IT Act 2000

By K. K. Mookhey, NII Consulting

The Information Technology Act 2000 is India’s only act dealing with computer crime. For companies doing business in India, it is worthwhile to know the legal framework which provides for the protection of information. This article describes the important sections of the IT Act. It also looks at some of the more high-profile cases where the Act has been applied. The law has not always been an ally of the good, and there have been cases of its more Draconian sections being misused to settle scores.

Background

The IT Act 2000 is based on the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law (UNCITRAL) and the General Assembly of the United Nations. In this respect, the IT Act takes many of its sections on sending/receiving of electronic messages directly from the Model Law, but focuses a little too much on Digital Signatures, Digital Certificates, and Certifying Authorities, which we shall ignore for the purposes of the current discussion.

One of the most high-profile cases where the IT Act came into the picture was the arrest of Avnish Bajaj, CEO of Baazee.com (the Indian arm of eBay). A student of one of India’s premier engineering colleges – IIT – put up for auction a pornographic clip of two high-school students. When the police were informed of this, they arrested not just the IIT student, but also Bajaj under section 67 of the IT Act – “Publishing of information, which is obscene in electronic form”. This raised a furore in various circles, where the opinion was that it was completely unjustified to arrest Bajaj, since he had not actually published the clip on his website. Another controversial case involved the arrest of the owners of the cyber café from where some youths had emailed Members of Parliament about a bomb threat, which later turned out to be a hoax. Given this rocky start, it is an interesting exercise to analyze the various sections of the Act and their business and technology implications.

Incidentally, there have been a number of discussions on revisions to the IT Act, but these have not been scheduled for inclusion yet. Some of the welcome changes include stringent punishment for child pornography, increased emphasis on data privacy and security of personal data, specific punishment for violation of confidentiality of data, as well as a new section granting validity to electronic contracts.

Overview

The IT Act has 12 chapters, and 4 schedules. The chapters are divided as follows:

| No. | Title | Description |
|-----|-------|-------------|
| 1. | Preliminary | Definitions of terms used in the rest of the document |
| 2. | Digital Signature | Very brief authorization for use of digital signatures for electronic records |
| 3. | Electronic Governance | Provides for the legal recognition of electronic records – especially by Govt. agencies |
| 4. | Attribution, Acknowledgement, and Despatch of Electronic Records | Discusses when an electronic message shall be considered to be “sent” and when it will be considered to be “received” |
| 5. | Secure Electronic Records and Secure Digital Signatures | Discusses (a bit vaguely) what is considered as “secure” electronic records and digital signatures |
| 6. | Regulation of Certifying Authorities | Discusses who can be appointed as a CA, and what their responsibilities and authorities are |
| 7. | Digital Signature Certificates | Who can issue Digital Certificates, what they should contain, and rules for revocation |
| 8. | Duties of Subscribers | Generation or acceptance of the key pair, and reasonable care for securely using it |
| 9. | Penalties and Adjudication | Penalties for damage to computer systems – INR 1 crore; Failure to furnish information – INR 1,50,000; Failure to maintain records – INR 10,000 per day; Residuary penalty – INR 25,000 |
| 10. | Cyber Regulations Appellate Tribunal | Establishment, composition and powers of a Cyber Appellate Tribunal to adjudicate in matters related to this Act |
| 11. | Offences | Tampering with computer source documents – 3 years imprisonment, or fine of INR 200,000 or both; Hacking with computer system – as above; Publishing of obscene information – as above |
| 12. | Network Service Providers not to be Liable in Certain Cases | If offence committed without his knowledge or due diligence was exercised |
| 13. | Miscellaneous | Power of police officer; Offences by companies; Power of Central and State Governments |

These are followed by four Schedules, which are essentially modifications to relevant sections of other Acts. These are as follows:

  • The First Schedule – Amendments to the Indian Penal Code
      • Primarily related to changes of the word “document” to “document and electronic record”
  • The Second Schedule – Amendment to the Indian Evidence Act
      • Admissibility of electronic evidence
      • Most relevant to current discussions
  • The Third Schedule – Amendment to the Banker’s Book Evidence Act
      • Definition of “banker’s books” expanded to include electronic records
      • Legitimacy of print outs
  • The Fourth Schedule – Amendment to the RBI Act
      • Regulation of fund transfer through electronic means

Brief Analysis

The first point to note is the definitions for terms that are used within the various sections:

Access

“access” with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network;

Computer

“computer” means any electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;

Sections of note:

43: Penalty for damage to computer

Sets the penalty for any damage or unauthorized access to a computer, computer system or network at INR 10 million. The section is pretty wide-ranging, and port scanning also seems to be covered, especially if you cross-reference it with the definition of “access”.

46: Power to adjudicate

For the purpose of adjudging under this Chapter whether any person has committed a contravention of any of the provisions of this Act or of any rule, regulation, direction or order made thereunder the Central Government shall, subject to the provisions of sub-section (3), appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an adjudicating officer for holding an inquiry in the manner prescribed by the Central Government…

66: Hacking with computer system

(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack:

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to INR 200,000, or with both.

67: Publishing of information which is obscene

Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons…

72: Penalty for breach of confidentiality and privacy

Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

76: Confiscation

Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, orders or regulations made thereunder has been or is being contravened, shall be liable to confiscation…

78: Power to investigate offences

Notwithstanding anything contained in the Code of Criminal Procedure, 1973, a police officer not below the rank of Deputy Superintendent of Police shall investigate any offence under this Act.

79: Network service providers not to be liable in certain cases

For the removal of doubts, it is hereby declared that no person providing any service as a network service provider shall be liable under this Act, rules or regulations made thereunder for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention.

85: Offences by companies

(1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly: Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.

Amendments to Indian Evidence Act “Admissibility of electronic records”

Serious issues

  1. Does not mandate the forensics procedure to be adopted for the evidence to be admissible in court.
  2. Is too Draconian in some respects, especially sections related to Offences by companies, Confiscation, Hacking, and Publishing of Obscene information
  3. Setting up of the Cyber Appellate Tribunal or posting of the adjudicating officer as mandated in section 46 and 57
  4. Too much of a focus on digital signatures, digital certificates and certifying authorities – very few sections deal with actual cyber crimes
  5. Data privacy is not addressed in either the Indian IT Act or anywhere else.
  6. Does not address practical issues of actually implementing the measures it lists out
  7. Although cyber security cells have been set up in the major cities around the country, they’re often under-staffed and under-equipped.


3 comments

Dear Sir,

It's a pleasure reading your article. I wish to raise a small question:

Under Section 43 of the IT Act 2000, if an employee does port scanning of his own computer, assigned to him by the organisation, will it be unauthorized access?
Here we assume that the employee did not take the permission of the management.

Hi Poonam,

I am just a reader, and saw your query.

Well,

It depends on a few things:
1> What is the employee’s job profile? Is he a Security Analyst/Security Engineer?

2> Assuming that the employee has not taken any permission from his employer/management/IR team, then this is illegal.
The other point is, if he is not in any security-related position, then he should not have any such access to these tools; it also means that an Internet usage policy is not in place.
Also, if an employee is scanning his own PC today, he may also try scanning other hosts on his subnet or maybe live systems on the Internet, so traffic monitoring should be in place.

Since the launch of CEH courses and many others, students who either enroll or just got hold of some of these tools may like to try these tools, so it is illegal.

Also, the names of such tools are very well documented at EC-Council’s site for education purposes, but may be misused by someone.

So the bottom line is,

If any unauthorised person, or a person not in charge of Security Ops, is doing a scan of a local or remote PC, it is considered illegal.

Readers, Please correct me if I am wrong.

Thanks

Nitin Kushwaha

Dear sir,
Sir, I want all the cases which have been decided on the Information Technology Act 2000.
Can you give me a list of all the cases and the related courts that decided them?
Or can you suggest a website from where we can collect those cases?
