- In India, the Information Technology Act, 2000, as amended from time to time, governs all activities related to the use of computer resources.
Why was the Information Technology Act, 2000 enacted?
- The Act was enacted to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce.”
What mandate does the Act give to electronic governance?
- The Act is also meant to facilitate electronic filing of documents with the Government agencies and to promote efficient delivery of Government services by means of reliable electronic records.
What is the jurisdictional extent of this Act?
- The Act extends to the whole of India (including the State of Jammu & Kashmir).
- It also applies to any offence or contravention thereunder committed outside India (extra-territorial jurisdiction) by any person, irrespective of nationality, if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.
What is meant by the term Functional Equivalent Approach?
- The functional equivalent approach extends the notions of traditional paper-based legal requirements, such as “writing”, “signature” and “original”, to their electronic counterparts, so that an electronic record or signature that performs the same function is given the same legal effect.
What are the various cyber offences listed under the Act?
- The Act categorises cyber offences under the following heads:
- Computer related offences, including unauthorized access, disruption, damage, destruction, etc. of computer resource.
- Obscenity in electronic form (including child pornography).
- Non-compliance with directions, cyber terrorism etc. (including cyber security).
- Breach of confidentiality, privacy etc.
- Offences related to Electronic Signature Certificates.
Is hacking an offence under the Act?
- Yes, hacking is an offence under the Act, though the term “hacking” per se is not defined by it. The original 2000 text of section 66 was headed “Hacking with computer system”; the 2008 amendment replaced it with the broader “computer related offences”, so the word no longer appears in the operative provision, but the conduct remains punishable.
Is ethical hacking an offence under the Act?
- The Act does not distinguish between ‘hacking’ and ‘ethical hacking’.
- Both could be treated as computer related offences under section 66 of the Act. What matters in practice is the wording of section 43 (acts done “without permission of the owner or any other person who is in charge” of the computer resource) and of section 66 (the section 43 act must be done “dishonestly or fraudulently”): testing carried out within the scope of written authorisation from the owner or person in charge is not a section 43 act and so cannot be a section 66 offence, whereas testing that exceeds that scope can be.
Whether section 66A covers telemarketers, or any such service providers whose business models include sending bulk SMSs, Emails etc.?
- As enacted, section 66A(c) covered any person who sends, by means of a computer resource or a communication device, any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or mislead the recipient about its origin, and made this punishable with imprisonment for a term which may extend to three years and with fine; bulk senders therefore fell within its literal terms.
- Note, however, that the Supreme Court struck down section 66A in its entirety in Shreya Singhal v. Union of India (2015) as an unconstitutional restriction on freedom of speech, so no prosecution can now be founded on it; unsolicited bulk messaging has to be dealt with under other law.
Whether cyber terrorism has been defined under the Act?
- Yes. Section 66F defines cyber terrorism in two limbs. The first covers anyone who, with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people, denies authorised users access to a computer resource, penetrates or accesses a computer resource without authorisation or in excess of authorised access, or introduces a computer contaminant, and thereby causes or is likely to cause death or injury to persons, damage to or destruction of property, disruption of supplies or services essential to the life of the community, or adverse effects on critical information infrastructure.
- The second limb covers anyone who knowingly or intentionally penetrates or accesses a computer resource without authorisation or in excess of authorised access and thereby obtains access to information, data or a computer database that is restricted for reasons of the security of the State or foreign relations, or to any other restricted information, data or computer database with reason to believe that it may be used to cause, or is likely to cause, injury to:
- The interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise.
- The offence of cyber terrorism (and conspiracy to commit it) is punishable with imprisonment which may extend to imprisonment for life.
Whether data theft is classified as cyber contravention or cyber offences or both?
- Data theft is classified as both. The same act of downloading, copying or extracting data from a computer resource without the permission of its owner or the person in charge is a cyber contravention under section 43 (civil liability to pay compensation to the person affected) and, if done dishonestly or fraudulently, a cyber offence under section 66 (criminal liability).
- The difference between a ‘cyber contravention’ and a ‘cyber offence’ is therefore one of degree and intent: the contravention is made out by the unauthorised act itself, while the offence additionally requires dishonest or fraudulent intent and is prosecuted as a crime.
What are digital signatures?
- It is a block of data attached to an electronic message that attests to the authenticity of the message (who created it) and to its integrity (that it has not been altered since).
- Digital signatures are a mathematical transformation of the electronic message using public key cryptography.
- They require a key pair and a hash function: the message is hashed, the signer transforms the digest with the private key to produce the signature, and anyone holding the matching public key can verify it. The private key is for creating the signature and the public key for verifying it, which is how the Act’s definition of an “asymmetric crypto system” uses the terms.
- Creating and using a digital signature involves two parties: the signer (creator of the digital signature) and the recipient (verifier of the digital signature).
- A digital signature serves its purpose only when the recipient successfully verifies it, by recomputing the hash of the received message and checking it against the signature with the signer’s public key; any alteration of the message, or a signature made with a different private key, causes this check to fail.
How digital signatures are different from electronic signatures?
- Digital signature is a sub-set of electronic signature.
- The Information Technology (Amendment) Act, 2008 introduced the broader, technology-neutral concept of ‘electronic signature’ (section 3A) while retaining the existing digital signature regime (section 3), so that digital signatures already in use kept their legal effect.
- Examples of electronic signature techniques may include biometric signatures, passwords, PINs, encryption applications etc.; under the Act, however, only those authentication techniques notified in the Second Schedule count as electronic signatures.
- Digital Signature Certificates are issued to an individual person (for example, an authorised officer signing on behalf of a company), never collectively in the name of a company, partnership, association etc. as such.
What is meant by the term PKI?
- Public Key Infrastructure (PKI) is the management and regulation of key pairs: it allocates duties between the parties involved (the Controller of Certifying Authorities, the Certifying Authorities and the subscribers), lays down the licensing and business norms for CAs, and establishes the business processes and applications through which contractual relationships are constructed in a digitised world.
- The idea is to develop a sound public key infrastructure for an efficient allocation and verification of digital signatures certificates.
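The signing and verification process described under “What are digital signatures?” and the CA/subscriber hierarchy described under PKI, worked through in code. This is an added example written for this page, not code from the original page or from any Indian Certifying Authority’s software; it uses only the Go standard library. The CA name, the subscriber name and the record being signed are constructed for illustration, and the two-level hierarchy (a self-signed CA issuing one subscriber certificate) only mimics the licensed-CA structure under the Controller.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignRecord is the signer's step: SHA-256 the record, then transform the digest with the PRIVATE key (RSA-PSS).
func SignRecord(priv *rsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyRecord is the recipient's step: recompute the digest and check the
// signature with the signer's PUBLIC key; any change to either makes it false.
func VerifyRecord(pub *rsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert creates and parses a certificate; a template that is its own parent becomes self-signed.
func issueCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

type Outcome struct {
	ChainValid       bool // subscriber certificate chains to the trusted CA
	SigValid         bool // signature verifies under the certified public key
	TamperedSigValid bool // same signature over an altered record (expect false)
	RogueChainValid  bool // self-issued cert with the same name (expect false)
}

// RunDemo builds a toy hierarchy (CA -> individual subscriber), signs a constructed record and verifies it as a relying party would.
func RunDemo() Outcome {
	now := time.Now()
	newTemplate := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn}, // constructed names, not real entities
			NotBefore:    now.Add(-time.Minute),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
		}
	}
	// 1. Certifying Authority: key pair plus a self-signed CA certificate.
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	caTmpl := newTemplate(1, "Hypothetical Licensed CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	caCert := issueCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	// 2. Subscriber: the CA binds the subscriber's public key to a named individual by signing with the CA key.
	subKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	subCert := issueCert(newTemplate(2, "A. Subscriber (individual)"), caCert, &subKey.PublicKey, caKey)
	// 3. Signer produces the signature over a constructed electronic record.
	record := []byte("constructed record: e-filing 42, amount INR 1000")
	sig, err := SignRecord(subKey, record)
	check(err)
	// 4. Relying party trusts only the CA: check the chain, then verify the signature with the public key taken from the certified chain.
	var out Outcome
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now}
	_, err = subCert.Verify(opts)
	out.ChainValid = err == nil
	certifiedPub := subCert.PublicKey.(*rsa.PublicKey)
	out.SigValid = VerifyRecord(certifiedPub, record, sig)
	// 5. Failure modes: an altered record, and a self-issued certificate that claims the subscriber's name but carries no CA signature.
	tampered := []byte("constructed record: e-filing 42, amount INR 9000")
	out.TamperedSigValid = VerifyRecord(certifiedPub, tampered, sig)
	rogueTmpl := newTemplate(3, "A. Subscriber (individual)")
	rogueCert := issueCert(rogueTmpl, rogueTmpl, &subKey.PublicKey, subKey)
	_, err = rogueCert.Verify(opts)
	out.RogueChainValid = err == nil
	return out
}

func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

Run it with `go run`; the printed Outcome should show ChainValid and SigValid true and the two failure cases false. The point the code makes beyond the prose is where the verifier gets the public key from: it is taken from a certificate that has been chained to a CA the verifier trusts, never from the message itself, because otherwise any key pair could “sign” as anyone, as the rogue self-issued certificate in step 5 shows.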
What is meant by the term “Critical Information Infrastructure”?
- The term “Critical Information Infrastructure” means the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.
Who is responsible under the Act to issue directions for interception or monitoring or decryption of any information through any computer resource?
- Under the rules framed under section 69 of the Act, the Secretary in the Ministry of Home Affairs (for the Central Government) or the Secretary in charge of the Home Department (for a State Government or Union Territory), as the case may be, acts as the “Competent Authority” to issue directions for interception, monitoring or decryption of any information through any computer resource.
What are the roles of CERT-In?
- The Indian Computer Emergency Response Team (CERT-In) serves, under section 70B of the Act, as the national agency for performing the following functions in the area of cyber security:
- Collection, analysis and dissemination of information on cyber security incidents;
- Forecast and alerts of cyber security incidents;
- Emergency measures for handling cyber security incidents;
- Coordination of cyber incidents response activities;
- Issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents; and
- Such other functions relating to cyber security as may be prescribed.
Whether CERT-In plays any role in blocking the websites?
- No. CERT-In no longer plays any role in blocking websites; blocking directions are issued under section 69A and the rules framed under it by the designated officer of the Central Government, not by CERT-In.
What are the Centre’s powers vis-à-vis intermediaries?
- The Act covers all ‘intermediaries’ who play a role in the use of computer resources and electronic records.
- The term ‘intermediaries’ includes providers of telecom service, network service, Internet service and web hosting, besides search engines, online payment and auction sites, online marketplaces and cyber cafes.
- It includes any person who, on behalf of another, “receives, stores or transmits” any electronic record. Social media platforms would fall under this definition.
- Section 69 of the Act confers on the Central and State governments the power to issue directions “to intercept, monitor or decrypt…any information generated, transmitted, received or stored in any computer resource”.
- The grounds on which these powers may be exercised are: in the interest of the sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states, public order, or for preventing incitement to the commission of any cognisable offence relating to these, or for investigating any offence.
How does the government block websites and networks?
- Section 69A, on grounds similar to those on which information may be intercepted or monitored, enables the Centre to direct any agency of the government, or any intermediary, to block public access to any information generated, transmitted, received, stored or hosted on any computer resource.
- Any such request for blocking access must be based on reasons given in writing.
- Failure to comply with a direction to block access to the public on a government’s written request attracts a prison term of up to seven years, besides a fine.
What are the obligations of intermediaries under Indian law?
- Intermediaries are required to preserve and retain specified information in a manner and format prescribed by the Centre for a specified duration.
- Contravention of this provision may attract a prison term that may go up to three years, besides a fine.
Is the liability of the intermediary absolute?
- No, but the protection is conditional. Section 79 of the Act provides that “an intermediary shall not be liable for any third-party information, data, or communication link made available or hosted by him”.
- This protects intermediaries such as Internet and data service providers and those hosting websites from being made liable for content that users may post or generate, provided the intermediary’s function is limited to providing access, it does not initiate the transmission, select its receiver or modify its contents, and it observes due diligence and the guidelines prescribed by the Central Government. The protection is lost where the intermediary has conspired, abetted or aided the unlawful act, or fails to expeditiously remove or disable access to material after receiving actual knowledge, or a notification from the appropriate Government or its agency, that it is being used to commit an unlawful act.
National Critical Information Infrastructure Protection Centre (NCIIPC)
- The National Critical Information Infrastructure Protection Centre (NCIIPC), an organisation under the National Technical Research Organisation (NTRO), is the national nodal agency designated under section 70A of the Information Technology Act, 2000 (as amended in 2008).
- Under the NCIIPC Rules, a “critical sector” has been defined to mean sectors, which are critical to the nation and whose incapacitation or destruction will have a debilitating impact on national security, economy, public health or safety.
- These sectors have been grouped broadly as follows:
- Power and energy;
- Banking, financial services and insurance (BFSI);
- Transportation; and
- E-governance and strategic public enterprises.
- Unlike the critical sectors identified under the Strategic Approach of the Ministry of Electronics and Information Technology, the sectors identified by the NCIIPC do not include the defence sector.
Functions and Duties
- National nodal agency for all measures to protect nation’s critical information infrastructure.
- The basic responsibility for protecting CII system shall lie with the agency running that CII.
- Protect and deliver advice that aims to reduce the vulnerabilities of critical information infrastructure, against cyber terrorism, cyber warfare and other threats.
- Identification of all critical information infrastructure elements for approval by the appropriate Government for notifying the same.
- Calling for information and giving directions to the critical sectors or persons serving or having a critical impact on Critical Information Infrastructure.