MODULE 1
LAW REGULATING THE CYBERSPACE: AN OVERVIEW
Traditional legal systems have had great difficulty in keeping pace with the
rapid growth of the Internet and its impact throughout the world. While
some laws and objectives have been enacted and a few cases have been
decided that affect the Internet, they have left most of the difficult legal
issues to the future. In spite of the recent proliferation of legislation world-
wide, it is unlikely that courts and legislators will be able to provide
sufficient guidance in a timely fashion to business [and lawyers] to enable
them to engage in commerce on, or otherwise take advantage of, the Internet
in a manner that avoids or minimizes unexpected consequences or liabilities.
The Internet has tested the limits of regulation, prompting some to declare
‘independence’1 and yet others to declare it beyond the limits of
governance2. One of the purposes of this text is to build a global community
of people who are thinking about all this in a serious way. As time passes,
one aspect of governance is clearly visible, the will of governments to be
seen and ‘felt’ on the Internet. Governments across the world seem eager to
put to rest the notions that cyberspace can't be governed. This view
1 In February 1996, John Perry Barlow issued a manifesto called <A Declaration of the Independence of
Cyberspace>.
http://www.eff.org/pub/Publications/John_Perry_Barlow/barlow0296.declaration.
2 Johnson, David R. /Post, David G., Law and Borders - The Rise of Law in Cyberspace, 48 Stanford Law Review
1367 – 1402 [1996].
underestimates the way governments and business figure out how to change
the way things work.
There are four constraints on [human] behaviour and freedom. They are the
law, norms (cultural and social influences), markets and -- crucially --
architecture. Architecture is a regulator in real space as well as cyberspace,
and it is essential to think about both. Napoleon III wanted fewer
revolutionaries, for example. So he rebuilt Paris with wide streets, making
it harder for revolutionaries to hide.
1.1 EXAMINING THE NEED FOR REGULATION
In some jurisdictions, the early adoption of legislation on digital signatures
[defined in the Glossary], for example, has not led to the increased take-up
of new technology as anticipated3. Rather, legislation has been bypassed
because it has been regarded as not providing appropriate, market-oriented,
non-regulatory solutions. Some of that legislation is now regarded as a better
example of what not to do, than as a model which should be followed4. A
number of laws currently being drafted in the US have undergone significant
changes in the course of the drafting process and more can be expected
before they reach their final form5. As lawyers’ understanding of the
technology grows, and as the uses and applications of the technology
develop, in concert with the development of appropriate business models,
3 Despite the early enactment of digital signature legislation in the American State of Utah in 1995, the first
certification authority to set up under that legislation was not established until late 1997.
4 The Utah Act has been described as of more use dead than alive.
5 Recommendation 92 of the Financial System Inquiry 1997 (Wallis Report) recommended that Australia should
adopt internationally recognised standards for electronic commerce, including for electronic transactions over the
Internet and the recognition of electronic signatures.
appreciation of the need for legislation and what is required in terms of its
form and content have also changed.
It is clear that what needs to be avoided at this early stage is an undue rush
towards legislation where none is needed, or where the need for it has not
yet been clearly demonstrated. This is particularly so in India where there
have been, as yet, few cases decided in the courts dealing with the issues
identified as likely to cause problems in electronic commerce. In other
words, it is difficult to judge the magnitude of legal problems being
encountered, at least in terms of measuring them through recourse to
traditional means of resolution through litigation, although it is clear that
some action to remove obvious legal obstacles would certainly facilitate
electronic commerce.
A number of international organizations are currently working on projects,
which have the potential to significantly influence the direction of domestic
regulation in a number of areas relevant to electronic commerce6. India is
actively engaged in those projects. This international work should be
carefully monitored to ensure that the Indian settings not only assist India's
competitive advantage, but also keep India in conformity with international
norms, while ensuring that the economic, social and cultural benefits of new
technology are maximized.
The UNCITRAL Model Law on Electronic Commerce uses the term
“commercial” and guidance on the meaning of that term may be gained from
6 These include work by: the UN Commission on International Trade Law on digital signatures and certification
authorities; work by the OECD on electronic commerce, digital signatures and certification authorities; and work
by APEC on certification practices and authorities.
the definition used in the Model Law7. To ensure consistency, this definition
is identical to the definition used by UNCITRAL in the Model Law on
International Commercial Arbitration8. The UNCITRAL definition of
commercial is, however, very broad and covers a number of areas in which
electronic commerce may raise particular issues. For reasons of time and
resources, we have not been able to consider specific sectors covered in that
definition and the particular issues raised by the greater use of electronic
commerce. This text does not consider issues specific to the financial sector,
but rather has focused upon broader generic issues of contract formation and
statutory form requirements such as requirements for certain contracts to be
in writing or signed.
1.2 A PERSPECTIVE ON THE LEGAL CHALLENGES POSED
BY THE NEW MEDIA
The problem of jurisdiction in cyberspace is by far the most complex. The
task before us is to examine section key concepts that are necessary
constituents of a tricky issue and perhaps juxtapose them against an
overview of methods and solutions. On an examination of jurisdiction
under the Indian Information Technology Act, 2000, [hereinafter “the
Indian IT Act”]; one is faced with the question: Is section 75 really as
controversial as it seems? The answer is in the negative. The Act,
7 Footnote **** to the Model Law on Electronic Commerce provides: The term “commercial” should be given a
wide interpretation so as to cover matters arising from all relationships of a commercial nature, whether
contractual or not. Relationships of a commercial nature include, but are not limited to, the following transactions:
any trade transaction for the supply or exchange of goods or services; distribution agreement; commercial
representation or agency; factoring; leasing; construction of works; consulting; engineering; licensing;
investment; financing; banking; insurance; exploitation agreement or concession; joint venture and other forms of
industrial or business co-operation; carriage of goods or passengers by air, sea, rail or road.
8 The UNCITRAL Model Law on International Commercial Arbitration was adopted by India as a model during
the drafting of the Indian Arbitration and Conciliation Act, 1996.
continuing a long tradition in law and commerce merely seeks to extend
the boundaries of local/municipal law in a logical way; as will be examined
in the next chapter on Jurisdiction.
1.3 JURISDICTION IN CYBERSPACE: PROBLEMS AND
PERSPECTIVES
Throughout human history, no regime of regulation or of dispute resolution
has ever pretended to be the sole source to which parties turn to ease
business intercourse. In every culture and in every time, private
arrangements as well as governmental activity have attempted to reduce the
occasions of conflict necessitating the exercise of judicial decision-making.
The economic world of cyberspace at the beginning of the 21st century is
no different. Trade depends on confidence: confidence on the part of the
buyer that goods or services will conform to legitimate expectations, and
confidence on the part of the seller that payment will be prompt and
complete. Such confidence, in the interests of all parties, is fostered by
industry self-regulation that reflects an honest attempt to identify and
resolve potential conflicts before they arise. The forms of such regulation
are many and are being actively explored, as e-commerce becomes an
increasingly important segment of the global economy. They include
voluntary codes of conduct, the provision of private arbitration for the
resolution of disputes, escrow accounts, agreements between buyers, sellers
and credit card companies, amongst others.
1.4 THE RELEVANCE OF PHYSICAL LOCATION
In determining under what circumstances extraterritorial jurisdictional
assertions are proper, courts and legislatures focused in the last half of the
20th century, as they had previously, on physical location but at a different
temporal point. Most frequently, the focus was on where certain activities
that gave rise to the plaintiff’s claim had occurred. Where a negligent act
took place, where a contract was entered into9 or was to be performed,10
where a service was performed, a security offered for sale, or a trademark
infringed became the touchstones of both personal and prescriptive
jurisdictional inquiries. As long as such an act occurred within the state’s
boundaries, its assertion of both personal and prescriptive jurisdiction was
proper. As long as activities continue to occur in “real” space, the place of
such occurrences remains relevant.11
Technology, however, reduces and frequently may eliminate the need for
physical contact in the creation of legally significant relationships between
parties or between an actor and the state acting as regulator. The legal
system must then decide what relationship is necessary between the forum
9 Countries gave much thought to the rules regulating contract formation, presumably at least in part to guarantee
perceived desirable jurisdictional results. In Australia, for example, a contract is formed at the time and place its
acceptance is received by the offeror. The consumer is the offeror, so the typical consumer contract is “formed”
when and where the consumer receives the seller’s acceptance. Brazil, Columbia, and Romania also look to the
residence of the offeror, although in Brazil a contractual choice of a different law will be upheld if it is not in
violation of public policy. See Nestor Nestor & Kingston Petersen, “Written Remarks,” posted at
<http://www.kentlaw.edu/cyberlaw>.
In Canada, proposed legislation would fix the address of the consumer as the place in which an on-line contract
was formed. See “Canadian Law on Jurisdiction in Cyberspace,” submitted by Arlan Gates, Paul Tackaberry and
Adam Balinsky, posted at <http://www.kentlaw.edu/cyberlaw> [hereinafter Gates].
10 The Brussels Convention, permits domiciliaries of contracting states to be sued in the courts of another
contracting state where the contractual obligation in question is to be performed. Title II, Section 2, Article 5.
11 Of course, not all assertions of jurisdiction were based on this kind of conduct-based inquiry. For example,
states continue to assert jurisdiction over their citizens with respect to claims that arise outside of the state and to
regulate conduct that occurs elsewhere which is intended to and does cause substantial effects in the state.
Nonetheless, a concern with where relevant acts took place is central to many, if not most, decisions.
and either the conduct occurring outside the forum or the parties. It is the
tie between a party and a forum, not necessarily a physical connection
between the forum and the conduct of that party that is critical. If the
remote party (i.e. the party never physically in the forum) knows that the
proximate party is in (or is a habitual resident of) the forum when the
remote party interacts with the proximate party, the remote party has
created a tie between itself and the forum state. Now it is the remote-
party/forum relationship at the time of interaction,12 not at the time process
is served, that matters. Whether such a tie is sufficient to enable the forum
to assert personal and prescriptive jurisdiction depends on an analysis of
additional factors (such as whether the remote party targeted the forum,
discussed below), but its existence is necessary to such assertions.
1.5 A PERSPECTIVE ON THE LEGAL CHALLENGES POSED
BY THE NEW MEDIA
The problem of jurisdiction in cyberspace is by far the most complex. The
task before us is to examine section key concepts that are necessary
constituents of a tricky issue and perhaps juxtapose them against an
overview of methods and solutions. On an examination of jurisdiction
under the Indian Information Technology Act, 2000, [hereinafter “the
Indian IT Act”]; one is faced with the question: Is section 75 really as
controversial as it seems? The answer is in the negative. The Act,
continuing a long tradition in law and commerce merely seeks to extend
12 In some contexts, some countries have already implicitly recognised this in the specific context of electronic
commerce. Australia’s Electronic Transactions Act 1999 (Cth) provides default rules for the place of dispatch
and receipt of electronic communications (including the place of an offer or acceptance of a contract) based on
the party’s place of business or ordinary residence.
the boundaries of local/municipal law in a logical way; as will be examined
in the next chapter on Jurisdiction.
1.6 JURISDICTION IN CYBERSPACE: PROBLEMS AND
PERSPECTIVES
Throughout human history, no regime of regulation or of dispute resolution
has ever pretended to be the sole source to which parties turn to ease
business intercourse. In every culture and in every time, private
arrangements as well as governmental activity have attempted to reduce the
occasions of conflict necessitating the exercise of judicial decision-making.
The economic world of cyberspace at the beginning of the 21st century is
no different. Trade depends on confidence: confidence on the part of the
buyer that goods or services will conform to legitimate expectations, and
confidence on the part of the seller that payment will be prompt and
complete. Such confidence, in the interests of all parties, is fostered by
industry self-regulation that reflects an honest attempt to identify and
resolve potential conflicts before they arise. The forms of such regulation
are many and are being actively explored, as e-commerce becomes an
increasingly important segment of the global economy. They include
voluntary codes of conduct, the provision of private arbitration for the
resolution of disputes, escrow accounts, agreements between buyers, sellers
and credit card companies, amongst others.
1.7 THE RELEVANCE OF PHYSICAL LOCATION
In determining under what circumstances extraterritorial jurisdictional
assertions are proper, courts and legislatures focused in the last half of the
20th century, as they had previously, on physical location but at a different
temporal point. Most frequently, the focus was on where certain activities
that gave rise to the plaintiff’s claim had occurred. Where a negligent act
took place, where a contract was entered into13 or was to be performed,14
where a service was performed, a security offered for sale, or a trademark
infringed became the touchstones of both personal and prescriptive
jurisdictional inquiries. As long as such an act occurred within the state’s
boundaries, its assertion of both personal and prescriptive jurisdiction was
proper. As long as activities continue to occur in “real” space, the place of
such occurrences remains relevant.15
Technology, however, reduces and frequently may eliminate the need for
physical contact in the creation of legally significant relationships between
parties or between an actor and the state acting as regulator. The legal
system must then decide what relationship is necessary between the forum
13 Countries gave much thought to the rules regulating contract formation, presumably at least in part to guarantee
perceived desirable jurisdictional results. In Australia, for example, a contract is formed at the time and place its
acceptance is received by the offeror. The consumer is the offeror, so the typical consumer contract is “formed”
when and where the consumer receives the seller’s acceptance. Brazil, Columbia, and Romania also look to the
residence of the offeror, although in Brazil a contractual choice of a different law will be upheld if it is not in
violation of public policy. See Nestor Nestor & Kingston Petersen, “Written Remarks,” posted at
<http://www.kentlaw.edu/cyberlaw>.
In Canada, proposed legislation would fix the address of the consumer as the place in which an on-line contract
was formed. See “Canadian Law on Jurisdiction in Cyberspace,” submitted by Arlan Gates, Paul Tackaberry and
Adam Balinsky, posted at <http://www.kentlaw.edu/cyberlaw> [hereinafter Gates].
14 The Brussels Convention, permits domiciliaries of contracting states to be sued in the courts of another
contracting state where the contractual obligation in question is to be performed. Title II, Section 2, Article 5.
15 Of course, not all assertions of jurisdiction were based on this kind of conduct-based inquiry. For example,
states continue to assert jurisdiction over their citizens with respect to claims that arise outside of the state and to
regulate conduct that occurs elsewhere which is intended to and does cause substantial effects in the state.
Nonetheless, a concern with where relevant acts took place is central to many, if not most, decisions.
and either the conduct occurring outside the forum or the parties. It is the
tie between a party and a forum, not necessarily a physical connection
between the forum and the conduct of that party that is critical. If the
remote party (i.e. the party never physically in the forum) knows that the
proximate party is in (or is a habitual resident of) the forum when the
remote party interacts with the proximate party, the remote party has
created a tie between itself and the forum state. Now it is the remote-
party/forum relationship at the time of interaction,16 not at the time process
is served, that matters. Whether such a tie is sufficient to enable the forum
to assert personal and prescriptive jurisdiction depends on an analysis of
additional factors (such as whether the remote party targeted the forum,
discussed below), but its existence is necessary to such assertions.
1.8 ESTABLISHING JURISDICTION OVER CYBERSPACE:
TOWARDS A ‘SIMPLER’ READING OF THE “ACT”
Some provisions of the Act have been deemed controversial. For example,
section 75 states that the Act will apply to an offence or contravention
committed outside India by any person irrespective of his nationality, if the
act or conduct constituting the offence or contravention involves a
computer, computer system or computer network in India. A computer is
only a medium for communication. The use of a computer is not materially
different from the use of a phone or a car in the commission of a crime
unless the computer has been programmed for automatic action by its
owner. It is not going to be easy to acquire jurisdiction over a person not
16 In some contexts, some countries have already implicitly recognised this in the specific context of electronic
commerce. Australia’s Electronic Transactions Act 1999 (Cth) provides default rules for the place of dispatch
and receipt of electronic communications (including the place of an offer or acceptance of a contract) based on
the party’s place of business or ordinary residence.
resident in India if a foreign country is the scene of the crime and the
criminal is not even an Indian citizen, merely because a computer or a
computer system in India has been utilized in some way or other in
connection with the crime. Nevertheless, certainly, if software/hardware in
India is damaged by a hacker based in a foreign country, there can be no
dispute about India’s right to reach him and make him accountable for the
crime committed in India alone.
Where contravention of any provisions of the Act has occurred is a matter
of adjudication for compensation purposes by the adjudicating officer and
for criminal action by the court.
1.9 THE INDIAN ELECTRONIC COMMERCE LEGISLATION:
A READING OF THE "ACT"
The Information Technology Act will go a long way in facilitating and
regulating electronic commerce. It has provided a legal framework for
smooth conduct of e-commerce. It has tackled the following legal issues
associated with e-commerce:
(a) requirement of writing; (b) requirement of a document; (c) requirement
of a signature; and (d) requirement of legal recognition for electronic
messages, records and documents to be admitted in evidence in a court of
law.
However, the Act, has not addressed the following grey areas;
(i) protection for domain names;
(ii) infringement of copyrights laws;
(iii) jurisdiction aspect of electronic contracts (viz. Jurisdiction of Courts
and tax authorities);
(iv) taxation of goods and services traded through e-commerce;
(v) stamp duty aspect of electronic contracts.
The main objective of the Act is to provide legal recognition for
transactions carried out by means of electronic data interchange and other
means of electronic communication, commonly referred to as e-commerce,
which involve the use of alternatives to paper-based methods of
communication and storage of information to facilitate electronic filing of
documents with the Government agencies. The Act, apart from India, has
extra-territorial jurisdiction to cover any offence or contravention
committed outside India by any person.
1.9.1 Exemption/exclusion
The Act shall not apply to the following categories of transaction:
(a)Any Negotiable Instrument;
(b)A Power of Attorney;
(c)A Trust;
(d)A will including any other testamentary disposition;
(e)Any contract for the sale or conveyance of immovable property; and
(f) Any other documents or transactions as may be decided by the Central
Government.
1.10 DIGITAL SIGNATURES
With the passing of the Act, any subscriber (i.e., a person in whose name
the Digital Signature Certificate is issued) may authenticate electronic
record by affixing his Digital Signature. Electronic record means data
record or data generated image or sound, store, received or sent in an
electronic form or microfilm or computer generated microfiche.
1.11 ELECTRONIC GOVERNANCE
Where any law provides submission of information in writing or in the type
written or printed form, from now onwards it will be sufficient compliance
of law, if the same is sent in an electronic form. Further, if any statute
provides for affixation of signature in any document, the same can be done
by means of Digital Signature.
Similarly, the filing of any form, application or any other documents with
the Government Authorities and issue or grant of any license, permit,
sanction or approval and any receipt acknowledging payment can be done
by the Government offices by means of electronic form. From now
onwards retention of documents, records, or information as provided in any
law, can be done by maintaining electronic records. Any rule, regulation,
order, by-law or notification can be published in the Official Gazette or
Electronic Gazette.
The Act, however, provides that no Ministry or Department of Central
Government or the State Government or any Authority established under
any law can insist upon acceptance of document only in the form of
electronic record.
1.11.1 Acknowledgement and dispatch of electronic records
An electronic record can be sent by the addresser himself or by a person
acting under his authority. An acknowledgement may be given by any
communication by the addressee automatic or otherwise. Even any conduct
of the addressee is sufficient to indicate to the addresser that the electronic
records have been received which shall be treated as sufficient
acknowledgement.
The dispatch of electronic records occurs when it enters a computer
resource outside the control of the originator (i.e., addresser). Time of
receipt of electronic record shall be determined when electronic record
enters the digital computer resource or at the time when the electronic
record is retrieved by the addressee. An electronic record is deemed to be
dispatched at the place where the addresser has his place of business and is
deemed to be received at the place where the addressee has his place of
business.
1.11.2 Secured electronic records and digital signature
Under the Act, the Central Government has the power to prescribe the
security procedure in relation to electronic records and Digital Signatures,
considering the nature of the transaction, the level of sophistication of the
Parties with reference to their technological capacity, the volume of
transactions and the procedures in general used for similar types of
transactions or communications.
1.11.3 Regulation of certifying authorities
The Central Government may appoint a Controller of Certifying Authority
who shall exercise supervision over the activities of Certifying Authorities.
Certifying Authority means a person who has been granted a license to
issue a Digital Signature Certificate. The Controller of Certifying
Authority shall have powers to lay down rules, regulations, duties,
responsibilities and functions of the Certifying Authority issuing Digital
Signature Certificates. The Certifying Authority empowered to issue a
Digital Signature Certificate shall have to procure a license from the
Controller of Certifying Authority to issue Digital Signature Certificates.
Detailed rules and regulations have been prescribed in the Act, as to the
application for license, suspension of license and procedure for grant or
rejection of license by the Controller of Certifying Authority.
1.11.4 Digital signature certificate
Any person may make an application to the Certifying Authority for issue
of Digital Signature Certificate. The Certifying Authority while issuing
such certificate shall certify that it has complied with the provisions of the
Act.
The Certifying Authority has to ensure that the subscriber (i.e., a person in
whose name the Digital Signature Certificate is issued) holds the private
key corresponding to the public key listed in the Digital Signature
Certificate and such public and private keys constitute a functioning key
pair. The Certifying Authority has the power to suspend or revoke Digital
Signature Certificate.
1.11.5 Duties of subscribers
A subscriber can publish or authorize the publication of Digital Signature
Certificate. Similarly, he can accept such certificate.
It is the responsibility of a subscriber to exercise reasonable care to retain
control of the private key corresponding to the public key listed in his
Digital Signature Certificate and to take all steps to prevent its disclosure
to any unauthorized person.
1.11.6 Penalties and adjudication
If any person without the permission of the owner, accesses the owner's
computer, computer system or computer net-work or downloads copies or
any extract or introduces any computer virus or damages computer,
computer system or computer net work data etc. he shall be liable to pay
damage by way of compensation not exceeding Rupees One Crore to the
person so affected.
For the purpose of adjudication, the Central Government can appoint any
officer, not below the rank of Director to the Government of India or any
equivalent officer of any State Government, to be an Adjudicating Officer.
The Adjudicating Officer while trying out cases of this nature shall consider
the amount of gain of unfair advantage or the amount of loss that may be
suffered by a person. The aforesaid provisions were not incorporated in the
Information Technology Act, 2000 and the same were suggested by the
Select Committee of Parliament17.
1.11.7 The cyber regulations appellate tribunal
Under the Act, the Central Government has the power to establish the
Cyber Regulations Appellate Tribunal. The Tribunal shall have the power
to entertain the cases of any person aggrieved by the Order made by the
Controller of Certifying Authority or the Adjudicating Officer.
1.11.8 Offences
Tampering with computer source documents shall be punishable with
imprisonment up to three years or fine up to Rs. 2 lakhs or with both.
17 In Delhi, the first case under the Act has already been registered by the police based on an FIR filed by a Retd.
Army Officer whose Internet time has been "stolen" by the accused. However, the accused has been granted bail
by the City Court. Interestingly, although passed by the Parliament, the Act did not come into force until recently
and Notification to this effect was issued by the Central Government in the Official Gazette on June 19, 2000.
This was one of the pleas taken by the accused in the aforesaid case.
Similarly, hacking with computer system entails punishment with
imprisonment up to three years or with fine upto Rs. 2 lakhs or with both.
Publishing of information, which is obscene in electronic form, shall be
punishable with imprisonment up to three years or with fine up to Rs. 5
lakhs and for second conviction with imprisonment up to 5 years and with
fine up to Rs. 10 lakhs.18
1.11.9 Miscellaneous
Under the Act, any police officer not below the rank of Deputy
Superintendent of Police or any other authorized officer of the Central or
State Governments, may enter in public place and search for arrest without
warrant, any person who is reasonably suspected or having committed or
committing or of being about to commit any offence under the Act. 'Public
place', includes any hotel, shop or any other place intended for use or
accessible to public19.
1.12 THE AMENDMENTS: A ‘REACTION’
The amendments to the Information Technology Act to a measurable extent
are a “reaction” to recent developments such as service provider liability
issues and auction sites; sleazy MMS clips and the like. In major part,
desirable as most reactions are, offences under the Act have been made
18 Information Technology Act, 2000, s. 67.
19 This amendment was suggested by the Select Committee of Parliament. Under the Indian Penal Code, even a
constable has the aforesaid power. However, the power given to the designated police officer is so wide that even
on suspicion or on his conviction that an offence is about to be committed, he can conduct search and arrest
without any warrant. There is a wide spread fear that this may be misused.
compoundable20; that is to say, the parties can compound the case i.e. settle
it between themselves. This is welcome as most crimes target specific
individuals and it is right for individuals to sort out the situation.
The offences which have been made compoundable are:
• Section 66: If a person dishonestly or fraudulently does any act which
damages the computer or the computer system, he is liable to a fine of
up to five lakhs or be imprisoned for a term of up to three years. A
host of new sections have been added to section 66 as sections 66A to
66F prescribing punishment for offenses such as obscene electronic
message transmissions, identity theft, cheating by impersonation
using computer resource, violation of privacy and cyber terrorism.
• Section 66A21: If any person sends by means of a computer resource
or a communication any content which is grossly offensive or has a
menacing character or which is not true but is sent to create nuisance,
annoyance, criminal intimidation, hatred or ill will etc shall be
imprisoned for an imprisonment term which may be up to three years
combined with a fine.
• Section 67 of the old Act is amended to reduce the term of
imprisonment for publishing or transmitting obscene material in
electronic form to three years from five years and increase the fine
thereof from Indian Rupees 100,000 (approximately USD 2000) to
20 Section 77A provides that the ‘offences under sections 66, 66A, 72 and 72A may be compounded by the
aggrieved person.’
21 Section 66A of the I.T Act, 2000 has been struck down by the Supreme Court in Shreya Singhal v Union of
India, (2013) 12 S.C.C. 73.
Indian Rupees 500,000 (approximately USD 10,000). A host of new
sections have been inserted as Sections 67 A to 67C. While Sections
67 A and B insert penal provisions in respect of offenses of publishing
or transmitting of material containing sexually explicit act and child
pornography in electronic form, section 67C deals with the obligation
of an intermediary to preserve and retain such information as may be
specified for such duration and in such manner and format as the
central government may prescribe.
• In view of the increasing threat of terrorism in the country, the new
amendments include an amended section 69 giving power to the state
to issue directions for interception or monitoring of decryption of any
information through any computer resource. Further, sections 69 A
and B, two new sections, grant power to the state to issue directions
for blocking for public access of any information through any
computer resource and to authorize to monitor and collect traffic data
or information through any computer resource for cyber security.
• Section 72: If a person is found in possession of some confidential
information like electronic record, book, register, correspondence and
he is found disclosing it to any third party without the consent of the
person concerned, then he shall be punished with imprisonment for a
term which may be up to two years, or a fine which may extend to
One Lakh rupees, or with both.
• Section 72A: If any person while providing services under the terms
of the contract, has secured access to any material containing personal
information about another person, with the intent to cause wrongful
loss or wrongful gain disclosed the information, without the person’s
consent or in breach of a lawful contract, shall be punished with
imprisonment for a term which may extend to three years or with fine
which may extend to five lakh rupees or with both.
1.13 THE ‘MEDIUM’ NOT THE ‘MACHINE’/’DEVICE’
It is important to remember that the Internet is principally a medium; which
can be regulated by regulating its “layers”. A law to be effective must apply
to (or regulate) one or more “layer” that is: (a) the physical (the wires,
hardware, the ‘device’ itself); (b) the digital (the code or the “spectrum”) or
(c) content (whether prohibited socially censored comments or proprietary
material).
1.14 DATA PRIVACY AND INFORMATION SECURITY
In view of recent concerns about the operating provisions in the IT Act
related to “Data Protection and Privacy” in addition to contractual
agreements between the parties the existing Sections (viz. 43, 65, 66 and
72A) have been revisited and some amendments/more stringent provisions
have been provided for in the Act. Notably amongst these are:
• Section 43(A) is related to handling of sensitive personal data or
information with reasonable security practices and procedures. This
section has been inserted to protect sensitive personal data or
information possessed, dealt or handled by a body corporate in a
computer resource which such body corporate owns, controls or
operates. If such body corporate is negligent in implementing and
maintaining reasonable security practices and procedures and thereby
causes wrongful loss or wrongful gain to any person, it shall be liable
to pay damages by way of compensation to the person so affected.
• Gradation of severity of computer related offences under Section 66
has been amended, now if an offence is committed dishonestly or
fraudulently then punishment is for a term which may extend to three
years or a fine which may extend to Rs 5 lakhs or with both;
• The addition of Section 72 A for breach of confidentiality with the
intent to cause injury to a subscriber. This is recognised as providing
sufficient protection under the EC Directive22
Contractual agreements are those agreements which are signed between
parties where one party provides services on the basis of the contract signed.
There is always a provision in any contractual agreement of not to disclose
any information which is imperative for the running of the business.
According to Section 72 (A) if anyone is found disclosing any information
of a third person, without his consent he shall be punished with
imprisonment for a term which may extend to three years or a fine of Rs
500,000.
The problem remains with ambiguous phrases. For instance, the amended
Section 43 (A) makes it mandatory for companies to include ‘reasonable
22 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing
of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and
electronic communications) available at
<http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML>
security measures’ while handling data. What precisely does ‘reasonable’
indicate is any one’s guess. We would recommend organisations to follow
the standards prescribed by the Computer Emergency Response Team
(CERT). CERT’s primary role is to raise security awareness among the
cyber community and to provide technical assistance and advice them to
help them recover form computer security incidents.
CERT provides technical advice to System Administrators and users to
respond to computer security incidents. It also identifies trends in intruder
activity, works with other similar institutions and organisations to resolve
major security issues, and disseminates information to the cyber
community. CERT also enlightens its constituents about the security
awareness and best practices for various systems and networks by
publishing advice, guidelines and other technical documents. The European
Network and Information Security Agency (ENISA) performs similar
functions to the CERT. The basic regulation which established ENISA is
the Regulation (EC) No 460/2004.23
23 See REGULATION (EC) No 460/2004 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of
10 March 2004 establishing the European Network and Information Security Agency available at
<http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:077:0001:0011:EN:PDF>
1.15 INDIAN COMPUTER EMERGENCY RESPONSE TEAM TO
SERVE AS NATIONAL NODAL AGENCY
The new amended Act of 2006 provides for an Indian Computer Emergency
response team to act as a central agency in respect of Critical Information
Infrastructure24 for coordinating all actions relating to information security
practices, procedures, guidelines, incident prevention, response and
reporting.25
Cert has been operational since January 2004. The main motive for setting
up such a team is to avoid malafide worms from our system. In today’s
world where most of the work is done by the computers, our entire
efficiency and national data was initially risked and left to be tampered by
the malicious hackers. To avoid any such problems the cert was set up.
CERT-In is the national nodal agency for responding to computer security
incidents as and when they occur. In the recent Information Technology
Amendment Act 2008, CERT-In has been designated to serve as the national
agency to perform the following functions in the area of cyber security:-
1. Collection, analysis and dissemination of information on cyber
incidents.
24 “Information infrastructures form an essential part of critical infrastructures. In order effectively to protect
critical infrastructures, therefore, countries must protect critical information infrastructures from damage and
secure them against attack. Effective critical infrastructure protection includes identifying threats to and reducing
the vulnerability of such infrastructures to damage or attack, minimizing damage and recovery time in the event
that damage or attack occurs, and identifying the cause of damage or the source of attack for analysis by experts
and/or investigation by law enforcement.” G8 Principles for Protecting Critical Information Infrastructures
(Adopted by the G8 Justice & Interior Ministers, May 2003) available at
<http://www.usdoj.gov/criminal/cybercrime/g82004/G8_CIIP_Principles.pdf>
25 Section 70 A of the Act
2. Forecast and alerts of cyber security incidents
3. Emergency measures for handling cyber security incidents
4. Coordination of cyber incidents response activities
5. Issue guidelines, advisories, vulnerability notes and whitepapers
relating to information security practices, procedures, prevention,
response and reporting of cyber incidents.
6. Such other functions relating to cyber security as may be prescribed.26
Whenever a new technology arrives, its misuse is not long in following - the
first worm in the IBM VNET was covered up. Shortly later a worm hit the
Internet on the 3 November 1988, when the so-called Morris Worm
paralyzed a good percentage of it. This led to the formation of the first
Computer Emergency Response Team at Carnegie Mellon University under
U.S. Government contract.27 The Indian Computer Emergency Response
Team (CERT-In) is assisting the Department of Information Technology in
putting in place a national cyber security strategy and a national information
security governance policy. CERT-In explains how an organization seeks to
ensure the safety and security of the Indian cyber space The purpose of
CERT-In is to become the nation's most trusted referral agency for
responding to computer security incidents as and when they occur.28 With
the increasing use of IT, there is an increasing reliance on inter-dependant
and cyber supported infrastructure. Technological advances have created
26 http://www.cert-in.org.in/
27 http://en.wikipedia.org/wiki/Computer_emergency_response_team
28 http://www.inclusion.in/index.php?option=com_content&view=article&id=427
new vulnerabilities to equipment failure, human error, weather and natural
causes, and intentional physical and cyber attacks. Since the threats to
critical national IT infrastructure through these vulnerabilities are likely to
have a crippling effect on the economy as also safety and well-being of
society, addressing them will increasingly require coordinated efforts
between the government and the private sector, both within the country as
well as across other bodies around the world. In view of this, it was felt
necessary to establish CERT-In to ensure the safety and security of the
Indian cyber space.29
The Department of Information Technology, Ministry of Communications
and Information Technology, Government of India, has established the
Indian Computer Emergency Response Team (Cert-In). As part of the
CERT-In, each sector needs to set up a Sub-Cert and IDRBT is the Sub-Cert
for the Indian Banking and Financial Sector.
1.16 BASIC ROLE OF CERT30
• Role of CERT-In
– Computer Security Incident Response (Reactive)
– Computer Security Incident Prevention (Proactive)
– Security Quality Management Services
29 http://www.inclusion.in/index.php?option=com_content&view=article&id=427
30 http://www.itu.int/ITU-D/cyb/events/2009/hyderabad/docs/rai-role-of-cert-in-sept-09.pdf
• Information Exchange
– With sectorial CERTs (CSIRTs), CIOs of Critical
Infrastructure, organizations, ISPs, Vendors
• International Collaboration
– Member of FIRST
– Member of APCERT
– Research Partner- APWG
– Functional relationship with US-CERT and CERT/CC
1.16.1 Reporting
1. Central point for reporting incidents:- the following information
should be given while reporting about any incident
• time of occurrence
• information regarding affected system
• symptoms observed
• relevant technical information such as security system
deployed, actions taken to mitigate the damage.
2. Database of incidents
1.16.2 Analysis
1. Analysis of trends and patterns of intruder activity
2. Develop preventive strategies for the whole constituency
3. In-depth look at an incident report or an incident activity to determine
the scope, priority and threat of the incident.
1.16.3 Response
1. Incident response is a process devoted to restoring affected systems to
operation
2. Send out recommendations for recovery from, and containment of
damage caused by the incidents.
3. Help the System Administrators take follow up action to prevent
recurrence of similar incidents
1.16.4 Reporting of vulnerability
Vulnerability is a bug which enables a hacker to bypass security measures.
Any such act which is done with a bonafide intention or malafide intention
should be reported to cert-in quickly before it is too late.
1.16.5 Other significant roles31
1.16.5.1 Reactive
1. Provide a single point of contact for reporting local problems- The
entire cert program is run and managed by the Indian government. Its
main role is to safe guard the interest of people in the country and to
secure the important national data from letting it go into wrong hands
before they do something unfriendly.
2. Assist the organizational constituency and general computing
community in preventing and handling computer security incidents:-
Like we have already discussed that with every new invention in this
world a thread follows. The thread could also be in the face of
vulnerability. Hence to avoid such catastrophic incident to take place,
the threat of vulnerability should be stopped.
3. Share information and lessons learned with CERT/CC, other CERTs,
response teams, organizations and sites:- As in the reporting of such
information is concerned, it is quite evident that the more information
about any worm or about any misshaping is given to cert, the lesser
will be its impact on future endeavours.
4. Incident Response:- Incident response can be given to the team as
soon as possible by any intervention of such type is met. To avoid any
such possibility to breach our secure internet system is fatal to us.
31http://www.cert-in.org.in/
5. Provide a 24 x 7 security service:- CERT provides a 24 /7 security
system so that threat can never dismantle the main server, or to
prevent any attacker for any evil move.
6. Offer recovery procedures:- There are many procedures and
guidelines which are given in the home page of cert. using those and
new upgraded law we can seek for recovery procedures.
1.16.5.2 Proactive
1. Issue security guidelines, advisories and timely advise- there are many
guidelines that are actively working across the system to actually
enable a shield to avoid and prevent any misuse. Few of them are
CISG 2010-01, CISG 2011-3, CISG 2011-2.
2. Vulnerability analysis and response- for any kind of vulnerability
response the first and the foremost thing is to be done is to inform the
cert. they have the technology and authority to track down as such
vulnerable person, who hacks in the system for doing something
unfriendly.
3. Risk Analysis- the chances of risk in such a situation is extreme.
4. Profiling attackers- the cert have more or less the profiles of the main
attacker who could come out with a plan to disrupt the free flow of
the cyber system of the country. To avoid this profile of each attacker
is kept so that in case the team can need it.
5. Conduct training, research and development: The team has under
gone various training programs in which they are taught how to
eradicate the problem. In lieu of such eradication many new programs
are also made along to fight the day to day problems.
6. Interact with vendors and others at large to investigate and provide
solutions for incidents:-the team is highly qualified to take cognizance
of the cyber offence and can discuss the gravity of the offence and can
direct to investigate the same.
1.17 CYBER CRIME, EVIDENCE AND PUNISHMENT
The Act provides for essentially economic offences or crimes in the medium
that are linked to economic loss or detriment. The Government would do
well to take a proverbial leaf from the OECD Guidelines for the Security of
Information Systems and Networks32 and the Council of Europe’s
Convention on Cybercrime.33 Social offences like pornography when
included are superfluous due to the existing provisions in the Indian Penal
Code covering pornography. Though pornography has not been defined
under the code, section 292 clearly states that “a book, pamphlet, paper,
writing, drawing, painting representation, figure or any other object, shall
be deemed to be obscene if it is lascivious or appeals to the prurient interest
or if its effect,” Neither has the language or expression changed from 1860,
the year when the Indian Penal Code came into force. The inclusion of a
provision banning child pornography could well be a case of ‘over
32 See OECD Guidelines for the Security of Information Systems and Networks available at
<http://www.oecd.org/dataoecd/16/22/15582260.pdf>
33 Convention on Cyber crime avalable at. <http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm>
legislation’ considering the existing blanket ban on pornography per se; both
in the Information Technology Act, 2000 (section 67) as well as the Indian
Penal Code, 1860 (section 292).
A ‘fresh’ Section 68(A) has been proposed for providing modes and
methods for encryption for secure use of the electronic medium. This is a
welcome guidance. Section 69, related to power to issue directions for
interception or monitoring or decryption of any information through any
computer resource, has been amended to take care of the concerns of the
Ministry of Home Affairs which include the safety, sovereignty, integrity of
India, defence of India, to maintain friendly relations with other nations and
preventing incitement to the commission of any cognizable offence.
A new section 79 A34 (Examiners of Electronic Evidence) has been added
to notify the examiners of electronic evidence by the Central Government.
This will help the Judiciary/Adjudicating officers in handling technical
issues.
Section 79 has been revised to bring-out explicitly the extent of liability of
intermediary in certain cases. The EU Directive on E-Commerce
2000/31/EC issued on June 8th 2000 has been used as a guiding document.35
34 Section 79A – ‘The Central Government may, for the purposes of providing expert opinion on electronic form
evidence before any court or other authority specify, by notification in the Official Gazette, any Department, body
or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.’
35 See Section 4 Article 12 of EU Directive on E-Commerce 2000/31/EC issued on June 8th 2000 available at
<http://eurlex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32000
L0031&model=guichett>
1.18 OTHER AMENDMENTS
• The term “digital signature” has been replaced with “electronic
signature”.
• “Communication Device” has been defined as cell phones, personal
digital assistance or combination of both or any other device used to
communicate, send or transmit any text video, audio or image.
• “Cyber café” has been defined as any facility from where the access
to the internet is offered by any person in the ordinary course of
business to the members of the public.
• A new definition has been inserted for “intermediary”. “Intermediary”
with respect to any particular electronic records, means any person
who on behalf of another person receives, stores or transmits that
record or provides any service with respect to that record and includes
telecom service providers, network service providers, internet service
providers, web-hosting service providers, search engines, online
payment sites, online-auction sites, online market places and cyber
cafes, but does not include a body corporate referred to in Section
43A.
• A new section 10A has been inserted to the effect that contracts
concluded electronically shall not be deemed to be unenforceable
solely on the ground that electronic form or means was used.
• The damages of Rs. One Crore (approximately USD 200,000)
prescribed under section 43 of the earlier Act for damage to computer,
computer system etc has been deleted and the relevant parts of the
section have been substituted by the words, “he shall be liable to pay
damages by way of compensation to the person so affected”.
• A proviso has been added to Section 81 which states that the
provisions of the Act shall have overriding effect. The proviso states
that nothing contained in the Act shall restrict any person from
exercising any right conferred under the Copyright Act, 1957
1.19 DRAWBACKS OF THE NEW LEGISLATION
The amendments ignore existing international classifications of cyber
crimes. The Council of Europe’s Convention on Cybercrime36 identifies the
following as offences which should be incorporated into substantive
criminal law; some of the provisions are particularly relevant, which are:
I. Computer-related offences
Computer-related fraud (Art. 8)
II. Content-related offences
Racial hatred, obscenity, amongst other classifications
III. Offences related to infringements of copyright and related rights
36 See Convention on Cybercrime available at <http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm>
Offences related to infringements of copyright and related
rights (Art. 10)
1.20 TOWARDS A PRIVACY REGIME?
While the amended version of the Act strengthens provisions on
confidentiality and data privacy; the inclusion of a solitary provision on data
privacy is quite in contrast to Europe where data protection provisions are
enshrined in Directives at the EU level and in national legislation. In fact,
data protection is sine qua non for aspirant members to the European Union,
and also for companies who receive data from the EU. “Data subjects” must
have rights enshrined in explicit rules with a detailed enforcement
mechanism rather than rather than relying on a lone section to do the task
elsewhere performed by an entire Act! A detailed data protection law is
needed; not merely for the ITES industry but for the citizens of India. The
right to know balanced with the right to privacy is the hallmark of a
democracy.
1.21 ‘LEGALESE’ AND LEGAL DRAFTING: CONTROVERSIAL
PROVISIONS IN THE ‘ACT’
The Information Technology Act, [“the Act”] as in the case of all
legislation, is supposed to be for every citizen, especially the non-specialist,
its language should be comprehensible to anyone who is likely to be
affected by it either as one who provides any services or conducts any
business or as a consumer who avails of any services or supplies through
the electronic medium. The danger of being enveloped in long and
torturous sentences and unnecessary jargon seems to manifest itself in the
Act.
It will be no exaggeration to say that the following provisions of the
Explanation to sub-section (2) of section 3 will need a lot of explanation
and will not serve any purpose in the present form: ‘For the purpose of this
sub-section, “hash function” means an algorithm mapping or translation of
one sequence of bits into another, generally smaller set, known as “hash
result” such that an electronic record yields the same hash result every time
the algorithm is executed with the same electronic record as its input’
making it computationally infeasible.
(a) to derive or reconstruct the original electronic record from the lash
result produced by the algorithm;
(b) that two electronic records can produce the same lash result using the
same algorithm.
Section 40, unfortunately, is no better:
“Where any digital signature certificate, the public key of which
corresponds to the private key of that subscriber which is to be listed in the
digital signature certificate, has been accepted by the subscriber, then, the
subscriber shall generate the key pair by applying the security procedure’.
1.22 LIABILITY FOR CARRIAGE AND CONTENT
1.22.1 A "look" at the EU position
Directive 2000/31/EC of the European Parliament and of the Council of
June 8 2000 on Certain Legal Aspects of Information Society Services, in
Particular Electronic Commerce, in the Internet Market
The largest development involves the European Commission’s adoption on
June 8th of its Electronic Commerce Directive, which aims to remove
barriers to e-commerce37. The Directive includes various provisions
affecting search engines such as: (i) a company providing “information
society services” (e.g. selling goods or providing information on line) will
be subject to the law of the Member State in which it is established,
irrespective of where the recipient of the service is based (the “country of
origin" principle); (ii) Internet service providers (ISP) receive some
exemption from liability for infringing material transmitted over their
systems by third parties, provided certain conditions are met; (iii)
unsolicited commercial e-mail (“spam”) must be clearly identifiable as
such, and companies sending this kind of e-mail must regularly consult any
relevant opt-out registers.
The Indian Act makes a distinction between an access provider who
provides access and the content provider who provides the content for the
sake of determining liability. It establishes that a network service provider
is not subject to criminal or civil liability for third party material for which
37 Member States have until 16 January 2002 to implement the provisions of the Directive into their national laws.
or to which the provider merely provides access. Network service
providers will continue to be liable for their own content, or third party
content that they adopt or approve of38. Indian Information Technology
Act immunizes Internet Service Providers against liability arising out of
any distressing content or defamatory statements or such content that is
likely to violate any law. By reducing the liability of service providers, the
Act ensures that they are not penalized for content, which is beyond their
control.
The primary issue is whether Section 292 IPC could be invoked for a Web
site search results issue. Section 292 defines obscenity. However, it says
that a book, pamphlet, paper, writing, drawing, painting, representation,
figure or any other object, shall be deemed to be obscene if it is lascivious
or appeals to the prurient interest, or (where it comprises two or more
distinct items) the effect of any one of its items, is, if taken as a whole,
tends to deprave and corrupt persons who are likely, having regard to all
relevant circumstances, to read, see or hear the matter contained or
embodied in it.
The controversy is as to how define the words "any other object". Section
292 (1) IPC describes of a book, pamphlet, paper, writing, drawing,
painting, representation, figure or any other object. All the objects defined
under Section 292 are corporeal and material in nature. Can we interpret
the word any other object in such a broad manner such as to include
anything and everything in Cyberspace? Can any other object also mean a
38 A survey of Latin American countries reveals that at least Brazil, Ecuador, El Salvador, Uruguay and Venezuela
have pending legislation and/or regulations pertaining to electronic commerce, though none of these pending rules
would specifically address a search engine’s liability for trademark infringement.
virtual object? These issues are very complicated. And any attempt to apply
the provisions of Section 292 IPC to cyber world is an exercise fraught with
difficulties.
1.22.2 Over/under-riding regulatory issues
(a) licensing of cross-border telecom systems: a perspective on the
Indian regulatory impasse on telecom. The Indian Telecom
Authorities are undecided on the issues of whether to allow voice
over telephony, in the light of resistance from the Department of
Telecommunications (DoT).
(b) Encryption: testing 'legality' in India. A study in the light of section
14 of the Indian Information Technology Act, 2000. Is encryption
allowed under Indian law? The government says “no”, but the 'Act'
appears to say “yes”. As per government policy as evidenced from
periodic notices and circulars, encryption is illegal in India; however
the Act seems to say otherwise. As would appear from a reading of
section 14 of the legislation. Laws are in existence in India that can
be interpreted to read that transmission of data with any form of
encryption is illegal. Onus of prevention is upon the service provider
concerned. However, much of current Internet technology, including
secure Web servers, PGP encrypted Email, and Virtual Private
Networks, are based on encryption. Prevention may be technically
impossible, and this could be used as grounds for revocation of a
Private ISP license.
(c) Data protection: the 'absence' of regulatory or legal norms and the
impact on business in India. There is no specific legislation in India
for the protection of data. Unlike, the United Kingdom, India does
not have legislation, except that the protection accorded to electronic
data in the Act, juxtaposed with other legislation can point towards
solution.
1.22.3 Are online contracts binding?
The problem with an online contract arises from the question of how to
enforce a contract that does not have a document backing it and how this
contract is to be proved in court. The issue is dealt with in a detailed chapter
on Electronic Contracts.
1.22.4 Requirement of “documents”
Contracts that are written and signed are more certain and therefore easier
to enforce. This is due to the fact that a document lends some degree of
authenticity as to the contract formation and facilitates easier enforcement
of the same. Documents are also required for evidence purpose Section 64
of the Indian Evidence Act, 1872; (the Evidence Act) states that documents
must be proved by primary evidence except in the cases specifically
provided for. The contents of any document which have to be proved have
to be proved by the original of the document itself being produced in Court,
except in a few limited instances.
If a computer printout or any information, which is visible on the screen of
the computer, is included in the definition of document, the question arises
as to what is an original with respect to computer printout, or information
contained in a computer. The Evidence Act lay emphasis on original
documents as once any information is reduced to actual physical fixation in
the conventional sense; it is difficult to alter it. On a thorough examination
it is possible to identify any alteration to an original of a document.
The Indian Act seeks to resolve this issue by stating that where the law
requires any record to be presented in original form, that requirement is
satisfied by an electronic record if there exists reliable assurance as to the
integrity of the record and where it is required that a record be presented,
that record is capable of being displayed to the person to whom it is being
presented.
1.23 FORMATION OF ONLINE CONTRACTS
Under the Indian Contract Act, 1872, the acceptance of a valid offer results
in a valid contract. It is crucial to know when a contract is concluded online
and whether any difference exists between contacts concluded by traditional
modes, such as via post.
Section 4 deals with the rule regarding completion of communication of
acceptance. The communication of acceptance is complete as against the
offeree, when it reaches the knowledge of offeror. But the Supreme Court
has held that in the case of communication by oral means, by telex or by
telephone an acceptance is communicated only when it is actually received
by the offeror.
This question has to be addressed in the case of e-commerce, where more
often than not, acceptance is made via email or by pressing the ‘Accept’ or
Buy icons. The question that would arise is when the acceptance has been
conveyed, i.e. is it:
a) when the email was sent; or
b) when it was received by addressee; or
c) when it reaches the ‘host computer’, which provides the email facility
to the addressee.
As seen earlier, where the communication is by instantaneous means the
court has held that the acceptance is communicated only when the
communication remains open. Would the acceptance be deemed to have
been communicated at the place where the offeree clicks the “Accept” icon
(as the action of clicking the icon is done on the offeree’s computer)? Or
would be deemed to have been communicated where the server (which
actually hosts the ‘Accept’ icon) is located? Or would it be the place where
the offeror actually reads the acceptance on his computer (which can be at
different place than the location of the server)?
In Germany, judicial practice has established that a message sent by email
is deemed to be received when it reaches the host computer of the addressee
(if the addressee has published the email address on his visiting card or
letterhead or otherwise makes it publicly known.)
In South Africa, when the acceptance is by way of post, the contract will be
concluded at the time when, and at the place from where, the acceptance is
posted. This is known as the ‘expedition’ theory. Where the acceptance is
notified by means of fax or telegram, the contract is concluded at the time
and place where the offeror learns of the acceptance. This is called the
‘information theory’. According to the law firm, Werksmans Attorney,
acceptance via email would be based on the information theory.
The Indian Act deals with the issue as to when the receipt and dispatch of
electronic records take place. According to it, a dispatch of an electronic
record is deemed to take place when it reaches an information system
outside the control of the person who sent the electronic record and is
deemed to be received when it is received by, or reaches an information
system designated by, the person whom it is sent. This is to be read with
existing Indian law and the correct position interpreted.
The Indian Act specifically excludes from its purview contracts relating to
the creation and execution of wills, execution of negotiable instruments, acts
relating to declaration of trust and power of attorney, immovable property,
titles for movable and immovable property, etc.
1.24 ELECTRONIC PAYMENT SYSTEMS
These systems are considered very secure since it is not possible for third
parties to obtain these details and misuse them. Visa & MasterCard have
developed a system for online payment called Secure Electronic Transaction
(SET).
1.24.1. Electronic cash
Electronic Cash is more secure and anonymous than credit cards when
making payments for transactions. It is specifically useful for small
transactions.
1.24.2. Electronic cash payment mechanism – open bank-issuer model
(international)
Anyone wishing to use electronic cash can purchase a certain number of
units from a member bank for a particular value in a local currency. He or
she can then use it for making payments over the Internet. The receiver of
electronic cash can either use it for making similar payments over the
Internet or redeem it at any member bank for his country’s own currency.
India should start thinking and debating on introducing electronic cash or
something similar to it. If any party to the transaction is a foreign party, the
Exchange Control Regulations will also come into picture.
1.25 SECURITY
Security is the single biggest obstacle for the growth of e-commerce. There
are basically two kinds of security problems according to a survey, teenage
hacking accounts only for 7% of reported violations, while infiltration by
competitors account for 39% of the violations.
Under the Indian Telegraph Act, 1885, “if any person with intention to
prevent or obstruct the transmission or delivery of any message, or to
intercept or to acquaint himself with the contents of any message, or to
commit mischief damages, removes tampers with or touches any battery,
machinery, telegraph line, post or any other thing whatever, being part of or
used in or about any telegraph or in the working thereof, he shall be
published with imprisonment for a term which may extend to three years or
with fine or both”. There is a possibility that any attempt of hacking could
be punishable under this section.
1.26 SECURING ELECTRONIC TRANSACTIONS
One of most important conditions for e-commerce’s survival is the ability
to safeguard all electronic transactions. Unless an electronic transaction is
secure it would be difficult to determine its authenticity. Also, users will be
hesitant to send confidential information over the net. Existence of
safeguards and an assurance that such transmissions are foolproof will go a
long way towards boosting e-commerce. The most common way of
protecting electronic transactions is through cryptography (i.e. encryption
techniques). Cryptography uses sophisticated mathematical algorithms,
particularly a technology known as “asymmetric cryptography”.
Cryptography can be differentiated between the following:
• Use of cryptography for confidentiality of a message; and
• Use of cryptography in digital signatures
Cyberspace spans worldwide, but it has “no formal framework”. It has no
definite metes and bounds except the capacity of the hardware used for
access. The lack of formal framework makes cyberspace nobody’s domain.
No single individual, entity, or government owns or controls cyberspace. In
property law, cyberspace may be considered res nullius; it is incapable of
private appropriation just like outer space.39
Regulation in cyberspace is an emerging challenge. According to professor
Lawrence Lessig of Harvard Law School, the default in cyberspace is
anonymity. “Anonymity” encourages and enhances the exercise of
freedom. A child too shy to express himself in the physical space can feign
to be somebody else in virtual space, and express himself freely.
The internet also provides speed and ease of transmission of both voice and
data. The facility in communication greatly enhances global trade. Goods
are traded over cyberspace in lieu of the traditional person-to-person mode.
Huge amount of money is transacted through computers and even cellular
phones.
“Paperless transaction has become common.” Even court filings are shifted
to electronic means. The volume generated by electronic business is
39 https://opinion.inquirer.net/107924/regulating-cyberspace
enormous even as the temptation for white collar crimes is likewise
immense.
Facility of publication and the potential of anonymity, however, can also be
detrimental to the dignity or reputation of third parties. The internet is also
a medium for “character assassination, and purveyors of bogus news at no
harm to the perpetrators.”
“Crimes of global repercussion” are also committed with the use of the
internet. Trafficking of persons, child pornography, kidnapping for ransom,
and terrorism are perpetrated with the use of cyberspace. Freedom thus in
cyberspace should not be exercised without the concomitant responsibility
of its users.
1.27. PRACTICAL PROBLEMS IN EXTENDING THE
TRADITIONAL LAWS TO CYBERSPACE
The existing laws and regulation have their bases on physical world
activities. "Consequence of digitization and automation is that many
Internet activities are widely distributed, both among actors and
jurisdictions thus making it difficult or impossible to apply existing laws to
the Internet analogous of physical world activities." The major problems
and challenges are as follows:
1. Multiple Jurisdictions-Because of anonymity of the Internet user,
absence of geographical boundaries in the cyberspace, and the cross-
border effect of Internet transactions, all legal systems face legal
uncertainty.
2. Legal Vacuum-The legal draftsman and the legislator have to, in some
way, find a solution to the existing problems in cyberspace. But there
are no appropriate model laws.
3. Problem of Policing-The lack of technical knowledge, non-co-
operation among different police organization etc., make the problem
too difficult to be solved.
4. Expensive Process-Training of law enforcement officers to solve the
issue of cybercrime is very expensive.
5. Obtaining Digital Evidence- Another instance where the policing of
cybercrime becomes difficult is with regard to obtaining the digital
evidence.40
6. E-CONTRACT - Various loopholes in e-contract are:
a) Contracts by minors
b) Misrepresentation through Online advertisements
c) Mistake of law and mistake of fact
d) Problem of enforcement
e) Problem of being cost effective
40http://dspace.cusat.ac.in/jspui/bitstream/123456789/11058/1/Regulating%20Cyberspace%20%20The%20Eme
rging.PDF
1.28. CONCLUSION
The internet is a dynamic or ever-evolving work-in-process. What is in
vogue today may be passé tomorrow. Such dynamism characterizes the
architecture of cyberspace. Thus, it is indeed difficult for the government to
regulate cyberspace based on its architecture. The best, and perhaps utmost,
that the government can do is to regulate use of cyberspace. The emphasis
of the regulation would be on the conduct of the user, and its consequent
effect.
The words you are searching are inside this book. To get more targeted content, please make full-text search by clicking here.
Module 1
Discover the best professional documents and content resources in AnyFlip Document Base.
Search
Module 1
- 1 - 49
Pages: