well-defined
territorial borders has made it vital to venture into new areas of law which are
evolving to regulate this technological arena. Jurisdiction is a major issue and
comes to the forefront of a conflict when a legal dispute happens in a world
without borders. To understand the problems which the Internet imposes on
traditional concepts of jurisdiction, we need to have basic knowledge of the
Internet, i.e. what it is and where it came from. The Internet is a product of the
United States Department of Defence Advanced Research Projects Agency
(ARPANET)13. The basic model comprises local computer networks which
are connected to regional networks that come together to form national and
international systems14. These systems form “webs” that are connected to each
other, essentially creating an “information superhighway” commonly known as
the Internet. The rise of the Internet has also paved the way for Internet-based
crimes, or cybercrimes as we call them. Although our statutes lay down
jurisdiction procedures to deal with conventional crimes, the same is not the
case for cybercrimes.

Jurisdiction refers to the authority of a court to hear a case and resolve a
dispute involving persons, property and subject matter. These principles of
jurisdiction are given in the Constitution of a State and are part of its
jurisdictional sovereignty. All sovereign independent States have jurisdiction
over all persons and things present within their territorial limits and over all
causes, civil and criminal, taking place within their territory15. Jurisdiction in
cyber-crime includes the power to legislate and hear, personal jurisdiction,
ability to serve notice, subject-matter jurisdiction, the power to adjudicate,
governing law or choice of law and the enforcement of judgments.

13 Juliet M. Oberding & Terje Norderhaug, A Separate Jurisdiction for Cyberspace, at
http://www.ascusc.org/jcmc/vol2/issuel/juris.html
14 Dan L. Burk, Jurisdiction in a World without Borders, 1 Va. J.L. & Tech. 3 (Spring 1997), available at
http://vjot.student.virgina.edu/graphics/voll/voll-art3.html
15 Lord Macmillan in Compania Naviera Vascongado v. Steamship ‘Cristina’ [1938] AC 485

Jurisdiction is one of the controversial issues in the case of cybercrime due to
the widespread nature of cybercrime. As cyberspace grows continuously, the
territorial concept seems to vanish. New methods of dispute
resolution need to give way to the conventional methods. The Information
Technology Act, 2000 doesn’t speak on these issues.

Though S. 75 of the Information Technology Act, 2000,16 provides for
extra-territorial operation, this can only be meaningful when backed with
provisions recognizing orders and warrants for information given by competent
authorities outside their jurisdiction and cooperation for the exchange of
material and evidence of computer crimes between law enforcement agencies.

In case the cybercrimes are committed either against the integrity,
confidentiality and availability of computer systems and telecommunication
networks, or they involve the use of services of such networks to commit
traditional offences, one may find oneself in a legal dilemma. The
problem is not only one of multiple jurisdictions but also of issues of
procedural law connected with information technology. The requirement is to
have a broad-based convention dealing with criminal substantive law matters,
criminal procedural questions as well as with international criminal law
procedures and agreements. As specified earlier, cyber-attacks are not bound
by any boundaries. They involve multiple players and hence raise serious
concerns about the exercise of jurisdiction. Since the issue is collective, an
amicable cure needs to be developed without departing from the target of
curbing cyber-crime. The Information Technology Act, 2000, also appears to
be deficient and, unless its provisions are properly updated, it might not prove
effective in covering all the legal issues connected to cyber-crimes. Even
the recent amendment of 2008 is quiet on the issue of jurisdiction.

16 S. 75 of the IT Act 2000 states: “Act to apply for offence or contravention committed outside India.-
(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or
contravention committed outside India by any person irrespective of his nationality
(2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention committed outside
India by any person if the act or conduct constituting the offence or contravention involves a computer,
computer system or computer network located in India.”

Since the scope of cyber-crime tends to extend to the international sphere, it
is vital that international conventions and agreements are ratified
by the maximum number of nations to promote international cooperation;
extradition is one such example. But currently it is also plagued
with various flaws. Extradition is not permitted unless the act constitutes a
crime under both states, i.e. the state which is making the request and the state
to which it is made. The domestic law fails when the crime is not recognised
in the wrongdoer’s country.

In the case of The People of the State of New York vs. Gaming Corporation17, an
online gaming company based in Antigua (where online gambling is legal)
maintained corporate offices in New York, a state where online gambling is
illegal. The issue was whether the State of New York had the authority to bring
the online gambling company under its jurisdiction and prosecute it for offering
gambling to internet users in the state. The court held that the State of New
York had the jurisdiction to prosecute the gambling company as it was in
personam located in New York, and thus came within the jurisdiction of a
competent court in New York. This example illustrates the core of the problem
regarding jurisdiction. A company that has its base primarily in a foreign land,
Antigua, and which doesn’t look to cater specifically to the people of New
York, was prosecuted successfully in New York merely for having an office in
the state. It also raises the question of what the outcome of the case would
have been if the company did not have an office in the state. Could the company
have escaped liability even if it provided online gambling facilities to the
people of the state of New York?

There are several different theories on the number of problems that
jurisdictional issues will cause in cyberspace. There are also several theories as
to what the solutions to those problems should be. Current international law is
not well equipped to handle all of the complex issues that will arise from
conflicts based in cyberspace. However, the current law is a good basis from
which to mould laws that will fit questions of jurisdiction on the Internet. India
needs to strengthen its domestic laws by making significant changes in order to
make a strong claim over jurisdiction. Establishment of specialised courts
which deal with cyber issues exclusively at the domestic as well as
international level is vital. If there is mutual legal assistance and international
cooperation, it would pave the way for swift disposal of cybercrimes and
disputes. It is important that jurisdictional issues be harmonised between
nations, ensuring a strong emphasis is laid on retaliating against cyber-crimes
collectively and effectively. If the issues regarding jurisdiction are ignored,
then it will become a herculean task to prevent cyber-crimes in the
international criminal law system in the coming years.

17 714 NYS 2d 844

1.7 THE RELEVANCE OF PHYSICAL LOCATION

In determining under what circumstances extraterritorial jurisdictional
assertions are proper, courts and legislatures focused in the last half of the 20th
century, as they had previously, on physical location but at a different temporal
point. Most frequently, the focus was on where certain activities that gave rise
to the plaintiff’s claim had occurred. Where a negligent act took place, where a
contract was entered into18 or was to be performed,19 where a service was
performed, a security offered for sale, or a trademark infringed became the
touchstones of both personal and prescriptive jurisdictional inquiries. As long
as such an act occurred within the state’s boundaries, its assertion of both
personal and prescriptive jurisdiction was proper. As long as activities
continue to occur in “real” space, the place of such occurrences remains
relevant.20

18 Countries gave much thought to the rules regulating contract formation, presumably at least in part to
guarantee perceived desirable jurisdictional results. In Australia, for example, a contract is formed at the time
and place its acceptance is received by the offeror. The consumer is the offeror, so the typical consumer
contract is “formed” when and where the consumer receives the seller’s acceptance. Brazil, Colombia, and
Romania also look to the residence of the offeror, although in Brazil a contractual choice of a different law will
be upheld if it is not in violation of public policy. See Nestor Nestor & Kingston Petersen, “Written Remarks,”
posted at <http://www.kentlaw.edu/cyberlaw>.
In Canada, proposed legislation would fix the address of the consumer as the place in which an on-line contract
was formed. See “Canadian Law on Jurisdiction in Cyberspace,” submitted by Arlan Gates, Paul Tackaberry
and Adam Balinsky, posted at <http://www.kentlaw.edu/cyberlaw> [hereinafter Gates].

Technology, however, reduces and frequently may eliminate the need for
physical contact in the creation of legally significant relationships between
parties or between an actor and the state acting as regulator. The legal system
must then decide what relationship is necessary between the forum and either
the conduct occurring outside the forum or the parties. It is the tie between a
party and a forum, not necessarily a physical connection between the forum
and the conduct of that party that is critical. If the remote party (i.e. the party
never physically in the forum) knows that the proximate party is in (or is a
habitual resident of) the forum when the remote party interacts with the
proximate party, the remote party has created a tie between itself and the forum
state. Now it is the remote-party/forum relationship at the time of interaction,21
not at the time process is served, that matters. Whether such a tie is sufficient
to enable the forum to assert personal and prescriptive jurisdiction depends on
an analysis of additional factors (such as whether the remote party targeted the
forum, discussed below), but its existence is necessary to such assertions.

19 The Brussels Convention permits domiciliaries of contracting states to be sued in the courts of another
contracting state where the contractual obligation in question is to be performed. Title II, Section 2, Article 5.
20 Of course, not all assertions of jurisdiction were based on this kind of conduct-based inquiry. For example,
states continue to assert jurisdiction over their citizens with respect to claims that arise outside of the state and to
regulate conduct that occurs elsewhere which is intended to and does cause substantial effects in the state.
Nonetheless, a concern with where relevant acts took place is central to many, if not most, decisions.
21 In some contexts, some countries have already implicitly recognised this in the specific context of electronic
commerce. Australia’s Electronic Transactions Act 1999 (Cth) provides default rules for the place of dispatch
and receipt of electronic communications (including the place of an offer or acceptance of a contract) based on
the party’s place of business or ordinary residence.

1.8 ESTABLISHING JURISDICTION OVER CYBERSPACE:
TOWARDS A ‘SIMPLER’ READING OF THE “ACT”

Some provisions of the Act have been deemed controversial. For example,
section 75 states that the Act will apply to an offence or contravention
committed outside India by any person irrespective of his nationality, if the act
or conduct constituting the offence or contravention involves a computer,
computer system or computer network in India. A computer is only a medium
for communication. The use of a computer is not materially different from the
use of a phone or a car in the commission of a crime unless the computer has
been programmed for automatic action by its owner. It is not going to be easy
to acquire jurisdiction over a person not resident in India if a foreign country is
the scene of the crime and the criminal is not even an Indian citizen, merely
because a computer or a computer system in India has been utilized in some
way or other in connection with the crime. Nevertheless, certainly, if
software/hardware in India is damaged by a hacker based in a foreign country,
there can be no dispute about India’s right to reach him and make him
accountable for the crime committed in India alone.

Where contravention of any provisions of the Act has occurred is a matter of
adjudication for compensation purposes by the adjudicating officer and for
criminal action by the court.

1.9 THE INDIAN ELECTRONIC COMMERCE LEGISLATION: A
READING OF THE "ACT"

The Information Technology Act will go a long way in facilitating and
regulating electronic commerce. It has provided a legal framework for smooth
conduct of e-commerce. It has tackled the following legal issues associated
with e-commerce:

(a) requirement of writing; (b) requirement of a document; (c) requirement of a
signature; and (d) requirement of legal recognition for electronic messages,
records and documents to be admitted in evidence in a court of law.

However, the Act has not addressed the following grey areas:

(i) protection for domain names; (ii) infringement of copyright laws; (iii)
jurisdiction aspect of electronic contracts (viz. jurisdiction of courts and
tax authorities); (iv) taxation of goods and services traded through
e-commerce; and (v) stamp duty aspect of electronic contracts.

The main objective of the Act is to provide legal recognition for transactions
carried out by means of electronic data interchange and other means of
electronic communication, commonly referred to as e-commerce, which
involve the use of alternatives to paper-based methods of communication and
storage of information to facilitate electronic filing of documents with the
Government agencies. The Act, apart from India, has extra-territorial
jurisdiction to cover any offence or contravention committed outside India by
any person.

1.9.1 EXEMPTION/EXCLUSION

The Act shall not apply to the following categories of transaction:

(a) Any Negotiable Instrument; (b) A Power of Attorney; (c) A Trust; (d) A
will including any other testamentary disposition; (e) Any contract for the
sale or conveyance of immovable property; and (f) Any other documents or
transactions as may be decided by the Central Government.

1.10 DIGITAL SIGNATURES

With the passing of the Act, any subscriber (i.e., a person in whose name the
Digital Signature Certificate is issued) may authenticate an electronic record by
affixing his Digital Signature. Electronic record means data, record or data
generated, image or sound stored, received or sent in an electronic form or
microfilm or computer-generated microfiche.

1.11 ELECTRONIC GOVERNANCE

Where any law provides for submission of information in writing or in
typewritten or printed form, from now onwards it will be sufficient compliance
with the law if the same is sent in an electronic form. Further, if any statute
provides for affixation of a signature in any document, the same can be done by
means of a Digital Signature.

Similarly, the filing of any form, application or any other documents with the
Government Authorities and issue or grant of any license, permit, sanction or
approval and any receipt acknowledging payment can be done by the
Government offices by means of electronic form. From now onwards retention
of documents, records, or information as provided in any law, can be done by
maintaining electronic records. Any rule, regulation, order, by-law or
notification can be published in the Official Gazette or Electronic Gazette.

The Act, however, provides that no Ministry or Department of the Central
Government or the State Government or any Authority established under any
law can insist upon acceptance of a document only in the form of an electronic
record.

1.11.1 ACKNOWLEDGEMENT AND DISPATCH OF ELECTRONIC
RECORDS

An electronic record can be sent by the addresser himself or by a person acting
under his authority. An acknowledgement may be given by any communication
by the addressee, automated or otherwise. Any conduct of the addressee that is
sufficient to indicate to the addresser that the electronic record has been
received shall also be treated as sufficient acknowledgement.

The dispatch of electronic records occurs when it enters a computer resource
outside the control of the originator (i.e., addresser). Time of receipt of
electronic record shall be determined when electronic record enters the digital
computer resource or at the time when the electronic record is retrieved by the
addressee. An electronic record is deemed to be dispatched at the place where
the addresser has his place of business and is deemed to be received at the
place where the addressee has his place of business.

1.11.2 SECURED ELECTRONIC RECORDS AND DIGITAL
SIGNATURE

Under the Act, the Central Government has the power to prescribe the security
procedure in relation to electronic records and Digital Signatures, considering
the nature of the transaction, the level of sophistication of the Parties with
reference to their technological capacity, the volume of transactions and the
procedures in general used for similar types of transactions or communications.

1.11.3 REGULATION OF CERTIFYING AUTHORITIES

The Central Government may appoint a Controller of Certifying Authority who
shall exercise supervision over the activities of Certifying Authorities.

Certifying Authority means a person who has been granted a license to issue a
Digital Signature Certificate. The Controller of Certifying Authority shall have
powers to lay down rules, regulations, duties, responsibilities and functions of
the Certifying Authority issuing Digital Signature Certificates. The Certifying
Authority empowered to issue a Digital Signature Certificate shall have to
procure a license from the Controller of Certifying Authority to issue Digital
Signature Certificates. Detailed rules and regulations have been prescribed in
the Act, as to the application for license, suspension of license and procedure
for grant or rejection of license by the Controller of Certifying Authority.

1.11.4 DIGITAL SIGNATURE CERTIFICATE

Any person may make an application to the Certifying Authority for issue of
Digital Signature Certificate. The Certifying Authority while issuing such
certificate shall certify that it has complied with the provisions of the Act.

The Certifying Authority has to ensure that the subscriber (i.e., a person in
whose name the Digital Signature Certificate is issued) holds the private key
corresponding to the public key listed in the Digital Signature Certificate and
such public and private keys constitute a functioning key pair. The Certifying
Authority has the power to suspend or revoke Digital Signature Certificate.

1.11.5 DUTIES OF SUBSCRIBERS

A subscriber can publish or authorize the publication of Digital Signature
Certificate. Similarly, he can accept such certificate.

It is the responsibility of a subscriber to exercise reasonable care to retain
control of the private key corresponding to the public key listed in his Digital
Signature Certificate and to take all steps to prevent its disclosure to any
unauthorized person.

1.11.6 PENALTIES AND ADJUDICATION

If any person, without the permission of the owner, accesses the owner's
computer, computer system or computer network, or downloads copies or any
extract, or introduces any computer virus, or damages the computer, computer
system, computer network, data etc., he shall be liable to pay damages by way
of compensation not exceeding Rupees One Crore to the person so affected.

For the purpose of adjudication, the Central Government can appoint any
officer, not below the rank of Director to the Government of India or any
equivalent officer of any State Government, to be an Adjudicating Officer. The
Adjudicating Officer while trying out cases of this nature shall consider the
amount of gain of unfair advantage or the amount of loss that may be suffered
by a person. The aforesaid provisions were not incorporated in the Information
Technology Act, 2000 and the same were suggested by the Select Committee
of Parliament22.

22 In Delhi, the first case under the Act has already been registered by the police based on an FIR filed by a
Retd. Army Officer whose Internet time has been "stolen" by the accused. However, the accused has been
granted bail by the City Court. Interestingly, although passed by the Parliament, the Act did not come into force
until recently and Notification to this effect was issued by the Central Government in the Official Gazette on
June 19, 2000. This was one of the pleas taken by the accused in the aforesaid case.

1.11.7 THE CYBER REGULATIONS APPELLATE TRIBUNAL

Under the Act, the Central Government has the power to establish the Cyber
Regulations Appellate Tribunal. The Tribunal shall have the power to entertain
the cases of any person aggrieved by the Order made by the Controller of
Certifying Authority or the Adjudicating Officer.

1.11.8 OFFENCES

Tampering with computer source documents shall be punishable with
imprisonment up to three years or fine up to Rs. 2 lakhs or with both. Similarly,
hacking with computer system entails punishment with imprisonment up to
three years or with fine up to Rs. 2 lakhs or with both.

Publishing of information, which is obscene in electronic form, shall be
punishable with imprisonment up to three years or with fine up to Rs. 5 lakhs
and for second conviction with imprisonment up to 5 years and with fine up to
Rs. 10 lakhs.23

1.11.9 MISCELLANEOUS

Under the Act, any police officer not below the rank of Deputy Superintendent
of Police or any other authorized officer of the Central or State Governments,
may enter any public place and search and arrest without warrant any person
who is reasonably suspected of having committed or of committing or of being
about to commit any offence under the Act. 'Public place' includes any hotel,
shop or any other place intended for use by or accessible to the public24.

23 Information Technology Act, 2000, s. 67.
24 This amendment was suggested by the Select Committee of Parliament. Under the Indian Penal Code, even a
constable has the aforesaid power. However, the power given to the designated police officer is so wide that
even on suspicion or on his conviction that an offence is about to be committed, he can conduct search and
arrest without any warrant. There is a widespread fear that this may be misused.

1.12 THE AMENDMENTS: A ‘REACTION’

The amendments to the Information Technology Act to a measurable extent are
a “reaction” to recent developments such as service provider liability issues and
auction sites; sleazy MMS clips and the like. In major part, desirable as most
reactions are, offences under the Act have been made compoundable25; that is to
say, the parties can compound the case, i.e. settle it between themselves. This is
welcome as most crimes target specific individuals and it is right for individuals
to sort out the situation.

The offences which have been made compoundable are:

• Section 66: If a person dishonestly or fraudulently does any act which
damages the computer or the computer system, he is liable to a fine of up
to five lakhs or to be imprisoned for a term of up to three years. A host of
new sections have been added to section 66 as sections 66A to 66F
prescribing punishment for offences such as obscene electronic message
transmissions, identity theft, cheating by impersonation using computer
resource, violation of privacy and cyber terrorism.

• Section 66A26: Any person who sends by means of a computer resource or a
communication device any content which is grossly offensive or has a menacing
character, or which is not true but is sent to create nuisance, annoyance,
criminal intimidation, hatred or ill will etc., shall be punished with
imprisonment for a term which may be up to three years combined with a fine.

25 Section 77A provides that the ‘offences under sections 66, 66A, 72 and 72A may be compounded by the
aggrieved person.’
26 Section 66A of the I.T Act, 2000 has been struck down by the Supreme Court in Shreya Singhal v Union of
India, (2013) 12 S.C.C. 73.

• Section 67 of the old Act is amended to reduce the term of imprisonment
for publishing or transmitting obscene material in electronic form to three
years from five years and increase the fine thereof from Indian Rupees
100,000 (approximately USD 2000) to Indian Rupees 500,000
(approximately USD 10,000). A host of new sections have been inserted
as Sections 67 A to 67C. While Sections 67 A and B insert penal
provisions in respect of offenses of publishing or transmitting of material
containing sexually explicit act and child pornography in electronic form,
section 67C deals with the obligation of an intermediary to preserve and
retain such information as may be specified for such duration and in such
manner and format as the central government may prescribe.

• In view of the increasing threat of terrorism in the country, the new
amendments include an amended section 69 giving power to the state to
issue directions for interception or monitoring or decryption of any
information through any computer resource. Further, sections 69 A and
B, two new sections, grant power to the state to issue directions for
blocking public access to any information through any computer
resource and to authorize the monitoring and collection of traffic data or
information through any computer resource for cyber security.

• Section 72: If a person is found in possession of some confidential
information like electronic record, book, register, correspondence and he
is found disclosing it to any third party without the consent of the person
concerned, then he shall be punished with imprisonment for a term which
may be up to two years, or a fine which may extend to One Lakh rupees,
or with both.

• Section 72A: If any person, while providing services under the terms of
a contract, has secured access to any material containing personal
information about another person and, with the intent to cause wrongful loss
or wrongful gain, discloses the information without the person’s consent
or in breach of a lawful contract, he shall be punished with imprisonment for
a term which may extend to three years or with fine which may extend to
five lakh rupees or with both.

1.13 THE ‘MEDIUM’ NOT THE ‘MACHINE’/’DEVICE’

It is important to remember that the Internet is principally a medium; which can
be regulated by regulating its “layers”. A law to be effective must apply to (or
regulate) one or more “layer” that is: (a) the physical (the wires, hardware, the
‘device’ itself); (b) the digital (the code or the “spectrum”) or (c) content
(whether prohibited socially censored comments or proprietary material).

1.14 DATA PRIVACY AND INFORMATION SECURITY

In view of recent concerns about the operating provisions in the IT Act related
to “Data Protection and Privacy”, in addition to contractual agreements between
the parties, the existing Sections (viz. 43, 65, 66 and 72A) have been revisited
and some amendments/more stringent provisions have been provided for in the
Act. Notable amongst these are:

• Section 43(A) is related to handling of sensitive personal data or
information with reasonable security practices and procedures. This
section has been inserted to protect sensitive personal data or information
possessed, dealt or handled by a body corporate in a computer resource
which such body corporate owns, controls or operates. If such body
corporate is negligent in implementing and maintaining reasonable
security practices and procedures and thereby causes wrongful loss or
wrongful gain to any person, it shall be liable to pay damages by way of
compensation to the person so affected.

• Gradation of severity of computer related offences under Section 66 has
been amended; now, if an offence is committed dishonestly or
fraudulently, the punishment is imprisonment for a term which may extend to
three years or a fine which may extend to Rs 5 lakhs or both;

• The addition of Section 72 A for breach of confidentiality with the intent
to cause injury to a subscriber. This is recognised as providing sufficient
protection under the EC Directive27.

Contractual agreements are those agreements which are signed between parties
where one party provides services on the basis of the contract signed. There is
always a provision in any contractual agreement of not to disclose any
information which is imperative for the running of the business. According to
Section 72 (A) if anyone is found disclosing any information of a third person,
without his consent he shall be punished with imprisonment for a term which
may extend to three years or a fine of Rs 500,000.

The problem remains with ambiguous phrases. For instance, the amended
Section 43 (A) makes it mandatory for companies to include ‘reasonable
security measures’ while handling data. What precisely ‘reasonable’
indicates is anyone’s guess. We would recommend organisations to follow the
standards prescribed by the Computer Emergency Response Team (CERT).
CERT’s primary role is to raise security awareness among the cyber community
and to provide technical assistance and advice to help them recover from
computer security incidents.

27 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic communications sector (Directive on
privacy and electronic communications) available at
<http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML>

CERT provides technical advice to System Administrators and users to respond
to computer security incidents. It also identifies trends in intruder activity,
works with other similar institutions and organisations to resolve major security
issues, and disseminates information to the cyber community. CERT also
enlightens its constituents about the security awareness and best practices for
various systems and networks by publishing advice, guidelines and other
technical documents. The European Network and Information Security Agency
(ENISA) performs similar functions to the CERT. The basic regulation which
established ENISA is the Regulation (EC) No 460/2004.28

1.15 INDIAN COMPUTER EMERGENCY RESPONSE TEAM TO
SERVE AS NATIONAL NODAL AGENCY

The new amended Act of 2006 provides for an Indian Computer Emergency
response team to act as a central agency in respect of Critical Information
Infrastructure29 for coordinating all actions relating to information security
practices, procedures, guidelines, incident prevention, response and reporting.30

28 See REGULATION (EC) No 460/2004 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of
10 March 2004 establishing the European Network and Information Security Agency available at
<http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:077:0001:0011:EN:PDF>
29 “Information infrastructures form an essential part of critical infrastructures. In order effectively to protect
critical infrastructures, therefore, countries must protect critical information infrastructures from damage and
secure them against attack. Effective critical infrastructure protection includes identifying threats to and
reducing the vulnerability of such infrastructures to damage or attack, minimizing damage and recovery time in
the event that damage or attack occurs, and identifying the cause of damage or the source of attack for analysis
by experts and/or investigation by law enforcement.” G8 Principles for Protecting Critical Information
Infrastructures (Adopted by the G8 Justice & Interior Ministers, May 2003) available at
<http://www.usdoj.gov/criminal/cybercrime/g82004/G8_CIIP_Principles.pdf>
30 Section 70 A of the Act

CERT-In has been operational since January 2004. The main motive for setting
up such a team is to keep malicious worms out of our systems. In today’s world,
where most work is done by computers, our entire efficiency and national data
were initially at risk and left open to tampering by malicious hackers. To
avoid such problems, CERT-In was set up. CERT-In is the
national nodal agency for responding to computer security incidents as and
when they occur. In the recent Information Technology Amendment Act 2008,
CERT-In has been designated to serve as the national agency to perform the
following functions in the area of cyber security:-

1. Collection, analysis and dissemination of information on cyber incidents.
2. Forecast and alerts of cyber security incidents
3. Emergency measures for handling cyber security incidents
4. Coordination of cyber incidents response activities
5. Issue guidelines, advisories, vulnerability notes and whitepapers relating
to information security practices, procedures, prevention, response and
reporting of cyber incidents.
6. Such other functions relating to cyber security as may be prescribed.31

Whenever a new technology arrives, its misuse is not long in following - the
first worm in the IBM VNET was covered up. Shortly afterwards, a worm hit the
Internet on 3 November 1988, when the so-called Morris Worm paralyzed a
good percentage of it. This led to the formation of the first Computer
Emergency Response Team at Carnegie Mellon University under U.S.
Government contract.32 The Indian Computer Emergency Response Team
(CERT-In) is assisting the Department of Information Technology in putting in
place a national cyber security strategy and a national information security
governance policy. CERT-In explains how an organization seeks to ensure the
safety and security of the Indian cyber space. The purpose of CERT-In is to
become the nation's most trusted referral agency for responding to computer
security incidents as and when they occur.33 With the increasing use of IT, there
is an increasing reliance on interdependent and cyber supported infrastructure.
Technological advances have created new vulnerabilities to equipment failure,
human error, weather and natural causes, and intentional physical and cyber
attacks. Since the threats to critical national IT infrastructure through these
vulnerabilities are likely to have a crippling effect on the economy as well as
on the safety and well-being of society, addressing them will increasingly
require coordinated efforts between the government and the private sector, both
within the country as well as across other bodies around the world. In view of
this, it was felt necessary to establish CERT-In to ensure the safety and
security of the Indian cyber space.34

31 http://www.cert-in.org.in/
32 http://en.wikipedia.org/wiki/Computer_emergency_response_team

The Department of Information Technology, Ministry of Communications and
Information Technology, Government of India, has established the Indian
Computer Emergency Response Team (Cert-In). As part of the CERT-In, each
sector needs to set up a Sub-Cert and IDRBT is the Sub-Cert for the Indian
Banking and Financial Sector.

1.16 BASIC ROLE OF CERT35

• Role of CERT-In
– Computer Security Incident Response (Reactive)
– Computer Security Incident Prevention (Proactive)
– Security Quality Management Services

• Information Exchange
– With sectorial CERTs (CSIRTs), CIOs of Critical Infrastructure,
organizations, ISPs, Vendors

• International Collaboration
– Member of FIRST
– Member of APCERT
– Research Partner- APWG
– Functional relationship with US-CERT and CERT/CC

33 http://www.inclusion.in/index.php?option=com_content&view=article&id=427
34 http://www.inclusion.in/index.php?option=com_content&view=article&id=427
35 http://www.itu.int/ITU-D/cyb/events/2009/hyderabad/docs/rai-role-of-cert-in-sept-09.pdf

1.16.1 REPORTING

1. Central point for reporting incidents:- the following information should
be given while reporting about any incident
• time of occurrence
• information regarding affected system
• symptoms observed
• relevant technical information such as security system deployed,
actions taken to mitigate the damage.

2. Database of incidents

1.16.2 ANALYSIS

1. Analysis of trends and patterns of intruder activity
2. Develop preventive strategies for the whole constituency
3. In-depth look at an incident report or an incident activity to determine the
scope, priority and threat of the incident.

1.16.3 RESPONSE

1. Incident response is a process devoted to restoring affected systems to
operation
2. Send out recommendations for recovery from, and containment of
damage caused by the incidents.
3. Help the System Administrators take follow up action to prevent
recurrence of similar incidents

1.16.4 REPORTING OF VULNERABILITY

A vulnerability is a bug which enables a hacker to bypass security measures. Any
such bypass, whether done with bona fide or mala fide intention, should be
reported to CERT-In quickly, before it is too late.

1.16.5 OTHER SIGNIFICANT ROLES36

1.16.5.1 REACTIVE

1. Provide a single point of contact for reporting local problems: The entire
CERT programme is run and managed by the Indian government. Its main role
is to safeguard the interests of people in the country and to keep
important national data from falling into the wrong hands before it can be
misused.

2. Assist the organizational constituency and general computing community
in preventing and handling computer security incidents: As already
discussed, a threat follows every new invention in this world. The threat
may take the form of a vulnerability. Hence, to prevent a catastrophic
incident from taking place, the threat posed by vulnerabilities should be
stopped.

3. Share information and lessons learned with CERT/CC, other CERTs,
response teams, organizations and sites: As far as the reporting of such
information is concerned, it is quite evident that the more information
about any worm or any mishap is given to CERT, the smaller its impact will
be on future endeavours.

4. Incident response: An incident should be reported to the team as soon as
any intrusion of this type is encountered. Any breach of our secure
internet systems could be fatal to us.

5. Provide a 24 x 7 security service: CERT provides a 24 x 7 security service
so that a threat cannot bring down the main server, and to prevent any
attacker from making a malicious move.

6. Offer recovery procedures: Many procedures and guidelines are given on
the CERT home page. Using those and the newly amended law, recovery
procedures can be sought.

36 http://www.cert-in.org.in/

1.16.5.2 PROACTIVE

1. Issue security guidelines, advisories and timely advice: Many guidelines
are in force across the system to act as a shield against misuse. A few of
them are CISG 2010-01, CISG 2011-3 and CISG 2011-2.

2. Vulnerability analysis and response: For any kind of vulnerability
response, the first and foremost thing to do is to inform CERT. It has the
technology and authority to track down a person who hacks into the system
with hostile intent.

3. Risk analysis: The level of risk in such a situation is extreme.

4. Profiling attackers: CERT has, more or less, the profiles of the main
attackers who could come up with a plan to disrupt the free flow of the
cyber system of the country. To guard against this, a profile of each
attacker is kept in case the team needs it.

5. Conduct training, research and development: The team has undergone
various training programmes in which they are taught how to eradicate the
problem. With a view to such eradication, many new programmes are also
developed to fight day-to-day problems.

6. Interact with vendors and others at large to investigate and provide
solutions for incidents: The team is highly qualified to take cognizance of
a cyber offence, can assess the gravity of the offence and can direct that
it be investigated.

1.17 CYBER CRIME, EVIDENCE AND PUNISHMENT

The Act provides for essentially economic offences or crimes in the medium
that are linked to economic loss or detriment. The Government would do well to
take a proverbial leaf from the OECD Guidelines for the Security of Information
Systems and Networks37 and the Council of Europe’s Convention on
Cybercrime.38 Social offences like pornography when included are superfluous
due to the existing provisions in the Indian Penal Code covering pornography.
Though pornography has not been defined under the code, section 292 clearly
states that “a book, pamphlet, paper, writing, drawing, painting representation,
figure or any other object, shall be deemed to be obscene if it is lascivious or
appeals to the prurient interest or if its effect,” Neither has the language or
expression changed from 1860, the year when the Indian Penal Code came into
force. The inclusion of a provision banning child pornography could well be a
case of ‘over legislation’ considering the existing blanket ban on pornography
per se; both in the Information Technology Act, 2000 (section 67) as well as the
Indian Penal Code, 1860 (section 292).

37 See OECD Guidelines for the Security of Information Systems and Networks available at
<http://www.oecd.org/dataoecd/16/22/15582260.pdf>
38 Convention on Cybercrime available at <http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm>

A ‘fresh’ Section 68(A) has been proposed for providing modes and methods
for encryption for secure use of the electronic medium. This is a welcome
guidance. Section 69, related to power to issue directions for interception or
monitoring or decryption of any information through any computer resource,
has been amended to take care of the concerns of the Ministry of Home Affairs
which include the safety, sovereignty, integrity of India, defence of India, to
maintain friendly relations with other nations and preventing incitement to the
commission of any cognizable offence.

A new section 79 A39 (Examiners of Electronic Evidence) has been added to
notify the examiners of electronic evidence by the Central Government. This
will help the Judiciary/Adjudicating officers in handling technical issues.

Section 79 has been revised to bring-out explicitly the extent of liability of
intermediary in certain cases. The EU Directive on E-Commerce 2000/31/EC
issued on June 8th 2000 has been used as a guiding document.40

1.18 OTHER AMENDMENTS

• The term “digital signature” has been replaced with “electronic
signature”.

• “Communication Device” has been defined as cell phones, personal
digital assistance or combination of both or any other device used to
communicate, send or transmit any text, video, audio or image.

39 Section 79A – ‘The Central Government may, for the purposes of providing expert opinion on electronic form
evidence before any court or other authority specify, by notification in the Official Gazette, any Department,
body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.’
40 See Section 4 Article 12 of EU Directive on E-Commerce 2000/31/EC issued on June 8th 2000 available at
<http://eurlex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32000L0031&model=guichett>

• “Cyber café” has been defined as any facility from where the access to
the internet is offered by any person in the ordinary course of business to
the members of the public.

• A new definition has been inserted for “intermediary”. “Intermediary”
with respect to any particular electronic records, means any person who
on behalf of another person receives, stores or transmits that record or
provides any service with respect to that record and includes telecom
service providers, network service providers, internet service providers,
web-hosting service providers, search engines, online payment sites,
online-auction sites, online market places and cyber cafes, but does not
include a body corporate referred to in Section 43A.

• A new section 10A has been inserted to the effect that contracts
concluded electronically shall not be deemed to be unenforceable solely
on the ground that electronic form or means was used.

• The damages of Rs. One Crore (approximately USD 200,000) prescribed
under section 43 of the earlier Act for damage to computer, computer
system etc has been deleted and the relevant parts of the section have
been substituted by the words, “he shall be liable to pay damages by way
of compensation to the person so affected”.

• A proviso has been added to Section 81 which states that the provisions
of the Act shall have overriding effect. The proviso states that nothing
contained in the Act shall restrict any person from exercising any right
conferred under the Copyright Act, 1957.

1.19 DRAWBACKS OF THE NEW LEGISLATION

The amendments ignore existing international classifications of cyber crimes.
The Council of Europe’s Convention on Cybercrime41 identifies the following
as offences which should be incorporated into substantive criminal law; some of
the provisions are particularly relevant, which are:

I. Computer-related offences
Computer-related fraud (Art. 8)

II. Content-related offences
Racial hatred, obscenity, amongst other classifications

III. Offences related to infringements of copyright and related rights
Offences related to infringements of copyright and related rights (Art. 10)

1.20 TOWARDS A REGIME DRIVEN BY PRIVACY?

While the amended version of the Act strengthens provisions on confidentiality
and data privacy, the inclusion of a solitary provision on data privacy is quite
in contrast to Europe, where data protection provisions are enshrined in
Directives at the EU level and in national legislation. In fact, data protection
is a sine qua non for aspirant members to the European Union, and also for
companies who receive data from the EU. “Data subjects” must have rights
enshrined in explicit rules with a detailed enforcement mechanism rather than
relying on a lone section to do the task elsewhere performed by an entire Act! A
detailed data protection law is needed; not merely for the ITES industry but for
the citizens of India. The right to know balanced with the right to privacy is
the hallmark of a true democracy.

41 See Convention on Cybercrime available at <http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm>

1.21 ‘LEGALESE’ AND LEGAL DRAFTING: CONTROVERSIAL
PROVISIONS IN THE ‘ACT’

The Information Technology Act [“the Act”], as in the case of all legislation,
is supposed to be for every citizen, especially the non-specialist. Its language
should be comprehensible to anyone who is likely to be affected by it, either as
one who provides any services or conducts any business or as a consumer who
avails of any services or supplies through the electronic medium. The danger
of being enveloped in long and tortuous sentences and unnecessary jargon
seems to manifest itself in the Act.

It will be no exaggeration to say that the following provisions of the
Explanation to sub-section (2) of section 3 will need a lot of explanation and
will not serve any purpose in the present form: ‘For the purpose of this
sub-section, “hash function” means an algorithm mapping or translation of one
sequence of bits into another, generally smaller set, known as “hash result”
such that an electronic record yields the same hash result every time the
algorithm is executed with the same electronic record as its input making it
computationally infeasible

(a) to derive or reconstruct the original electronic record from the hash result
produced by the algorithm;

(b) that two electronic records can produce the same hash result using the same
algorithm.’

Section 40, unfortunately, is no better:

“Where any digital signature certificate, the public key of which corresponds to
the private key of that subscriber which is to be listed in the digital signature
certificate, has been accepted by the subscriber, then, the subscriber shall
generate the key pair by applying the security procedure”.

1.22 LIABILITY FOR CARRIAGE AND CONTENT

1.22.1 A LOOK AT THE EU POSITION

Directive 2000/31/EC of the European Parliament and of the Council of June 8
2000 on Certain Legal Aspects of Information Society Services, in Particular
Electronic Commerce, in the Internal Market

The largest development involves the European Commission’s adoption on
June 8th of its Electronic Commerce Directive, which aims to remove barriers
to e-commerce42. The Directive includes various provisions affecting search
engines such as: (i) a company providing “information society services” (e.g.
selling goods or providing information on line) will be subject to the law of the
Member State in which it is established, irrespective of where the recipient of
the service is based (the “country of origin” principle); (ii) Internet service
providers (ISP) receive some exemption from liability for infringing material
transmitted over their systems by third parties, provided certain conditions are
met; (iii) unsolicited commercial e-mail (“spam”) must be clearly identifiable
as such, and companies sending this kind of e-mail must regularly consult any
relevant opt-out registers.

42 Member States have until 16 January 2002 to implement the provisions of the Directive into their national
laws.

The Indian Act makes a distinction between an access provider who provides
access and the content provider who provides the content for the sake of
determining liability. It establishes that a network service provider is not
subject to criminal or civil liability for third party material for which or to
which the provider merely provides access. Network service providers will
continue to be liable for their own content, or third party content that they
adopt or approve of43. The Indian Information Technology Act immunizes Internet
Service Providers against liability arising out of any distressing content or
defamatory statements or such content that is likely to violate any law. By
reducing the liability of service providers, the Act ensures that they are not
penalized for content that is beyond their control.

The primary issue is whether Section 292 IPC could be invoked for a Web site
search results issue. Section 292 defines obscenity. It says that a
book, pamphlet, paper, writing, drawing, painting, representation, figure or any
other object, shall be deemed to be obscene if it is lascivious or appeals to the
prurient interest, or (where it comprises two or more distinct items) the effect
of any one of its items, is, if taken as a whole, such as to tend to deprave and
corrupt persons who are likely, having regard to all relevant circumstances, to
read, see or hear the matter contained or embodied in it.

The controversy is as to how to define the words "any other object". Section 292
(1) IPC refers to a book, pamphlet, paper, writing, drawing, painting,
representation, figure or any other object. All the objects listed under Section
292 are corporeal and material in nature. Can we interpret the words "any other
object" so broadly as to include anything and everything in
Cyberspace? Can "any other object" also mean a virtual object? These issues are
very complicated, and any attempt to apply the provisions of Section 292 IPC
to the cyber world is an exercise fraught with difficulties.

43 A survey of Latin American countries reveals that at least Brazil, Ecuador, El Salvador, Uruguay and
Venezuela have pending legislation and/or regulations pertaining to electronic commerce, though none of these
pending rules would specifically address a search engine’s liability for trademark infringement.


1.22.2 OVER/UNDER-RIDING REGULATORY ISSUES:

(a) licensing of cross-border telecom systems: a perspective on the Indian
regulatory impasse on telecom. The Indian Telecom Authorities are
undecided on the issues of whether to allow voice over telephony, in the
light of resistance from the Department of Telecommunications (DoT).

(b) Encryption: testing 'legality' in India. A study in the light of section 14 of
the Indian Information Technology Act, 2000. Is encryption allowed
under Indian law? The government says “no”, but the 'Act' appears to
say “yes”. As per government policy as evidenced from periodic notices
and circulars, encryption is illegal in India; however, the Act seems to say
otherwise, as would appear from a reading of section 14 of the
legislation. Laws are in existence in India that can be interpreted to read
that transmission of data with any form of encryption is illegal. The onus of
prevention is upon the service provider concerned. However, much of
current Internet technology, including secure Web servers, PGP
encrypted Email, and Virtual Private Networks, is based on encryption.
Prevention may be technically impossible, and this could be used as
grounds for revocation of a Private ISP license.

(c) Data protection: the 'absence' of regulatory or legal norms and the impact
on business in India. There is no specific legislation in India for the
protection of data. Unlike the United Kingdom, India does not have such
legislation, except that the protection accorded to electronic data in the
Act, juxtaposed with other legislation, can point towards a solution.

1.22.3 NATURE OF ONLINE

The problem with an online contract arises from the question of how to enforce
a contract that does not have a document backing it and how this contract is to
be proved in court. The issue is dealt with in a detailed chapter on Electronic
Contracts.

1.22.4 REQUIREMENT OF “DOCUMENTS”

Contracts that are written and signed are more certain and therefore easier to
enforce. This is due to the fact that a document lends some degree of
authenticity as to the contract formation and facilitates easier enforcement of the
same. Documents are also required for evidentiary purposes. Section 64 of the
Indian Evidence Act, 1872 (the Evidence Act) states that documents must be
proved by primary evidence except in the cases specifically provided for. The
contents of any document which have to be proved have to be proved by the
original of the document itself being produced in Court, except in a few limited
instances.

If a computer printout or any information which is visible on the screen of the
computer is included in the definition of document, the question arises as to
what is an original with respect to a computer printout, or information contained
in a computer. The Evidence Act lays emphasis on original documents because, once
any information is reduced to actual physical fixation in the conventional sense,
it is difficult to alter it. On a thorough examination it is possible to identify any
alteration to an original of a document.

The Indian Act seeks to resolve this issue by stating that where the law requires
any record to be presented in original form, that requirement is satisfied by an
electronic record if there exists reliable assurance as to the integrity of the
record and where it is required that a record be presented, that record is capable
of being displayed to the person to whom it is being presented.
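The following is an added example, not part of the original text or of the Act: it shows how the “hash result” defined in the Explanation quoted in section 1.21 can give the assurance of integrity described above. SHA-256, the function names and the sample order text are assumptions chosen for illustration.

```python
import hashlib
import hmac

ALGORITHM = "sha256"  # assumption: the Act and the page name no algorithm


def hash_result(record: bytes) -> bytes:
    """Map a record of any length to a fixed-size hash result."""
    return hashlib.new(ALGORITHM, record).digest()


def seal(record: bytes) -> dict:
    """Capture, at creation time, what later proves the record unaltered."""
    return {"algorithm": ALGORITHM, "length": len(record),
            "hash_result": hash_result(record).hex()}


def verify(presented: bytes, sealed: dict) -> bool:
    """True only if the presented copy reproduces the sealed hash result."""
    if sealed["algorithm"] != ALGORITHM or len(presented) != sealed["length"]:
        return False
    expected = bytes.fromhex(sealed["hash_result"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hash_result(presented), expected)


def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bit positions in which two hash results differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Constructed sample records (not from the page): one digit is altered.
ORIGINAL = b"Order 1042: buyer agrees to pay Rs. 10,000 on delivery."
ALTERED = b"Order 1042: buyer agrees to pay Rs. 19,000 on delivery."

if __name__ == "__main__":
    s = seal(ORIGINAL)
    print("seal:", s)
    print("original verifies:", verify(ORIGINAL, s))
    print("altered verifies: ", verify(ALTERED, s))
    changed = differing_bits(hash_result(ORIGINAL), hash_result(ALTERED))
    print("bits changed by a one-digit edit:", changed, "of 256")
    # The seal is only as trustworthy as its storage: anyone who can alter
    # the record and also replace the seal defeats the check, which is why
    # the hash result is normally signed or held by an independent party.
```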


1.23 FORMATION OF ONLINE CONTRACTS

Under the Indian Contract Act, 1872, the acceptance of a valid offer results in a
valid contract. It is crucial to know when a contract is concluded online and
whether any difference exists between contracts concluded by traditional modes,
such as via post.

Section 4 deals with the rule regarding completion of communication of
acceptance. The communication of acceptance is complete as against the
offeree when it reaches the knowledge of the offeror. But the Supreme Court has
held that in the case of communication by oral means, by telex or by telephone,
an acceptance is communicated only when it is actually received by the offeror.

This question has to be addressed in the case of e-commerce, where more often
than not, acceptance is made via email or by pressing the ‘Accept’ or ‘Buy’ icons.
The question that would arise is when the acceptance has been conveyed, i.e. is
it:

a) when the email was sent; or
b) when it was received by the addressee; or
c) when it reaches the ‘host computer’, which provides the email facility to
the addressee.

As seen earlier, where the communication is by instantaneous means the court
has held that the acceptance is communicated only when the communication
remains open. Would the acceptance be deemed to have been communicated at
the place where the offeree clicks the “Accept” icon (as the action of clicking
the icon is done on the offeree’s computer)? Or would it be deemed to have been
communicated where the server (which actually hosts the ‘Accept’ icon) is
located? Or would it be the place where the offeror actually reads the
acceptance on his computer (which can be at a different place than the location of
the server)?

In Germany, judicial practice has established that a message sent by email is
deemed to be received when it reaches the host computer of the addressee (if the
addressee has published the email address on his visiting card or letterhead or
otherwise makes it publicly known).

In South Africa, when the acceptance is by way of post, the contract will be
concluded at the time when, and at the place from where, the acceptance is
posted. This is known as the ‘expedition’ theory. Where the acceptance is
notified by means of fax or telegram, the contract is concluded at the time and
place where the offeror learns of the acceptance. This is called the ‘information
theory’. According to the law firm, Werksmans Attorney, acceptance via email
would be based on the information theory.

The Indian Act deals with the issue as to when the receipt and dispatch of
electronic records take place. According to it, a dispatch of an electronic record
is deemed to take place when it reaches an information system outside the
control of the person who sent the electronic record and is deemed to be
received when it is received by, or reaches an information system designated by,
the person to whom it is sent. This is to be read with existing Indian law and the
correct position interpreted.
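As an added illustration (not part of the original text), the sketch below reads the SMTP `Received` trace headers of an email to find the first hop outside the sender's systems and the first hop inside the addressee's designated system, which are the two moments the rule above turns on. Treating mail relays as the relevant “information systems”, and every host name and timestamp in the sample message, are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message (not from the page); every host and time is illustrative.
RAW = """\
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
    by mx.buyer.example with ESMTP; Mon, 05 Mar 2001 10:00:07 +0530
Received: from smtp.seller.example (smtp.seller.example [192.0.2.25])
    by relay.isp.example with ESMTP; Mon, 05 Mar 2001 10:00:03 +0530
Received: from pc17.seller.example (pc17.seller.example [192.0.2.17])
    by smtp.seller.example with ESMTP; Mon, 05 Mar 2001 10:00:01 +0530
From: sales@seller.example
To: orders@buyer.example
Subject: Acceptance of offer 1042

We accept.
"""


def hops(raw):
    """Return (receiving_host, timestamp) per Received header, oldest first.
    Each relay prepends its own header, hence the reversal."""
    out = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = value.rpartition(";")
        by = re.search(r"\bby\s+([^\s;]+)", info)
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # unparseable trace line: skip rather than guess
        if by:
            out.append((by.group(1).lower(), when))
    return out


def in_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def dispatch_and_receipt(raw, sender_domains, designated_domains):
    """First hop outside the sender's control, first hop inside the designated
    system. Headers added before the first trusted hop can be forged."""
    dispatched = received = None
    for host, when in hops(raw):
        if dispatched is None and not in_domain(host, sender_domains):
            dispatched = (host, when)
        if received is None and in_domain(host, designated_domains):
            received = (host, when)
    return dispatched, received
```

Calling `dispatch_and_receipt(RAW, {"seller.example"}, {"buyer.example"})` returns the `relay.isp.example` hop at 10:00:03 as the dispatch and the `mx.buyer.example` hop at 10:00:07 as the receipt. Because each timestamp comes from a different server's clock, the receiving server's own logs are the stronger record.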

The Indian Act specifically excludes from its purview contracts relating to the
creation and execution of wills, execution of negotiable instruments, acts
relating to declaration of trust and power of attorney, immovable property, titles
for movable and immovable property, etc.


1.24 ELECTRONIC PAYMENT SYSTEMS

These systems are considered very secure since it is not possible for third parties
to obtain these details and misuse them. Visa & MasterCard have developed a
system for online payment called Secure Electronic Transaction (SET).

1.24.1 ELECTRONIC CASH

Electronic Cash is more secure and anonymous than credit cards when making
payments for transactions. It is specifically useful for small transactions.

1.24.2 ELECTRONIC CASH PAYMENT MECHANISM – OPEN BANK-ISSUER MODEL (INTERNATIONAL)

Anyone wishing to use electronic cash can purchase a certain number of units
from a member bank for a particular value in a local currency. He or she can
then use it for making payments over the Internet. The receiver of electronic
cash can either use it for making similar payments over the Internet or redeem it
at any member bank for his country’s own currency.

India should start thinking and debating on introducing electronic cash or
something similar to it. If any party to the transaction is a foreign party, the
Exchange Control Regulations will also come into the picture.

1.25 SECURITY

Security is the single biggest obstacle for the growth of e-commerce. There are
basically two kinds of security problems: teenage hacking accounts for only 7%
of reported violations, while infiltration by competitors accounts for 39% of the
violations.

Under the Indian Telegraph Act, 1885, “if any person with intention to prevent
or obstruct the transmission or delivery of any message, or to intercept or to
acquaint himself with the contents of any message, or to commit mischief,
damages, removes, tampers with or touches any battery, machinery, telegraph
line, post or any other thing whatever, being part of or used in or about any
telegraph or in the working thereof, he shall be punished with imprisonment for
a term which may extend to three years or with fine or both”. There is a
possibility that any attempt at hacking could be punishable under this section.

1.26 SECURING ELECTRONIC TRANSACTIONS

One of the most important conditions for e-commerce’s survival is the ability to
safeguard all electronic transactions. Unless an electronic transaction is secure it
would be difficult to determine its authenticity. Also, users will be hesitant to
send confidential information over the net. Existence of safeguards and an
assurance that such transmissions are foolproof will go a long way towards
boosting e-commerce. The most common way of protecting electronic
transactions is through cryptography (i.e. encryption techniques). Cryptography
uses sophisticated mathematical algorithms, particularly a technology known as
“asymmetric cryptography”. Two uses of cryptography can be distinguished:

• Use of cryptography for confidentiality of a message; and
• Use of cryptography in digital signatures
