Published by Enhelion, 2021-11-09 00:59:49

Module 1


Traditional legal systems have had great difficulty in keeping pace with the
rapid growth of the Internet and its impact throughout the world. While some
laws and objectives have been enacted and a few cases have been decided that
affect the Internet, they have left most of the difficult legal issues to the future.
In spite of the recent proliferation of legislation world-wide, it is unlikely that
courts and legislators will be able to provide sufficient guidance in a timely
fashion to business [and lawyers] to enable them to engage in commerce on, or
otherwise take advantage of, the Internet in a manner that avoids or minimizes
unexpected consequences or liabilities.

The Internet has tested the limits of regulation, prompting some to declare
‘independence’1 and yet others to declare it beyond the limits of governance2.
One of the purposes of this text is to build a global community of people who
are thinking about all this in a serious way. As time passes, one aspect of
governance is clearly visible, the will of governments to be seen and ‘felt’ on
the Internet. Governments across the world seem eager to put to rest the notions
that cyberspace can't be governed. This view underestimates the way
governments and business figure out how to change the way things work.

There are four constraints on [human] behaviour and freedom. They are the law,
norms (cultural and social influences), markets and -- crucially -- architecture.
Architecture is a regulator in real space as well as cyberspace, and it is essential

1 In February 1996, John Perry Barlow issued a manifesto called <A Declaration of the Independence of
2 Johnson, David R. / Post, David G., Law and Borders: The Rise of Law in Cyberspace, 48 Stanford Law Review
1367–1402 [1996].


to think about both. Napoleon III wanted fewer revolutionaries, so he rebuilt
Paris with wide streets, making it harder for revolutionaries to hide.


In some jurisdictions, the early adoption of legislation on digital signatures
[defined in the Glossary], for example, has not led to the increased take-up of
new technology as anticipated3. Rather, legislation has been bypassed because
it has been regarded as not providing appropriate, market-oriented and non-
regulatory solutions. Some of that legislation is now regarded as a better
example of what not to do, than as a model which should be followed4. A
number of laws currently being drafted in the US have undergone significant
changes in the course of the drafting process and more can be expected before
they reach their final form5. As lawyers’ understanding of the technology grows,
and as the uses and applications of the technology develop, in concert with the
development of appropriate business models, appreciation of the need for
legislation and what is required in terms of its form and content have also

It is clear that what needs to be avoided at this early stage is an undue rush
towards legislation where none is needed, or where the need for it has not yet
been clearly demonstrated. This is particularly so in India where there have
been, as yet, few cases decided in the courts dealing with the issues identified as
likely to cause problems in electronic commerce. In other words, it is difficult to
judge the magnitude of legal problems being encountered, at least in terms of
measuring them through recourse to traditional means of resolution through
litigation, although it is clear that some action to remove obvious legal obstacles
would certainly facilitate electronic commerce.

3 Despite the early enactment of digital signature legislation in the American State of Utah in 1995, the first
certification authority to set up under that legislation was not established until late 1997.
4 The Utah Act has been described as of more use dead than alive.
5 Recommendation 92 of the Financial System Inquiry 1997 (Wallis Report) recommended that Australia should
adopt internationally recognised standards for electronic commerce, including for electronic transactions over the
Internet and the recognition of electronic signatures.


A number of international organizations are currently working on projects,
which have the potential to significantly influence the direction of domestic
regulation in a number of areas relevant to electronic commerce6. India is
actively engaged in those projects. This international work should be carefully
monitored to ensure that the Indian settings not only assist India's competitive
advantage, but also keep India in conformity with international norms, while
ensuring that the economic, social and cultural benefits of new technology are

The UNCITRAL Model Law on Electronic Commerce uses the term
“commercial”, and guidance on the meaning of that term may be gained from
the definition used in the Model Law7. To ensure consistency, this definition is
identical to the definition used by UNCITRAL in the Model Law on
International Commercial Arbitration8. The UNCITRAL definition of
commercial is, however, very broad and covers a number of areas in which
electronic commerce may raise particular issues. For reasons of time and
resources, we have not been able to consider specific sectors covered in that
definition and the particular issues raised by the greater use of electronic
commerce. This text does not consider issues specific to the financial sector, but
rather has focused upon broader generic issues of contract formation and

6 These include work by: the UN Commission on International Trade Law on digital signatures and certification
authorities; work by the OECD on electronic commerce, digital signatures and certification authorities; and work by
APEC on certification practices and authorities.
7 Footnote **** to the Model Law on Electronic Commerce provides: The term “commercial” should be given a wide
interpretation so as to cover matters arising from all relationships of a commercial nature, whether contractual or not.
Relationships of a commercial nature include, but are not limited to, the following transactions: any trade transaction
for the supply or exchange of goods or services; distribution agreement; commercial representation or agency;
factoring; leasing; construction of works; consulting; engineering; licensing; investment; financing; banking;
insurance; exploitation agreement or concession; joint venture and other forms of industrial or business co-operation;
carriage of goods or passengers by air, sea, rail or road.
8 The UNCITRAL Model Law on International Commercial Arbitration was adopted by India as a model during the
drafting of the Indian Arbitration and Conciliation Act, 1996.


statutory form requirements such as requirements for certain contracts to be in
writing or signed.


The problem of jurisdiction in cyberspace is by far the most complex. The task
before us is to examine certain key concepts that are necessary constituents of
a tricky issue and perhaps juxtapose them against an overview of methods and
solutions. On an examination of jurisdiction under the Indian Information
Technology Act, 2000 [hereinafter “the Indian IT Act”], one is faced with the
question: Is Section 75 really as controversial as it seems? The answer is in the
negative. The Act, continuing a long tradition in law and commerce, merely
seeks to extend the boundaries of local/municipal law in a logical way, as will
be examined in the next chapter on Jurisdiction.


Throughout human history, no regime of regulation or of dispute resolution has
ever pretended to be the sole source to which parties turn to ease business
intercourse. In every culture and in every time, private arrangements as well as
governmental activity have attempted to reduce the occasions of conflict
necessitating the exercise of judicial decision-making. The economic world of
cyberspace at the beginning of the 21st century was no different. Trade
depends on confidence: confidence on the part of the buyer that goods or
services will conform to legitimate expectations, and confidence on the part of
the seller that payment will be prompt and complete. Such confidence, in the


interests of all parties, is fostered by industry self-regulation that reflects an
honest attempt to identify and resolve potential conflicts before they arise. The
forms of such regulation are many and are being actively explored, as e-
commerce becomes an increasingly important segment of the global economy.
They include voluntary codes of conduct, the provision of private arbitration
for the resolution of disputes, escrow accounts, agreements between buyers,
sellers and credit card companies, amongst others.


In determining under what circumstances extraterritorial jurisdictional
assertions are proper, courts and legislatures focused in the last half of the 20th
century, as they had previously, on physical location but at a different temporal
point. Most frequently, the focus was on where certain activities that gave rise
to the plaintiff’s claim had occurred. Where a negligent act took place, where a
contract was entered into9 or was to be performed,10 where a service was
performed, a security offered for sale, or a trademark infringed became the
touchstones of both personal and prescriptive jurisdictional inquiries. As long
as such an act occurred within the state’s boundaries, its assertion of both
personal and prescriptive jurisdiction was proper. As long as activities
continue to occur in “real” space, the place of such occurrences remains

9 Countries gave much thought to the rules regulating contract formation, presumably at least in part to guarantee
perceived desirable jurisdictional results. In Australia, for example, a contract is formed at the time and place its
acceptance is received by the offeror. The consumer is the offeror, so the typical consumer contract is “formed” when
and where the consumer receives the seller’s acceptance. Brazil, Colombia, and Romania also look to the residence of
the offeror, although in Brazil a contractual choice of a different law will be upheld if it is not in violation of public
policy. See Nestor Nestor & Kingston Petersen, “Written Remarks,” posted at <>.
In Canada, proposed legislation would fix the address of the consumer as the place in which an on-line contract was
formed. See “Canadian Law on Jurisdiction in Cyberspace,” submitted by Arlan Gates, Paul Tackaberry and Adam
Balinsky, posted at <> [hereinafter Gates].
10 The Brussels Convention permits domiciliaries of contracting states to be sued in the courts of another contracting
state where the contractual obligation in question is to be performed. Title II, Section 2, Article 5.



Technology, however, reduces and frequently may eliminate the need for
physical contact in the creation of legally significant relationships between
parties or between an actor and the state acting as regulator. The legal system
must then decide what relationship is necessary between the forum and either
the conduct occurring outside the forum or the parties. It is the tie between a
party and a forum, not necessarily a physical connection between the forum
and the conduct of that party that is critical. If the remote party (i.e. the party
never physically in the forum) knows that the proximate party is in (or is a
habitual resident of) the forum when the remote party interacts with the
proximate party, the remote party has created a tie between itself and the forum
state. Now it is the remote-party/forum relationship at the time of interaction,12
not at the time process is served, that matters. Whether such a tie is sufficient
to enable the forum to assert personal and prescriptive jurisdiction depends on
an analysis of additional factors (such as whether the remote party targeted the
forum, discussed below), but its existence is necessary to such assertions.


Some provisions of the Act have been deemed controversial. For example,
Section 75 states that the Act will apply to an offence or contravention

11 Of course, not all assertions of jurisdiction were based on this kind of conduct-based inquiry. For example, states
continue to assert jurisdiction over their citizens with respect to claims that arise outside of the state and to regulate
conduct that occurs elsewhere which is intended to and does cause substantial effects in the state. Nonetheless, a
concern with where relevant acts took place is central to many, if not most, decisions.
12 In some contexts, some countries have already implicitly recognised this in the specific context of electronic
commerce. Australia’s Electronic Transactions Act 1999 (Cth) provides default rules for the place of dispatch and
receipt of electronic communications (including the place of an offer or acceptance of a contract) based on the party’s
place of business or ordinary residence.


committed outside India by any person irrespective of his nationality, if the act
or conduct constituting the offence or contravention involves a computer,
computer system or computer network in India. A computer is only a medium
for communication. The use of a computer is not materially different from the
use of a phone or a car in the commission of a crime unless the computer has
been programmed for automatic action by its owner. It is not going to be easy
to acquire jurisdiction over a person not resident in India if a foreign country is
the scene of the crime and the criminal is not even an Indian citizen, merely
because a computer or a computer system in India has been utilized in some
way or other in connection with the crime. Nevertheless, if software or
hardware in India is damaged by a hacker based in a foreign country, there can
certainly be no dispute about India’s right to reach him and make him
accountable for the crime committed in India alone.

Where contravention of any provisions of the Act has occurred is a matter of
adjudication for compensation purposes by the adjudicating officer and for
criminal action by the court.


The Information Technology Act will go a long way in facilitating and
regulating electronic commerce. It has provided a legal framework for smooth
conduct of e-commerce. It has tackled the following legal issues associated
with e-commerce:

(a) requirement of writing; (b) requirement of a document; (c) requirement of a
signature; and (d) requirement of legal recognition for electronic messages,
records and documents to be admitted in evidence in a court of law.


However, the Act has not addressed the following grey areas:

(i) protection for domain names; (ii) infringement of copyrights laws; (iii)
jurisdiction aspect of electronic contracts (viz. Jurisdiction of Courts and
tax authorities); (iv) taxation of goods and services traded through e-
commerce; and (v) stamp duty aspect of electronic contracts.

The main objective of the Act is to provide legal recognition for transactions
carried out by means of electronic data interchange and other means of
electronic communication, commonly referred to as e-commerce, which
involve the use of alternatives to paper-based methods of communication and
storage of information to facilitate electronic filing of documents with the
Government agencies. Besides applying within India, the Act has extra-territorial
jurisdiction to cover any offence or contravention committed outside India by
any person.

1.6.1 Exemption/exclusion

The Act shall not apply to the following categories of transaction:

(a) Any Negotiable Instrument; (b) A Power of Attorney; (c) A Trust; (d) A
will including any other testamentary disposition; (e) Any contract for the
sale or conveyance of immovable property; and (f) Any other documents or
transactions as may be decided by the Central Government.



With the passing of the Act, any subscriber (i.e., a person in whose name the
Digital Signature Certificate is issued) may authenticate an electronic record by
affixing his Digital Signature. Electronic record means data, record or data
generated, image or sound stored, received or sent in an electronic form or
microfilm or computer generated microfiche.


Where any law provides for submission of information in writing or in
typewritten or printed form, from now onwards it will be sufficient compliance
with the law if the same is sent in electronic form. Further, if any statute
provides for affixation of a signature to any document, the same can be done by
means of a Digital Signature.

Similarly, the filing of any form, application or any other documents with the
Government Authorities and issue or grant of any license, permit, sanction or
approval and any receipt acknowledging payment can be done by the
Government offices by means of electronic form. From now onwards retention
of documents, records, or information as provided in any law, can be done by
maintaining electronic records. Any rule, regulation, order, by-law or
notification can be published in the Official Gazette or Electronic Gazette.

The Act, however, provides that no Ministry or Department of Central
Government or the State Government or any Authority established under any
law can insist upon acceptance of document only in the form of electronic



An electronic record can be sent by the addresser himself or by a person acting
under his authority. An acknowledgement may be given by any communication
by the addressee, automatic or otherwise. Any conduct of the addressee
sufficient to indicate to the addresser that the electronic record has been
received shall also be treated as sufficient acknowledgement.

The dispatch of an electronic record occurs when it enters a computer resource
outside the control of the originator (i.e., addresser). The time of receipt of an
electronic record is the time when the electronic record enters the digital
computer resource, or the time when the electronic record is retrieved by the
addressee. An electronic record is deemed to be dispatched at the place where
the addresser has his place of business and is deemed to be received at the
place where the addressee has his place of business.


Under the Act, the Central Government has the power to prescribe the security
procedure in relation to electronic records and Digital Signatures, considering
the nature of the transaction, the level of sophistication of the Parties with
reference to their technological capacity, the volume of transactions and the
procedures in general used for similar types of transactions or communications.



The Central Government may appoint a Controller of Certifying Authority who
shall exercise supervision over the activities of Certifying Authorities.

Certifying Authority means a person who has been granted a license to issue a
Digital Signature Certificate. The Controller of Certifying Authority shall have
powers to lay down rules, regulations, duties, responsibilities and functions of
the Certifying Authority issuing Digital Signature Certificates. The Certifying
Authority empowered to issue a Digital Signature Certificate shall have to
procure a license from the Controller of Certifying Authority to issue Digital
Signature Certificates. Detailed rules and regulations have been prescribed in
the Act, as to the application for license, suspension of license and procedure
for grant or rejection of license by the Controller of Certifying Authority.


Any person may make an application to the Certifying Authority for issue of
Digital Signature Certificate. The Certifying Authority while issuing such
certificate shall certify that it has complied with the provisions of the Act.

The Certifying Authority has to ensure that the subscriber (i.e., a person in
whose name the Digital Signature Certificate is issued) holds the private key
corresponding to the public key listed in the Digital Signature Certificate and
such public and private keys constitute a functioning key pair. The Certifying
Authority has the power to suspend or revoke Digital Signature Certificate.
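The check described above, as an added illustration and not the Act's text or any Certifying Authority's actual procedure: the applicant signs a fresh challenge issued by the Certifying Authority, and the signature must verify under the public key that will be listed in the certificate, which shows that the applicant holds the matching private key and that the two form a functioning key pair. The challenge-response design and the use of Go's standard-library ECDSA are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewChallenge produces a fresh random challenge that the Certifying
// Authority sends to the applicant. Freshness stops a signature captured
// from an earlier application from being replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// ProvePossession is the subscriber's side: sign the SHA-256 digest of the
// challenge with the private key claimed to match the submitted public key.
func ProvePossession(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyPossession is the Certifying Authority's side: the signature must
// verify under the public key that will be listed in the certificate.
func VerifyPossession(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo runs three constructed applications and returns whether each is
// accepted: an honest applicant, an applicant presenting a public key whose
// private key it does not hold, and a replay of an old signature against a
// new challenge. Only the first should be accepted.
func Demo() (honest, impostor, replay bool, err error) {
	subscriber, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	challenge, err := NewChallenge()
	if err != nil {
		return false, false, false, err
	}
	sig, err := ProvePossession(subscriber, challenge)
	if err != nil {
		return false, false, false, err
	}
	honest = VerifyPossession(&subscriber.PublicKey, challenge, sig)
	// Someone else's public key is presented: the applicant's signature
	// does not verify under it, so no certificate should be issued.
	impostor = VerifyPossession(&other.PublicKey, challenge, sig)
	// The same signature presented against a later, different challenge.
	newChallenge, err := NewChallenge()
	if err != nil {
		return false, false, false, err
	}
	replay = VerifyPossession(&subscriber.PublicKey, newChallenge, sig)
	return honest, impostor, replay, nil
}

func main() {
	honest, impostor, replay, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("matching key pair accepted:     %v\n", honest)
	fmt.Printf("mismatched public key accepted: %v\n", impostor)
	fmt.Printf("replayed signature accepted:    %v\n", replay)
}
```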



A subscriber can publish or authorize the publication of Digital Signature
Certificate. Similarly, he can accept such certificate.

It is the responsibility of a subscriber to exercise reasonable care to retain
control of the private key corresponding to the public key listed in his Digital
Signature Certificate and to take all steps to prevent its disclosure to any
unauthorized person.


If any person, without the permission of the owner, accesses the owner's
computer, computer system or computer network, or downloads copies or any
extract, or introduces any computer virus, or damages a computer, computer
system or computer network, data, etc., he shall be liable to pay damages by way
of compensation not exceeding Rupees One Crore to the person so affected.

For the purpose of adjudication, the Central Government can appoint any
officer, not below the rank of Director to the Government of India or any
equivalent officer of any State Government, to be an Adjudicating Officer. The
Adjudicating Officer, while trying cases of this nature, shall consider the
amount of gain of unfair advantage or the amount of loss that may be suffered
by a person. The aforesaid provisions were not incorporated in the Information
Technology Act, 2000 and the same were suggested by the Select Committee
of Parliament13.

13 In Delhi, the first case under the Act has already been registered by the police based on an FIR filed by a Retd.
Army Officer whose Internet time has been "stolen" by the accused. However, the accused has been granted bail by
the City Court. Interestingly, although passed by the Parliament, the Act did not come into force until recently and



Under the Act, the Central Government has the power to establish the Cyber
Regulations Appellate Tribunal. The Tribunal shall have the power to entertain
the cases of any person aggrieved by the Order made by the Controller of
Certifying Authority or the Adjudicating Officer.


Tampering with computer source documents shall be punishable with
imprisonment up to three years or a fine up to Rs. 2 lakhs or with both. Similarly,
hacking a computer system entails punishment with imprisonment up to
three years or with a fine up to Rs. 2 lakhs or with both.

Publishing of information, which is obscene in electronic form, shall be
punishable with imprisonment up to five years or with fine up to Rs. 1 lakh and
for second conviction with imprisonment up to ten years and with fine up to
Rs. 2 lakhs.


Under the Act, any police officer not below the rank of Deputy Superintendent
of Police, or any other authorized officer of the Central or State Governments,
may enter any public place and search and arrest without warrant any person
who is reasonably suspected of having committed, of committing, or of being

Notification to this effect was issued by the Central Government in the Official Gazette on June 19, 2000. This was
one of the pleas taken by the accused in the aforesaid case.


about to commit any offence under the Act. ‘Public place’ includes any hotel,
shop or any other place intended for use by or accessible to the public.14


The amendments to the Information Technology Act are, to a measurable extent,
a “reaction” to recent developments such as service provider liability issues and
auction sites, sleazy MMS clips and the like. In major part, desirable as most
reactions are, offences under the Act have been made compoundable15; that is to
say, the parties can compound the case, i.e. settle it between themselves. This is
welcome, as most crimes target specific individuals and it is right for individuals
to sort out the situation.

The offences which have been made compoundable are:

• Section 66: If a person dishonestly or fraudulently does any act which
damages the computer or the computer system, he is liable to a fine of up
to five lakhs or to imprisonment for a term of up to two years. A host of
new sections have been added to Section 66 as Sections 66A16 to 66F,
prescribing punishment for offences such as obscene electronic message
transmissions, identity theft, cheating by impersonation using a computer
resource, violation of privacy and cyber terrorism.

• Section 67 of the old Act is amended to reduce the term of imprisonment
for publishing or transmitting obscene material in electronic form to three

14 This amendment was suggested by the Select Committee of Parliament. Under the Indian Penal Code, even a
constable has the aforesaid power. However, the power given to the designated police officer is so wide that even on
suspicion or on his conviction that an offence is about to be committed, he can conduct search and arrest without any
warrant. There is a wide spread fear that this may be misused.
15 Section 77A provides that the ‘offences under sections 66, 66A, 72 and 72A may be compounded by the aggrieved
16 Section 66A has been struck down as unconstitutional by the Supreme Court in Shreya Singhal v. Union of


years from five years and increase the fine thereof from Rs. 100,000
(approximately USD 2000) to Rs. 500,000 (approximately USD 10,000).
A host of new sections have been inserted as Sections 67 A to 67C. While
Sections 67 A and B insert penal provisions in respect of offenses of
publishing or transmitting of material containing sexually explicit act and
child pornography in electronic form, Section 67C deals with the
obligation of an intermediary to preserve and retain such information as
may be specified for such duration and in such manner and format as the
central government may prescribe.
• In view of the increasing threat of terrorism in the country, the new
amendments include an amended Section 69 giving power to the state to
issue directions for interception, monitoring or decryption of any
information through any computer resource. Further, Sections 69 A and
B, two new sections, grant power to the state to issue directions for
blocking public access to any information through any computer
resource and to authorise the monitoring and collection of traffic data or
information through any computer resource for cyber security.
• Section 72: If a person is found in possession of some confidential
information like electronic record, book, register, correspondence and he
is found disclosing it to any third party without the consent of the person
concerned, then he shall be punished with imprisonment for a term which
may be up to two years, or a fine which may extend to One Lakh rupees,
or with both.
• Section 72A: If any person who, while providing services under the terms
of a contract, has secured access to any material containing personal
information about another person discloses that information, with the
intent to cause wrongful loss or wrongful gain, without the person’s consent
or in breach of a lawful contract, he shall be punished with imprisonment for


a term which may extend to two years or with fine which may extend to
five lakh rupees or with both.


It is important to remember that the internet is principally a medium, which can
be regulated by regulating its “layers”. A law, to be effective, must apply to (or
regulate) one or more “layers”, that is: (a) the physical (the wires, hardware, the
‘device’ itself); (b) the digital (the code or the “spectrum”); or (c) content
(whether prohibited or socially censored comments, or proprietary material).


In view of recent concerns about the operative provisions in the IT Act relating
to “Data Protection and Privacy”, in addition to contractual agreements between
the parties, the existing Sections (viz. 43, 65, 66 and 72A) have been revisited
and some amendments and more stringent provisions have been provided for in
the Act. Notable amongst these are:

• Section 43(A) is related to handling of sensitive personal data or
information with reasonable security practices and procedures. This
section has been inserted to protect sensitive personal data or information
possessed, dealt or handled by a body corporate in a computer resource
which such body corporate owns, controls or operates. If such body
corporate is negligent in implementing and maintaining reasonable
security practices and procedures and thereby causes wrongful loss or
wrongful gain to any person, it shall be liable to pay damages by way of
compensation to the person so affected.


• The gradation of severity of computer related offences under Section 66
has been amended: now, if an offence is committed dishonestly or
fraudulently, the punishment is a term which may extend to two
years or a fine which may extend to Rs 5 lakhs or both;

• The addition of Section 72 A for breach of confidentiality with the intent
to cause injury to a subscriber. This is recognised as providing sufficient
protection under the EC Directive.17

Contractual agreements are those agreements which are signed between parties
where one party provides services on the basis of the contract signed. There is
always a provision in any contractual agreement of not to disclose any
information which is imperative for the running of the business. According to
Section 72 (A), if anyone is found disclosing any information of a third person
without his consent, he shall be punished with imprisonment or a fine of Rs

The problem remains with ambiguous phrases. For instance, the amended
Section 43 (A) makes it mandatory for companies to include ‘reasonable
security measures’ while handling data. What precisely ‘reasonable’ means is
anyone’s guess. We would recommend organisations to follow the standards
prescribed by the Computer Emergency Response Team (CERT). CERT’s
primary role is to raise security awareness among the cyber community and to
provide technical assistance and advice to help them recover from computer
security incidents.

17 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of
personal data and the protection of privacy in the electronic communications sector (Directive on privacy and
electronic communications) available at



CERT provides technical advice to System Administrators and users to respond
to computer security incidents. It also identifies trends in intruder activity,
works with other similar institutions and organisations to resolve major security
issues, and disseminates information to the cyber community. CERT also
enlightens its constituents about the security awareness and best practices for
various systems and networks by publishing advice, guidelines and other
technical documents. The European Network and Information Security Agency
(ENISA) performs similar functions to the CERT. The basic regulation which
established ENISA is the Regulation (EC) No 460/2004.18


The new amended Act of 2006 provides for an Indian Computer Emergency
Response Team to act as a central agency in respect of Critical Information
Infrastructure19 for coordinating all actions relating to information security
practices, procedures, guidelines, incident prevention, response and reporting.20

CERT has been operational since January 2004. The main motive for setting up
such a team is to keep malicious worms out of our systems. In today’s world,
where most work is done by computers, our entire efficiency and national data
were at risk of being tampered with by malicious hackers. CERT was set up to
avoid any such problems. CERT-In is the

March 2004 establishing the European Network and Information Security Agency available at
19 “Information infrastructures form an essential part of critical infrastructures. In order effectively to protect critical
infrastructures, therefore, countries must protect critical information infrastructures from damage and secure them
against attack. Effective critical infrastructure protection includes identifying threats to and reducing the vulnerability
of such infrastructures to damage or attack, minimizing damage and recovery time in the event that damage or attack
occurs, and identifying the cause of damage or the source of attack for analysis by experts and/or investigation by law
enforcement.” G8 Principles for Protecting Critical Information Infrastructures (Adopted by the G8 Justice & Interior
Ministers, May 2003) available at <>
20 Section 70 A of the Act


national nodal agency for responding to computer security incidents as and
when they occur. In the recent Information Technology Amendment Act 2008,
CERT-In has been designated to serve as the national agency to perform the
following functions in the area of cyber security: -

1. Collection, analysis and dissemination of information on cyber incidents.
2. Forecast and alerts of cyber security incidents
3. Emergency measures for handling cyber security incidents
4. Coordination of cyber incidents response activities
5. Issue guidelines, advisories, vulnerability notes and whitepapers relating

to information security practices, procedures, prevention, response and
reporting of cyber incidents.
6. Such other functions relating to cyber security as may be prescribed.21

Whenever a new technology arrives, its misuse is not long in following: the
first worm in the IBM VNET was covered up. Shortly afterwards a worm hit the
Internet, on 3 November 1988, when the so-called Morris Worm paralyzed a
good percentage of it. This led to the formation of the first Computer
Emergency Response Team at Carnegie Mellon University under U.S.
Government contract.22 The Indian Computer Emergency Response Team
(CERT-In) is assisting the Department of Information Technology in putting in
place a national cyber security strategy and a national information security
governance policy. CERT-In explains how an organization seeks to ensure the
safety and security of Indian cyber space. The purpose of CERT-In is to
become the nation's most trusted referral agency for responding to computer
security incidents as and when they occur.23 With the increasing use of IT, there
is an increasing reliance on interdependent and cyber-supported infrastructure.



Technological advances have created new vulnerabilities to equipment failure,
human error, weather and natural causes, and intentional physical and cyber
attacks. Since threats to critical national IT infrastructure through these
vulnerabilities are likely to have a crippling effect on the economy as well as on the
safety and well-being of society, addressing them will increasingly require coordinated
efforts between the government and the private sector, both within the country
and with other bodies around the world. In view of this, it was felt
necessary to establish CERT-In to ensure the safety and security of Indian
cyber space.24

The Department of Information Technology, Ministry of Communications and
Information Technology, Government of India, has established the Indian
Computer Emergency Response Team (CERT-In). As part of CERT-In, each
sector needs to set up a Sub-CERT, and IDRBT is the Sub-CERT for the Indian
Banking and Financial Sector.


• Role of CERT-In
– Computer Security Incident Response (Reactive)
– Computer Security Incident Prevention (Proactive)
– Security Quality Management Services

• Information Exchange
– With sectoral CERTs (CSIRTs), CIOs of Critical Infrastructure organizations, ISPs, Vendors

• International Collaboration
– Member of FIRST
– Member of APCERT
– Research Partner: APWG
– Functional relationship with US-CERT and CERT/CC


1. Central point for reporting incidents: the following information should
be given when reporting any incident:
• time of occurrence
• information regarding the affected system
• symptoms observed
• relevant technical information, such as the security system deployed and
actions taken to mitigate the damage.

2. Database of incidents


1. Analysis of trends and patterns of intruder activity
2. Develop preventive strategies for the whole constituency
3. In-depth look at an incident report or an incident activity to determine the
scope, priority and threat of the incident.


1. Incident response is a process devoted to restoring affected systems to
2. Send out recommendations for recovery from, and containment of, damage
caused by the incidents.
3. Help the System Administrators take follow-up action to prevent
recurrence of similar incidents


A vulnerability is a flaw which enables a hacker to bypass security measures. Any
such act, whether done with a bona fide or a mala fide intention, should be
reported to CERT-In quickly, before it is too late.


1. Provide a single point of contact for reporting local problems: the entire
CERT programme is run and managed by the Indian government. Its main
role is to safeguard the interests of the people of the country and to secure
important national data, preventing it from falling into the wrong hands before they do
something unfriendly with it.

2. Assist the organizational constituency and the general computing community
in preventing and handling computer security incidents: as already
discussed, every new invention in this world is followed by a threat.
That threat can also take the form of a vulnerability. Hence, to
prevent such a catastrophic incident from taking place, the threat posed by a vulnerability
should be stopped.

3. Share information and lessons learned with CERT/CC, other CERTs,
response teams, organizations and sites: as far as the reporting of such
information is concerned, it is quite evident that the more information
about any worm or any mishap is given to CERT, the lesser will
be its impact on future endeavours.

4. Incident response: an incident should be reported to the team as soon as
any intervention of this type is encountered. Leaving open any such
possibility of a breach of our secure Internet systems is fatal to us.

5. Provide a 24 x 7 security service: CERT provides a 24/7 security
service so that a threat can never dismantle the main server, and to prevent
any attacker from making any malicious move.

6. Offer recovery procedures: there are many procedures and guidelines
given on the home page of CERT; using those and the newly upgraded
law, we can seek recovery procedures.

PROACTIVE

1. Issue security guidelines, advisories and timely advice: there are many
guidelines actively working across the system to provide a
shield that avoids and prevents any misuse. A few of them are CISG 2010-01,
CISG 2011-3 and CISG 2011-2.

2. Vulnerability analysis and response: for any kind of vulnerability
response, the first and foremost thing to be done is to inform
CERT. They have the technology and the authority to track down such a
vulnerable person, who hacks into the system for doing something

3. Risk analysis: the chances of risk in such a situation are extreme.

4. Profiling attackers: CERT has, more or less, the profiles of the main
attackers who could come out with a plan to disrupt the free flow of the
cyber system of the country. To avoid this, a profile of each attacker is kept
so that the team can use it when needed.

5. Conduct training, research and development: the team has undergone
various training programmes in which they are taught how to eradicate the
problem. In the course of such eradication, many new programmes are also developed
to fight day-to-day problems.

6. Interact with vendors and others at large to investigate and provide
solutions for incidents: the team is highly qualified to take cognizance of
a cyber offence, can discuss the gravity of the offence, and can direct
that it be investigated.


The Act provides for essentially economic offences or crimes in the medium
that are linked to economic loss or detriment. The Government would do well to
take a proverbial leaf from the OECD Guidelines for the Security of Information
Systems and Networks27 and the Council of Europe’s Convention on
Cybercrime.28 Social offences like pornography when included are superfluous
due to the existing provisions in the Indian Penal Code covering pornography.
Though pornography has not been defined under the Code, Section 292 clearly
states that “a book, pamphlet, paper, writing, drawing, painting representation,
figure or any other object, shall be deemed to be obscene if it is lascivious or
appeals to the prurient interest or if its effect,” and neither the language nor the
expression has changed from 1860, the year when the Indian Penal Code came into
force. The inclusion of a provision banning child pornography could well be a
case of ‘over legislation’ considering the existing blanket ban on pornography
per se; both in the Information Technology Act, 2000 (Section 67) as well as the
Indian Penal Code, 1860 (Section 292).

27 See OECD Guidelines for the Security of Information Systems and Networks available at
28 Convention on Cybercrime available at <>


A ‘fresh’ Section 68(A) has been proposed for providing modes and methods
for encryption for secure use of the electronic medium. This is a welcome
guidance. Section 69, related to power to issue directions for interception or
monitoring or decryption of any information through any computer resource,
has been amended to take care of the concerns of the Ministry of Home Affairs
which include the safety, sovereignty, integrity of India, defence of India, to
maintain friendly relations with other nations and preventing incitement to the
commission of any cognizable offence.

A new Section 79A29 (Examiners of Electronic Evidence) has been added to
notify the examiners of electronic evidence by the Central Government. This
will help the Judiciary/Adjudicating officers in handling technical issues.

Section 79 has been revised to bring-out explicitly the extent of liability of
intermediary in certain cases. The EU Directive on E-Commerce 2000/31/EC
issued on June 8th 2000 has been used as a guiding document.30


• The term “digital signature” has been replaced with “electronic

• “Communication Device” has been defined as cell phones, personal
digital assistants or a combination of both, or any other device used to
communicate, send or transmit any text, video, audio or image.

29 Section 79A – ‘The Central Government may, for the purposes of providing expert opinion on electronic form
evidence before any court or other authority specify, by notification in the Official Gazette, any Department, body or
agency of the Central Government or a State Government as an Examiner of Electronic Evidence.’
30 See Section 4 Article 12 of EU Directive on E-Commerce 2000/31/EC issued on June 8th 2000 available at


• “Cyber café” has been defined as any facility from where the access to
the internet is offered by any person in the ordinary course of business to
the members of the public.

• A new definition has been inserted for “intermediary”. “Intermediary”
with respect to any particular electronic records, means any person who
on behalf of another person receives, stores or transmits that record or
provides any service with respect to that record and includes telecom
service providers, network service providers, internet service providers,
web-hosting service providers, search engines, online payment sites,
online-auction sites, online market places and cyber cafes, but does not
include a body corporate referred to in Section 43A.

• A new Section 10A has been inserted to the effect that contracts
concluded electronically shall not be deemed to be unenforceable solely
on the ground that electronic form or means was used.

• The damages of Rs. One Crore (approximately USD 200,000) prescribed
under Section 43 of the earlier Act for damage to computer, computer
system etc has been deleted and the relevant parts of the section have
been substituted by the words, “he shall be liable to pay damages by way
of compensation to the person so affected”.

• A proviso has been added to Section 81, which states that the provisions
of the Act shall have overriding effect. The proviso states that nothing
contained in the Act shall restrict any person from exercising any right
conferred under the Copyright Act, 1957.



The amendments ignore existing international classifications of cyber crimes.
The Council of Europe’s Convention on Cybercrime31 identifies the following
as offences which should be incorporated into substantive criminal law; some of
the provisions are particularly relevant, namely:

I. Computer-related offences
Computer-related fraud (Art. 8)

II. Content-related offences
Racial hatred, obscenity, amongst other classifications

III. Offences related to infringements of copyright and related rights
Offences related to infringements of copyright and related rights (Art. 10)


While the amended version of the Act strengthens provisions on confidentiality
and data privacy, the inclusion of a solitary provision on data privacy is quite in
contrast to Europe, where data protection provisions are enshrined in Directives
at the EU level and in national legislation. In fact, data protection is a sine qua
non for aspirant members of the European Union, and also for companies who
receive data from the EU.

“Data subjects” must have rights enshrined in explicit rules with a detailed
enforcement mechanism, rather than relying on a lone section to do
the task elsewhere performed by an entire Act. A detailed data protection law is
needed, not merely for the ITES industry but for the citizens of India. The right
to know, balanced with the right to privacy, is the hallmark of a democracy.

31 See Convention on Cybercrime available at <>



The Information Technology Act [“the Act”], as in the case of all legislation, is
supposed to be for every citizen, especially the non-specialist: its language
should be comprehensible to anyone who is likely to be affected by it, either as
one who provides any services or conducts any business, or as a consumer who
avails of any services or supplies through the electronic medium. The danger
of being enveloped in long and tortuous sentences and unnecessary jargon
seems to manifest itself in the Act.

It will be no exaggeration to say that the following provisions of the
Explanation to sub-section (2) of Section 3 will need a lot of explanation and
will not serve any purpose in their present form: ‘For the purpose of this sub-
section, “hash function” means an algorithm mapping or translation of one
sequence of bits into another, generally smaller set, known as “hash result”,
such that an electronic record yields the same hash result every time the
algorithm is executed with the same electronic record as its input’, making it
computationally infeasible

(a) to derive or reconstruct the original electronic record from the hash result
produced by the algorithm;

(b) that two electronic records can produce the same hash result using the same
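As an added illustration, not part of the module text, the following Python code shows in practice what the Explanation to Section 3(2) is trying to say: a hash function (here SHA-256 from the Python standard library) maps an electronic record of any length to a fixed, smaller hash result that is the same every time for the same record, so that a verifier who recomputes it can detect any alteration. The sample records are constructed for this example.

```python
"""Added example (not from the module text): what the Explanation to
Section 3(2) means by a "hash function", shown with SHA-256 from the
Python standard library. The sample records below are constructed."""
import hashlib
import hmac


def hash_result(record: bytes) -> str:
    """Map an electronic record of any length to a fixed-size hash result
    (64 hex characters, i.e. 256 bits)."""
    return hashlib.sha256(record).hexdigest()


def is_deterministic(record: bytes, runs: int = 3) -> bool:
    """The same record must yield the same hash result every time the
    algorithm is executed with that record as its input."""
    results = {hash_result(record) for _ in range(runs)}
    return len(results) == 1


def is_fixed_size(records: list) -> bool:
    """The hash result is 'generally smaller': every record, whatever its
    length, maps to exactly 64 hex digits."""
    return all(len(hash_result(r)) == 64 for r in records)


def records_collide(record_a: bytes, record_b: bytes) -> bool:
    """Property (b): it should be computationally infeasible to find two
    different records that share one hash result. Returns True only if such
    a collision is actually observed."""
    return record_a != record_b and hash_result(record_a) == hash_result(record_b)


def verify_integrity(record: bytes, expected_hash: str) -> bool:
    """How a verifier uses the hash: recompute it over the record received and
    compare it with the hash that was signed or stored. Property (a) is what
    makes it safe to publish the hash: it reveals nothing about the record."""
    return hmac.compare_digest(hash_result(record), expected_hash)


# Constructed sample electronic record and a one-character alteration of it.
ORIGINAL_RECORD = b"Agreement: A sells 100 units to B at Rs. 500 per unit."
ALTERED_RECORD = b"Agreement: A sells 100 units to B at Rs. 5000 per unit."

if __name__ == "__main__":
    stored = hash_result(ORIGINAL_RECORD)
    print("hash result:", stored)
    print("original record verifies:", verify_integrity(ORIGINAL_RECORD, stored))
    print("altered record verifies:", verify_integrity(ALTERED_RECORD, stored))
```

Run as a script, the block prints the hash of the original record and shows that the original verifies against it while the altered record does not; `records_collide` is included to make property (b) concrete, since the only way to show a collision would be to find one, which is exactly what the definition says must be infeasible.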

Section 40, unfortunately, is no better:

‘Where any digital signature certificate, the public key of which corresponds to
the private key of that subscriber which is to be listed in the digital signature
certificate, has been accepted by the subscriber, then, the subscriber shall
generate the key pair by applying the security procedure.’



Directive 2000/31/EC of the European Parliament and of the Council of June 8,
2000 on Certain Legal Aspects of Information Society Services, in Particular
Electronic Commerce, in the Internal Market

The largest development involves the European Commission’s adoption on
June 8th of its Electronic Commerce Directive, which aims to remove barriers
to e-commerce.32

The Directive includes various provisions affecting search engines such as:

(i) a company providing “information society services” (e.g. selling goods or
providing information on line) will be subject to the law of the Member State
in which it is established, irrespective of where the recipient of the service is
based (the “country of origin" principle);

(ii) Internet service providers (ISPs) receive some exemption from liability for
infringing material transmitted over their systems by third parties, provided
certain conditions are met;

32 Member States have until 16 January 2002 to implement the provisions of the Directive into their national laws.


(iii) unsolicited commercial e-mail (“spam”) must be clearly identifiable as
such, and companies sending this kind of e-mail must regularly consult any
relevant opt-out registers.

The Indian Act makes a distinction between an access provider, who provides
access, and the content provider, who provides the content, for the sake of
determining liability. It establishes that a network service provider is not
subject to criminal or civil liability for third-party material for which, or to
which, the provider merely provides access. Network service providers will
continue to be liable for their own content, or third-party content that they
adopt or approve of.33 The Indian Information Technology Act immunizes Internet
Service Providers against liability arising out of any distressing content or
defamatory statements or such content as is likely to violate any law. By
reducing the liability of service providers, the Act ensures that they are not
penalized for content which is beyond their control.

The primary issue is whether Section 292 IPC could be invoked for a Web site
search results issue. Section 292 defines obscenity. However, it says that a
book, pamphlet, paper, writing, drawing, painting, representation, figure or any
other object, shall be deemed to be obscene if it is lascivious or appeals to the
prurient interest, or (where it comprises two or more distinct items) the effect
of any one of its items, is, if taken as a whole, tends to deprave and corrupt
persons who are likely, having regard to all relevant circumstances, to read, see
or hear the matter contained or embodied in it.

The controversy is as to how to define the words "any other object". Section 292
(1) IPC speaks of a book, pamphlet, paper, writing, drawing, painting,
representation, figure or any other object. All the objects defined under Section
292 are corporeal and material in nature. Can we interpret the words "any other
object" in such a broad manner as to include anything and everything in
Cyberspace? Can "any other object" also mean a virtual object? These issues are
very complicated, and any attempt to apply the provisions of Section 292 IPC
to the cyber world is an exercise fraught with difficulties.

33 A survey of Latin American countries reveals that at least Brazil, Ecuador, El Salvador, Uruguay and Venezuela have pending legislation and/or regulations pertaining to electronic commerce, though none of these pending rules would specifically address a search engine’s liability for trademark infringement.


(a) Licensing of cross-border telecom systems: a perspective on the Indian
regulatory impasse on telecom. The Indian telecom authorities are
undecided on the issue of whether to allow voice over telephony, in the
light of resistance from the Department of Telecommunications (DoT).

(b) Encryption: testing 'legality' in India. A study in the light of Section 14 of
the Indian Information Technology Act, 2000. Is encryption allowed
under Indian law? The government says “no”, but the Act appears to
say “yes”. As per government policy, as evidenced by periodic notices
and circulars, encryption is illegal in India; however, the Act seems to
say otherwise, as would appear from a reading of Section 14 of the
legislation. Laws exist in India that can be interpreted to read
that transmission of data with any form of encryption is illegal, and the onus of
prevention is upon the service provider concerned. However, much of
current Internet technology, including secure Web servers, PGP-encrypted
e-mail and Virtual Private Networks, is based on encryption.
Prevention may be technically impossible, and this could be used as
grounds for revocation of a private ISP licence.

(c) Data protection: the 'absence' of regulatory or legal norms and the impact
on business in India. There is no specific legislation in India for the
protection of data. Unlike the United Kingdom, India does not have such
legislation, although the protection accorded to electronic data in the
Act, juxtaposed with other legislation, can point towards a solution.


The problem with an online contract arises from the question of how to enforce
a contract that does not have a document backing it and how this contract is to
be proved in court. The issue is dealt with in a detailed chapter on Electronic


Contracts that are written and signed are more certain and therefore easier to
enforce. This is because a document lends some degree of
authenticity as to the contract's formation and facilitates easier enforcement of it.
Documents are also required for evidentiary purposes. Section 64 of the
Indian Evidence Act, 1872 (the Evidence Act) states that documents must be
proved by primary evidence except in the cases specifically provided for. The
contents of any document which have to be proved have to be proved by the
original of the document itself being produced in Court, except in a few limited

If a computer printout, or any information which is visible on the screen of the
computer, is included in the definition of document, the question arises as to
what is an original with respect to a computer printout, or information contained
in a computer. The Evidence Act lays emphasis on original documents because, once
any information is reduced to actual physical fixation in the conventional sense,
it is difficult to alter it. On a thorough examination it is possible to identify any
alteration to an original of a document.

The Indian Act seeks to resolve this issue by stating that where the law requires
any record to be presented in original form, that requirement is satisfied by an
electronic record if there exists reliable assurance as to the integrity of the
record and where it is required that a record be presented, that record is capable
of being displayed to the person to whom it is being presented.


Under the Indian Contract Act, 1872, the acceptance of a valid offer results in a
valid contract. It is crucial to know when a contract is concluded online and
whether any difference exists between contracts concluded online and those concluded
by traditional modes, such as via post.

Section 4 deals with the rule regarding completion of communication of
acceptance. The communication of acceptance is complete as against the
offeree when it comes to the knowledge of the offeror. But the Supreme Court has
held that in the case of communication by oral means, by telex or by telephone,
an acceptance is communicated only when it is actually received by the offeror.

This question has to be addressed in the case of e-commerce, where, more often
than not, acceptance is made via email or by pressing the ‘Accept’ or ‘Buy’ icon.
The question that would arise is when the acceptance has been conveyed, i.e. is it

a) when the email was sent; or
b) when it was received by the addressee; or
c) when it reaches the ‘host computer’ which provides the email facility to
the addressee.

As seen earlier, where the communication is by instantaneous means the court
has held that the acceptance is communicated only when the communication
remains open. Would the acceptance be deemed to have been communicated at
the place where the offeree clicks the “Accept” icon (as the action of clicking
the icon is done on the offeree’s computer)? Or would it be deemed to have been
communicated where the server (which actually hosts the ‘Accept’ icon) is
located? Or would it be the place where the offeror actually reads the
acceptance on his computer (which can be at a different place from the location of
the server)?

In Germany, judicial practice has established that a message sent by email is
deemed to be received when it reaches the host computer of the addressee (if the
addressee has published the email address on his visiting card or letterhead or
otherwise makes it publicly known.)

In South Africa, when the acceptance is by way of post, the contract will be
concluded at the time when, and at the place from where, the acceptance is
posted. This is known as the ‘expedition’ theory. Where the acceptance is
notified by means of fax or telegram, the contract is concluded at the time and
place where the offeror learns of the acceptance. This is called the ‘information
theory’. According to the law firm Werksmans Attorneys, acceptance via email
would be based on the information theory.

The Indian Act deals with the issue as to when the receipt and dispatch of
electronic records take place. According to it, the dispatch of an electronic record
is deemed to take place when it reaches an information system outside the
control of the person who sent the electronic record, and it is deemed to be
received when it is received by, or reaches an information system designated by,
the person to whom it is sent. This is to be read with existing Indian law and the
correct position interpreted.

The Indian Act specifically excludes from its purview contracts relating to the
creation and execution of wills, execution of negotiable instruments, acts
relating to declaration of trust and power of attorney, immovable property, titles
for movable and immovable property, etc.


These systems are considered very secure since it is not possible for third parties
to obtain these details and misuse them. Visa and MasterCard have developed a
system for online payment called Secure Electronic Transaction (SET).

An electronic payment system is a system which helps the customer or user to
make online payments for their shopping. It facilitates the acceptance of
electronic payment for online transactions. It can also be regarded as an instance of
electronic data interchange. Electronic payment systems have become
increasingly popular due to the widespread use of Internet-based shopping
and banking. Such a system enables a customer to pay online for goods and services
by using an integrated hardware and software system.
Some examples of EPS:

• Online reservations
• Online Bill payment
• Online order placing
• Online ticket booking

Requirements of Electronic Payment Systems:


• Reliability: as in any other business activity, even in online payment
methods the user expects a reliable and efficient system. Any online
payment system would fail, despite its advanced technological
features, if it fails to gain user acceptance and pass their reliability

• Atomicity: atomicity guarantees that either the user’s online payment
transaction is completed or it does not take place at all. If the current
online transaction fails, then it should be possible to recover the last stable
state. This feature resembles transactional database systems, in which
a transaction is either committed or rolled back.
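The atomicity requirement can be seen concretely in the following added example, which is not from the module text: a small ledger kept in SQLite (Python standard library) in which a payment is two updates wrapped in one database transaction. If the debit fails, for instance because the customer's balance would go negative, the credit already applied to the merchant is rolled back and the last stable state is recovered, exactly as the requirement describes. Account names and balances are constructed sample data.

```python
"""Added example (not from the module text): the atomicity requirement for
an online payment, shown with a SQLite ledger from the Python standard
library. Account names and balances are constructed sample data."""
import sqlite3


class PaymentError(Exception):
    """Raised inside the transaction when a payment cannot be completed."""


def open_ledger() -> sqlite3.Connection:
    """Create an in-memory ledger; the CHECK constraint forbids overdrawing."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        " name TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("customer", 1000), ("merchant", 0)])
    conn.commit()
    return conn


def balance(conn: sqlite3.Connection, name: str) -> int:
    row = conn.execute("SELECT balance FROM accounts WHERE name = ?", (name,)).fetchone()
    return row[0]


def pay(conn: sqlite3.Connection, payer: str, payee: str, amount: int) -> bool:
    """Move `amount` from payer to payee atomically.

    Both UPDATEs run inside one transaction: `with conn:` commits when the
    block finishes and rolls back when it raises, so the ledger is never left
    with the payee credited but the payer not debited. Returns True when the
    payment was committed and False when it was rolled back."""
    if amount <= 0:
        return False
    try:
        with conn:
            # Credit first, deliberately, so that a failing debit demonstrates
            # that the partial update is undone.
            credited = conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE name = ?",
                (amount, payee)).rowcount
            debited = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE name = ?",
                (amount, payer)).rowcount
            if credited != 1 or debited != 1:
                raise PaymentError("unknown account")
        return True
    except (sqlite3.IntegrityError, PaymentError):
        # Either the CHECK constraint fired (insufficient funds) or an account
        # was missing; the `with` block has already rolled the credit back.
        return False


if __name__ == "__main__":
    ledger = open_ledger()
    print("pay 400:", pay(ledger, "customer", "merchant", 400),
          balance(ledger, "customer"), balance(ledger, "merchant"))
    print("pay 1500:", pay(ledger, "customer", "merchant", 1500),
          balance(ledger, "customer"), balance(ledger, "merchant"))
```

Run as a script, the first payment commits and the second is refused with both balances unchanged; the same pattern (one transaction around every step of the transfer, and a constraint that refuses an invalid state) is what the text means by resembling a transactional database in which a transaction is either committed or rolled back.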

Types of Electronic Payment System:
• Payment Cards
• E-cash
• E-wallets
• E-cheque
• Electronic fund transfer
• Micro payment systems

Payment Cards:
Payment cards are all types of plastic cards which consumers use to make
purchases:

• Credit Cards: such as Visa or MasterCard; these have a preset spending limit
based on the user’s credit limit.

• Debit Cards: remove the amount of the charge from the cardholder’s
account and transfer it to the seller’s bank.

• Smart Cards: similar to a credit card; however, a smart card contains an
embedded 8-bit microprocessor and uses electronic cash which transfers
from the consumer’s card to the seller’s device.

Payment acceptance and processing:
• Open-loop and closed-loop systems will accept and process payment cards.
• A merchant bank or acquiring bank is a bank that does business with
merchants who want to accept payment cards.
• Software packaged with your electronic commerce software can handle
payment card processing automatically.


Electronic Cash:
• Electronic cash is a general term that describes the attempts of several
companies to create a value storage and exchange system that operates
online in the same way that government-issued currency operates. It is a
system that allows a person to pay for goods or services by transmitting a
number from one computer to another.
• Like the serial numbers on real currency notes, the e-cash numbers are
unique. It is anonymous and reusable.
• Concerns about electronic payment methods include: privacy, security,
independence, portability and convenience.

Electronic Wallets: an electronic wallet serves a function similar to a
physical wallet. It holds credit cards, electronic cash, owner identification and
contact number. Electronic wallets fall into two
categories based on where they are stored:

• Server-side electronic wallet
• Client-side electronic wallet

Electronic wallets store shipping and billing information, including zip code,
city, state, etc. Example: Microsoft Wallet, etc.

Electronic Cheque: an e-cheque is an electronic version of a paper cheque.
Fast cheque processing and very low transaction. This system is usually
developed based on an electronic payment protocol which supports payment
transactions. Its basic attributes are acceptability, guaranteed payment, no
transaction charges and anonymity. These can be used for small and large

Electronic Fund Transfer:
• Electronic fund transfer is used for transferring money from one bank
account directly to another without any paper money changing hands.
• It can be direct debit payments or electronic bill payment in online


Micro Payment System: a micropayment is an e-commerce transaction
involving a very small sum of money in exchange for something made available
online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be
as low as a fraction of a cent. A special type of system is required for such
payments, which are too small to be feasible for processing through credit card
companies, since transactions can become costly when customers purchase
inexpensive items.

Advantages of Electronic Payment System:

• Increased speed and convenience.
• Increased sales.
• Reduced transaction costs.

Disadvantages of Electronic Payment System: -

• Security concerns
• Disputed transactions


Electronic Cash is more secure and anonymous than credit cards when making
payments for transactions. It is specifically useful for small transactions.


Anyone wishing to use electronic cash can purchase a certain number of units
from a member bank for a particular value in a local currency. He or she can
then use it for making payments over the Internet. The receiver of electronic
cash can either use it for making similar payments over the Internet or redeem it
at any member bank for his country’s own currency.


India should start thinking and debating on introducing electronic cash or
something similar to it. If any party to the transaction is a foreign party, the
Exchange Control Regulations will also come into picture.


Security is the single biggest obstacle to the growth of e-commerce. There are
basically two kinds of security problems: according to a survey, teenage hacking
accounts for only 7% of reported violations, while infiltration by competitors
accounts for 39% of the violations.

Under the Indian Telegraph Act, 1885, “if any person with intention to prevent
or obstruct the transmission or delivery of any message, or to intercept or to
acquaint himself with the contents of any message, or to commit mischief,
damages, removes, tampers with or touches any battery, machinery, telegraph
line, post or any other thing whatever, being part of or used in or about any
telegraph or in the working thereof, he shall be punished with imprisonment for
a term which may extend to three years or with fine or both”.

There is a possibility that any attempt at hacking could be punishable under this


One of the most important conditions for e-commerce’s survival is the ability to
safeguard all electronic transactions. Unless an electronic transaction is secure, it
would be difficult to determine its authenticity. Also, users will be hesitant to
send confidential information over the net. The existence of safeguards and an
assurance that such transmissions are foolproof will go a long way towards
boosting e-commerce. The most common way of protecting electronic
transactions is through cryptography (i.e. encryption techniques). Cryptography
uses sophisticated mathematical algorithms, particularly a technology known as
“asymmetric cryptography”. Cryptography can be differentiated between the:
• use of cryptography for confidentiality of a message; and
• use of cryptography in digital signatures.
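As an added example that is not part of the module text, the following Python code shows the two uses side by side with textbook RSA: encryption under the recipient's public key for confidentiality of a message, and signing under the subscriber's private key for a digital signature that anyone can verify with the public key. The key pair is built from two constructed Mersenne primes and no padding is used, so the block illustrates the mechanism rather than a deployable implementation; the sample record is also constructed.

```python
"""Added example (not from the module text): the two uses of asymmetric
cryptography the text distinguishes, confidentiality and digital signatures,
shown with textbook RSA using only the Python standard library. The key is
built from two constructed Mersenne primes, 2^31-1 and 2^61-1, which keeps
the arithmetic readable; it is far too small, and unpadded, for real use."""
import hashlib
import math

P = 2**31 - 1   # constructed toy primes (real keys use 1024-bit primes or larger)
Q = 2**61 - 1
E = 65537       # conventional public exponent


def generate_keys(p: int, q: int, e: int = E) -> tuple:
    """Return ((e, n), (d, n)); d is the inverse of e modulo (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)
    return (e, n), (d, n)


PUBLIC_KEY, PRIVATE_KEY = generate_keys(P, Q)   # public: published; private: subscriber only


def _rsa(key: tuple, value: int) -> int:
    """Core operation shared by both uses: value^exponent mod n."""
    exponent, modulus = key
    return pow(value, exponent, modulus)


# Use 1: confidentiality. Anyone encrypts with the recipient's public key;
# only the holder of the matching private key can decrypt.
def encrypt(public_key: tuple, plaintext: bytes) -> list:
    """Toy byte-at-a-time encryption (each byte value is below n). Real
    systems encrypt a symmetric key once, with padding, rather than raw bytes."""
    return [_rsa(public_key, b) for b in plaintext]


def decrypt(private_key: tuple, ciphertext: list) -> bytes:
    return bytes(_rsa(private_key, c) for c in ciphertext)


# Use 2: digital signature. The subscriber applies the private key to a hash of
# the record; anyone holding the public key can verify it, and any change to
# the record or to the signature makes verification fail.
def message_digest(message: bytes, modulus: int) -> int:
    """SHA-256 of the record, reduced mod n so the toy key can sign it
    (real schemes apply a padding standard such as PKCS#1 or PSS instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(private_key: tuple, message: bytes) -> int:
    return _rsa(private_key, message_digest(message, private_key[1]))


def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    return _rsa(public_key, signature) == message_digest(message, public_key[1])


if __name__ == "__main__":
    record = b"Pay Rs. 500 to B"  # constructed sample record
    print("round trip:", decrypt(PRIVATE_KEY, encrypt(PUBLIC_KEY, record)) == record)
    sig = sign(PRIVATE_KEY, record)
    print("genuine record verifies:", verify(PUBLIC_KEY, record, sig))
    print("altered record verifies:", verify(PUBLIC_KEY, b"Pay Rs. 5000 to B", sig))
```

The same `_rsa` operation serves both uses; what differs is which key is applied and by whom. For confidentiality the sender uses the recipient's public key and only the recipient can reverse it, whereas for a signature the subscriber uses the private key over a hash of the record and everyone can check the result, which is the property the Act relies on when it ties a digital signature certificate to the subscriber's key pair.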

