
This Article is written by Arijit Kundu of 5th Semester of Heritage Law College, Kolkata, West Bengal.

Abstract.

In 1996, the United Nations Commission on International Trade Law adopted contemporary legislation regarding electronic trade and cyberspace. The Commission’s goal was to have cyber rules that were accepted worldwide. In order to safeguard its population from cybercrime, India approved the Information Technology Act in 2000, becoming the 12th nation in the world to adopt such legislation. The Information Technology Act covers both domestic and international offences.

One will learn about the Information Technology Act, 2000’s application, objectives, key characteristics, fines, changes made, and loopholes in this article.

Keywords: Electronic Signature, Digital Signature, Electronic Signature Certificate, Intermediaries, Preservation and Retention.

Introduction:

What would you do if one day your social media accounts were suddenly hijacked or someone used your digital signature to fraudulently withdraw money from your bank account? The Information Technology Act is applicable in this situation. The Act outlines a number of penalties relating to data breaches in cyberspace, on social media, and in e-commerce. With the aid of alternatives to paper-based methods of communication and information storage, transactions made through electronic data interchange, or “electronic commerce,” are given legal recognition under the Information Technology Act of 2000.

Other than that, the Information Technology Act of 2000 amends the Indian Evidence Act of 1872, the Indian Penal Code of 1872, the Banker’s Books Evidence Act of 1891, and other laws. The Information Technology Act is essential in protecting the nation’s interests from cyber threats.

Schedule of The Information Technology Act.

The IT Act consists of 13 chapters, 90 sections and 2 schedules. The following are the chapters of the Act.

The Act’s applicability and the definitions of the numerous terms used throughout the Act are covered in Chapter 1.

Electronic and digital signatures are covered in Chapter 2.

Electronic records are provided under Chapter 4 and electronic governance is provided under Chapter 3.

The security of these documents is covered in Chapter 5, and the rules governing certifying authorities are covered in Chapter 6.

The credentials required to create an electronic signature are also provided in Chapter 7.

Subscriber obligations are outlined in Chapter 8, and different fines are covered in Chapter 9.

Sections of Chapter 10 are dedicated to the Appellate Tribunal.

Chapter 11 lists different data breach charges and their associated penalties.

Chapter 12 outlines the situations in which intermediaries are exempt from liability for any violation of the law or breach of data privacy.

Chapter 13 is the Miscellaneous chapter.

The Act is divided into 2 schedules

  •  Schedule 1 lists the documents and data to which the Act does not apply.
  • Schedule 2 covers electronic signatures and authentication techniques.

The 2002 Information Technology Act’s scope of application.

Every region of India, including Jammu and Kashmir, is covered by the Act. The Act also has extraterritorial jurisdiction, which implies that anybody who commits this crime outside of the nation’s borders is subject to its penalties.

The Act also applies if the offending object, or device, is situated on Indian soil. In this case, a person will still be penalised regardless of their country.

The papers or transactions to which the Act shall not apply are as follows:

▪ A negotiable instrument (other than a cheque) as defined in The Negotiable Instruments Act, 1881;

▪ A power-of-attorney as defined in The Powers of Attorney Act, 1882;

▪ A trust as defined in The Indian Trusts Act, 1882;

▪ A will as defined in The Indian Succession Act, 1925 including any other testamentary disposition;

▪ Any contract for the sale or conveyance of immovable property or any interest in such property;

▪ Any such class of documents or transactions as may be notified by the Central Government.

Objectives of Information Technology Act. 2000.

  1. With the growth of information technology-enabled services like e-commerce, e-government, and e-transactions, the protection of personal information and the adoption of security practices in these electronic communication applications now carry more weight, and they need to be governed by the Information Technology Act’s rules. Additionally, national security depends critically on protecting critical information infrastructure. It has become important to declare such infrastructure a protected system in order to limit access to it.
  2. The growth of Internet usage brings new challenges in the forms of video voyeurism, leakage of data, breach of confidentiality, and phishing. Thus, penal provisions are required to be inculcated in the Information Technology Act, the Indian Penal Code, the Indian Evidence Act and the Code of Criminal Procedure to prevent such crimes.
  3. The United Nations Commission on International Trade Law (UNCITRAL) adopted the Model Law on Electronic Signatures on 12th December 2001. The Information Technology Act’s current requirements link digital signatures to a certain technology; hence it has become necessary to provide for alternative technology of electronic signatures to harmonize with the aforementioned Model Law.
  4. The Central Government or the state governments can direct the service providers to set up, maintain and upgrade the computerized facilities and also to collect specified fees as provided by the Central and State Governments.
  5. It has significantly reduced the need for paper required for communication purposes.
  6. It assists in protecting invaluable data in the hands of social media giants and intermediaries.
  7. It gives respect to electronic books of accounts maintained by the 1934 Reserve Bank of India Act.

Salient Features of Information Technology Act, 2000.

  1. Electronic Signatures have replaced Digital Signatures to make them more technology-neutral.
  2. It elaborately describes offences, penalties and breaches.
  3. It provides a Justice Dispensation System for Cybercrime.
  4. The Information Technology Act in its new section has defined the term Cyber Café as a facility from where Internet Service is provided by a person to the general public in the ordinary course of business.
  5. It provided a framework for the constitution of the Cyber Regulation Advisory Committee.
  6. The Information Technology Act is based on The Indian Penal Code, of 1860, The Indian Evidence Act, of 1872, The Bankers’ Books Evidence Act, of 1891, The Reserve Bank of India Act, of 1934, etc.
  7. It added a provision to section 81 which says that the provision of the act has an overriding effect. The provision specifically states that nothing contained in the act will restrict any person from exercising any right contained under the Copyright Act, 1957.

Electronic Signature and Digital Signature

Electronic Signature.

The Information Technology Act of 2000’s Section 2(ta) defines an electronic signature as:

Using the electronic method listed in the second schedule, a subscriber must “authenticate any electronic record using the electronic technique and includes a digital signature.”

An electronic signature therefore means the authentication of an electronic record by a subscriber using electronic techniques; it encompasses digital signatures and other electronic techniques that may be listed in the second schedule of the Act. The use of “electronic signature” has rendered the Act technologically neutral because it accepts both digital signatures based on cryptography and electronic signatures created with other technologies.

Digital Signature.

Section 2(1)(p) of the Information Technology Act, 2000 defines a digital signature as the authentication of any electronic record by a person who has subscribed for a digital signature, by the procedure outlined under section 3 of the Act.

The Information Technology Act of 2000’s Section 5 recognises digital signatures as legal documents.

Features of Digital Signature.

1. Check the Authenticity of the Sender: The person who receives the digital signature can check the authenticity of the sender. It helps to verify the name of the person signing the message directly.

2. Upholds the Integrity of the message: The receiver of the message is sure about the originality of the document without fear of any forgery or alteration in the document.

3. Non-Repudiation: The sender of the message cannot refute the sending of the message at a later date.

Benefits of Digital Signature.

The advantages of digital signature are–

  1. Authenticity.
  2. Non-deniability.
  3. A message cannot be changed mid-transmission.

Problems of Digital Signature:

  1. It functions online; thus it has to be either downloaded or purchased.
  2. It is also not 100% safe.

Digital Signature Certification :

  1. Helps in proving the authenticity of any document.
  2. It is used to prove the identity, to access information or to sign documents digitally.
  3. The Controller of Certifying Authorities, designated by the Central Government, authorises the Certifying Authorities to provide the Subscriber with digital signature certifications.

A DSC is valid for a maximum period of 3 years.

Elements of Digital Certificate :

  1. Name of the Issuer.
  2. Owner’s Name.
  3. Owner’s Public key.
  4. Serial number of the Certificate.
  5. Digital Signature of the User.
  6. The expiration date of Public key.

Digital Signature Certificate under Information Technology Act, 2000.

Section 35: Anyone who wishes to obtain a digital signature certificate may submit an application to the certifying authority for the issuance of the electronic certificate along with the payment of the necessary fees, which shall not exceed Rs. 25,000, and a statement of certification practise or other information as may be required by the certifying authority.

Section 36: Representations made after the DSC is issued.

 Section 37 provides for a suspension in the public interest for 15 days, in case an opportunity is not given to present the case.

Section 38: Revocation on death, request, or dissolution of the company or firm.

Intermediaries under Information Technology Act, 2000.

 The Information Technology Act gave intermediaries responsibility for Retention and Preservation of Information. The term information includes data, storage, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche as per section 2(1)(v) of the Act.

Section 2(1)(w) of the said Act defines the term intermediary: an “intermediary” means a person who on behalf of any other person receives, stores and transmits the record or provides any service concerning that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online auction sites, online marketplaces and cyber cafes.

As there is a wide array of intermediaries, essentially there can’t be one set of laws that will apply to all intermediaries.

Section 67C of the said Act focuses on the Preservation and Retention of information by intermediaries—

  1. The intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
  2. Any intermediary who intentionally or knowingly contravenes the provisions of subsection (1) shall be punished with imprisonment for a term that may extend to three years and shall be liable to a fine.

Thus, it can be safely said that the onus is on the intermediaries to preserve and retain information.

The terms “preservation” and “retention” are independent as one follows the other. Preservation of information is meant to be for effective, efficient and purposeful use. Digitisation is often seen as one of the means to preserve records. In order to preserve information which may exist in electronic form, this section makes it mandatory to have a backup file on backup media.

Conditions for Retention of Electronic Records —

  1. Accessibility so that it can be used as a reference in the future
  2. Retention in the format it was created, sent, or received in the first place, or in a format that can be shown to accurately represent the information that was first created, sent, or received.
  3. The information will make it easier to identify the electronic record’s origin, destination information, and time of despatch or reception. Any information that is automatically created simply to make it possible to obtain or download an electronic record will not be covered by this provision.

Preservation and Retention vs. Privacy Issue.


According to Section 43A of the Act, any corporate body processing, dealing with, or handling sensitive personal data or information in a computer resource that it owns, controls, or manages, which is negligent in putting into place and maintaining reasonable security practices and procedures, and whose negligence results in any wrongful gain or loss to any person, will be held liable to pay compensation for the said negligence.

The Intermediaries have two Responsibilities

  1. To Retain and Preserve the Information.
  2. To Implement and Maintain reasonable security practices and procedures.

Not complying with these provisions may bring criminal liabilities under sections 43A and 67C respectively.

Section 79 of the Act mentions times when the Intermediaries won’t be held liable, and those are—

  1. Intermediaries won’t be held liable in cases of third party information or communication.
  2. The intermediary is also not held accountable for any offences if their sole purpose was to grant users access to a communication system.
  3. The intermediary cannot be held accountable if it does not start such transmissions, choose the recipient, or alter any information sent during a transmission.
  4. The intermediary won’t be held liable if it does its work with due diligence.

Responsibilities of Subscriber:

Sec 2(1)(zg) says that a subscriber is a person in whose name a Digital Signature Certificate has been issued. A DSC holder is eligible to digitally sign his electronic records.

Articles (40-42) describe the duties of a subscriber.

Creating key pairs is covered in Section 40.

Where a subscriber has accepted a digital signature certificate whose public key, which is to be listed in the certificate, corresponds to the subscriber’s private key, the subscriber must then generate the key pair using the security procedure.

Acceptance of Digital Signature Certificate, Section 41.

(1) If a subscriber publishes or permits the publication of a digital signature certificate to one or more people, stores it in a repository, or otherwise shows his approval of the certificate, that subscriber is deemed to have accepted the certificate.

(2) By accepting a digital signature certificate, the subscriber certifies to anyone who reasonably relies on the information contained in the certificate that:

(a) the subscriber holds the private key that corresponds to the public key listed in the certificate and is authorised to hold the same.

(b) all representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the certificate are true.

(c) the information contained in the certificate is accurate.

Section 42: Private key management.

(1) Each subscriber shall take all necessary precautions to ensure that the private key that corresponds to the public key specified in his digital signature certificate is kept under his control and it is not disclosed to anybody who is not authorised to use the subscriber’s digital signature.

(2) The subscriber must notify the Certifying Authority as soon as possible in the manner required by the regulations if the private key corresponding to the public key listed in the Digital Signature Certificate has been compromised.

To clear up any confusion, it is hereby declared that the subscriber shall be liable until he has notified the Certifying Authority that the private key has been compromised.

Appellate Tribunal:

Section 48 of the Act notifies and establishes the Appellate Tribunal, called the Cyber Regulation Appellate Tribunal. Section 57 says that a person who is not satisfied with the order of the Controller or Adjudicating Officer may appeal to the Cyber Appellate Tribunal. If the order is decided with the consent of the parties, then there lies no appeal. The tribunal will dispose of the appeal as soon as possible, but within not more than 6 months from the date of that appeal.

If the person is not satisfied with the Appellate Tribunal’s decision, then he may file a suit in the High Court within 60 days of the Appellate Tribunal’s verdict. The High Court can extend the duration further by another 60 days if it deems it necessary.

Section 58 says that the Code of Civil Procedure will not apply to the Cyber Appellate Tribunal, but the principles of natural justice will be followed, subject to other provisions of the Act. The Tribunal has the power to regulate its own procedure.

In order to discharge its function effectively, the Tribunal enjoys the same powers as a City Civil Court under the Code of Civil Procedure.

Power of Police Officers

Section 80 (1) of the IT Act grants police officers and other officers the right to enter, search, etc. It states that, notwithstanding any provision of the Code of Criminal Procedure, 1973, any police officer not below the rank of Inspector, or any other officer of the Central Government or State Government authorised by the Central Government in this regard, may enter any public place and search and arrest without a warrant any person who is reasonably suspected of an offence under the Act.

According to Section 80 (2) of the IT Act, any person who is detained in accordance with subsection (1) by an officer other than a police officer must be taken or sent before a magistrate with relevant jurisdiction or the officer-in-charge of a police station without undue delay.

Offences and their Punishments Under Information Technology Act, 2000.

Section 65 : In case of tampering with a document stored in the computer system, the punishment is imprisonment for a time period of 3 years or fine of ₹ 2 Lakhs or both.

Section 66 : Defines offences related to computer or any act, mentioned in section 43 for which imprisonment extends to 3 years or fine up to ₹ 5 lakhs or both.

Section 66 B : Defines the offence of receiving a stolen computer source or device dishonestly for which imprisonment extends to 3 years or fine up to ₹ 1 lakh or both.

Section 66 C : Defines Identity Theft for which imprisonment extends to 3 years or fine of ₹ 1 lakh or both.

Section 66 D : Defines Cheating by Personation, for which imprisonment extends to 3 years or a fine of ₹ 2 lakhs or both.

Section 66 E : Defines Violation of Privacy for which imprisonment extends to 3 years or a fine of ₹ 2 lakhs or both.

Section 66 F : Defines Cyber Terrorism for which punishment is life Imprisonment.

Section 67 : Defines the transmitting of obscene material through electronic form, for which imprisonment may extend up to 5 years and a fine of ₹ 10 lakhs.

Section 67 B : Penalises depicting children in sexually explicit form and transmitting such material through electronic mode, for which imprisonment extends up to 7 years and a fine up to ₹ 10 Lakhs is charged.

Section 67 C : Defines failure to preserve and retain information by intermediaries for which imprisonment extends up to 3 years with fine.

Penalties under Information Technology Act, 2000

Section 43 provides that if any person other than the owner uses the computer system and damages it, then he will be liable to pay compensation.

Other grounds for penalties and compensation include:

  • Whenever he copies or downloads any system-stored data.
  • Contaminates the computer system with any virus.
  • Messes up the system.
  • Denies access to the computer’s owner or other permitted users.
  • Manipulates or tampers with the computer system.
  • Destroys, removes, or modifies in any way the data that has been saved in the system.
  • Steals the data that is kept there.

In event of failure to protect data, a corporation or business is liable for damages under Section 43A if it stores sensitive data, including that of its customers, workers, or other citizens, on its computer system without taking the necessary precautions to keep it safe from hackers and other undesirable acts.

Not Providing the Necessary Information.

Any person who is asked to provide information, a specific document, or maintain books of accounts is required to comply or face a fine. The fine for mishandling reports and papers is between Rs. 1 lakh and Rs. 50,000. The fine for records or books of accounts is Rs. 5000. (Article 44).

Landmark Case on Information Technology Act.

In the case of Shreya Singhal vs. Union of India (2015)[i], a two judge bench of the Supreme Court struck down the draconian provision of section 66 A under the Information Technology Act. It violated freedom of speech guaranteed under Article 19(1)(a) of the Constitution of India and was not saved by virtue of being a reasonable restriction under Article 19(2).

Judgement :

Justice Nariman, speaking for the court, said that section 66 A is vague and therefore falls foul of Article 19(1)(a), since the statute was not narrowly tailored to specific instances of speech which it sought to curb. Further, the court held that the reasonable restriction under Article 19(2) fails to validate the provision, as it applies to cases of incitement, not advocacy. As the word “offensive” is not defined, it has been interpreted differently in different cases, giving unfettered power to the police.

Criticism of Information Technology Act, 2000

  1. There is no provision for data breach.

The Act’s provisions are limited to discussing acquiring and disseminating citizen information and data. It makes no mention of the responsibility or accountability of anyone if it is breached by a company or a government agency, nor does it offer any redress for the breach and leak of data. It only stipulates a fine if a person or intermediary refuses to assist the government in surveillance.

2.  No mention of privacy concerns

The Act fell short in addressing a person’s privacy concerns. Any middleman could keep any delicate personal information about a person and submit it to the authorities for surveillance. This amounts to an invasion of the privacy of an individual. The creators have disregarded this issue.

3. Simple penalties

Although the Act lists specific violations committed using electronic devices, the penalties provided therein are far more straightforward. Punishments must be severe in order to deter such offences.

4. Inadequately trained officers

One can easily avoid responsibility with the aid of money and power. Because of a social stigma that police will not handle such accusations, these situations may go unreported. According to a report, police personnel need to be tech-savvy and prepared to handle cybercrimes in order to swiftly investigate a case and send it for prompt resolution.

5. There is no regulation of cybercrime

The speed at which cybercrimes are growing is accelerating due to technological improvement. The Act’s list of offences is short, but there are already many other kinds of cybercrimes that, if not adequately dealt with in a timely manner, might pose a threat. These crimes don’t directly harm any human beings, but they may do so through exploiting someone else’s private information improperly. Thus, regulating such crimes is urgently needed. The Act falls short in this area.

Social Usefulness of  Information Technology in India.

  1. Khajane and Bhoomi Projects of the state of Karnataka: the Khajane project involves the computerization of 225 treasuries all across the state. The Bhoomi Project is about computerization of the land record system and is already operational in talukas.
  2. The state of Tamil Nadu has implemented the STAR (Simplified and Transport Administrative of Registration) project in a phased manner in all 600 sub-registrar offices and 50 district registrar offices to provide encumbrance certificate, marriage certificate, property valuation, etc., facilities.
  3. Indian Railway has started the Internet reservation facility where one can reserve tickets through credit cards.

Conclusion:

The Information Technology Act is significant in holding the intermediaries accountable for the storage and retention of data. It also provides various provisions to prevent the misuse of users’ data. But the Act needs to enforce more stringent laws and hefty fines on body corporates for any breach and take the issue of user privacy more seriously. The IT Act must also evolve to combat new types of cybercrime and provide adequate protection against them.


[i] Shreya Singhal vs Union of India, (2015), SC 1523

ii. Information Technology Law and Practice, Sixth Edition, Vakul Sharma and Seema Sharma.

iii. India’s IT Act 2000 a toothless tiger? | CSO Online https://www.csoonline.com/article/3453078/india-s-it-act-2000-a-toothless-tiger-that-needs-immediate-amendment.html

iv. Information Technology Act, 2000 https://eprocure.gov.in/cppp/rulesandprocs/kbadqkdlcswfjdelrquehwuxcfmijmuixngudufgbuubgubfugbububjxcgfvsbdihbgfGhdfgFHytyhRtMjk4NzY=

