INDIAN CYBERLAW AND SECURITY

1
INDIAN CYBERLAW AND SECURITY

2
A PRESENTATION BY PAVAN DUGGAL,ADVOCATE,
SUPREME COURT OF INDIAPRESIDENT,CYBERLAWS.NET
HEAD-PAVAN DUGGAL ASSOCIATES

• INTERNATIONAL CONFERENCE ON e GP, NEW
  DELHI-11-3-2005

3
CYBER LAW IN INDIA

• In India the Information Technology Act, 2000 is
  the legislation that deals with issues related to
  the Internet.

4
THE INFORMATION TECHNOLOGY ACT , 2000

5
I.T. ACT, 2000OBJECTIVES

• Different approaches for controlling, regulating
  and facilitating electronic communication and
  commerce.
• Aim to provide legal infrastructure for
  e-commerce in India.

6
OBJECTIVES (contd.)

• To provide legal recognition for transactions-
• Carried out by means of electronic data
  interchange, and
• Other means of electronic communication, commonly
  referred to as "electronic commerce", involving
  the use of alternatives to paper-based methods of
  communication and storage of information.

7
OBJECTIVES (contd.)

• To facilitate electronic filing of documents with
  the Government agencies
• To amend the Indian Penal Code, the Indian
  Evidence Act, 1872, the Banker's Book Evidence
  Act, 1891 and the Reserve Bank of India Act, 1934
  

8
AUTHENTICATION OF ELECTRONIC RECORDS

• Any subscriber may authenticate an electronic
  record
• Authentication by affixing his digital signature.
  
• Any person by the use of a public key of the
  subscriber can verify the electronic record

9
LEGALITY OF DIGITAL SIGNATURES

• Legal recognition of digital signatures.
• Electronic Signatures not yet legal in India.
• Certifying Authorities for Digital Signatures.
• Scheme for Regulation of Certifying Authorities
  for Digital Signatures

10
CONTROLLER OF CERTIFYING AUTHORITIES

• Shall exercise supervision over the activities of
  Certifying Authorities
• Lay down standards and conditions governing
  Certifying Authorities
• Specify various forms and content of Digital
  Signature Certificates

11
DIGITAL SIGNATURES ELECTRONIC RECORDS

• Use of Electronic Records and Digital Signatures
  in Government Agencies.
• Publications of rules and regulations in the
  Electronic Gazette.

12
INFORMATION SECURITY LAW

• India does not have a dedicated law on
  Information Security

13
IT ACT, 2000

• Not a law dedicated to security
• However, since security is an absolutely
  necessity for e-commerce transactions, the laws
  covers some aspects relating to security

14
DEFINITIONS

• Definitional clause of the Indian Cyberlaw does
  not give a legal definition of security
• Provides the definition of a secure system and
  security procedure

15
Section 79

• For the removal of doubts, it is hereby declared
  that no person providing any service as a network
  service provider shall be liable under this Act,
  rules or regulations made thereunder for any
  third party information or data made available by
  him if he proves that the offence or
  contravention was committed without his knowledge
  or that he had exercised all due diligence to
  prevent the commission of such offence or
  contravention.

16
Network Service ProvidersWhen Not Liable

• Explanation.For the purposes of this section,
• (a) "network service provider" means an
  intermediary
• (b) "third party information" means any
  information dealt with by a network service
  provider in his capacity as an intermediary.

17
SECURE SYSTEM

• secure system means computer hardware,
  software, and procedure that- 
• (a)    are reasonably secure from unauthorized
  access and misuse
• (b)   provide a reasonable level of reliability
  and correct operation
• (c)    are reasonably suited to performing the
  intended function and
• (d) adhere to generally accepted security
  procedures

18
DEFINITTIONS

• security procedure means the security procedure
  prescribed by the Central Government under the IT
  Act, 2000.
• secure electronic record where any security
  procedure has been applied to an electronic
  record at a specific point of time, then such
  record shall be deemed to be a secure electronic
  record from such point of time to the time of
  verification

19
SECURE DIGITAL SIGNATURE

• If by application of a security procedure agreed
  to by the parties concerned, it can be verified
  that a digital signature, at the time it was
  affixed, was
• (a)     unique to the subscriber affixing it
• (b)     capable of identifying such subscriber
• (c)  created in a manner or using a means under
  the exclusive control of the subscriber and is
  linked to the electronic record to which it
  relates in such a manner that if the electronic
  record was altered the digital signature would be
  invalidated,
• then such digital signature shall be deemed to
  be a secure digital signature.

20
POWER TO CENTRAL GOVERNMENT

• Central Government empowered to prescribe the
  security procedure, having regard to the
  commercial circumstances prevailing at the time
  when the procedure was used, including-
• the nature of the transaction
• the level of sophistication of the parties with
  reference to their technological capacity
• the volume of similar transactions engaged in by
  other parties
• the availability of alternatives offered to but
  rejected by any party
• the cost of alternative procedures
• the procedures in general use for similar types
  of transactions or communications.

21
BREACH OF SECURITY

• The Indian Cyberlaw makes breach of security an
  act which attracts consequences of civil
  liability.
• If a person without the permission of owner or
  any other person in charge of a computer,
  computer system or computer network, accesses or
  secures access to such computer, computer system
  or computer network, he is liable to pay
  statutory damages by way of compensation, not
  exceeding one Crore rupees ( Rs 10,000,000/- )
  to the person so affected.

22
BREACH OF SECURITY

• Thus, merely gaining access to any computer,
  computer system or computer network by breaching
  or violating the security processes or mechanisms
  is enough to attract the civil liability.

23
CRIMINAL OFFENCE

• Breach of security is also implicitly recognized
  as a penal offence in the form of hacking
• Section 66 of the IT Act, 2000 makes hacking a
  penal offence punishable with three years
  imprisonment and two lakh rupees ( Rs 200,000/- )
  fine

24
PROTECTED SYSTEM

• The appropriate government, be it the Central or
  State Government, has been given the discretion
  to declare any computer, computer system or
  computer network as a protected system.
• Any person who secures access or attempts to
  secure access to a protected system in
  contravention of the provisions of the law, shall
  be punished with imprisonment of either
  description for a term which may extend to ten
  years and shall be liable to fine.

25
OFFENCES PENALTIES

• Penalties and adjudication for various offences
  involving computers, computer systems and
  computer networks.
• Penalties for damage to computer, computer system
  etc.
• Fixed as damages by way of compensation not
  exceeding Rs. 1,00,00,000/- to affected persons.

26
CYBER OFFENCES

• Various cyber offences defined
• Cyber offences to be investigated only by a
  Police Officer not below the rank of the Deputy
  Superintendent of Police.

27
CYBER OFFENCES (contd.)

• Tampering with computer source documents.
• Publishing of information which is obscene in
  electronic form.
• Breach of confidentiality and privacy.

28
CYBER OFFENCES (contd.)

• Hacking
• Misrepresentation
• Publishing Digital Signature Certificate false
  in certain particulars and publication for
  fraudulent purposes.

29
RETENTION OF INFORMATION IN ELECTRONIC FORMAT

• Can legally retain information in the electronic
  form, if-
• the information contained therein remains
  accessible so as to be usable for a subsequent
  reference

30
RETENTION OF INFORMATION IN ELECTRONIC FORMAT

• (b) the electronic record is retained in the
  format in which it was originally generated, sent
  or received or in a format which can be
  demonstrated to represent accurately the
  information originally generated, sent or
  received

31
RETENTION OF INFORMATION IN ELECTRONIC FORMAT
(contd)

• (c) the details which will facilitate the
  identification of the origin, destination, date
  and time of dispatch or receipt of such
  electronic record are available in the electronic
  record.

32
INVESTIGATION

• For the purpose of investigating the offences
  detailed under the IT Act, 2000, police officers
  not below the rank of Deputy Superintendent of
  Police have been duly authorized and have also
  been given the power of entry, search and arrest
  without warrant in public places.

33
PROVING IT

• Amendments made in the Indian Evidence Act 1872
  by the IT Act, 2000
• In any proceedings involving a secure electronic
  record, the court shall presume, unless contrary
  is proved, that the secure electronic record has
  not been altered since the specific point of
  time, to which the secure status relates

34
PROVING IT

• The law also presumes that in any proceedings,
  involving secure digital signature, the court
  shall presume, unless the contrary is proved,
  that the secure digital signature is affixed by
  the subscriber with the intention of signing or
  approving the electronic record

35
IT SECURITY GUIDELINES

• Information Technology Act, 2000 has come up with
  Information Technology Security Guidelines
• As also Information Technology (Certifying
  Authority) Rules, 2000

36
INFORMATION SECURITY GUIDELINES

• The Information Security guidelines are generic
  and broad and should be followed by all legal
  entities involved in computer, computer systems
  and computer networks
• More relevant in the context of Electronic
  Government Procurement in India as the sectors
  life and spirit is dependant upon the Information
  Security of its systems and networks

37
LITIGATION ALREADY BEGUN

• Litigation already begun in India relation to
  e-procurement.
• Numerous legal issues relating to electronic
  government procurement will continue to emerge in
  the near future.
• Need to adopt a proactive approach in dealing
  with these various legal challenges

38
NEED TO COMPLY

• There is a need to proactively comply with the
  requirements of the Indian Cyberlaw .
• Necessary to limit liability and emergence of
  undesirable consequences.
• The Information Technology Act, 2000 currently
  under review by the Government.
• Need to adopt a flexible approach of due
  diligence.

39
THAT WAS A PRESENTATION BY PAVAN
DUGGAL,ADVOCATE, SUPREME COURT OF
INDIAPRESIDENT, CYBERLAWS.NETHEAD-PAVAN DUGGAL
ASSOCIATES EMAIL pduggal_at_vsnl.compduggal_at_gmail.
com