17. Information Technology Act 2000 – Business Law


Information Technology Act 2000

Learning Objectives

After reading this chapter, the students will come to know about the Information Technology Act, 2000 especially on the following aspects:

  • Scope of the Act.

  • Electronic records and their validity.

  • Digital signatures.

  • Authentication of electronic records.

  • E-governance.

  • Electronic offences and penalty.


The Information Technology Act is divided into 13 Chapters, 94 Sections and 5 Schedules.


Chapter 1: Scope and Definitions

Chapter 2: Authentication of Electronic Records using Digital Signature

Chapter 3: Electronic Governance

Chapter 4: Attribution, Receipt and Dispatch of Electronic Records

Chapter 5: Secure Electronic Records and Secure Digital Signature

Chapter 6: Regulation of Certifying Authorities

Chapter 7: Digital Signature Certification

Chapter 8: Duties of Subscriber

Chapter 9: Penalties and Adjudication

Chapter 10: Cyber Regulation Appellate Tribunal

Chapter 11: Offences

Chapter 12: Network Service Provider not to be Liable in certain Cases

Chapter 13: Miscellaneous (describes the powers of various government bodies to make rules under the IT Act 2000).

17.1.1 Cyber Laws

Businessmen nowadays increasingly use computers to manage their affairs in electronic form instead of the traditional paper form. Information kept in electronic form is cheaper, easier to store and retrieve, and speedier to communicate. People now use new communication systems and digital technologies to transact their business electronically. Although people are aware of the advantages that the electronic form of business provides, they are reluctant to conduct business or conclude transactions in electronic form because of the lack of a proper legal framework.

Electronic commerce eliminates the need for paper-based transactions. The two principal hurdles which stand in the way of facilitating electronic commerce and electronic governance are the requirements of writing and of a signature for legal recognition.

At present many legal provisions assume the existence of paper-based records which should bear signatures. The law of evidence is traditionally based upon paper-based records and oral testimony.

To facilitate e-commerce, legal change has become an urgent necessity. The Government of India realized the need to introduce a new law and to make suitable amendments to the existing laws in order to facilitate e-commerce and give legal recognition to electronic records and digital signatures. Legal recognition of electronic records and digital signatures will, in turn, facilitate the conclusion of contracts and the creation of legal rights and obligations through electronic communications such as the Internet. This need for legal recognition of electronic commerce gave birth to the Information Technology Bill, 1999.

In 2000, both Houses of Parliament passed the Information Technology Bill. The Bill received the assent of the President in August 2000 and came to be known as the Information Technology Act, 2000. The Cyber Laws are contained in the Information Technology Act, 2000.


The objectives of the act are as under.

  1. To grant legal recognition to transactions carried out by means of Electronic Data Interchange and other means of communication, commonly referred to as ‘Electronic Commerce’, in place of paper-based methods of communication.
  2. To give legal recognition to digital signatures for authentication of any information or matter which requires authentication under any law.
  3. To facilitate the electronic filing of documents with the government departments.
  4. To facilitate electronic storage of data.
  5. To facilitate and give legal sanction to electronic fund transfer between banks and financial institutions.
  6. To give legal recognition to the keeping of books of account by bankers in electronic form.
  7. To amend the Indian Penal Code, The Indian Evidence Act, 1872, The Banker's Book Evidence Act, 1891 and The Reserve Bank of India Act, 1934.

The Information Technology Act, 2000 extends to the whole of India. It also applies to any offence or contravention thereunder committed outside India. However, the Act does not apply to the following categories of transactions.

  1. A negotiable instrument other than cheque. It means the Information Technology Act is applicable to cheque.
  2. A power-of-attorney.
  3. A trust as defined in the Indian Trusts Act.
  4. A will.
  5. Any contract for sale or conveyance of immovable property.
  6. Any such class of documents or transactions as may be notified by Central Government in the Official Gazette.

17.4.1 Access

‘Access’, with its grammatical variations and cognate expressions, means gaining entry into, instructing or communicating with the logical, arithmetical or memory function resources of a computer, computer system or computer network.

17.4.2 Computer

A ‘computer’ means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network.

17.4.3 Computer System

A ‘computer system’ means a device or collection of devices including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with the external files which contain computer programmes, electronic instructions, input data and output data that performs logic, arithmetic, data storage and retrieval, communication control and other functions.

17.4.4 Communication Device

A ‘communication device’ means cell phones, personal digital assistance (Sic) or combination of both or any other device used to communicate, send or transmit any text, video, audio or image.

17.4.5 Computer Network

It means the interconnection of one or more computers, using satellite, microwave or other communication channels.

17.4.6 Function

A ‘function’ in relation to a computer includes the following.

  • Logic
  • Control
  • Arithmetical process
  • Deletion
  • Storage and retrieval
  • Communication, or
  • Telecommunication from or within a computer.

17.4.7 Information

An ‘information’ includes the following.

  • Data
  • Message
  • Text
  • Images
  • Sound
  • Voice
  • Codes
  • Computer programmes
  • Software
  • Databases
  • Micro film
  • Computer generated micro fiche.

17.4.8 Data

A ‘data’ means:

  • a representation of information, knowledge, facts, concepts or instructions.
  • which are being prepared or have been prepared in a formalized manner.
  • and is intended to be processed, is being processed or has been processed in a computer system or computer network.

It may be in any form including computer printouts, magnetic or optical storage media, punched cards, punched tapes or stored internally in the memory of the computer.

17.4.9 Digital Signature

It means the authentication of any electronic record by a subscriber by electronic method.

17.4.10 Electronic Signature

An ‘Electronic Signature’ means the authentication of any electronic record by a subscriber by means of the electronic technique, specified in the second schedule and includes digital signature.

17.4.11 Asymmetric Crypto System

It means a system consisting of a secure key pair: a private key and a public key.



Figure 17.1 Asymmetric crypto system.


A message that is signed (encrypted) with the private key can be verified (decrypted) with the public key. Since the public key is public anyone can verify the signature. The public key cannot create such signatures. The validity depends on the private key security.

Key Pair: It is a private key and the corresponding mathematically related public key.

Private Key: It means the key of a key pair used to create a digital signature.

Public Key: It means the key of a key pair used to verify a digital signature.

17.4.12 Secure System

A ‘secure system’ means computer hardware, software and procedure that

  1. are reasonably secure from unauthorized access and misuse,
  2. provide a reasonable level of reliability and correct operation,
  3. are reasonably suited to performing the intended functions, and
  4. adhere to generally accepted security procedures.

17.4.13 Cyber Security

A ‘Cyber Security’ means protecting


17.4.14 Cyber Café

A ‘cyber café’ means any facility from where access to the Internet is offered by any person in the ordinary course of business to the members of the public.

17.4.15 Originator

An ‘originator’ means a person who sends, generates, stores or transmits any electronic message, or causes any electronic message to be sent, generated, stored or transmitted to any other person, but does not include an intermediary.


A digital signature is like a handwritten signature. It should be difficult for the sender to forge and difficult for the receiver to repudiate (reproduce). Generation of a digital signature uses a technology known as a key pair (public key and private key). Users who want to enter into an electronic agreement should each have a key pair. The public key is for distribution, whereas the private key is kept by the user himself.

For an electronic document to be legally valid there are two requirements: integrity, i.e., the document has not changed, and authentication, i.e., the document is signed.

So making an electronic document legally valid is a two-step process.

  1. A hash function is used for the integrity of the document.
  2. A digital signature is used for the authentication of the document.

17.5.1 Hash Function

The hash function is an algorithm which is run over the message or the content of the agreement and generates a big alphanumeric number known as the message digest.

This message digest has a unique value for one message or content. If someone changes even a single character in the original message and the hash function is run over the message again, it will not generate the same number. This change in value indicates that the original message has been changed. The same number is always generated when the hash function is run over the original message.

The hash function technique is used for checking the integrity of the message. After the message digest is generated from the message with the hash function, the message digest is encrypted with the private key of the sender; the resulting value is known as the digital signature. This value is transmitted along with the original document, in encrypted or direct form. At the receiving end, the receiver uses the public key of the sender to decrypt the digital signature, which yields the message digest. The receiver then generates the message digest again by running the hash function over the actual message. If this matches the message digest obtained by decrypting the digital signature, the message content has not been changed and the digital signature belongs to the person who gave the public key to the receiver.

To transmit the public key safely and to prove that the public key held by the receiver belongs to the person who claims it, a certificate is obtained from a certifying authority, which issues a digital certificate and ensures that the public key actually belongs to the person who claims it. The most popular certifying authority that issues digital certificates is VeriSign.


Figure 17.2 Mechanism of digital signatures.*



The message digest encrypted with the private key of the sender generates the digital signature, which is affixed to the agreement sent to the receiver. At the receiver's end the digital signature is decrypted with the sender's public key, which yields the message digest.

The receiver again generates the message digest by running the hash function algorithm over the original content of the message. If this message digest matches the message digest obtained by decrypting the sender's digital signature with the sender's public key, it proves that the contents have not changed and that the signature belongs to the sender.

The Central Government has the power to make rules from time to time in respect of the digital signature like the type of digital signature, manner and format procedure for affixing the digital signature.

17.5.2 Electronic Signature—Section 3(A)

The subscriber may authenticate any electronic records by the electronic signature or electronic authentication technique which is considered reliable and specified by the government. The Central Government is authorized to fix the procedure for affixing such signature.


17.6.1 What Is Electronic Governance?

The e-governance means the filing of any form, application or other document with the government department in the electronic form and similarly issue or grant of any licence or permit or receipt or payment from the government offices and its agencies through the electronic means or electronic form.

17.6.2 Benefits of Electronic Governance

The e-governance will help in low cost, efficient and transparent working of the government department. The issue of man power shortage at the government office and bribe can be avoided easily. Accuracy and record maintenance will be faster and smoother.

17.6.3 Rules of Electronic Governance

The Information Technology Act provides legal recognition for electronic records. It means government departments and government offices can accept documents in electronic form, and these will be treated as legally valid documents.

The Act also provides legal recognition for the digital signature. It means any document or data that is digitally signed will be treated as a valid and authenticated electronic record. Forms and applications can be filed with the government through electronic means, and similarly a government department can issue or grant any licence or permission through electronic means.


e-filing of company incorporation, and related documents—www.mca.gov.in

e-filing related income tax—https://incometaxindiaefiling.gov.in

e-filing for patent application—http://ipindiaonline.gov.in/on_line

17.6.4 Legal Recognition of Electronic Records—Section 4

Where any act requires that information should be in writing and such information or form is stored or saved in electronic form, the requirement of the act is satisfied if the information or matter is—

  1. Rendered or made available in an electronic record.
  2. Accessible so as to be usable for a subsequent reference.

17.6.5 Retention of Electronic Records

If any act provides that documents, records or information shall be retained for a specific period, then the requirement of the act is satisfied if such documents, records or information are retained in electronic form, if—

  1. The information contained in the electronic form remains accessible and usable for future reference.
  2. The electronic record is retained in the format in which it was originally sent or received or generated.
  3. The details of identification of origin, destination, date and time of dispatch or receipt of records are available.

17.6.6 Validity of Electronic Contract—Section 10(A)

Where any contract is made by the electronic mode (i.e., communication of proposal, the acceptance of proposals, revocation of proposals and acceptances) or expressed in the electronic forms or by means of electronic records, such contract is valid, enforceable and binding to parties.


The certifying authority will issue the digital certificate to the subscriber on payment of a fee not exceeding 25,000, after satisfying itself that the subscriber holds the private key corresponding to the public key to be listed in the digital certificate and that the private key is capable of creating a digital signature.

17.7.1 Procedure for Obtaining Digital Certificate

The sender sends his public key to the certification authority along with the information, specific to his identification and other relevant information. The application should be accompanied by the certificate of practice statement.

The certification authority uses this information to verify the sender and his public key. If everything is in order, the certification authority returns to the sender a digital certificate that confirms the validity of the sender's public key.

The certifying authority certifies the public key by digitally signing the sender's public key with the authority's private key, and the authority puts this signature on the digital certificate. Any user who wants to use someone's public key can verify its validity by applying the certification authority's public key to the digital signature of the certifying authority on the certificate. In this way, the user obtains the actual public key of the sender and can tally it with the public key on the digital certificate.
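The hash-then-sign mechanism of Section 17.5.1 and the certificate check described above can be traced in code. This is an added example, not taken from the original chapter: it uses textbook RSA over SHA-256 with constructed toy keys built from publicly known Mersenne primes (insecure, for illustration only), and the function names and certificate layout are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by every toy key pair below


def mersenne(k):
    """Return 2**k - 1; only called with k for which this is a known prime."""
    return 2 ** k - 1


def make_key_pair(p, q):
    """Textbook RSA: public key (n, e) and private key (n, d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def message_digest(data: bytes) -> int:
    """Hash function step: SHA-256 digest of the content as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private_key) -> int:
    """'Encrypt' the message digest with the private key."""
    n, d = private_key
    return pow(message_digest(data), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """'Decrypt' the signature with the public key and compare digests."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(data)


def certificate_body(subject: str, public_key) -> bytes:
    """Bytes the certifying authority signs: subscriber identity + public key."""
    n, e = public_key
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(subject, subject_public_key, issuer_private_key):
    """Bind a public key to a subscriber with the issuer's signature."""
    body = certificate_body(subject, subject_public_key)
    return {
        "subject": subject,
        "public_key": subject_public_key,
        "issuer_signature": sign(body, issuer_private_key),
    }


def check_signed_document(document, signature, certificate, ca_public_key):
    """Receiver's procedure: check the certificate first, then the document."""
    body = certificate_body(certificate["subject"], certificate["public_key"])
    if not verify(body, certificate["issuer_signature"], ca_public_key):
        return "certificate not issued by the certifying authority"
    if not verify(document, signature, certificate["public_key"]):
        return "document altered or signature not from certificate holder"
    return "valid"


# Constructed toy keys (hypothetical parties, insecure parameters).
SUBSCRIBER_PUB, SUBSCRIBER_PRIV = make_key_pair(mersenne(521), mersenne(607))
CA_PUB, CA_PRIV = make_key_pair(mersenne(1279), mersenne(2203))
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_key_pair(mersenne(127), mersenne(2281))


def run_scenarios():
    """Three constructed cases: genuine, altered content, self-made certificate."""
    agreement = b"Constructed sample agreement: A sells 100 units to B."
    signature = sign(agreement, SUBSCRIBER_PRIV)
    certificate = issue_certificate("Subscriber A", SUBSCRIBER_PUB, CA_PRIV)
    # Certificate that claims the same name but was not signed by the CA.
    self_made = issue_certificate("Subscriber A", IMPOSTOR_PUB, IMPOSTOR_PRIV)
    return {
        "genuine": check_signed_document(
            agreement, signature, certificate, CA_PUB),
        "altered": check_signed_document(
            agreement.replace(b"100", b"900"), signature, certificate, CA_PUB),
        "self_made_certificate": check_signed_document(
            agreement, sign(agreement, IMPOSTOR_PRIV), self_made, CA_PUB),
    }


if __name__ == "__main__":
    for case, result in run_scenarios().items():
        print(f"{case}: {result}")
```

Production systems use a vetted cryptographic library, randomly generated primes and a padding scheme such as RSA-PSS rather than the bare modular exponentiation shown here.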

No application can be rejected without giving a reasonable opportunity.

17.7.2 Suspension of Digital Signature Certificates

The certifying authority may suspend the digital signature certificate in public interest for a period not exceeding 15 days. The certifying authority may suspend the digital signature if request in this regard is received from the subscriber. On suspension of the digital signature communication should be made to the subscriber.

17.7.3 Revocation of Digital Signature Certificates

The certifying authority may revoke the digital signature issued by it.

  1. Where the subscriber or any other person authorized by him, makes a request to that effect.
  2. Upon the death of the subscriber.
  3. Upon the dissolution of the firm or winding up of the company.

The certifying authority may revoke the digital signature if the material fact represented in the digital signature certificate is false or concealed or where the requirement of the digital signature certificate was not satisfied or the subscriber has become insolvent. On revocation of the digital signature, communication should be made to the subscriber.


The civil courts have been barred from entering any suit or proceeding in respect of any matter which an adjudicating officer or tribunal is empowered to handle. The provisions relating to the tribunal and the adjudicating officer are given under.

17.8.1 Appellate Tribunal

The Cyber Regulation Appellate Tribunal shall be the appellate body where appeals against the orders passed by the adjudicating officers shall be preferred.

The tribunal shall not be bound by the principle of code of civil procedure but shall follow the principles of natural justice and shall have the same powers as those are vested in a civil court.

Against an order or decision of the Cyber Appellate Tribunal, an appeal shall be made to the high court within 60 days.

17.8.2 Adjudicating Officer

The affected party report for offences to the Cyber Regulations Appellate Tribunal shall consist of one person only, known as the presiding officer who shall be appointed by the Central Government. Such a person is equivalent to a high court judge.

Appeal against the adjudicating officer's order within 45 days can be made to the Appellate Tribunal. The adjudicating officer passes the order for the reported offence.


The adjudicating officer has the power for holding an inquiry, in relation to certain computer crimes and for awarding compensation. The penalties can be imposed by the adjudicating officer for the damage of computer or computer network for—

  1. Copy or extract any data from the database without permission.
  2. Unauthorized access and downloading.
  3. Introduction of virus.
  4. Damage to computer system and computer network.
  5. Disruption of computer, computer network.
  6. Denial to authorized person to access computer.
  7. Providing assistance to any person to facilitate unauthorized access to the computer.
  8. Charging the service availed by a person to an account of another person by tampering and manipulation of other computer.

Section 43 provides for a penalty of compensation, not exceeding 1,00,00,000 (1 crore), to the affected persons for damage to the computer system, as decided by the adjudicating officer.


The offences and penalties under the Information Technology Act are the following.

17.10.1 Offences

  1. Tampering with the computer source documents—imprisonment up to three years or fine up to 2,00,000 or both.
  2. Hacking computer system—imprisonment up to 3 years or fine up to 2,00,000 or both.
  3. Publishing of information which is obscene in electronic form.
  4. Electronic forgery, i.e., affixing of false digital signature making false electronic record.
  5. Punishment for cyber terrorism.
  6. Electronic forgery for the purpose of cheating.
  7. Electronic forgery for the purpose of harming reputation.
  8. Using as genuine a forged electronic record.
  9. Publication of the digital signature certificate for fraudulent purpose.
  10. Offences by companies.
  11. Breach of confidentiality and privacy.
  12. Publishing false digital signature certificate.
  13. Misrepresentation or suppressing of material fact.

17.10.2 Penalty for Offences

  1. The penalty and compensation for damage to the computer and computer system: a company or body corporate which collects sensitive or personal information is liable to pay compensation for failure to protect the data.
  2. The penalty for failure to furnish information and returns is 1,50,000 for each failure.
  3. The punishment for publishing a false digital signature certificate is imprisonment up to two years or a fine up to 1 lakh or both.
  4. The punishment for fraudulent publishing is imprisonment up to two years or a fine up to 1 lakh or both.
  5. The punishment for hacking is imprisonment up to three years or a fine that may extend to 2,00,000 or both.
  6. The punishment for publishing obscene information may extend to five years imprisonment and a fine which may extend to 1 lakh in the event of first conviction, and may extend to 10 years and a fine which may extend to 2 lakhs.
  7. The punishment for misrepresentation is imprisonment up to two years with a fine up to 1 lakh or both.

The Network Service Providers shall not be liable for the third parties information or the data made available by him if he proves that the offence was committed without his knowledge or consent.


Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates.

  1. Is negligent in implementing and maintaining reasonable security practices and procedures.
  2. Thereby causes wrongful loss or wrongful gain to any person.

Such body corporate shall be liable to pay damages by way of compensation to the person so affected.

The body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

The reasonable security practices and procedures means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

The sensitive personal data or information means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.


The duties of the controllers of certifying authority can be regarded as functions of controller. The controller may perform all or any of following functions.

  1. Exercise supervision over the activities of the certifying authorities.
  2. Certifying public keys of certifying authorities.
  3. Laying down standards to be maintained by certifying authorities.
  4. Specifying the qualifications and experience which the employees of certifying authorities should possess.
  5. Specifying the conditions subject to which the certifying authorities shall conduct their business.
  6. Specify the contents of written or visual material and advertisement that may be distributed or used in respect of the digital signature certificate and the public key.
  7. Specifying the form and content of a digital signature certificate.
  8. Specifying the form and manner in which accounts shall be maintained by the certifying authorities.
  9. Specifying the terms and conditions subject to which the auditors may be appointed and remuneration paid to them.
  10. Facilitating the establishment of any electronic system by the certifying authority either solely or jointly with other certifying authority and the regulation of such system.
  11. Specifying the manner in which the certifying authorities shall conduct their dealings with the subscriber.
  12. Resolving any conflict of interests between the certifying authorities and the subscriber.
  13. Laying down the duties of certifying authorities.
  14. Maintaining a database containing the records of every certifying authority like containing such particulars as may be specified by regulations which shall be accessible to the public.

17.12.1 Licence to Issue Electronic Signature Certificates

Any person may apply to the controller to obtain the licence to issue the electronic signature certificate. The licence is granted to issue the electronic signature certificates on the fulfillment of certain conditions like qualification, expertise, manpower and financial resources. The licence granted is valid for specified period and not transferable or heritable.

Every application for the licence made shall be accompanied by the certificate practice statement and identification of the applicant. The licence can be renewed by application and on payment of the prescribed fees.

The controller on the receipt of application may grant or reject the application. But when the application is rejected the applicant should be given reasonable opportunity of being heard.

The controller may revoke the licence on the grounds of incorrect or false material information or on the ground of contravention of any provisions of act. No licence can be revoked without the show cause notice.

The licence can be suspended for a period not exceeding 10 days after giving reasonable opportunity of being heard. On suspension, the controller shall publish a notice of suspension or the revocation of licences in the database maintained by him on the website maintained by him.


The duties of the certifying authorities can be summarized.

  1. The certifying authorities are to follow certain rules when providing the service of issuing digital certificates to subscribers, such as the following.
  2. Make use of the hardware, software and procedures that are secure from intrusion and misuse.
  3. Provide a reasonable level of reliability in its services.
  4. Adhere to the security procedures to ensure that the secrecy and privacy of the digital signatures are assured.
  5. Observe such other standards as may be specified by the regulations.
  6. The certifying authority shall ensure the compliance of Act.
  7. The certifying authority shall display its licence at the place of business.
  8. The certifying authority whose licence is suspended or revoked, shall immediately surrender the licence to the controller.
  9. Disclosure: every certifying authority shall disclose its digital signature certificate, which contains the public key corresponding to the private key used by the certifying authority to sign the digital signature certificate of the subscriber.
  10. Act in accordance with the procedure specified in its certification practice statement.

In respect of the electronic and digital signature, the subscriber has the following duties.

  1. Generate the key pair, i.e., public key and private key.
  2. Publish the digital signature certificate on the acceptance of the digital signature certificate.
  3. By accepting the digital signature certificate, the subscriber certifies to all who reasonably rely on the information contained in the digital signature certificate that—
    • The subscriber holds the private key corresponding to the public key listed in the digital signature certificate.
    • All representations made by the subscriber to the certifying authority and all material relevant to the information contained in the digital signature certificate are true.
    • All information in the digital signature certificate that is within the knowledge of the subscriber is true.
  4. Control the private key.

Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his digital signature certificate and take all steps to prevent its disclosure to a person not authorized to affix the digital signature of the subscriber.

If the private key related to the digital signature certificate has been compromised, the subscriber shall communicate this without any delay to the certifying authority.


The Central Government has the power to make rules by notifying in the Official Gazette in respect of certain matters.

  1. Specify the manner for the matter or electronic records which may be authenticated by a digital signature.
  2. Specify the format by which electronic records shall be filed or issued.
  3. Specify the type of digital signature and the manner and format in which it may be affixed.
  4. Specify the security procedure for the purpose of creating same electronic record and secure digital signature.
  5. Specify the qualifications, experience and terms and conditions of service of the controller, deputy controller and assistant controller.
  6. Specify the requirements, manner and form in which the application is to be made for a licence to issue the digital signature certificates.
  7. Specify the period of validity of the licence.
  8. Specify the qualifications and the experience of an adjudicating officer as well as the other officers.
  9. Specify the salary, allowances and terms and conditions of the service of the presiding officers.

The Information Technology Act has not addressed the following areas.

  1. Jurisdiction aspects of electronic contracts.
  2. Jurisdiction of courts and tax authorities.
  3. Taxation of goods and services traded through e-commerce.
  4. Stamp duty aspects of electronic contracts.
  5. Protection of domain name.
  6. Infringement of the copyright law.
  1. State vs. Amit Prasad

    State vs. Amit Prasad was India's first case of hacking registered under Section 66 of the Information Technology Act, 2000. A case with unique facts, it demonstrated how the provisions of the Indian Information Technology Act could be interpreted in any manner depending on which side of the offence you were on.

  2. State of Chattisgarh vs. Prakash Yadav and Manoj Singhania

    This was a case registered on the complaint of the State Bank of India, Raigarh branch. Clearly a case of spyware and malware, it demonstrated in the early days how the IT Act could be applied to constantly different scenarios.

  3. State of Tamilnadu vs. Dr L. Prakash

    State of Tamilnadu vs. Dr L. Prakash was the landmark case in which Dr L. Prakash was sentenced to life imprisonment in a case pertaining to online obscenity. This case was also a landmark in a variety of ways since it demonstrated the resolve of the law enforcement and the judiciary not to let off the hook one of the very educated and sophisticated professionals of India.

  4. NASSCOM vs. Ajay Sood and Others (2005)

    The Delhi High Court declared ‘phishing’ on the Internet to be an illegal act entailing an injunction and recovery of damages. Phishing is a form of Internet fraud in which a person pretends to be a legitimate association, such as a bank or an insurance company, in order to extract personal data from a customer, such as access codes and passwords. The personal data so collected by misrepresenting the identity of the legitimate party is commonly used for the collecting party's advantage. The court held the act of phishing to be passing off and tarnishing of the plaintiff's image.

  5. SMC Pneumatics (India) Pvt Ltd vs. Jogesh Kwatra

    An ex-employee of the company had forwarded several emails to the managing director of the company and to several of its subsidiary companies, which the court considered distinctly obscene, vulgar, abusive, intimidating, humiliating and defamatory in nature. The Hon’ble Delhi High Court observed a prima facie case of defamation and issued a restraining order against publishing this kind of email in the cyber world.

  6. State of Tamilnadu vs. Suhas Katti (2004)

    The case related to the posting of obscene, defamatory and annoying messages about a divorcee woman in a Yahoo message group by Suhas Katti. The e-mails were also forwarded to the victim for information by the accused through a false e-mail account opened by him in the name of the victim. The posting of the message resulted in annoying phone calls to the lady in the belief that she was soliciting. The court ordered imprisonment and a fine, under Section 67 of the Information Technology Act, for harassment using the Internet as a medium.


Pune Citibank MphasiS Call Centre Fraud

US $3,50,000 was dishonestly transferred from the accounts of four US customers to bogus accounts. This will give a lot of ammunition to those lobbying against outsourcing in the US. Such cases happen all over the world, but when it happens in India it is a serious matter and we cannot ignore it. It is a case of social engineering. Some employees gained the confidence of the customers and obtained their PIN numbers to commit fraud. They got these under the guise of helping the customers out of difficult situations. The highest security prevails in the call centres in India, as they know that they will otherwise lose their business. It was not so much a breach of security as a case of social engineering. The call centre employees are checked when they go in and out so that they cannot copy down the numbers, and therefore they could not have noted these down. They must have remembered these numbers, gone out immediately to a cyber café and accessed the Citibank accounts of the customers. All accounts were opened in Pune, and the customers complained that the money from their accounts had been transferred to the Pune accounts; that is how the criminals were traced. The police have been able to prove the honesty of the call centre and have frozen the accounts to which the money was transferred.

There is a need for a strict background check of call centre executives. However, even the best of background checks cannot eliminate the bad elements from coming in and breaching security. We must still ensure such checks when a person is hired. There is a need for a national ID and a national database against which a name can be checked. In this case the preliminary investigations do not reveal that the criminals had any crime history. Customer education is very important so that customers do not get taken for a ride. Most banks are guilty of not doing this.

sony.sambandh.com Case

India saw its first cybercrime conviction recently. It all began after a complaint was filed by Sony India Private Ltd, which runs a website called www.sony-sambandh.com, targeting Non Resident Indians. The website enables NRIs to send Sony products to their friends and relatives in India after they pay for them online. The company undertakes to deliver the products to the concerned recipients. In May 2002, someone logged onto the website under the identity of Barbara Campa and ordered a Sony colour television set and a cordless headphone. She gave her credit card number for the payment and requested that the products be delivered to Arif Azim in Noida. The payment was duly cleared by the credit card agency and the transaction processed. After following the relevant procedures of due diligence and checking, the company delivered the items to Arif Azim. At the time of delivery, the company took digital photographs showing the delivery being accepted by Arif Azim. The transaction closed at that, but after one and a half months the credit card agency informed the company that this was an unauthorized transaction, as the real owner had denied having made the purchase.

The company lodged a complaint for online cheating with the Central Bureau of Investigation, which registered a case under Sections 418, 419 and 420 of the Indian Penal Code. The matter was investigated and Arif Azim was arrested. The investigations revealed that Arif Azim, while working at a call centre in Noida, gained access to the credit card number of an American national, which he misused on the company's site.

The CBI recovered the colour television and the cordless headphone. In this matter, the CBI had evidence to prove its case and so the accused admitted his guilt. The court convicted Arif Azim under Sections 418, 419 and 420 of the Indian Penal Code, this being the first time that a cybercrime has resulted in a conviction. The court, however, felt that as the accused was a young boy of 24 years and a first-time convict, a lenient view needed to be taken. The court therefore released the accused on probation for one year. The judgment is of immense significance for the entire nation. Firstly, besides being the first conviction in a cybercrime matter, it has shown that the Indian Penal Code can be effectively applied to certain categories of cybercrimes which are not covered under the Information Technology Act, 2000. Secondly, a judgement of this sort sends out a clear message to all that the law cannot be taken for a ride.

1. What is Cyber Law? (Ref. Para-17.1)
2. What are the objectives of the Information Technology Act, 2000? (Ref. Para-17.2)
3. What is the scope of the Information Technology Act? Describe the various relevant definitions in it. (Ref. Para-17.3,17.4)
4. Explain the computer, computer network and computer system under the Information Technology Act. (Ref. Para-17.4)
5. What is digital signature? How is it used for the authentication of electronic record? (Ref. Para-17.5)
6. What do you understand by the term ‘hash function?’ (Ref. Para-17.5)
7. What is e-governance? Explain the various provisions for e-governance in Chapter-3 of IT Act. (Ref. Para-17.6)
8. Write a short note on digital signature certificate. (Ref. Para-17.7)
9. Write a short note on the Cyber Regulations Appellate Tribunal. (Ref. Para-17.8)
10. Which activities can be considered as offences under the Information Technology Act and what are the penalties thereof in IT Act? (Ref. Para-17.9,17.10)
11. Explain the liabilities of companies in the Information Technology Act. (Ref. Para-17.11)
12. Explain the duties of the controller of certifying authorities. (Ref. Para-17.12)
13. Explain the duties of the certifying authorities. (Ref. Para-17.13)
14. What are the duties of a subscriber? (Ref. Para-17.14)
15. What are the powers of the Central Government to make rules under the Act? (Ref. Para-17.15)
16. Explain the various issues covered and not covered in the IT Act. (Ref. Para-17.16)
  1. The Information Technology Act is popularly known as _____________
    1. cyber law.
    2. hacking law.
    3. electronic law.
    4. security law.
  2. The Information Technology Act is not applicable to
    1. whole of India.
    2. whole of India except state of Jammu and Kashmir.
    3. power of attorney.
    4. none of the above.
  3. The Information Technology Act is not applicable to
    1. will.
    2. cheque.
    3. bills of exchange.
    4. all of the above.
  4. The Information Technology Act consists of ______________ chapters.
    1. 12
    2. 13
    3. 14
    4. 15
  5. The Information Technology Act consists of _____________ Sections.
    1. 90
    2. 99
    3. 100
    4. 94
  6. Out of the following, which are the objectives of the Information Technology Act?
    1. To give legal recognition to e-commerce transactions.
    2. To facilitate electronic storage of data.
    3. Both (i) and (ii).
    4. None of the above.
  7. Out of the following, which are the objectives of the Information Technology Act?
    1. To give legal recognition to digital signature.
    2. To eliminate signature.
    3. Both (i) and (ii).
    4. None of the above.
  8. Out of the following, which are the objectives of the Information Technology Act?
    1. To facilitate the electronic filing of documents.
    2. To facilitate electronic storage of data.
    3. To facilitate online crime.
    4. None of the above.
  9. Out of the following, which are the objectives of the Information Technology Act?
    1. To recognize e-commerce transactions.
    2. To allow chat between persons.
    3. To pay stamp duty online.
    4. Both (i) and (iii).
  10. ________________ is the key of the key pair used to create a digital signature.
    1. Public key
    2. Private key
    3. both (i) and (ii)
    4. Pass key
  11. _______________ is the key of the key pair used to verify a digital signature.
    1. Public key
    2. Private key
    3. both (i) and (ii)
    4. Pass key
  12. Key pair includes
    1. public key.
    2. private key.
    3. both (i) and (ii).
    4. pass key.
  13. By using _______________ anyone can verify a digital signature.
    1. public key
    2. private key
    3. both (i) and (ii)
    4. pass key
  14. ____________ is the unique value for a message or content.
    1. Hash
    2. Message digest
    3. Encryption
    4. Private key
  15. The electronic governance means and includes
    1. filing any form online.
    2. filing any form offline.
    3. making an application online.
    4. both (i) and (iii).
  16. What are the benefits of electronic governance?
    1. low cost
    2. efficient working of government
    3. transparency in working of government
    4. all of the above
  17. The ______________ provides legal recognition for electronic records.
    1. Indian Contract Act
    2. Companies Act
    3. Evidence Act
    4. Information Technology Act
  18. The _____________ will issue the digital certificate.
    1. certificate authority
    2. State Government
    3. Central Government
    4. NASSCOM
  19. An appeal can be made to the _____________ against the order of the appellate tribunal.
    1. Magistrate Court
    2. High Court
    3. Supreme Court
    4. both (i) and (ii)
  20. An appeal can be made to the High Court against the order of the appellate tribunal within _____________ days.
    1. 30
    2. 45
    3. 60
    4. 90
  21. ____________ are offences under the Information Technology Act.
    1. Sending offensive messages
    2. Stealing information
    3. Video conference
    4. both (i) and (ii)
  22. The digital signature can be suspended by the certifying authority in case of _______________
    1. public interest.
    2. interest of any person.
    3. interest of user.
    4. both (i) and (ii).
  23. The digital signature can be suspended by the _______________
    1. Central Government.
    2. State Government.
    3. certifying authority.
    4. controller.
  24. The digital signature can be issued by ____________
    1. Central Government.
    2. State Government.
    3. certifying authority.
    4. controller.
  25. The digital signature cannot be suspended for a period exceeding __________ days.
    1. 15
    2. 30
    3. 45
    4. 60
  26. The certifying authority can be appointed by ____________
    1. Central Government.
    2. State Government.
    3. certifying authority.
    4. controller.
  27. An application for a licence to issue electronic signature certificates is made along with which document?
    1. Certificate of practice.
    2. PAN.
    3. Driving licence.
    4. Electricity bill.
  28. The controller shall publish notice of ___________ of a licence in the database maintained by him.
    1. suspension
    2. revocation
    3. both (i) and (ii)
    4. none of the above
  29. The controller may revoke a licence on the ground of ___________ information contained in the application.
    1. false
    2. incorrect
    3. both (i) and (ii)
    4. none of the above
  30. No licence shall be suspended by the controller for a period exceeding __________ days.
    1. 10
    2. 15
    3. 30
    4. 45
1 (i) 2 (ii) 3 (iv) 4 (ii) 5 (iv)
6 (iii) 7 (i) 8 (iv) 9 (i) 10 (ii)
11 (i) 12 (iii) 13 (i) 14 (ii) 15 (iv)
16 (iv) 17 (iv) 18 (i) 19 (ii) 20 (iii)
21 (iii) 22 (i) 23 (iii) 24 (iii) 25 (i)
26 (iv) 27 (i) 28 (iii) 29 (iii) 30 (i)