Published by Enhelion, 2019-11-23 04:24:03

Module_1

MODULE 1: LAW AND POLICY IN ‘INDIAN’ CYBERSPACE

Traditional legal systems have had great difficulty in keeping pace with the rapid growth
of the Internet and its impact throughout the world. While some laws and objectives
have been enacted and a few cases have been decided that affect the Internet, they
have left most of the difficult legal issues to the future. In spite of the recent
proliferation of legislation world-wide, it is unlikely that courts and legislators will be
able to provide sufficient guidance in a timely fashion to business [and lawyers] to
enable them to engage in commerce on, or otherwise take advantage of, the Internet in
a manner that avoids or minimizes unexpected consequences or liabilities.

The Internet has tested the limits of regulation, prompting some to declare
‘independence’1 and yet others to declare it beyond the limits of governance2. One of
the purposes of this text is to build a global community of people who are thinking
about all this in a serious way. As time passes, one aspect of governance is clearly
visible, the will of governments to be seen and ‘felt’ on the Internet. Governments
across the world seem eager to put to rest the notions that cyberspace can't be
governed. This view underestimates the way governments and business figure out how
to change the way things work.

There are four constraints on [human] behavior and freedom. They are the law, norms
(cultural and social influences), markets and -- crucially -- architecture. Architecture is a
regulator in real space as well as cyberspace, and it is essential to think about both.
Napoleon III wanted fewer revolutionaries, for example. So he rebuilt Paris with wide
streets, making it harder for revolutionaries to hide.

1.1 EXAMINING THE NEED FOR REGULATION

In some jurisdictions, the early adoption of legislation on digital signatures [defined in
the Glossary], for example, has not led to the increased take-up of new technology as
anticipated3. Rather, legislation has been bypassed because it has been regarded as not
providing appropriate, market-oriented, non-regulatory solutions. Some of that
legislation is now regarded as a better example of what not to do, than as a model
which should be followed4. A number of laws currently being drafted in the US have
undergone significant changes in the course of the drafting process and more can be
expected before they reach their final form5. As lawyers’ understanding of the
technology grows, and as the uses and applications of the technology develop, in
concert with the development of appropriate business models, appreciation of the need
for legislation and what is required in terms of its form and content have also changed.

1 In February 1996, John Perry Barlow issued a manifesto called <A Declaration of the
Independence of Cyberspace>.
http://www.eff.org/pub/Publications/John_Perry_Barlow/barlow0296.declaration.
2 Johnson, David R. /Post, David G., Law and Borders - The Rise of Law in Cyberspace, 48
Stanford Law Review 1367 – 1402 [1996].
3 Despite the early enactment of digital signature legislation in the American State of Utah in
1995, the first certification authority to set up under that legislation was not established until late
1997.
4 The Utah Act has been described as of more use dead than alive.

It is clear that what needs to be avoided at this early stage is an undue rush towards
legislation where none is needed, or where the need for it has not yet been clearly
demonstrated. This is particularly so in India where there have been, as yet, few cases
decided in the courts dealing with the issues identified as likely to cause problems in
electronic commerce. In other words, it is difficult to judge the magnitude of legal
problems being encountered, at least in terms of measuring them through recourse to
traditional means of resolution through litigation, although it is clear that some action to
remove obvious legal obstacles would certainly facilitate electronic commerce.

A number of international organizations are currently working on projects, which have
the potential to significantly influence the direction of domestic regulation in a number
of areas relevant to electronic commerce6. India is actively engaged in those projects.
This international work should be carefully monitored to ensure that the Indian settings
not only assist India's competitive advantage, but also keep India in conformity with
international norms, while ensuring that the economic, social and cultural benefits of
new technology are maximized.

The UNCITRAL Model Law on Electronic Commerce uses the term “commercial” and
guidance on the meaning of that term may be gained from the definition used in the
Model Law7. To ensure consistency, this definition is identical to the definition used by
UNCITRAL in the Model Law on International Commercial Arbitration8. The UNCITRAL
definition of commercial is, however, very broad and covers a number of areas in which
electronic commerce may raise particular issues. For reasons of time and resources, we
have not been able to consider specific sectors covered in that definition and the
particular issues raised by the greater use of electronic commerce. This text does not
consider issues specific to the financial sector, but rather has focused upon broader
generic issues of contract formation and statutory form requirements such as
requirements for certain contracts to be in writing or signed.

5 Recommendation 92 of the Financial System Inquiry 1997 (Wallis Report) recommended that
Australia should adopt internationally recognised standards for electronic commerce, including for
electronic transactions over the Internet and the recognition of electronic signatures.
6 These include work by: the UN Commission on International Trade Law on digital signatures
and certification authorities; work by the OECD on electronic commerce, digital signatures and
certification authorities; and work by APEC on certification practices and authorities.
7 Footnote **** to the Model Law on Electronic Commerce provides: The term “commercial”
should be given a wide interpretation so as to cover matters arising from all relationships of a
commercial nature, whether contractual or not. Relationships of a commercial nature include, but
are not limited to, the following transactions: any trade transaction for the supply or exchange of
goods or services; distribution agreement; commercial representation or agency; factoring;
leasing; construction of works; consulting; engineering; licensing; investment; financing; banking;
insurance; exploitation agreement or concession; joint venture and other forms of industrial or
business co-operation; carriage of goods or passengers by air, sea, rail or road.
8 The UNCITRAL Model Law on International Commercial Arbitration was adopted by India as a
model during the drafting of the Indian Arbitration and Conciliation Act, 1996.

1.2 A PERSPECTIVE ON THE LEGAL CHALLENGES POSED BY THE NEW MEDIA

The problem of jurisdiction in cyberspace is by far the most complex. The task before
us is to examine key concepts that are necessary constituents of a tricky issue
and perhaps juxtapose them against an overview of methods and solutions. On an
examination of jurisdiction under the Indian Information Technology Act, 2000
[hereinafter “the Indian IT Act”], one is faced with the question: Is section 75 really as
controversial as it seems? The answer is in the negative. The Act, continuing a long
tradition in law and commerce, merely seeks to extend the boundaries of
local/municipal law in a logical way, as will be examined in the next chapter on
Jurisdiction.

1.3 JURISDICTION IN CYBERSPACE: PROBLEMS AND PERSPECTIVES

Throughout human history, no regime of regulation or of dispute resolution has ever
pretended to be the sole source to which parties turn to ease business intercourse. In
every culture and in every time, private arrangements as well as governmental activity
have attempted to reduce the occasions of conflict necessitating the exercise of judicial
decision-making. The economic world of cyberspace at the beginning of the 21st
century is no different. Trade depends on confidence: confidence on the part of the
buyer that goods or services will conform to legitimate expectations, and confidence on
the part of the seller that payment will be prompt and complete. Such confidence, in
the interests of all parties, is fostered by industry self-regulation that reflects an honest
attempt to identify and resolve potential conflicts before they arise. The forms of such
regulation are many and are being actively explored, as e-commerce becomes an
increasingly important segment of the global economy. They include voluntary codes
of conduct, the provision of private arbitration for the resolution of disputes, escrow
accounts, agreements between buyers, sellers and credit card companies, amongst
others.

1.4 THE RELEVANCE OF PHYSICAL LOCATION

In determining under what circumstances extraterritorial jurisdictional assertions are
proper, courts and legislatures focused in the last half of the 20th century, as they had
previously, on physical location but at a different temporal point. Most frequently, the
focus was on where certain activities that gave rise to the plaintiff’s claim had occurred.
Where a negligent act took place, where a contract was entered into9 or was to be
performed,10 where a service was performed, a security offered for sale, or a
trademark infringed became the touchstones of both personal and prescriptive
jurisdictional inquiries. As long as such an act occurred within the state’s boundaries,
its assertion of both personal and prescriptive jurisdiction was proper. As long as
activities continue to occur in “real” space, the place of such occurrences remains
relevant.11

Technology, however, reduces and frequently may eliminate the need for physical
contact in the creation of legally significant relationships between parties or between
an actor and the state acting as regulator. The legal system must then decide what
relationship is necessary between the forum and either the conduct occurring outside
the forum or the parties. It is the tie between a party and a forum, not necessarily a
physical connection between the forum and the conduct of that party that is critical. If
the remote party (i.e. the party never physically in the forum) knows that the
proximate party is in (or is a habitual resident of) the forum when the remote party
interacts with the proximate party, the remote party has created a tie between itself
and the forum state. Now it is the remote-party/forum relationship at the time of
interaction,12 not at the time process is served, that matters. Whether such a tie is
sufficient to enable the forum to assert personal and prescriptive jurisdiction depends
on an analysis of additional factors (such as whether the remote party targeted the
forum, discussed below), but its existence is necessary to such assertions.

9 Countries gave much thought to the rules regulating contract formation, presumably at least in
part to guarantee perceived desirable jurisdictional results. In Australia, for example, a contract is
formed at the time and place its acceptance is received by the offeror. The consumer is the
offeror, so the typical consumer contract is “formed” when and where the consumer receives the
seller’s acceptance. Brazil, Colombia, and Romania also look to the residence of the offeror,
although in Brazil a contractual choice of a different law will be upheld if it is not in violation of
public policy. See Nestor Nestor & Kingston Petersen, “Written Remarks,” posted at
<http://www.kentlaw.edu/cyberlaw>.
In Canada, proposed legislation would fix the address of the consumer as the place in which an
on-line contract was formed. See “Canadian Law on Jurisdiction in Cyberspace,” submitted by
Arlan Gates, Paul Tackaberry and Adam Balinsky, posted at <http://www.kentlaw.edu/cyberlaw>
[hereinafter Gates].
10 The Brussels Convention permits domiciliaries of contracting states to be sued in the courts of
another contracting state where the contractual obligation in question is to be performed. Title II,
Section 2, Article 5.
11 Of course, not all assertions of jurisdiction were based on this kind of conduct-based inquiry.
For example, states continue to assert jurisdiction over their citizens with respect to claims that
arise outside of the state and to regulate conduct that occurs elsewhere which is intended to and
does cause substantial effects in the state. Nonetheless, a concern with where relevant acts took
place is central to many, if not most, decisions.
12 In some contexts, some countries have already implicitly recognised this in the specific context
of electronic commerce. Australia’s Electronic Transactions Act 1999 (Cth) provides default rules
for the place of dispatch and receipt of electronic communications (including the place of an offer
or acceptance of a contract) based on the party’s place of business or ordinary residence.

1.8 ESTABLISHING JURISDICTION OVER CYBERSPACE: TOWARDS A ‘SIMPLER’
READING OF THE “ACT”

Some provisions of the Act have been deemed controversial. For example, section 75
states that the Act will apply to an offence or contravention committed outside India by
any person irrespective of his nationality, if the act or conduct constituting the offence
or contravention involves a computer, computer system or computer network in India.
A computer is only a medium for communication. The use of a computer is not
materially different from the use of a phone or a car in the commission of a crime
unless the computer has been programmed for automatic action by its owner. It is not
going to be easy to acquire jurisdiction over a person not resident in India if a foreign
country is the scene of the crime and the criminal is not even an Indian citizen, merely
because a computer or a computer system in India has been utilized in some way or
other in connection with the crime. Nevertheless, certainly, if software/hardware in
India is damaged by a hacker based in a foreign country, there can be no dispute about
India’s right to reach him and make him accountable for the crime committed in India
alone.

Where contravention of any provisions of the Act has occurred is a matter of
adjudication for compensation purposes by the adjudicating officer and for criminal
action by the court.

1.9 THE INDIAN ELECTRONIC COMMERCE LEGISLATION: A READING OF THE "ACT"

The Information Technology Act will go a long way in facilitating and regulating
electronic commerce. It has provided a legal framework for smooth conduct of
e-commerce. It has tackled the following legal issues associated with e-commerce:

(a) requirement of writing; (b) requirement of a document; (c) requirement of a
signature; and (d) requirement of legal recognition for electronic messages, records
and documents to be admitted in evidence in a court of law.

However, the Act has not addressed the following grey areas:

(i) protection for domain names; (ii) infringement of copyright laws; (iii)
jurisdiction aspect of electronic contracts (viz. jurisdiction of courts and tax
authorities); (iv) taxation of goods and services traded through e-commerce;
and (v) stamp duty aspect of electronic contracts.

The main objective of the Act is to provide legal recognition for transactions carried out
by means of electronic data interchange and other means of electronic communication,
commonly referred to as e-commerce, which involve the use of alternatives to paper-
based methods of communication and storage of information to facilitate electronic
filing of documents with the Government agencies. The Act, apart from India, has
extra-territorial jurisdiction to cover any offence or contravention committed outside
India by any person.

1.9.1 EXEMPTION/EXCLUSION

The Act shall not apply to the following categories of transaction:

(a) Any Negotiable Instrument; (b) A Power of Attorney; (c) A Trust; (d) A will including
any other testamentary disposition; (e) Any contract for the sale or conveyance of
immovable property; and (f) Any other documents or transactions as may be
decided by the Central Government.

1.10 DIGITAL SIGNATURES

With the passing of the Act, any subscriber (i.e., a person in whose name the Digital
Signature Certificate is issued) may authenticate an electronic record by affixing his Digital
Signature. Electronic record means data, record or data generated, image or sound
stored, received or sent in an electronic form or microfilm or computer generated
microfiche.

1.11 ELECTRONIC GOVERNANCE

Where any law provides for submission of information in writing or in typewritten or
printed form, from now onwards it will be sufficient compliance with the law if the same is
sent in an electronic form. Further, if any statute provides for affixation of a signature on
any document, the same can be done by means of a Digital Signature.

Similarly, the filing of any form, application or any other documents with the
Government Authorities and issue or grant of any license, permit, sanction or approval
and any receipt acknowledging payment can be done by the Government offices by
means of electronic form. From now onwards retention of documents, records, or
information as provided in any law, can be done by maintaining electronic records. Any
rule, regulation, order, by-law or notification can be published in the Official Gazette or
Electronic Gazette.

The Act, however, provides that no Ministry or Department of Central Government or
the State Government or any Authority established under any law can insist upon
acceptance of document only in the form of electronic record.

1.11.1 ACKNOWLEDGEMENT AND DISPATCH OF ELECTRONIC RECORDS

An electronic record can be sent by the addresser himself or by a person acting under
his authority. An acknowledgement may be given by any communication by the
addressee, automatic or otherwise. Any conduct of the addressee sufficient to
indicate to the addresser that the electronic record has been received shall also be
treated as sufficient acknowledgement.

The dispatch of an electronic record occurs when it enters a computer resource outside
the control of the originator (i.e., addresser). The time of receipt of an electronic record shall
be determined as the time when the electronic record enters the digital computer resource or
the time when the electronic record is retrieved by the addressee. An electronic record is
deemed to be dispatched at the place where the addresser has his place of business
and is deemed to be received at the place where the addressee has his place of
business.

1.11.2 SECURED ELECTRONIC RECORDS AND DIGITAL SIGNATURE

Under the Act, the Central Government has the power to prescribe the security
procedure in relation to electronic records and Digital Signatures, considering the
nature of the transaction, the level of sophistication of the Parties with reference to
their technological capacity, the volume of transactions and the procedures in general
used for similar types of transactions or communications.

1.11.3 REGULATION OF CERTIFYING AUTHORITIES

The Central Government may appoint a Controller of Certifying Authority who shall
exercise supervision over the activities of Certifying Authorities.

Certifying Authority means a person who has been granted a license to issue a Digital
Signature Certificate. The Controller of Certifying Authority shall have powers to lay
down rules, regulations, duties, responsibilities and functions of the Certifying
Authority issuing Digital Signature Certificates. The Certifying Authority empowered to
issue a Digital Signature Certificate shall have to procure a license from the Controller
of Certifying Authority to issue Digital Signature Certificates. Detailed rules and
regulations have been prescribed in the Act, as to the application for license,
suspension of license and procedure for grant or rejection of license by the Controller
of Certifying Authority.

1.11.4 DIGITAL SIGNATURE CERTIFICATE

Any person may make an application to the Certifying Authority for issue of Digital
Signature Certificate. The Certifying Authority while issuing such certificate shall certify
that it has complied with the provisions of the Act.

The Certifying Authority has to ensure that the subscriber (i.e., a person in whose name
the Digital Signature Certificate is issued) holds the private key corresponding to the
public key listed in the Digital Signature Certificate and such public and private keys
constitute a functioning key pair. The Certifying Authority has the power to suspend or
revoke Digital Signature Certificate.

1.11.5 DUTIES OF SUBSCRIBERS

A subscriber can publish or authorize the publication of Digital Signature Certificate.
Similarly, he can accept such certificate.

It is the responsibility of a subscriber to exercise reasonable care to retain control of
the private key corresponding to the public key listed in his Digital Signature Certificate
and to take all steps to prevent its disclosure to any unauthorized person.

1.11.6 PENALTIES AND ADJUDICATION

If any person, without the permission of the owner, accesses the owner's computer,
computer system or computer network, downloads copies or any extract,
introduces any computer virus, or damages the computer, computer system, computer
network, data, etc., he shall be liable to pay damages by way of compensation not
exceeding Rupees One Crore to the person so affected.

For the purpose of adjudication, the Central Government can appoint any officer, not
below the rank of Director to the Government of India or any equivalent officer of any
State Government, to be an Adjudicating Officer. The Adjudicating Officer while trying
out cases of this nature shall consider the amount of gain of unfair advantage or the
amount of loss that may be suffered by a person. The aforesaid provisions were not
incorporated in the Information Technology Act, 2000 and the same were suggested by
the Select Committee of Parliament17.

17 In Delhi, the first case under the Act has already been registered by the police based on an FIR
filed by a Retd. Army Officer whose Internet time has been "stolen" by the accused. However,
the accused has been granted bail by the City Court. Interestingly, although passed by the
Parliament, the Act did not come into force until recently and Notification to this effect was issued
by the Central Government in the Official Gazette on June 19, 2000. This was one of the pleas
taken by the accused in the aforesaid case.

1.11.7 THE CYBER REGULATIONS APPELLATE TRIBUNAL

Under the Act, the Central Government has the power to establish the Cyber
Regulations Appellate Tribunal. The Tribunal shall have the power to entertain the
cases of any person aggrieved by the Order made by the Controller of Certifying
Authority or the Adjudicating Officer.

1.11.8 OFFENCES

Tampering with computer source documents shall be punishable with imprisonment up
to three years or fine up to Rs. 2 lakhs or with both. Similarly, hacking with computer
system entails punishment with imprisonment up to three years or with fine up to Rs. 2
lakhs or with both.

Publishing of information, which is obscene in electronic form, shall be punishable with
imprisonment up to five years or with fine up to Rs. 1 lakh and for second conviction
with imprisonment up to ten years and with fine up to Rs. 2 lakhs.

1.11.9 MISCELLANEOUS

Under the Act, any police officer not below the rank of Deputy Superintendent of Police
or any other authorised officer of the Central or State Governments may enter any
public place and search and arrest without warrant any person who is reasonably
suspected of having committed, of committing, or of being about to commit any offence
under the Act. 'Public place' includes any hotel, shop or any other place intended for
use by or accessible to the public18.

18 This amendment was suggested by the Select Committee of Parliament. Under the Indian
Penal Code, even a constable has the aforesaid power. However, the power given to the
designated police officer is so wide that even on suspicion or on his conviction that an offence is
about to be committed, he can conduct search and arrest without any warrant. There is a
widespread fear that this may be misused.

1.12 THE AMENDMENTS: A ‘REACTION’

The amendments to the Information Technology Act to a measurable extent are a
“reaction” to recent developments such as service provider liability issues and auction
sites; sleazy MMS clips and the like. In major part, desirable as most reactions are,
offences under the Act have been made compoundable19; that is to say, the parties can
compound the case, i.e. settle it between themselves. This is welcome as most crimes
target specific individuals and it is right for individuals to sort out the situation.

19 Section 77A provides that the ‘offences under sections 66, 66A, 72 and 72A may be
compounded by the aggrieved person.’

The offences which have been made compoundable are:

• Section 66: If a person dishonestly or fraudulently does any act which damages
the computer or the computer system, he is liable to a fine of up to five lakhs or
to imprisonment for a term of up to two years. A host of new sections have been
added to section 66 as sections 66A to 66F, prescribing punishment for offences
such as obscene electronic message transmissions, identity theft, cheating by
impersonation using computer resource, violation of privacy and cyber
terrorism.

• Section 66A: Any person who sends, by means of a computer resource or a
communication, any content which is grossly offensive or has a menacing
character, or which is not true but is sent to create nuisance, annoyance, criminal
intimidation, hatred or ill will etc., shall be punished with imprisonment for a term
which may be up to two years, combined with a fine.

• Section 67 of the old Act is amended to reduce the term of imprisonment for
publishing or transmitting obscene material in electronic form to three years
from five years and increase the fine thereof from Indian Rupees 100,000
(approximately USD 2000) to Indian Rupees 500,000 (approximately USD
10,000). A host of new sections have been inserted as Sections 67 A to 67C.
While Sections 67 A and B insert penal provisions in respect of offenses of
publishing or transmitting of material containing sexually explicit act and child
pornography in electronic form, section 67C deals with the obligation of an
intermediary to preserve and retain such information as may be specified for
such duration and in such manner and format as the central government may
prescribe.

• In view of the increasing threat of terrorism in the country, the new
amendments include an amended section 69 giving power to the state to issue
directions for interception or monitoring or decryption of any information
through any computer resource. Further, sections 69 A and B, two new sections,
grant power to the state to issue directions for blocking public access to any
information through any computer resource and to authorize the monitoring and
collection of traffic data or information through any computer resource for cyber
security.

• Section 72: If a person is found in possession of some confidential information
like electronic record, book, register, correspondence and he is found disclosing
it to any third party without the consent of the person concerned, then he shall
be punished with imprisonment for a term which may be up to two years, or a
fine which may extend to One Lakh rupees, or with both.

• Section 72A: If any person who, while providing services under the terms of a
contract, has secured access to any material containing personal information
about another person discloses that information with the intent to cause wrongful
loss or wrongful gain, without the person’s consent or in breach of a lawful
contract, he shall be punished with imprisonment for a term which may extend to
two years or with fine which may extend to five lakh rupees or with both.

1.13 THE ‘MEDIUM’ NOT THE ‘MACHINE’/‘DEVICE’

It is important to remember that the Internet is principally a medium, which can be
regulated by regulating its “layers”. A law, to be effective, must apply to (or regulate) one
or more “layers”, that is: (a) the physical (the wires, hardware, the ‘device’ itself); (b) the
digital (the code or the “spectrum”); or (c) content (whether prohibited, socially censored
comments or proprietary material).

1.14 DATA PRIVACY AND INFORMATION SECURITY

In view of recent concerns about the operating provisions in the IT Act related to “Data
Protection and Privacy”, in addition to contractual agreements between the parties, the
existing Sections (viz. 43, 65, 66 and 72A) have been revisited and some
amendments/more stringent provisions have been provided for in the Act. Notable
amongst these are:

• Section 43(A) is related to handling of sensitive personal data or information
with reasonable security practices and procedures. This section has been
inserted to protect sensitive personal data or information possessed, dealt or
handled by a body corporate in a computer resource which such body corporate
owns, controls or operates. If such body corporate is negligent in implementing
and maintaining reasonable security practices and procedures and thereby
causes wrongful loss or wrongful gain to any person, it shall be liable to pay
damages by way of compensation to the person so affected.

• Gradation of severity of computer related offences under Section 66 has been
amended: now, if an offence is committed dishonestly or fraudulently, then
punishment is for a term which may extend to two years or a fine which may
extend to Rs 5 lakhs or with both;

• The addition of Section 72 A for breach of confidentiality with the intent to cause
injury to a subscriber. This is recognised as providing sufficient protection under
the EC Directive20.

20 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002
concerning the processing of personal data and the protection of privacy in the electronic
communications sector (Directive on privacy and electronic communications) available at
<http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML>

Contractual agreements are those agreements which are signed between parties where
one party provides services on the basis of the contract signed. Any contractual
agreement always contains a provision not to disclose any information which is
imperative for the running of the business. According to Section 72 (A), if anyone is
found disclosing any information of a third person without his consent, he shall be
punished with imprisonment or a fine of Rs 500,000.

The problem remains with ambiguous phrases. For instance, the amended Section 43
(A) makes it mandatory for companies to include ‘reasonable security measures’ while
handling data. What precisely ‘reasonable’ indicates is anyone’s guess. We would
recommend that organisations follow the standards prescribed by the Computer
Emergency Response Team (CERT). CERT’s primary role is to raise security awareness
among the cyber community and to provide technical assistance and advice to
help them recover from computer security incidents.

CERT provides technical advice to System Administrators and users to respond to
computer security incidents. It also identifies trends in intruder activity, works with
other similar institutions and organisations to resolve major security issues, and
disseminates information to the cyber community. CERT also enlightens its constituents
about the security awareness and best practices for various systems and networks by
publishing advice, guidelines and other technical documents. The European Network
and Information Security Agency (ENISA) performs similar functions to the CERT. The
basic regulation which established ENISA is the Regulation (EC) No 460/2004.21

1.15 INDIAN COMPUTER EMERGENCY RESPONSE TEAM TO SERVE AS NATIONAL NODAL AGENCY

The new amended Act of 2006 provides for an Indian Computer Emergency Response
Team to act as a central agency in respect of Critical Information Infrastructure22 for
coordinating all actions relating to information security practices, procedures,
guidelines, incident prevention, response and reporting.23

21 See REGULATION (EC) No 460/2004 OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL of 10 March 2004 establishing the European Network and Information Security Agency
available at
<http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:077:0001:0011:EN:PDF>
22 “Information infrastructures form an essential part of critical infrastructures. In order effectively
to protect critical infrastructures, therefore, countries must protect critical information
infrastructures from damage and secure them against attack. Effective critical infrastructure
protection includes identifying threats to and reducing the vulnerability of such infrastructures to
damage or attack, minimizing damage and recovery time in the event that damage or attack
occurs, and identifying the cause of damage or the source of attack for analysis by experts and/or
investigation by law enforcement.” G8 Principles for Protecting Critical Information Infrastructures
(Adopted by the G8 Justice & Interior Ministers, May 2003) available at
<http://www.usdoj.gov/criminal/cybercrime/g82004/G8_CIIP_Principles.pdf>

CERT-In has been operational since January 2004. The main motive for setting up such a
team is to keep malicious worms out of our systems. In today’s world, where most
work is done by computers, our entire efficiency and national data were initially
at risk and left open to tampering by malicious hackers. To avoid any such problems,
CERT-In was set up. CERT-In is the national nodal agency for responding to computer
security incidents as and when they occur. In the recent Information Technology
Amendment Act 2008, CERT-In has been designated to serve as the national agency to
perform the following functions in the area of cyber security:

1. Collection, analysis and dissemination of information on cyber incidents.
2. Forecast and alerts of cyber security incidents
3. Emergency measures for handling cyber security incidents
4. Coordination of cyber incidents response activities
5. Issue guidelines, advisories, vulnerability notes and whitepapers relating to
information security practices, procedures, prevention, response and reporting
of cyber incidents.
6. Such other functions relating to cyber security as may be prescribed.24

Whenever a new technology arrives, its misuse is not long in following: the first worm
in the IBM VNET was covered up. Shortly afterwards a worm hit the Internet on 3
November 1988, when the so-called Morris Worm paralyzed a good percentage of it.
This led to the formation of the first Computer Emergency Response Team at Carnegie
Mellon University under U.S. Government contract.25 The Indian Computer Emergency
Response Team (CERT-In) is assisting the Department of Information Technology in
putting in place a national cyber security strategy and a national information security
governance policy. CERT-In explains how an organization seeks to ensure the safety and
security of the Indian cyber space. The purpose of CERT-In is to become the nation's
most trusted referral agency for responding to computer security incidents as and when
they occur.26 With the increasing use of IT, there is an increasing reliance on
interdependent and cyber supported infrastructure. Technological advances have created
new vulnerabilities to equipment failure, human error, weather and natural causes, and
intentional physical and cyber attacks. Since the threats to critical national IT
infrastructure through these vulnerabilities are likely to have a crippling effect on the
economy as also the safety and well-being of society, addressing them will increasingly
require coordinated efforts between the government and the private sector, both
within the country as well as across other bodies around the world. In view of this, it
was felt necessary to establish CERT-In to ensure the safety and security of the Indian
cyber space.27

23 Section 70 A of the Act
24 http://www.cert-in.org.in/
25 http://en.wikipedia.org/wiki/Computer_emergency_response_team
26 http://www.inclusion.in/index.php?option=com_content&view=article&id=427

The Department of Information Technology, Ministry of Communications and
Information Technology, Government of India, has established the Indian Computer
Emergency Response Team (CERT-In). As part of CERT-In, each sector needs to set up
a Sub-Cert, and IDRBT is the Sub-Cert for the Indian Banking and Financial Sector.

1.16 BASIC ROLE OF CERT28

• Role of CERT-In Infrastructure,
– Computer Security Incident Response (Reactive)
– Computer Security Incident Prevention (Proactive)
– Security Quality Management Services

• Information Exchange
– With sectorial CERTs (CSIRTs), CIOs of Critical
organizations, ISPs, Vendors

• International Collaboration
– Member of FIRST
– Member of APCERT
– Research Partner- APWG
– Functional relationship with US-CERT and CERT/CC

1.16.1 REPORTING

1. Central point for reporting incidents:- the following information should be given
while reporting about any incident
• time of occurrence
• information regarding affected system
• symptoms observed
• relevant technical information such as security system deployed, actions
taken to mitigate the damage.

2. Database of incidents

1.16.2 ANALYSIS

1. Analysis of trends and patterns of intruder activity
2. Develop preventive strategies for the whole constituency
3. In-depth look at an incident report or an incident activity to determine the
scope, priority and threat of the incident.

27 http://www.inclusion.in/index.php?option=com_content&view=article&id=427
28 http://www.itu.int/ITU-D/cyb/events/2009/hyderabad/docs/rai-role-of-cert-in-sept-09.pdf

1.16.3 RESPONSE

1. Incident response is a process devoted to restoring affected systems to
operation

2. Send out recommendations for recovery from, and containment of damage
caused by the incidents.

3. Help the System Administrators take follow up action to prevent recurrence of
similar incidents

1.16.4 REPORTING OF VULNERABILITY

A vulnerability is a bug which enables a hacker to bypass security measures. Any such act,
whether done with a bona fide or a mala fide intention, should be reported to
CERT-In quickly before it is too late.

1.16.5 OTHER SIGNIFICANT ROLES29

1.16.5.1 REACTIVE

1. Provide a single point of contact for reporting local problems: The entire CERT
program is run and managed by the Indian government. Its main role is to
safeguard the interests of people in the country and to keep important national
data from falling into the wrong hands before it can be put to unfriendly use.

2. Assist the organizational constituency and general computing community in
preventing and handling computer security incidents: As already discussed,
every new invention in this world is followed by a threat. The threat may also
take the form of a vulnerability. Hence, to prevent a catastrophic incident from
taking place, the threat posed by the vulnerability should be stopped.

3. Share information and lessons learned with CERT/CC, other CERTs, response
teams, organizations and sites: As far as the reporting of such information is
concerned, it is quite evident that the more information about any worm or
mishap is given to CERT, the smaller its impact on future endeavours will be.

4. Incident response: An incident should be brought to the team as soon as
possible once any intrusion of this type is encountered. Any breach of our
secure internet system could be fatal to us, so the possibility must be avoided.

5. Provide a 24 x 7 security service: CERT provides a 24 x 7 security service so that
a threat can never bring down the main server, and to prevent any attacker from
making a malicious move.

6. Offer recovery procedures: Many procedures and guidelines are given on the
CERT home page. Using those and the newly upgraded law, we can seek
recovery procedures.

29 http://www.cert-in.org.in/

1.16.5.2 PROACTIVE

1. Issue security guidelines, advisories and timely advice: There are many guidelines
in active use across the system that provide a shield to avoid and prevent misuse.
A few of them are CISG 2010-01, CISG 2011-3 and CISG 2011-2.

2. Vulnerability analysis and response: For any kind of vulnerability response, the
first and foremost thing to be done is to inform CERT. It has the technology and
authority to track down the person who hacks into the system to do something
unfriendly.

3. Risk analysis: The risk in such a situation is extreme.
4. Profiling attackers: CERT holds, more or less, the profiles of the main attackers
who could come up with a plan to disrupt the free flow of the cyber system of
the country. To guard against this, a profile of each attacker is kept in case the
team needs it.
5. Conduct training, research and development: The team has undergone various
training programs in which its members are taught how to eradicate the problem.
In pursuit of such eradication, many new programs are also created to fight
day-to-day problems.
6. Interact with vendors and others at large to investigate and provide solutions for
incidents: The team is highly qualified to take cognizance of a cyber offence,
can discuss the gravity of the offence and can direct that it be investigated.

1.17 CYBER CRIME, EVIDENCE AND PUNISHMENT

The Act provides for essentially economic offences or crimes in the medium that are
linked to economic loss or detriment. The Government would do well to take a
proverbial leaf from the OECD Guidelines for the Security of Information Systems and
Networks30 and the Council of Europe’s Convention on Cybercrime.31 Social offences like
pornography, when included, are superfluous due to the existing provisions in the Indian
Penal Code covering pornography. Though pornography has not been defined under the
Code, section 292 clearly states that “a book, pamphlet, paper, writing, drawing,
painting, representation, figure or any other object, shall be deemed to be obscene if it is
lascivious or appeals to the prurient interest or if its effect,” Neither has the language or
expression changed from 1860, the year when the Indian Penal Code came into force.
The inclusion of a provision banning child pornography could well be a case of ‘over
legislation’ considering the existing blanket ban on pornography per se, both in the
Information Technology Act, 2000 (section 67) as well as the Indian Penal Code, 1860
(section 292).

30 See OECD Guidelines for the Security of Information Systems and Networks available at
<http://www.oecd.org/dataoecd/16/22/15582260.pdf>
31 Convention on Cybercrime available at
<http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm>

A ‘fresh’ Section 68(A) has been proposed for providing modes and methods for
encryption for secure use of the electronic medium. This is welcome guidance. Section
69, related to power to issue directions for interception or monitoring or decryption of
any information through any computer resource, has been amended to take care of the
concerns of the Ministry of Home Affairs which include the safety, sovereignty, integrity
of India, defence of India, to maintain friendly relations with other nations and
preventing incitement to the commission of any cognizable offence.

A new section 79 A32 (Examiners of Electronic Evidence) has been added to notify the
examiners of electronic evidence by the Central Government. This will help the
Judiciary/Adjudicating officers in handling technical issues.

Section 79 has been revised to bring out explicitly the extent of liability of an intermediary
in certain cases. The EU Directive on E-Commerce 2000/31/EC issued on June 8th 2000
has been used as a guiding document.33

1.18 OTHER AMENDMENTS

• The term “digital signature” has been replaced with “electronic signature”.
• “Communication Device” has been defined as cell phones, personal digital
assistance or combination of both or any other device used to communicate,
send or transmit any text, video, audio or image.
• “Cyber café” has been defined as any facility from where the access to the
internet is offered by any person in the ordinary course of business to the
members of the public.

• A new definition has been inserted for “intermediary”. “Intermediary” with
respect to any particular electronic records, means any person who on behalf of
another person receives, stores or transmits that record or provides any service
with respect to that record and includes telecom service providers, network
service providers, internet service providers, web-hosting service providers,
search engines, online payment sites, online-auction sites, online market places
and cyber cafes, but does not include a body corporate referred to in Section
43A.

32 Section 79A – ‘The Central Government may, for the purposes of providing expert opinion on
electronic form evidence before any court or other authority specify, by notification in the Official
Gazette, any Department, body or agency of the Central Government or a State Government as
an Examiner of Electronic Evidence.’
33 See Section 4 Article 12 of EU Directive on E-Commerce 2000/31/EC issued on June 8th 2000
available at
<http://eurlex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32000L0031&model=guichett>

• A new section 10A has been inserted to the effect that contracts concluded
electronically shall not be deemed to be unenforceable solely on the ground that
electronic form or means was used.

• The damages of Rs. One Crore (approximately USD 200,000) prescribed under
section 43 of the earlier Act for damage to computer, computer system etc has
been deleted and the relevant parts of the section have been substituted by the
words, “he shall be liable to pay damages by way of compensation to the person
so affected”.

• A proviso has been added to Section 81 which states that the provisions of the
Act shall have overriding effect. The proviso states that nothing contained in the
Act shall restrict any person from exercising any right conferred under the
Copyright Act, 1957.

1.19 DRAWBACKS OF THE NEW LEGISLATION
The amendments ignore existing international classifications of cyber crimes. The
Council of Europe’s Convention on Cybercrime34 identifies the following as offences
which should be incorporated into substantive criminal law; some of the particularly
relevant provisions are:

I. Computer-related offences
Computer-related fraud (Art. 8)

II. Content-related offences
Racial hatred, obscenity, amongst other classifications

III. Offences related to infringements of copyright and related rights
Offences related to infringements of copyright and related rights (Art. 10)

34 See Convention on Cybercrime available at
<http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm>

1.20 TOWARDS A PRIVACY REGIME?
While the amended version of the Act strengthens provisions on confidentiality and
data privacy, the inclusion of a solitary provision on data privacy is quite in contrast to
Europe, where data protection provisions are enshrined in Directives at the EU level and
in national legislation. In fact, data protection is a sine qua non for aspirant members to
the European Union, and also for companies who receive data from the EU. “Data
subjects” must have rights enshrined in explicit rules with a detailed enforcement
mechanism rather than relying on a lone section to do the task elsewhere
performed by an entire Act! A detailed data protection law is needed, not merely for the
ITES industry but for the citizens of India. The right to know balanced with the right to
privacy is the hallmark of a democracy.

1.21 ‘LEGALESE’ AND LEGAL DRAFTING: CONTROVERSIAL PROVISIONS IN THE ‘ACT’
The Information Technology Act [“the Act”], as in the case of all legislation, is supposed
to be for every citizen, especially the non-specialist; its language should be
comprehensible to anyone who is likely to be affected by it, either as one who provides
any services or conducts any business or as a consumer who avails of any services or
supplies through the electronic medium. The danger of being enveloped in long and
tortuous sentences and unnecessary jargon seems to manifest itself in the Act.

It will be no exaggeration to say that the following provisions of the Explanation to
sub-section (2) of section 3 will need a lot of explanation and will not serve any purpose in
the present form: ‘For the purpose of this sub-section, “hash function” means an
algorithm mapping or translation of one sequence of bits into another, generally
smaller set, known as “hash result” such that an electronic record yields the same hash
result every time the algorithm is executed with the same electronic record as its input
making it computationally infeasible

(a) to derive or reconstruct the original electronic record from the hash result
produced by the algorithm;

(b) that two electronic records can produce the same hash result using the same
algorithm.’

Section 40, unfortunately, is no better:

“Where any digital signature certificate, the public key of which corresponds to the
private key of that subscriber which is to be listed in the digital signature certificate,
has been accepted by the subscriber, then, the subscriber shall generate the key pair
by applying the security procedure”.

1.22 LIABILITY FOR CARRIAGE AND CONTENT

1.22.1 A "LOOK" AT THE EU POSITION

Directive 2000/31/EC of the European Parliament and of the Council of June 8 2000 on
Certain Legal Aspects of Information Society Services, in Particular Electronic
Commerce, in the Internet Market

The largest development involves the European Commission’s adoption on June 8th of
its Electronic Commerce Directive, which aims to remove barriers to e-commerce35.
The Directive includes various provisions affecting search engines such as: (i) a
company providing “information society services” (e.g. selling goods or providing
information on line) will be subject to the law of the Member State in which it is
established, irrespective of where the recipient of the service is based (the “country of
origin” principle); (ii) Internet service providers (ISP) receive some exemption from
liability for infringing material transmitted over their systems by third parties, provided
certain conditions are met; (iii) unsolicited commercial e-mail (“spam”) must be clearly
identifiable as such, and companies sending this kind of e-mail must regularly consult
any relevant opt-out registers.

The Indian Act makes a distinction between an access provider who provides access
and the content provider who provides the content for the sake of determining liability.
It establishes that a network service provider is not subject to criminal or civil liability
for third party material for which or to which the provider merely provides access.
Network service providers will continue to be liable for their own content, or third
party content that they adopt or approve of36. The Indian Information Technology Act
immunizes Internet Service Providers against liability arising out of any distressing
content or defamatory statements or such content that is likely to violate any law. By
reducing the liability of service providers, the Act ensures that they are not penalized
for content, which is beyond their control.

The primary issue is whether Section 292 IPC could be invoked for a Web site search
results issue. Section 292 defines obscenity. However, it says that a book, pamphlet,
paper, writing, drawing, painting, representation, figure or any other object shall be
deemed to be obscene if it is lascivious or appeals to the prurient interest, or if (where it
comprises two or more distinct items) the effect of any one of its items, if taken as a
whole, tends to deprave and corrupt persons who are likely, having regard to all
relevant circumstances, to read, see or hear the matter contained or embodied in it.

The controversy is as to how to define the words "any other object". Section 292 (1) IPC
speaks of a book, pamphlet, paper, writing, drawing, painting, representation, figure
or any other object. All the objects defined under Section 292 are corporeal and
material in nature. Can we interpret the words "any other object" in such a broad manner
as to include anything and everything in Cyberspace? Can any other object also
mean a virtual object? These issues are very complicated, and any attempt to apply the
provisions of Section 292 IPC to the cyber world is an exercise fraught with difficulties.

35 Member States have until 16 January 2002 to implement the provisions of the Directive into
their national laws.
36 A survey of Latin American countries reveals that at least Brazil, Ecuador, El Salvador,
Uruguay and Venezuela have pending legislation and/or regulations pertaining to electronic
commerce, though none of these pending rules would specifically address a search engine’s
liability for trademark infringement.

1.22.2 OVER/UNDER-RIDING REGULATORY ISSUES:

(a) licensing of cross-border telecom systems: a perspective on the Indian
regulatory impasse on telecom. The Indian Telecom Authorities are undecided
on the issues of whether to allow voice over telephony, in the light of resistance
from the Department of Telecommunications (DoT).

(b) Encryption: testing 'legality' in India. A study in the light of section 14 of the
Indian Information Technology Act, 2000. Is encryption allowed under Indian
law? The government says “no”, but the 'Act' appears to say “yes”. As per
government policy as evidenced from periodic notices and circulars, encryption
is illegal in India; however, the Act seems to say otherwise, as would appear
from a reading of section 14 of the legislation. Laws are in existence in India
that can be interpreted to read that transmission of data with any form of
encryption is illegal. The onus of prevention is upon the service provider concerned.
However, much of current Internet technology, including secure Web servers,
PGP-encrypted email and Virtual Private Networks, is based on encryption.
Prevention may be technically impossible, and this could be used as grounds for
revocation of a Private ISP license.

(c) Data protection: the 'absence' of regulatory or legal norms and the impact on
business in India. There is no specific legislation in India for the protection of
data. Unlike the United Kingdom, India does not have such legislation, although
the protection accorded to electronic data in the Act, juxtaposed with other
legislation, can point towards a solution.

1.22.3 ARE ONLINE CONTRACTS BINDING?

The problem with an online contract arises from the question of how to enforce a
contract that does not have a document backing it and how this contract is to be proved
in court. The issue is dealt with in a detailed chapter on Electronic Contracts.

1.22.4 REQUIREMENT OF “DOCUMENTS”

Contracts that are written and signed are more certain and therefore easier to enforce.
This is due to the fact that a document lends some degree of authenticity as to the
contract formation and facilitates easier enforcement of the same. Documents are also
required for evidentiary purposes. Section 64 of the Indian Evidence Act, 1872 (the
Evidence Act) states that documents must be proved by primary evidence except in the
cases specifically provided for. The contents of any document which have to be proved
have to be proved by the original of the document itself being produced in Court, except
in a few limited instances.

If a computer printout or any information, which is visible on the screen of the
computer, is included in the definition of document, the question arises as to what is an
original with respect to computer printout, or information contained in a computer. The
Evidence Act lays emphasis on original documents because, once any information is reduced to
actual physical fixation in the conventional sense, it is difficult to alter it. On a thorough
examination it is possible to identify any alteration to an original of a document.

The Indian Act seeks to resolve this issue by stating that where the law requires any
record to be presented in original form, that requirement is satisfied by an electronic
record if there exists reliable assurance as to the integrity of the record and where it is
required that a record be presented, that record is capable of being displayed to the
person to whom it is being presented.

1.23 FORMATION OF ONLINE CONTRACTS

Under the Indian Contract Act, 1872, the acceptance of a valid offer results in a valid
contract. It is crucial to know when a contract is concluded online and whether any
difference exists between contracts concluded by traditional modes, such as via post.

Section 4 deals with the rule regarding completion of communication of acceptance. The
communication of acceptance is complete as against the offeree when it reaches the
knowledge of the offeror. But the Supreme Court has held that in the case of
communication by oral means, by telex or by telephone an acceptance is communicated
only when it is actually received by the offeror.

This question has to be addressed in the case of e-commerce, where more often than
not, acceptance is made via email or by pressing the ‘Accept’ or ‘Buy’ icons. The question
that would arise is when the acceptance has been conveyed, i.e. is it:

a) when the email was sent; or
b) when it was received by the addressee; or
c) when it reaches the ‘host computer’ which provides the email facility to the
addressee.

As seen earlier, where the communication is by instantaneous means the court has held
that the acceptance is communicated only when the communication remains open.
Would the acceptance be deemed to have been communicated at the place where the
offeree clicks the ‘Accept’ icon (as the action of clicking the icon is done on the
offeree’s computer)? Or would it be deemed to have been communicated where the
server (which actually hosts the ‘Accept’ icon) is located? Or would it be the place where
the offeror actually reads the acceptance on his computer (which can be at a different
place than the location of the server)?

In Germany, judicial practice has established that a message sent by email is deemed to
be received when it reaches the host computer of the addressee (if the addressee has
published the email address on his visiting card or letterhead or has otherwise made it
publicly known).

In South Africa, when the acceptance is by way of post, the contract will be concluded at
the time when, and at the place from where, the acceptance is posted. This is known as
the ‘expedition’ theory. Where the acceptance is notified by means of fax or telegram,
the contract is concluded at the time and place where the offeror learns of the
acceptance. This is called the ‘information’ theory. According to the law firm
Werksmans Attorney, acceptance via email would be based on the information theory.

The Indian Act deals with the issue of when the receipt and dispatch of electronic
records take place. According to it, the dispatch of an electronic record is deemed to take
place when it reaches an information system outside the control of the person who sent
the electronic record, and the record is deemed to be received when it is received by, or
reaches an information system designated by, the person to whom it is sent. This is to be
read with existing Indian law and the correct position interpreted.

The Indian Act specifically excludes from its purview contracts relating to the creation
and execution of wills, execution of negotiable instruments, acts relating to declaration
of trust and power of attorney, immovable property, titles for movable and immovable
property, etc.

1.24 ELECTRONIC PAYMENT SYSTEMS

These systems are considered very secure since it is not possible for third parties to
obtain these details and misuse them. Visa & MasterCard have developed a system for
online payment called Secure Electronic Transaction (SET).

1.24.1 ELECTRONIC CASH

Electronic Cash is more secure and anonymous than credit cards when making
payments for transactions. It is specifically useful for small transactions.

1.24.2 ELECTRONIC CASH PAYMENT MECHANISM – OPEN BANK-ISSUER MODEL (INTERNATIONAL)

Anyone wishing to use electronic cash can purchase a certain number of units from a
member bank for a particular value in a local currency. He or she can then use it for
making payments over the Internet. The receiver of electronic cash can either use it for
making similar payments over the Internet or redeem it at any member bank for his
country’s own currency.

India should start thinking about and debating the introduction of electronic cash or
something similar to it. If any party to the transaction is a foreign party, the Exchange
Control Regulations will also come into the picture.

1.25 SECURITY

Security is the single biggest obstacle to the growth of e-commerce. There are basically
two kinds of security problems. According to a survey, teenage hacking accounts for only
7% of reported violations, while infiltration by competitors accounts for 39% of the
violations.

Under the Indian Telegraph Act, 1885, “if any person with intention to prevent or
obstruct the transmission or delivery of any message, or to intercept or to acquaint
himself with the contents of any message, or to commit mischief, damages, removes,
tampers with or touches any battery, machinery, telegraph line, post or any other thing
whatever, being part of or used in or about any telegraph or in the working thereof, he
shall be punished with imprisonment for a term which may extend to three years or
with fine or both”. There is a possibility that any attempt at hacking could be punishable
under this section.

1.26 SECURING ELECTRONIC TRANSACTIONS

One of the most important conditions for e-commerce’s survival is the ability to safeguard
all electronic transactions. Unless an electronic transaction is secure it would be difficult
to determine its authenticity. Also, users will be hesitant to send confidential
information over the net. Existence of safeguards and an assurance that such
transmissions are foolproof will go a long way towards boosting e-commerce. The most
common way of protecting electronic transactions is through cryptography (i.e.
encryption techniques). Cryptography uses sophisticated mathematical algorithms,
particularly a technology known as “asymmetric cryptography”. The uses of cryptography
can be distinguished as follows:

• Use of cryptography for confidentiality of a message; and
• Use of cryptography in digital signatures.

