Cyber Laws - PANKAJ PATILHarish Chander, Cyber Laws and It Protection, PHI Publication. By Prof....

Cyber Laws(BTCOE504)UNIT-I

Syllabus• Internet, E-Commerce And E-Governance With Reference To Free Market

Economy• Understanding Computers, Internet and Cyber Laws• Conceptual Framework of E-commerce:E-governance• The Role of Electronic Signatures in E-commerce with Reference to Free

Market Economy in India.Reference Books1. Harish Chander, Cyber Laws and It Protection, PHI Publication.

By Prof. Pankaj R. Patil

Understanding Computers, Internet and Cyber Laws Modern Era- There is abundance of knowledge in every sphere of life in the modern era. The

world has become very small and has come to be called the 'global village'.- The means of communication have become very fast and any kind of

information from any place in the world can be obtained within minutes with the help of the Internet wherein every field of knowledge is available to the people across the world. Such a scenario has also made possible a globalised free market economy in the world.

- E-commerce is the trend today and many business transactions are going online.

- Individuals and business houses need not directly deal with the other business people for doing business.


- Business community as well as individuals are increasingly using computers tocreate, transmit and store Information In the electronic form instead of thetraditional paper documents.

- Information store in electronic form is very cheap easier to store and retrieve,speedier, and long lasting, unlike paper documents.

- Now, business people have realised the a advantages of business transactionin the electronic form.

- Such a change of thinking of business people as well as the availability of thefacilities in the form of computers and electronic commerce has made itessential to have an effective legal regime for governing the e-commerce andbusiness transactions properly and effectively.


Need for Cyber Laws- The advantages of the use of computers and internet are immense in the

modern business and our society cannot smoothly function without computersand information technology (IT).

- But the use of internet and computers has brought along many unavoidablemisuses of computer and the internet.

- This has been easily possible more so because, in the use of the computers,there is no territorial limit and can be used from any jurisdiction.

- This sort of freedom has helped many computer experts Indulging in unlawfulcyber criminal activities across the world.

- Hacking, bugging, cheating, pornography, embezzlement, fraud and so on havebecome very popular on the internet


- In Times of India it was reported that the cases of credit card fraud have shotup these days.-According to the Delhi Police, complaints of online credit card frauds have seena sharp increase in the past two years. And since online transactions are one-sided, customers end up paying for frauds.- Moreover, there is counterfeiting of plastic money. It may be Someone got

hold of your card details and copied them onto a bogus card, and startedspending your money.

- even terrorists plot -terror over the Internet. It is reported by the US officialsthat four Caribbean men who plotted to carry out attacks on fuel tanks andlines leading to the John F. Kennedy airport had conducted "precise andextensive" surveillance using photographs, video, and satellite imagesdownloaded from the Google Earth.


- the importance and need to have proper legislation to curb the kinds crimes onthe internet present legal provisions recognize paper based records anddocuments, which bear signatures. But the e-commerce, eliminates to a greatextent the need for paper based transactions, and therefore in order to facilitateand promote it, there is an imminent need for cyber laws.

- The United Nations Commission on International Trade Law adopted theModel Law on Electronic Commerce in 1996 India is a signatory to this andhas therefore to revise the laws accordingly Keeping in view the urgent need tobring suitable changes in the existing laws to facilitate e-commerce and e-governance, the Information and Technology Bill, 1999 was introduced in theParliament in India.

- provides legal recognition of electronic records and electronic signatures. Suchchanges in laws will enable the conclusion of contracts and the creation orights and obligations through the electronic medium.

- The new law also provides for the use and acceptance of electronic recordsand electronic signatures in government offices and its agencies.


Historical Perspective Impact of the Internet and Information Technology (IT) on Business and

Society- Internet because of its open architecture ,digital format and unifying protocols,

has emerged as the platform to support increase connectivity and interactionamong network .

- technological development offer a vision of future marked by new capabilitiesin processing speed , transport and storage of data .

-


The Character & Use of Internet Technologies - Information technologies and their applications are totally characterised by

heterogeneity.- People access the internet by using a wide variety of devices that range from high -

performance workstations to handheld appliances- heterogeneous marketplace increases the importance of the role of standards.- The unifying nature of the Transmission Control Protocol/Internet Protocol (TCP/IP)

has been critical to Internet's success.- The intense volume of information and the simplicity of its transfer causes some

problems.- Ownership of information is very hard to protect, the illicit reuse of copyright

material is commonplace, the spreading of false and malicious information is also adaily occurrence.

- Therefore, the aim of cyber or cyber-related laws world-wide is to harmonise theexisting laws and the ultimate aim of legislation world-wide should be to reduce thecosts of world trade by issuing out inconsistencies and uncertainties resulting fromdifferences in the municipal laws.


- merging of all sources of information into a single retrievable database.- For instance, every home, office, news medium, library, data bank business,

government agency and computer will be connected to every device, such astelephone, television, or personal computer.

- Products and services once offered only at the local store are now available tothe consumers at every corner of the planet.

- Around the world, e-commerce is the subject of intense interest in manysectors: in government, business, service sector, amongst consumers andacademics. E-commerce has expanded from the closed world of business-to-business transactions between non-parties to encompass a complex web ofdifferent activities involving large number of individuals, many of whom willnever meet each other.

- A world class telecommunications infrastructure and information is the key torapid economic and social development of a country


- IT has become a key enabler for economic growth, it has also broughtabout fundamental changes as to how business is conducted. India'sstrength in the software area has made it a key player in the just-in-timeglobal economy where speed has become the important factor.

- Internet transaction will involve parties from more than one jurisdiction.- Thus, there is an urgent need for the international community to develop a

uniform law based on fair principles of equality, and a system forregulating the Internet and cyberspace regime in the world under the law.

- Each country has tries to develop its own local, national or municipallaws to deal with the the problems of cyber crimes and the resolution ofdisputes about e-commerce and business transactions on the Internet.

- concerted and genuine efforts by the international community to bringabout a uniform international law to deal with the problem of cyber crimesand disputes arising out of e-commerce and international businesstransactions. By Prof. Pankaj R. Patil

- Internet provides intellectual property owners with a unlimited market for theirworks. At the same time, it offers similarly expanded opportunities for thoseseeking to abuse the law.

- the act of registering a domain name similar to or identical with a famoustrademark is an unfair competition whereby the domain registrant takes unfairadvantage of the fame of the trademark to either increase traffic to the domainor to seize a potential asset of trademark owner in the hope that the trademarkowner will pay the registrant to relinquish the domain name.

- even though many courts simply note the objective facts, such as that adomain registrant Owns an inventory of domain names which closely resemblefamous marks and which are not being used for any commerce other than thepotential sale of the domain name to the trademark owner.


- Yahoo! Inc. v. Akash Arora & Anr. wherein the Internet search engine Yahoo!sued an Intenet pirate who had not only copied the domain nameYahooindia.com but had used ‘Yahooindia’ as a trademark in similar script onits website, and by offering directory services with information specific toIndia, was passing itself off as an extension of Yahoo, The defendant hadfurther copied the contents of the plaintiff’s web page and consequently theHTML code associated with the said page.

- In this case, the Delhi High Court granted an Injunction restraining thedefendant from using Yahoo either as a part of his domain name or atrademark or from copying any of the contents of the plaintiff’s website andthereby infringing Yahoo’s copyrights. The court also held that the trademarklaw applies with the equal force on the Internet as it does in the physicalworld.

- Moreover, on account of the case of copying, anonymity, and ease of accessfrom any comer of the world, the internet is a medium in which the courtsshould take a strict view on copying.By Prof. Pankaj R. Patil

-Apart from the usual or ordinary crimes of pornography, hacking, bugging, cheatingand like, now a days websites are being created for defaming and embarrassingindividuals either for political purpose or for harassing women by posting them sexrelated embarrassing situations, taking undue advantages and blackmailing them.- JNU (Jawaharlal Nehru University) Scholar case.- an airhostess had complained that she had been profiled on Orkur as a “Sex struckwomen’. It is reported by The Economic Offences Wing of the Delhi Police that it hasreceived 35 complaints against the site called Orkut. And Delhi Police has registered 6cases in this connection. It has been told by the joint Commissioner of Police (CP)(Crime) Delhi Police that the sites are being used to settle personal scores and defamepeople.-since most of such profiles are created at cyber cafes it is often very difficult toidentify the culprit (offender).-The situations explained in the previous two paragraphs point out the utility and theadverse impact of the Internet and cyberspace on commercial business as well aspeople in society in general. Thus, there is a need to understand properly the role ofcomputers, the cyber laws and the Internet.


Conceptual Framework of E-commerce:E-governance

What is E-commerce? - Traditionally, national or international business or commerce was conductedthrough business contracts specifically written on proper paper documents andwithout them, no business contract—whether national or international—wasconsidered binding and valid on the contractual parties.- In the past, there was no possibility of any other form of contracting business

except through paper documents as the facilities of Internet or cyberspace werenot available.

- conduct business on Internet both nationally and internationally the conduct ofbusiness and business transactions of any kind between the parties on theInternet and cyberspace is called e-commerce.


- A new business when it is at the exploratory and planning stage, some basiclegal and practical problems have got to be understood. While Starting a newbusiness on the Internet or cyber space, the following points must be considered

1. A thorough preparation of investigation and market research is imperativebefore starting a new business on the internet.2. Agreement have to be made, involve financial commitment, contract have to beentered between business parties which are agreement between parties which areenforceable under law.3. The business entrepreneur should be aware about the problems peculiar to thebusiness and the kind of transactions the businessman is going to enter with theother parties.4. It is useful and advisable to anticipate certain terms and conditions of thecontract which are profitable and favorable. and knowing them. fully well will belegally binding.


5. New business can be started as a single owner proprietary business,partnershipbusiness with the firm name, Private Limited Company. Or as a Public Limited Company.

Growth and Development of E-commerce- page of a e-commerce or business on the World Wide Web (WWW) can reach

the surfers very fast in any part of the world.- The scope on the page on the internet can subject the publisher to jurisdiction

of a lawsuit anywhere in the world.- The advantages of cyberspace are that its scope has no territorial boundaries.

And the cost and speed of messages of transactions on the net is almost entirelyindependent of physical location.

- The Messages can be transmitted from one physical location to any otherlocation without degradation, decay, or substantial delay.


Various modes of E-Commerce- e-commerce operates on broad characterizations through four modes which are

as follows1. Advertising, sale, lease or license of tangible products over the Internet

includes goods and products such as shrink-wrapped software, compact disks(CDs), books. machinery, and so on.

2. Advertising, sale, lease or license of intangible contents such as softwaredownloads, digitized forms of music available for downloads, electronicnewspapers, photos and services, offered by online databases. In an intangibleproduct such as subscription for an online newspaper in some cases, allowsthe same to be taken as a print out of a hard copy. In such cases it may beargued that such print out of a hard copy constitutes a tangible medium. Thecost of printing is not included in the online newspaper whereas the cost ofprinting is included in case of traditionally paper-based news paper.


1. Advertising, sale, or license of services such as offshore softwaredevelopment, online newspapers, online ticket bookings, trading in stocks andshares, online banking, online casino games and the like. Such services mayinclude push-content as well, if such service is subscribed to. In such e-commerce in the form of advertising, providing, selling, leasing, licensing,Internet access and telecommunications are the concerned Internet ServiceProvider (ISPs) and the backbone is the service providers.

2. Advertising, sale, lease, license of tangible products over the internet theelectronic counterpart of our traditional order systems. electronic counterpartof mail-order system function as advertising,marketing, selling medium fortangible products derived from content providers, Not only does advertisingtake place through Online advertises but other media such as television orradio .


- e-commerce includes retailing and wholesale businesses, online newspaper and otherinformation sources and services like pay-per-use-schemes for online databases,subscription services, online healthcare services, online gambling services,videoconferencing, offshore and inland banking and stock trading in a way everything thatthe traditional methods could offer. Mechanism Involved in the Operation of Internet- All machines connected to a network are generally identified by their Internet Protocol (IP)

numbers and Internet also has its own IP number.- The devices communicate with each other through the IP number system functioning like

two conventional telephones.- For easier performance the specific IP numbers denoting a computer is given a domain

name. And the communication of data takes place in the form of packets. A typical ‘packet’contains a header as well as a data part.

- The packets can traverse through several networks before reaching destination. The formatand transmission of data is through use of several protocols.

- The common protocol used on the Internet is Transmission Control Protocol/InternetProtocol (TCP/IP).

- The data portion of packet can be encrypted for better security. Packets are made to takethe shortest route to the destination.


Type of Players in E-commerce- following important players are involved in commercial transactions on the internet 1. Network Provider:This forms a part of the internet backbone, providing the requisite amount of bandwidth.2. Internet Service Provider (ISP):The ISP contracts with the Individual users, Companies and organizations to provide access to Internetin the form of dial-up or leased accounts for a requisite fees.ISP also provides space on its servers forhosting websites.3. The User:The most important player in the e-commerce model is the user. All system of e-commerce includingpurchase, sale, payment and others are structured around the user.4. The Website:The website contracts with the ISP to host its business. The user contracts with the website forpurchase, sale of good, products or services. If products or goods are intangible and exclusively foronline use, the website may contract with a content provider to provide requisite products and goods.And if the website represents any manufacturing concern or is its own content provider, it may offer itsproducts for sale, and in other cases, websites may have to offer royalty for content providers for thepurchase of rights or license fees for products.


5. The Payment Providers: -The payment providers are like Visa, or Mastercard which offer exchange collection methodsthrough the use of credit cards and various other forms of electronic money. Generally,tangible forms of money like paper currency support online payment mechanisms or creditcard payment.6. The Payment System Provider:-These are the providers of underlying technology and guidance for the payment systemproviders to function. The payment providers need to get a license from payment systemproviders like RBI or Cyber cash and the like.7. The Software Architects: They provide applications for both clients and server to enable efficient service over the Internet8. Advertiser:-like Ad. In TV and radio, online Ad. Is a big business. It takes forms of banner Ad. And e-mail ad. Advertiser contracts with the websites and supplies Ad. , to increase number of users visiting the websites


9. Content Provider:Provides product and goods to websites for sale. They receive part of proceeds or royalty or both from the website10. The Back-end System:These are software applications that maintain inventory & accounting . Databaseproduct from oracle & Microsoft are typical examples- Besides, players includes search engine like yahoo or Alta Vista Web Development and Hosting Agreement- A customer generally obtains only one of the services which are describedseparately in the following segregated categories:


- File conversation is the basic service which involves file manipulation such as converting non-HTML documents into HIML and scanning photos or graphics and saving such files into GIF or JPEG.

- Web design involves creating designing the look and feel of the website, including logos and banners, navigation bars or tools, page layout and object placement.

- Code development involves coding HTML pages (from scratch), cg scripts, and Java applets or other applications.

- System integration website involves integrating the website with one or more third party applications, such as chat engines, search engines, e-commerce store fronts etc.

- Back-end system involve integrating the website with one or more existing applications such as legacy systems.


Web HostingWeb hosting in the generic description can encompass a number of different relationshipsdescribed in the following:-Collocation occurs when the customer locate customer owned servers at the provider’sfacility. In a straight collocation relationship, the providers will not manipulate content onthese servers. Providers of these services usually provide space for the servers in chain, fencedwithin ‘cages’.- In the typical hosting relationship, the provider (as opposed to the customer) provides theservers and software in addition to the Internet connection.- Co-branding is a popular technique which has been used to expand the scope of a customerwebsite co-branding pages on a third party Servers.- Outsourcing is increasingly becoming popular. Outsourcing occurs When a customeroutsources one or more functions of its website to & third party provider. For example whowhere? allows a customer website to offer co-branded e-mail to its users by directingcustomer's User co-branded pages Operated on Who Where server using Who where?Software.


The Problem of Internet Jurisdiction- The main trouble and problem about the Internet Jurisdiction is the presenceof multiple parties in various parts of the world who have a virtual nexus witheach other.- The question arises in such cases that if one party wants to sue the other, then

where can one sue? The municipal laws traditionally require two areas, theplace where the defendant resides, and where the cause of action arises.However, 1n the context of Internet, we find that both these are difficult toestablish with any certainty.

- For example, X in India decides to download an article from a website, andpays money for it through a credit card; but then he is unable to performdownloading.

- If X wants to sue the owner of the site who is in England, while the site itself isbased in a server in Malaysia. In this case where does the defendant reside?The transaction having occurred on the Internet, was the defendant in India orMalaysia?


- The problems of jurisdiction of such type of issues have contributed to a gooddeal of confusion and contradiction that prevail in the judicial decision of theInternet jurisdiction.

- In Cybersell, Inc. v. Cybersell, Inc it was found that a conflicting factualsituation was involved over the jurisdiction.

- The case was about a trademark dispute between two corporations, one of themin Orlando and another at Arizona.

- The court was faced with the issue of whether the mere use of a website by theFlorida Corporation was sufficient to grant the court in Orlando to try the casewithin its jurisdiction. In this case, the court held that it had no jurisdictionfocusing on traditional analysis established by the US Supreme Courtconcerning the due process aspects of personal jurisdiction.

- In this case, the Court opined “it is essential in each case that there be someact by which the defendant purposefully avails itself of the privilege ofconducting activities within forum state ,thus invoking benefits & protectionof its law.


Illustrative Cases about Cyberspace Jurisdiction- The Pres-kap, Inc. v. System One, Direct Access, Inc;' case involved electronic contacts

through a computerized airline reservation system.- The plaintiff owned and operated a computerized airline reservations system. The computer

system as well as plaintiff's main billing office was in Florida and a branch office operated inNew York. The defendant based in New York owned and operated a travel office in NewYork, the parties negotiated a lease contract in New York and there was a breach of contractwhich was the issue of the lawsuit.

- The Court in this case found only two contacts between defendants and the forum StatesFlorida. The defendants forwarded lease payments to a billing office in Miami anddefendant’s computers made electronic contracts with the plaintiff's computer base inFlorida. The Court, relying on Burger King Corp. v. Rudzewicz, held that a contract withoutof state party alone could not establish its jurisdiction. And so, it was left to decide andconsider only the electronic contracts.

- The Florida Appeals Court ruled that electronic contracts with a computer database locatedin talent State were insufficient to establish personal jurisdiction.


Type of Websites- For the purposes of jurisdiction websites can be divided into two groups:1.Passive and Interactive Sites: These sites provide information in a read only format’.2. Interactive Sites: These encourage the browser to enter information identifying the browserand/or providing background on the browser's interest or buying habits.

-In Zippo Mfg. Co. v. Zippo Dot Com Inc., the Court found purposeful availment based on thedefendant’s interactive website and contacts with 3000 individuals and seven Internet accessproviders in Pennsylvania in a trademark infringement lawsuit.- Here, the website allowed browsers to sign up for the defendant’s Internet news service. The

defendant was a California company and its employees were located in California, and thecompany maintained no office in Pennsylvania, where the law suit was brought.

- The court concluded in this case that because of the 3000 Pennsylvania subscribers and theagreements with Pennsylvania Internet Service Providers (ISPs), the defendant purposefullyavailed itself of Pennsylvania’s jurisdiction.


- -The Court held that the defendant had minimum contacts with the forum State.- In another case that of American Network, Inc. v. Access America/Connect

Atlanta, Inc., wherein a trademark infringement case a Georgia defendant washauled up into a New York Courts.

- A New York plaintiff sued the Georgia defendant for trademark infringementand unfair competition in the US District Court for the Southern District of NewYork. In this case, the plaintiff was a provider of a similar consulting service tothose provided by the defendant and claimed the mark used by the defendant, infringed the plaintiff s mark . Since theplaintiff business was located in New York and the defendant was aware of suchbusiness, it was reasonable for the defendant to expect that the publication ofthe offending mark on the Internet would result in harm suffered in New York.


- Again in Weber .v. Jolly Hotels’, wherein the plaintiff, Weber a New Jerseyresident brought a law suit as a result of injuries sustained while staying atdefendant’s hotel in Italy. In this case, the plaintiff asserted that New Jerseymay exercise general jurisdiction over the defendant, an Italian corporationwhich has the defendant’s Internet advertisements. Following the present caseto instances that involve advertisements placed in ‘national publications’, theCourt held that Internet advertisement by itself was not sufficient to conferpersonal jurisdiction upon a defendant.

- To give a general jurisdiction, the Court opined that it requires the activitywith the forum State to be continuous and substantial, the basic requirementwhich has not been established in this case.

- And the Court further observed that “advertising on the Internet does nottantamount to directing activity at or to purposefully availing on site of aparticular forum Thus it would he observed that in Internet cases, the courtshave been holding that a passive website should not be the basis forjurisdiction.


- It may be pointed out that the modern technology behind the Internet has introduced anumber of complications and the issues, and to determine a jurisdiction of the Court isnot that simple. We see that an e-mail address does not always indicate or specify thegeographical address of the sender. These factors have led to the contradictions in thejudicial decisions with regard to the effect of e-mail. Except when sent to a knownrecipient it may be difficult to say that e-mail distribution is a method by which acompany purposefully avail itself of the privilege of conducting activities within therecipient’s forum state.

- it may be seen that on the question of jurisdiction by Courts to be exercised on thedefendant is not always uniform and consistent in the cases of Jurisdiction on theInternet.

- suggested that independent rule should govern the jurisdiction on the internet .- by uniform law governing cyberspace transaction would be easier.- Its possible for parties to prefer choice of preferred forium of law under contract- parties often choose forum between conflicting laws to apply its own law & its called

forum shopping


The Role of Electronic Signatures in E-commerce with Reference to Free Market Economy in India

- India is one of the very few countries, in the world besides Singapore, to havebrought about legislation in cyber laws in the year 2000. One of the mainobjective of information technology (IT) is to provide a legal recognition fortransactions carried out by means of electronic data interchange and othermeans of electronic communication, commonly referred to as e-commercewhich involves the use of alternatives to the paper-based methods ofcommunication and storage of information to facilitate electronic filing ofdocuments with the government agencies.

-


- Primarily, in contracts, the significance of signature is requirement of evidence inlaw, the law trusting the acknowledged written word in favour of oral agreement. Thereason for this is that signature on paper continued to exist as proof, while the spokenword cannot be reproduced as a proof Therefore the need for signature grew in view ofthe basic distrust of human motives so as to bind the parties to promises with writtensignatures ensuring non-repudiation.- Handwritten paper-based signatures identify a person— by signing the signer marks

the test in his own way, and make it attributable to him. Signature associates thecontent of a and shows int. Signature provides certainty and proof to the personalinvolvement of that person in the act of signing, signature associate the content ofthe document and shows intention of the party to be bound by the content of thecontract by signing.

- It also shows the intent of the persons to endorse the authorship of the text, andassociate himself of written documents by somebody else.

- Signature also shows the time and place of the document. It is a kind of a ceremonyto show the legal significance of his act. Moreover, signatures on a writtenmemorandum often impart a sense of clarity and finality to the transaction.

- Therefore, the present practice of signatures by the parties shows the validity andenforceability of a document. Signature usually intends documenting the transactionand signing or authenticating the documents.


- Electronic signatures is the need of the hour in order to profitably carry out e-commerce andbusiness in the globalized free market economy across the world. Basic Laws of Digital and Electronic Signature in India- Under the IT Act, 2000, Chapter-II, Section 3 provides the basic provisions of Authenticationof electronic records:(l) Subject to the provision of this section, any subscriber may authenticate an electronic recordby affixing his digital signature.(2) The authentication of the electronic record shall be effected by the use of asymmetric cryptosystem and hash function which envelop and transform the initial electronic record into anotherelectronic record,


Explanation:For the purposes of this sub-section, 'hash function' means an algorithm mapping ortranslation of one sequence of bitsinto another, generally smaller, set known as "hash result" such that an electronic record yieldsthe same hash resultevery time the algorithm is executed with the same electronic record as its input making itcomputationally infeasible(a) to derive or reconstruct the original electronic record from the hash result produced by thealgorithm, and(b) that two electronic records can produce the same hash result using the algorithm.

(3) Any person by the use of a public key of the subscriber can verify the electronic record.(4) The private key and the public key are unique to the subscriber and constitute afunctioning key pair.

By the IT (Amendment) Act, 2008, the law has been provided with anotherSection 3A which provides for as follows:


(1) Notwithstanding anything contained in Section 3, but subject to the provisions ofsub-section (2), a- subscriber may authenticate any electronic record by such electronic signature or

electronic authentication technique which(a) is considered reliable; and(b) may be specified in the Second Schedule.- For the purposes of this section, any electronic signature or electronic authentication

technique shall be- considered reliable if(a) the signature creation data or the authentication data are, within the context inwhich they are used, linked to the signatory or, as the case may be, the authenticatorand to no other person;(b) the signature creation data or the authentication data were, at the time of signing,under the control of the signatory or, as the case may be, the authenticator and of noother person;


(c) any alteration to the electronic signature made after affixing such signature isdetectable;(d) any alteration to the information made after its authentication by electronicsignature is detectable; and(e) it fulfils such other conditions which may be prescribed.(3) The Central Government may prescribe the procedure for the purpose ofascertaining whether electronic signature is that of the person by whom it is purportedto have been affixed or authenticated.(4) The Central Government may, by notification in the Official Gazette, add to oromit any electronic signature or electronic authentication technique and the procedurefor affixing such signature from the Second Schedule: Provided that no electronicsignature or authentication technique shall be specified in the Second Schedule unlesssuch signature or technique is reliable.(5) Every notification issued under sub-section (4) shall be laid before each House ofParliament.- It’s essential to keep the validity of digital signature under the law.


Authentication of Digital Signatures and Electronic Records- section 3 of the IT Act, 2000, provides the conditions subjects to which an electronic record may be

authenticated by means of affixing digital signature.- The digital signature is created in two different steps- First, the electronic record is converted into a message digest by using a mathematical function

known as hash function which digitally freezes the electronic record thus ensuring the integrity ofthe content of the intended communication contained in the electronic record.

- Any tampering with the contents of the electronic record will immediately invalidate the digitalsignature.’

- And secondly, the identity of the person affixing the digital signature is authenticated through theuse of a private key which attaches itself to the message digest and which can be verified by anyperson who has the public key corresponding to such private key. This process will enable any bodyto verify whether the electronic record is retained intact or has been tampered with since it was sofixed with the digital signature.

- Moreover, it will also enable a person who has a public key to identify the originator of the message.- The IT (Certifying Authorities) Rules, 2000, Rule 3 provides the manner in which the information

can be authenticated by means of digital signature’.- According to Rule 3 a digital signature—Shall be created and verified by cryptography that concern

itself with transforming electronic record into seemingly unintelligible forms and back again; usewhat is known as ‘public key cryptography, which employs an algorithm using two


- in order to create a digital signature one has to sign an electronic record for any other item of information.

- The signer shall first apply the hash function in the signer’s software; hashfunction shall compute a hash result of standard length which is unique (for allpractical purposes) to the electronic record; the signer’s software transforms thehash result into a digital signature using signer’s private key; the result digitalsignature shall be unique to both electronic record and a private key used tocreate.- The digital signature shall be attached to its electronic record and storedor transmitted with its electronic record.


Authentication of Electronic Signatures and Electronic Records- Section 3A of the IT Act, 2008, provides for the procedures for electronic signatures, electronic

records and the authentication of electronic signatures and electronic authentication technique.- For the validity of electronic signatures it is important to provide for such procedure which is

considered reliable under the law. And such authentication of electronic signatures .and electronicauthentication technique may be specified in the Second Schedule.

- Any electronic signature or electronic authentication technique shall be considered reliable if thesignature creation data or authentication data are within the context in which they are used andlinked to the signatory or the authenticator and to no other person. And the signature creation data orauthentication data were and at the time of signing, under the control of the signatory or theauthenticator and not under the control of any other person. Also, any alteration to the electronicsignature made after affixing such signature is detectable. Similarly, any alteration to the informationafter authentication by electronic signature shall be detectable.

- Moreover, electronic signature or authenticator may be required to fulfill other conditions whichmay be prescribed by the government. The Central Government may prescribe the procedure forascertaining Whether the electronic signature is of such person who had affixed or authenticated.

- Central Government has the power to add to or Omit any electronic signature or electronicauthentication and the procedure from the Second Schedule. But such signature or authenticationtechnique shall not be included in the Second Schedule if they are not reliable.


UNCITRAL: Model Law on Electronic Commerce, 1996-The United Nations Commission on International Trade Law (UNCITRAL) has suggested the ModelLaw on e-commerce to be followed by all the countries the world.-Article 7 of the UNCITRAL Model Law provides:Where the law requires a signature of a person, that requirement is met in relationto a data message if—(1) (a) A method is used to identify that and to indicate that person’s approval ofthe information contained in the data message;1) (b) That method is as reliable as Was appropriate for the purpose for which the data message wasgenerated or communicated, in the light of all the circumstances, including any relevant agreement.(2) Paragraph (1) applies whether the requirement there in is in the form of an obligation or whetherthe law simply provides consequences for the absence of a signature. :- The UNCITRAL model law on e-commerce focuses on two basic function of signature, namely, toidentify the author of document and to confirm that the author approved the content of that document.The reading of these two paragraphs establishes the principles that in an electronic environment, thebasic legal functions of a signature are performed by way of a method that identifies the originator of adata message and confirms that the originator approved the content of that data message.


UNCITRAL: Draft Rules of November, 1998- Make a clear distinction between electronic signatures, enhanced electronic signatures and digital

signature.- Article 1 of the UNCITRAL (Draft Rules of November, 1998) provides the following:(a) “Electronic Signature’ means data in electronic form in, affixed to, or logically associated with, a

data message, and [that may be] used to [identify the signer of the data message and indicate the Signer’sapproval of the information contained in the data message] satisfy the conditions set forth in Article 7(1) (a)of the UNCITRAL Model Law on Electronic Commerce.(b) ‘Enhanced electronic signature’ means an electronic signature which is created, and at the timeit was made can be verified through the application of a security procedure or combination ofsecurity procedures that ensures that such electronic signature—(i) is unique to the signer for the purpose for which and within the context;(ii) can be used to identify objectively the Signer of the data message;(iii) was created and affixed to the data message by the signer or using a means under the sole control of the

signer: and(iv) was created and is linked to the data message to which it relates in a manner such that any change in

the data message would be revealed.


- Variant A: ‘Digital signature means an electronic signature created by transforming a datamessage using a message digest function, and encrypting the resulting transformation with anasymmetric cryptosystem using the Signer’s private key .such that any person having theinitial untransformed data Message, the encrypted transformation and the encryptedtransformation, and the signers corresponding public key Can be accurately determine:(i) transformation was created using the private key that corresponds to thesigner’s public key; and(ii) whether the initial data message has been altered since the transformation was made.-Variant B: ‘Digital Signature’ is a cryptographic transformation using an asymmetriccryptographic technique of the numerical representation of a data message, such that anyperson having the data message and the relevant public key can determine, that-(i) the transformation was created using the private key corresponding to the relevant publickey; and(ii) that the data message has not been altered since the cryptographic transformation.


Securing Electronic transactions Cryptography and Securing Electronic Transactions

- An important condition for e-commerce’s survival is the ability to safeguard all electronictransactions. Unless an electronic transaction is secure it would be difficult to determine itsauthenticity. Moreover, the users will be hesitant to send confidential information over thenet. Existence of safeguards and assurance that such transmission are foolproof will go along way towards boosting e-commerce and the common way of protecting electronictransactions is through cryptography. Cryptography uses sophisticated mathematicalalgorithms, particularly a technology which is known as asymmetric cryptography.

- In this process, encryption and decryption techniques involve the use of two kinds of keys,public keys and private keys, both of which are mathematically linked. One key is used forencryption and the other corresponding key is used for decryption. Each user has a pair ofkeys of which the private key is kept secret and the public key is open to all.

- Therefore, if X wants to send a message to Y, X will encrypt the message with Y’s publickey and send it to Y. It is only Y who Would be able to access the message

- The nature of digital signature 1s the importance of digital signature which is also knownas advanced or secure electronic signature.By Prof. Pankaj R. Patil

The Concept of Hash Function- Apart from the generation of key pairs, another fundamental process known as the hash

function is used in both creating and verifying a digital signature.- A hash function is a mathematical process based on a algorithm which creates a digital

representation or compressed form of the message, often referred to as a ‘message digest’ or‘fingerprint’ of the message in the form of a ‘hash value’ or ‘hash result’ of a standard lengthwhich is usually much smaller than the message, but nevertheless substantially unique to it.

- It is seen that encrypting a document with a public key system requires a lot of time. Tospeed up the procedure, it is possible to apply the private key, not to the whole message butonly on its message digest (or hash code). The message digest is a sort of an excerpt of theoriginal text, known as ‘digital fingerprint’.

- As hash function is public and therefore no private key is required security of the hashfunction is very significant to the integrity of the digital signature. To use the hash functionsfor digital authentication they must have certain properties to make them secure enoughcryptographic usage.


Utility of Digital Signature’s Verification- Thus the verification of digital signature indicates that the digital signature was created using

the signer’s private key, because only the signer’s public key will verify a digital signature created with the signer’s private key, and that the message was not altered since it was signed. - This is because, the hash result computed in verification matches the hash result form the digital signature, which was computed when the message was digitally signed. Certification, Certifying Authorities and the Status of Electronic Signature under the

Indian Law- Any person may make an application to the Certifying Authority for issue of a Electronic

Signature Certificate. He has to apply in the prescribed form of the Central Government. The application shall accompany by such fee not exceeding twenty five thousands rupees as may be prescribed by the Central Government to be paid to the Certifying Authority.

- On receipt of the application the Certifying Authority may after consideration of the certification practice statement or the other statement under Sub-section (3) and after making such enquires as it may deem fit, grant the Electronic Signature Certificate or for reasons to be recorded in writing, rejects the application:


(a) The applicant holds the private key corresponding to the public key to Be listed in theelectronic Signature Certificate.(b) The applicant holds a private key, which 1s capable of creating a electronic signature.(c) The public key to be listed in the certificate can be used to verify a electronic signatureaffixed by the private key held by the applicant.- Provided that no application shall be rejected unless the applicant has been given areasonable opportunity of showing cause against the proposed rejection


The Appointment of Controller and Other Officers and Their Functions- Under Chapter VI of the IT Act, 2000 as amended by the IT (Amendment) Act, 2008, the Central Government may

by notification in the Official Gazette appoint a Controller of CAs and may also by the same or subsequentnotification, appoint such number of Deputy Controllers and Assistant Controllers, others officers and employees as

it deems fit.-The Controller of Certifying Authorities may perform all or any of thefunctions namely—(a) Exercising supervision over the activities of the Certifying Authorities(b) Certifying public keys of the Certifying Authorities;(c) Laying down the standards to be maintained by the Certifying Authorities;(d) Specifying the qualifications and experience which employees of the certifying Authority should process;(e) Specifying the conditions subject to which the Certifying Authorities shall conduct their business;(f) Specifying the contents of written, printed or visual materials and advertisements that may be distributed or

used in respect of a Electronic Signature Certificate and the Public key(g) Specifying the form and content of electronic signature and the key(h) Specifying the form and the manner in which accounts shall be maintained by certifying authority(i) Specifying the term and condition subject to which auditors may be appointed and remuneration to be paid to them


(j) Facilitating the establishment of any electronic system by a Certifying Authority eithersolely or jointly with other Certifying Authorities and regulation of such systems;(k) Specifying the manner in which the Certifying Authorities shall conduct their dealingswith the subscriber’s(l) Resolving any conflict of interests between the Certifying Authoritiesand the subscriber’s(m) Laying down the duties of the Certifying Authorities(n) Maintaining a database containing the disclosure record of every Certifying Authoritycontaining such particulars as may be specified by regulations, which shall be accessible topublic.


Authentication and Verification of Electronic/Digital Signatures- To give authenticity to a electronic/digital signature the verifier must have access to the

signer’s public key and also should provide the assurance that it corresponds to signer’sprivate key.

- The public and private key has no intrinsic association with any person. It is simply a pairof numbers which is quite distinct from paper base signature in the signer’s handwriting.

- Public key encryption is supposed to serve its usage in an open environment so that thekeys are sent to a wide variety of persons where there may not be any relationship or trustdevelopment between the parties.

- In this process, the parties involved should have a high degree of confidence in the publicand the private keys. In this connection, it is found that Trusted Third Parties (TTP’s) or theCAs have a very significant role to play. The CAs are generally organized in a number ofcountries hierarchically into what is often referred to as a Public Key Infrastructure (PKI).

- PKI is a way to provide confidence that a user’s public key has not been tampered with andin fact corresponds to that of the user’s private key.

- And that the encryption techniques being used are sound; and the entities that issue thecryptographic keys can be trusted to retain or recreate the public and private keys that maybe used for confidentiality encryption where the use of such a technique is authorized.


- It may be seen that National Legal System are dependent on the power of governmentcoercion backed by the courts and the rule of A law. The effectiveness of a legal system islimited by its political and geographical boundaries.

- creating & verifying e-signature for many legal purposes1. Signer authentication2. Message authentication3. Affirmative act4. Efficiency


The Cost and Benefits of Implementing Electronic/Digital Signatures in E-commerce in India

- First, there is the cost of institutional overheads of establishing and utilizing CAs,repositories, and other important services, as well as assuring quality in the performance oftheir functions. Secondly, a subscriber or an electronic/ digital signer will require software,and will also probably have to pay the CA the fee for the issue of a Certificate.

- Finally, it works as an open system by retaining a high degree of information security, evenfor information sent over open, insecure but inexpensive and widely used channels.


Security Privacy of Electronic/ Digital Signatures- It is essential that key generation is undertaken under the control of the individual

concerned and that the private keys never leaves the possession of that person withouttaking strong security precautions. In case any other approach is taken, such as generationby a Services organization or by a government authority, serious security and privacy issuesarise because there is scope for the individual to be convincingly impersonated.

- Another important concern relates to the manner in which private keys are stored and arebacked-up and in which back-up copies are stored.

- It is also common to have reforms as a privacy policy. Some of the most privacy-intrusiverisk arise from the existence and misuse of ‘public registers’ of various types for exampletelephone books, motor vehicle register, electoral roll and registers of building approvals.


Private Key Escrow and Key Recovery Systems- An Escrow is an arrangement under which something is placed on deposit with a trusted

party, but may be accessed by third parties under certain conditions. Originally this systemwas used for title deeds for real property, and as a source-code for software packages.

- The Keys Escrow System allows authorized Institutions under certain conditions to decryptdata using information supplied by one or more CAs/TTPs (Trusted Third Parties).

- Nowadays, cryptographers are using the so-called Key Recovery approaches as analternative to key escrow systems. No key is ever transferred to another party and this systemcan be understood by imagining the lock of the front of a house.


- In this case, there are a series of digits, for instance, a six-digit combination (instead of actualnumber) that the house owner may give to his trusted party.

- Here again, it is not necessary that the house owner must provide all six digits to the trustedparty. He may apply splitting of the key approach and split the number and provide the spiltparts to more than one trusted party.

- It is seen that the cryptography key recovery system is much more complex. There are largenumbers of digits that go into the construction of a key.

-What we need is some type of framework for licensing and information transaction, whethermodelled on United Nations Commission on International Trade Law (UNCITRAL) or not,would be useful to facilitate information economy transactions.


Obligation of a Certifying Authority and Certificate Management- The CA is expected to disclose adequate information to its subscribers and also the relying

parties on the assurance levels in the Certificates that it issues and the limitations of itsliabilities. This enables the users of the Certificates to make well informed choices on thetypes of Certificates that will meet their usage requirements.

- To ensure the integrity of Electronic/Digital Certificates, the CA must implementappropriate security controls in the certificate management process like certificateregistration, generation issuance of certificate ,publication renewal,suspension ofcertificate, their revocation and archival security controls.


Security Threats to Cyberspace and E-commerce- These days, most of the people depend on computers to perform work, including homework

and create or store useful information about the transaction or necessary data.- And therefore it is imperative for the information stored on the computer to be kept properly

with necessary security. It is also necessary that people protect there computers from theloss of data misuse and the abuse. it is important and crucial for business people to keepinformation in computer, effectively secured so that hackers cannot access the information.computer security risk is by any action that could cause loss of information, software data,computes processing incompatibilities.

- Under Section 70A the Central Government by notification published in the OfficialGazette may designate any organization of the Government as the national nodal agency inrespect of Critical Information Infrastructure protection which shall be responsible for allmeasures including Research and Development relating to protection of CriticalInformation Infrastructure.


-The Indian Computer Emergency Response Team shall serve as the national agency forperforming the following functions in the area of cyber security:(a) Collection, analysis and dissemination of information on cyber incidents.(b) Forecast and alerts of cyber security incidents.(c) Emergency measures for handling cyber security incidents.(d) Coordination of cyber incidents response activities.(e) Issue guidelines, advisories, vulnerability notes and whitepapers relating to informationsecurity practices, procedures, preventation, response and reporting of cyber incidents.(f) Such other functions relating to cyber security as may be prescribed.


(5) The manner of performing functions and duties of the agency referred to in sub-section (1)shall be such as may be prescribed.(6) For carrying out the provision of sub-section (4), the agency referred to in sub-section (1)may call for information and give direction to the service providers, intermediaries, datacentres, body corporate and any other person.(7) Any service provider, intermediaries, data centers, body corporate or person who fails toprovide the information called for or comply with the direction under sub-section (6), shall bepunishable for a term which may extend to one year or with fine which may extend to one lakhrupees or with both.(8) No court shall take cognizance of any offence under the section, except on a complaintmade by an officer authorized in this behalf by the agency referred to in sub-section (1)


- The biggest threats on the Internet are as follows:• Internet Explorer tops the list of Internet security attack targets in the most recent joint

report of the FBI and security organization SANS Institute.• Phishing and identity theft—In this case, the message may ask the user to click a link that

leads to a bogus Web page complete with realistic user-name and password log-in fields, orit might ask for credit card numbers.

• Malware, which is a software designed to infiltrate or damage a computer system withoutthe owner’s informed concerned. Malware doesn’t need description as most of the usercertainly on one occasion or other encountered some problem related to Malwares.


International Efforts to Enact Laws Relating to Electronic/ Digital Signatures-The OECD which consist of primarily industrialized countries including Australia, Canada, WesternEuropean Nations, Japan and the US have adopted a set of guidelines for cryptography policy. Theseguidelines are summarized as follows:• Cryptography method should be trustworthy in order to generate confidence in the use of information

and communication system.• The users of cryptography should have a right to choose any Cryptography method subject to the

applicable law.• Cryptographic methods should develop in response to the needs, demands and responsibilities of

individuals, and businesses and of government.• The technical standards criteria and protocols form cryptographic methods should be developed and

promulgated at the national and international level. The fundamental rights of individuals to privacyincluding secrecy of communication and protection of personal data should be respected in nationalcryptography policies and in the implementation and use of cryptographic methods.

• National cryptographic policies may allow lawful access to the plaintext of cryptography keys, ofencrypted data. These policies must also respect the other principles contained in the guidelines to thegreatest extent possible.

• Whether established by contract or legislations, the liability of individuals and entities that offercryptographic services or hold or access cryptographic keys should be clearly stated.

• The government should cooperate to coordinate cryptographic policies, and as a part of this effort,government should remove or avoid creating in the name. of cryptographic policy unjustifiedobstacles to trade.


Efforts in the US• The US have enacted or drafted digital signature legislation. The Utah Digital

Signature Act of 1995 provides a legal framework for the use of cryptographyfor authentication and integrity purposes Guidelines under the Singapore Electronic Transaction Act, 1998 - The guidelines in the Singapore Electronic Transaction Act of 1998 provide for the

security guidelines to establish the security criteria for the management systems andoperations of the CAs.

- The guidelines are aimed at protecting the integrity, confidentiality and availability ofcertification services, data and systems.

- The CAs are to be licensed by the Controller of CAs which are required to comply with themandatory criteria stated in the security guidelines.

- These guidelines supplement the provisions in the Electronic Transaction Act and itsRegulations.


The above guidelines address the security criteria for the following certificate manual function performed by the CA: • Identification and authentication of registration, suspension and revocation requests • Generation, issuance, suspension and revocation of certificates • Publication and archival of certificates and their suspension or revocation information • Overall management and obligation of a CA • Certification management • Key management • System and operations • Application integration.


-Accordingly, the IT Act, 2000 has been enacted in India to meet the challenges of e-commerce, cyberspace, digital technology and communication system.- Keeping in view the United Nations Commission on International Trade Law (UNCI

TRAL) which adopted a model law on electronic commerce, the Indian law has tried tofollow the model law recommended by UNCI TRAL in the year 1997, as in the case ofmodel law which provides for equal legal treatment of users of electronic communicationand paper-based communication. India has followed the model recommendation whileenacting the IT Act, 2000.


Different Approaches of Digital Signatures • Prescriptive approaches of Digital Signature: This comprehensive effort that seeks to

enable and facilitate e-commerce with the recognition of digital signatures through aspecific regulatory and statutory framework. This approach establishes a detailed PublicKey Infrastructure (PKI) licensing scheme, allocates duties between contracting parties,prescribes liability standards and creates evidentiary presumptions and standards forsignature or document authentication.

• Criteria Based Approach: The predominant model for criteria-based laws is the CaliforniaAuthentication Standard. The California criteria-based approach has proved to be quiteflexible for various State Legislatures in the US. In this approach, a broad criteria may beapply both to electronic and digital signature, since it is designed to lay the requirementsfor trustworthiness and security. the In this approach,

• Signature-enabling Category Approach: general laws permit any electronic mark that isintended to authenticate writing to satisfy a signature requirement. It is found thatMassachusetts has put 'forward the most modest position regarding electronicauthentication due to similar concerns as voiced in California regarding the potential formarket distortions and the need for technological neutrality


Cyber Laws�(BTCOE504)�Understanding Computers, Internet and Cyber Laws�Slide Number 3Slide Number 4Slide Number 5Slide Number 6Slide Number 7 Slide Number 9Slide Number 10Slide Number 11Slide Number 12Slide Number 13Conceptual Framework of E-commerce:�E-governanceSlide Number 15Slide Number 16Slide Number 17Slide Number 18Slide Number 19Slide Number 20Slide Number 21Slide Number 22Slide Number 23Slide Number 24Slide Number 25Slide Number 26Slide Number 27Slide Number 28Slide Number 29Slide Number 30Slide Number 31�The Role of Electronic Signatures in E-commerce with Reference to Free Market Economy in India �Slide Number 33Slide Number 34Slide Number 35Slide Number 36Slide Number 37Slide Number 38Slide Number 39Slide Number 40Slide Number 41Slide Number 42Slide Number 43Slide Number 44Slide Number 45Slide Number 46Slide Number 47Slide Number 48Slide Number 49Slide Number 50Slide Number 51Slide Number 52Slide Number 53Slide Number 54Slide Number 55Slide Number 56Slide Number 57Slide Number 58Slide Number 59Slide Number 60Slide Number 61Slide Number 62Slide Number 63Slide Number 64Slide Number 65

Cyber Laws - PANKAJ PATILHarish Chander, Cyber Laws and It Protection, PHI Publication. By Prof....

Documents

Transcript of Cyber Laws - PANKAJ PATILHarish Chander, Cyber Laws and It Protection, PHI Publication. By Prof....