7/29/2019 Global Cn
1/64
1
Introduction
We begin our discussion with the key words underlying the concept of information technology
(IT), namely, information and technology, before tracing the growth of law related thereto.
What is Information Technology?
Information technology, literally speaking, is technology designed to be applied to
information. Equipping the legal system with mechanisms to protect the content of
information was a great legal feat. However, it soon appeared that the
technology which could make information travel in a faster and confidential manner was no
less important. Telecommunication technologies performed this miracle and
were protected in turn by the governments concerned. But the best (or the worst, depending on
the way we use it) was yet to happen.
The technology that enabled the world to make information travel both safely and fast (rather, the
fastest and the safest so far) through electronic machines brought with it a revolution
(called the information revolution) not seen before. The technology which thus revolutionised
the world was termed information technology (IT).
Information technology (IT) is, therefore, the technology that ensures that information travels
fast while keeping its privacy intact. Thus information technology is a tool to ensure the safety of
information while it travels through, is stored in, or is retrieved from an electronic source or
device. The international networking which has connected the people and nations of the world is
termed the internet or, sometimes, simply the net. This has brought into reference a virtual world,
that is, the world run and regulated by electronic machines: the cyber world or the cyber space.
Global Consciousness to Cyber World
International law is a primary concern of the United Nations. The mandate for the activities in
this field emanates from the Charter of the United Nations which, in its Preamble, sets the goal
'to establish conditions under which justice and respect for the obligations arising from treaties
and other sources of international law can be maintained'. The International Court of Justice,
located in The Hague (Netherlands), is one of the six major organs of the United Nations. The
Court, in existence since 1946, serves as the successor to the Permanent Court of International
Justice established by the League of Nations; and derives its authority from a statute which forms
an integral part of the Charter of the United Nations. The Court has two functions: to render
judgements on disputes submitted to it by states, and to furnish advisory opinions on questions
referred to it by authorized bodies. The International Law Commission was established by the
United Nations General Assembly resolution1 of November 21, 1947. Its primary objective is the
'promotion of progressive development of international law and its codification'.2 The statute has
been amended by the General Assembly a number of times; the updated text is available
online. The Commission meets in one annual session in Geneva and reports to the General
Assembly.
The United Nations Commission on International Trade Law (UNCITRAL) was established by
the General Assembly resolution3 of December 17, 1966. Sections I and II of the resolution
define the powers and functions of the Commission. Its primary objective is the 'promotion of
the progressive harmonization and unification of the law of the international trade'. 4 The
Commission meets in one annual session, convened alternately in New York (even years) and
Vienna (odd years), and reports to the General Assembly.
Amidst growing concern for regulation of electronic commerce and to evolve standards which
could be adopted as guidelines by the states concerned in framing domestic laws on the
subject, the UNCITRAL adopted a resolution on 'Legal Value of Computer Records', which was
approved through a resolution on December 11, 1985 by the United Nations General Assembly.
This was followed by the 'Model Law on Electronic Commerce' which was accepted by the
United Nations General Assembly through a resolution on January 30, 1997. The resolution
obliges the member nations to give proper consideration to the provisions of the model law while
framing or revising (as the case may be) their law with a view to achieving uniformity of law on
this point. Moving further in this direction, the UNCITRAL adopted a 'Model Law on Electronic
Signatures' which was adopted through a resolution by the United Nations General Assembly on
December 12, 2001. A brief outline of these developments is presented below.
1 Resolution 174 (II) of November 21, 1947.
2 Article 1 of the Statute.
3 Resolution 2205 (XXI) of December 17, 1966.
4 See, Section I of the resolution.
UNCITRAL on 'Legal Value of Computer Records' (1985)
The UNCITRAL, at its eighteenth session in 1985, considered a report prepared by the
Secretariat entitled 'Legal Value of Computer Records' which noted that while on the global
scale there were fewer problems in the use of data stored in computers, a major obstacle to use of
computers and computer-to-computer telecommunication in international trade arose out of the
requirement that documents had to be signed or be in paper form.
Having considered the report, the Commission noted, inter alia, that automatic data
processing was about to become firmly established throughout the world, that legal rules based
upon pre-ADP5 paper-based means of documenting international trade might create obstacles to
such use of ADP by reason of being regarded insecure, and that the developments in the use of
ADP were creating the need for adaptation of existing legal rules. It, therefore, recommended to
the governments, among other things, to review the legal rules affecting the use of computer
records as evidence in litigation; legal requirements that certain trade transactions be in writing;
and legal requirements of hand-written signature or other paper-based method of authentication
on trade related documents with a view to permitting, where appropriate, the use of electronic
means of authentication.
It also recommended to international organisations elaborating legal texts related to trade to take
note of the aforementioned observations. The UN General Assembly adopted the said
recommendation by resolution on December 11, 1985; and called upon the governments and
international organizations to 'take action, where appropriate, in conformity with the
Commission's recommendation so as to ensure legal security in the widest possible use of
automated data processing in international trade'.
Considering the possible risk of divergent legislative approaches being adopted by various
nations, the Commission felt the need for uniform legislative provisions with a view to achieving
legal harmony as well as technical inter-operability.
UNCITRAL Model Law on Electronic Commerce (1996)
5 Automated Data Processing.
While electronic commerce does not render the conventional law obsolete, it does create a
few problems such as the classification of what are termed 'virtual goods', and new types of
contract like web hosting and web serving. It also requires an adaptation of conventional
concepts to suit the new situations, because they were either based on the existence of some tangible
medium of transaction, e.g. instrument, document, original, signature etc., or based on
geographical locations, e.g. delivery, receipt, dispatch, surrender etc. This, however, is not to
deny the fact that the essence of business transactions is always the same, irrespective of the
medium of transaction. For example, there is no essential difference between, say, an online
contract and an offline contract except the medium through which they have come into
existence, namely, the electronic and the physical (or paper-based).
The model law aims to facilitate rather than regulate electronic commerce, to adapt existing
legal requirements, and to provide legal validity and certainty to business transactions carried out
through the electronic medium in the same way as given to those carried out through the conventional
medium.
The basic principles underlying the model law are functional equivalence, media or technology
neutrality, and party autonomy. Functional equivalence is brought about by analysing the
principles and functions of paper-based requirements like instruments, record, signature, original
etc; and considering the criteria necessary to replicate these functions and giving electronic data
the same level of recognition as information on paper. Similarly, the media-neutrality and
technology-neutrality are ensured by equal treatment of paper based and electronic transactions,
and of different technologies like Electronic Data Interchange (EDI), e-mail, internet, telegram,
telex, fax etc. Party autonomy is ensured by giving primacy to party agreement on
whether and how to choose electronic commerce techniques, and freedom to parties to choose
the security level appropriate for their transaction.
The model law is in two parts, the first dealing with electronic commerce in general and the
second with electronic commerce in specific areas. This is supplemented with a Guide on the
Model Law on Electronic Commerce, which explains the object, underlying principles and
articles of the Model Law. Part One has 15 articles (1-15) distributed over four chapters, while
Part Two has two articles (16-17) contained in one chapter. Depending on emerging needs in
other specific areas related to business through electronic means, Part Two may have more
provisions in future as it is an open-ended instrument. Part One also includes article 5 bis as
adopted in 1998.
The core provisions of the model law are contained in article 5 (legal recognition),6 article 5 bis
(incorporation by reference),7 article 6 (writing),8 article 7 (signature),9 article 8 (original),10
6 Article 5. Legal recognition of data messages: Information shall not be denied legal
effect, validity or enforceability solely on the grounds that it is in the form of a data
message.
7 Article 5 bis. Incorporation by reference : (as adopted by the Commission at its thirty-first
session, in June 1998) Information shall not be denied legal effect, validity or
enforceability solely on the grounds that it is not contained in the data message
purporting to give rise to such legal effect, but is merely referred to in that data message.
8 Article 6. Writing : (1) Where the law requires information to be in writing, that
requirement is met by a data message if the information contained therein is accessible so
as to be usable for a subsequent reference. (2) Paragraph (1) applies whether the
requirement therein is in the form of an obligation or whether the law simply provides
consequences for information not being in writing. (3) The provisions of this article do
not apply to the following : [...].
9 Article 7. Signature : (1) Where the law requires a signature of a person, that
requirement is met in relation to a data message if : (a) a method is used to identify that
person and to indicate that person's approval of the information contained in the data
message; and (b) that method is as reliable as was appropriate for the purpose for which
the data message was generated or communicated, in the light of all the circumstances,
including any relevant agreement. (2) Paragraph (1) applies whether the requirement
therein is in the form of an obligation or whether the law simply provides consequences
for the absence of a signature. (3) The provisions of this article do not apply to the
following : [...].
10 Article 8. Original : (1) Where the law requires information to be presented or retained in
its original form, that requirement is met by a data message if : (a) there exists a reliable
assurance as to the integrity of the information from the time when it was first generated
in its final form, as a data message or otherwise; and (b) where it is required that
article 9 (evidence),11 article 11 (use of data message in contract formation),12 article 12
(non-repudiation),13 article 13 (attribution of data message),14 article 14 (acknowledgement of
information be presented, that information is capable of being displayed to the person to
whom it is to be presented. (2) Paragraph (1) applies whether the requirement therein is in
the form of an obligation or whether the law simply provides consequences for the
information not being presented or retained in its original form. (3) For the purposes of
subparagraph (a) of paragraph (1) : (a) the criteria for assessing integrity shall be whether
the information has remained complete and unaltered, apart from the addition of any
endorsement and any change which arises in the normal course of communication,
storage and display; and (b) the standard of reliability required shall be assessed in the
light of the purpose for which the information was generated and in the light of all the
relevant circumstances. (4) The provisions of this article do not apply to the following :
[...].
11 Article 9. Admissibility and evidential weight of data messages : (1) In any legal
proceedings, nothing in the application of the rules of evidence shall apply so as to deny
the admissibility of a data message in evidence : (a) on the sole ground that it is a data
message; or, (b) if it is the best evidence that the person adducing it could reasonably be
expected to obtain, on the grounds that it is not in its original form. (2) Information in the
form of a data message shall be given due evidential weight. In assessing the evidential
weight of a data message, regard shall be had to the reliability of the manner in which the
data message was generated, stored or communicated, to the reliability of the manner in
which the integrity of the information was maintained, to the manner in which its
originator was identified, and to any other relevant factor.
12 Article 11. Formation and validity of contracts : (1) In the context of contract
formation, unless otherwise agreed by the parties, an offer and the acceptance of an offer
may be expressed by means of data messages. Where a data message is used in the
formation of a contract, that contract shall not be denied validity or enforceability on the
sole ground that a data message was used for that purpose. (2) The provisions of this
article do not apply to the following : [...].
13 Article 12. Recognition by parties of data messages : (1) As between the originator and
the addressee of a data message, a declaration of will or other statement shall not be
denied legal effect, validity or enforceability solely on the grounds that it is in the form of
a data message. (2) The provisions of this article do not apply to the following :
14 Article 13. Attribution of data messages : (1) A data message is that of the originator if
it was sent by the originator itself. (2) As between the originator and the addressee, a data
message is deemed to be that of the originator if it was sent : (a) by a person who had the
authority to act on behalf of the originator in respect of that data message; or (b) by an
information system programmed by, or on behalf of, the originator to operate
automatically. (3) As between the originator and the addressee, an addressee is entitled to
regard a data message as being that of the originator, and to act on that assumption, if: (a)
in order to ascertain whether the data message was that of the originator, the addressee
properly applied a procedure previously agreed to by the originator for that purpose; or
(b) the data message as received by the addressee resulted from the actions of a person
whose relationship with the originator or with any agent of the originator enabled that
person to gain access to a method used by the originator to identify data messages as its
own. (4) Paragraph (3) does not apply : (a) as of the time when the addressee has both
received notice from the originator that the data message is not that of the originator, and
had reasonable time to act accordingly; or (b) in a case within paragraph (3)(b), at any
time when the addressee knew or should have known, had it exercised reasonable care or
used any agreed procedure, that the data message was not that of the originator. (5)
Where a data message is that of the originator or is deemed to be that of the originator, or
the addressee is entitled to act on that assumption, then, as between the originator and the
addressee, the addressee is entitled to regard the data message as received as being what
the originator intended to send, and to act on that assumption. The addressee is not so
entitled when it knew or should have known, had it exercised reasonable care or used any
agreed procedure, that the transmission resulted in any error in the data message as
received. (6) The addressee is entitled to regard each data message received as a separate
data message and to act on that assumption, except to the extent that it duplicates another
receipt),15 article 15 (time and place of dispatch and receipt),16 article 16 (actions related to
contracts of carriage of goods),17 and article 17 (transport documents).18
data message and the addressee knew or should have known, had it exercised reasonable
care or used any agreed procedure, that the data message was a duplicate.
15 Article 14. Acknowledgement of receipt : (1) Paragraphs (2) to (4) of this article apply
where, on or before sending a data message, or by means of that data message, the
originator has requested or has agreed with the addressee that receipt of the data message
be acknowledged. (2) Where the originator has not agreed with the addressee that the
acknowledgement be given in a particular form or by a particular method, an
acknowledgement may be given by (a) any communication by the addressee, automated
or otherwise, or (b) any conduct of the addressee, sufficient to indicate to the originator
that the data message has been received. (3) Where the originator has stated that the data
message is conditional on receipt of the acknowledgement, the data message is treated as
though it has never been sent, until the acknowledgement is received. (4) Where the
originator has not stated that the data message is conditional on receipt of the
acknowledgement, and the acknowledgement has not been received by the originator
within the time specified or agreed or, if no time has been specified or agreed, within a
reasonable time, the originator : (a) may give notice to the addressee stating that no
acknowledgement has been received and specifying a reasonable time by which the
acknowledgement must be received; and (b) if the acknowledgement is not received
within the time specified in subparagraph (a), may, upon notice to the addressee, treat the
data message as though it had never been sent, or exercise any other rights it may have.
(5) Where the originator receives the addressee's acknowledgement of receipt, it is
presumed that the related data message was received by the addressee. That presumption
does not imply that the data message corresponds to the message received. (6) Where the
received acknowledgement states that the related data message met technical
requirements, either agreed upon or set forth in applicable standards, it is presumed that
those requirements have been met. (7) Except in so far as it relates to the sending or
receipt of the data message, this article is not intended to deal with the legal
consequences that may flow either from that data message or from the acknowledgement
of its receipt.
16 Article 15. Time and place of dispatch and receipt of data messages : (1) Unless
otherwise agreed between the originator and the addressee, the dispatch of a data message
occurs when it enters an information system outside the control of the originator or of the
person who sent the data message on behalf of the originator. (2) Unless otherwise agreed
between the originator and the addressee, the time of receipt of a data message is
determined as follows : (a) if the addressee has designated an information system for the
purpose of receiving data messages, receipt occurs : (i) at the time when the data message
enters the designated information system; or (ii) if the data message is sent to an
information system of the addressee that is not the designated information system, at the
time when the data message is retrieved by the addressee; (b) if the addressee has not
designated an information system, receipt occurs when the data message enters an
information system of the addressee. (3) Paragraph (2) applies notwithstanding that the
place where the information system is located may be different from the place where the
data message is deemed to be received under paragraph (4). (4) Unless otherwise agreed
between the originator and the addressee, a data message is deemed to be dispatched at
the place where the originator has its place of business, and is deemed to be received at
the place where the addressee has its place of business. For the purposes of this paragraph
: (a) if the originator or the addressee has more than one place of business, the place of
business is that which has the closest relationship to the underlying transaction or, where
there is no underlying transaction, the principal place of business; (b) if the originator or
the addressee does not have a place of business, reference is to be made to its habitual
residence. (5) The provisions of this article do not apply to the following : [...].
17 Article 16. Actions related to contracts of carriage of goods : Without derogating from
the provisions of part one of this Law, this chapter applies to any action in connection
with, or in pursuance of, a contract of carriage of goods, including but not limited to : (a)
(i) furnishing the marks, number, quantity or weight of goods; (ii) stating or declaring the
nature or value of goods; (iii) issuing a receipt for goods; (iv) confirming that goods have
been loaded; (b) (i) notifying a person of terms and conditions of the contract; (ii) giving
instructions to a carrier; (c) (i) claiming delivery of goods; (ii) authorizing release of
goods; (iii) giving notice of loss of, or damage to, goods; (d) giving any other notice or
statement in connection with the performance of the contract; (e) undertaking to deliver
goods to a named person or a person authorized to claim delivery; (f) granting, acquiring,
renouncing, surrendering, transferring or negotiating rights in goods; (g) acquiring or
transferring rights and obligations under the contract.
18 Article 17. Transport documents : (1) Subject to paragraph (3), where the law requires
that any action referred to in article 16 be carried out in writing or by using a paper
document, that requirement is met if the action is carried out by using one or more data
messages. (2) Paragraph (1) applies whether the requirement therein is in the form of an
obligation or whether the law simply provides consequences for failing either to carry out
the action in writing or to use a paper document. (3) If a right is to be granted to, or an
obligation is to be acquired by, one person and no other person, and if the law requires
that, in order to effect this, the right or obligation must be conveyed to that person by the
transfer, or use of, a paper document, that requirement is met if the right or obligation is
conveyed by using one or more data messages, provided that a reliable method is used to
render such data message or messages unique. (4) For the purposes of paragraph (3), the
standard of reliability required shall be assessed in the light of the purpose for which the
right or obligation was conveyed and in the light of all the circumstances, including any
relevant agreement. (5) Where one or more data messages are used to effect any action in
subparagraphs (f) and (g) of article 16, no paper document used to effect any such action
is valid unless the use of data messages has been terminated and replaced by the use of
paper documents. A paper document issued in these circumstances shall contain a
statement of such termination. The replacement of data messages by paper documents
shall not affect the rights or obligations of the parties involved. (6) If a rule of law is
compulsorily applicable to a contract of carriage of goods which is in, or is evidenced by,
a paper document, that rule shall not be inapplicable to such a contract of carriage of
goods which is evidenced by one or more data messages by reason of the fact that the
contract is evidenced by such data message or messages instead of by a paper document.
UNCITRAL Model Law on Electronic Signatures (2001)
As paper-based documents are being replaced by electronic documents, the handwritten
signature is being substituted by electronic authentication techniques for the purpose of business
transactions through electronic media. There is a possibility that, in the absence of some guiding
principles and provisions, there shall emerge a variety of such authentication techniques,
otherwise known as electronic signatures. This, if anything, can only make matters worse,
because, shorn of uniformity, the various electronic authentication techniques could play havoc
with the business prospects through electronic media.
Having adopted the model law on electronic commerce in 1996, the Commission decided to place
the issues of digital signatures and certification authorities on its agenda. The Working Group
formed for the purpose presented its report on uniform rules, which was placed before
the Commission every following year only to be further modified. This was principally so
because the increased use of electronic media in business kept presenting newer
problems, making the job of the Working Group even more difficult.
The model law on electronic signatures prepared by the Working Group was further modified in
view of the comments received from the governments and organizations, and, along with a guide
prepared by the Secretariat, was adopted by the Commission on July 5, 2001. The Commission
noted the great utility of new technologies used for personal identification in electronic
commerce and commonly referred to as electronic signatures, expressed its conviction that legal
certainty in electronic commerce will be enhanced by the harmonization of certain rules on the
legal recognition of electronic signatures on a technology-neutral basis, and recommended that
all states give favourable consideration to the model law on electronic signatures together with
the model law on electronic commerce. Adopting it through a resolution on December 12, 2001, the
UN General Assembly also made a similar recommendation to all the states, stressing the need for
'uniformity of the law applicable to alternatives to paper-based forms of communication, storage
and authentication of information'.
The model law on electronic signatures is divided into twelve articles. Principal provisions are
contained in article 2 (definitions),19 article 3 (equal treatment of signature technologies),20
19 Article 2. Definitions : For the purposes of this Law : (a) "Electronic signature" means
data in electronic form in, affixed to or logically associated with, a data message, which
article 5 (variation by agreement),21 article 6 (compliance with a requirement of a signature),22
article 8 (conduct of the signatory),23 article 9 (conduct of the certification service provider),24
may be used to identify the signatory in relation to the data message and to indicate the
signatory's approval of the information contained in the data message; (b) "Certificate"
means a data message or other record confirming the link between a signatory and
signature creation data; (c) "Data message" means information generated, sent, received
or stored by electronic, optical or similar means including, but not limited to, electronic
data interchange (EDI), electronic mail, telegram, telex or telecopy; (d) "Signatory" means a person that
holds signature creation data and acts either on its own behalf or on behalf of the person
it represents; (e) "Certification service provider" means a person that issues certificates
and may provide other services related to electronic signatures; (f) "Relying party" means
a person that may act on the basis of a certificate or an electronic signature.
20 Article 3. Equal treatment of signature technologies : Nothing in this Law, except
article 5, shall be applied so as to exclude, restrict or deprive of legal effect any method
of creating an electronic signature that satisfies the requirements referred to in article 6,
paragraph 1, or otherwise meets the requirements of applicable law.
21 Article 5. Variation by agreement : The provisions of this Law may be derogated from
or their effect may be varied by agreement, unless that agreement would not be valid or
effective under applicable law.
22 Article 6. Compliance with a requirement for a signature: 1. Where the law requires a
signature of a person, that requirement is met in relation to a data message if an electronic
signature is used that is as reliable as was appropriate for the purpose for which the data
message was generated or communicated, in the light of all the circumstances, including
any relevant agreement. 2. Paragraph 1 applies whether the requirement referred to
therein is in the form of an obligation or whether the law simply provides consequences
for the absence of a signature. 3. An electronic signature is considered to be reliable for
the purpose of satisfying the requirement referred to in paragraph 1 if : (a) The signature
creation data are, within the context in which they are used, linked to the signatory and to
no other person; (b) The signature creation data were, at the time of signing, under the
control of the signatory and of no other person; (c) Any alteration to the electronic
signature, made after the time of signing, is detectable; and (d) Where a purpose of the
legal requirement for a signature is to provide assurance as to the integrity of the
information to which it relates, any alteration made to that information after the time of
signing is detectable. 4. Paragraph 3 does not limit the ability of any person : (a) To
establish in any other way, for the purpose of satisfying the requirement referred to in
paragraph 1, the reliability of an electronic signature; or (b) To adduce evidence of the
non-reliability of an electronic signature. 5. The provisions of this article do not apply to
the following : [...].
23 Article 8. Conduct of the signatory : 1. Where signature creation data can be used to
create a signature that has legal effect, each signatory shall : (a) Exercise reasonable care
to avoid unauthorized use of its signature creation data; (b) Without undue delay, utilize
means made available by the certification service provider pursuant to article 9 of this
Law, or otherwise use reasonable efforts, to notify any person that may reasonably be
expected by the signatory to rely on or to provide services in support of the electronic
signature if : (i) The signatory knows that the signature creation data have been
compromised; or (ii) The circumstances known to the signatory give rise to a substantial
risk that the signature creation data may have been compromised; (c) Where a certificate
is used to support the electronic signature, exercise reasonable care to ensure the accuracy
and completeness of all material representations made by the signatory that are relevant
to the certificate throughout its life cycle or that are to be included in the certificate. 2. A
signatory shall bear the legal consequences of its failure to satisfy the requirements of
paragraph 1.
24 Article 9. Conduct of the certification service provider : 1. Where a certification
service provider provides services to support an electronic signature that may be used for
legal effect as a signature, that certification service provider shall : (a) Act in accordance
with representations made by it with respect to its policies and practices; (b) Exercise
reasonable care to ensure the accuracy and completeness of all material representations
made by it that are relevant to the certificate throughout its life cycle or that are included
article 11 (conduct of the relying party),25 and article 12 (recognition of foreign certificates and
electronic signatures).26 The Model Law is supplemented by a 'Guide to Enactments'.
in the certificate; (c) Provide reasonably accessible means that enable a relying party to ascertain from the certificate : (i) The identity of the certification service provider; (ii)
That the signatory that is identified in the certificate had control of the signature creation
data at the time when the certificate was issued; (iii) That signature creation data were
valid at or before the time when the certificate was issued; (d) Provide reasonably
accessible means that enable a relying party to ascertain, where relevant, from the
certificate or otherwise : (i) The method used to identify the signatory; (ii) Any limitation
on the purpose or value for which the signature creation data or the certificate may be
used; (iii) That the signature creation data are valid and have not been compromised; (iv)
Any limitation on the scope or extent of liability stipulated by the certification service
provider; (v) Whether means exist for the signatory to give notice pursuant to article 8,
paragraph 1 (b), of this Law; (vi) Whether a timely revocation service is offered; (e)
Where services under subparagraph (d) (v) are offered, provide a means for a signatory to
give notice pursuant to article 8, paragraph 1 (b), of this Law and, where services under
subparagraph (d) (vi) are offered, ensure the availability of a timely revocation service;
(f) Utilize trustworthy systems, procedures and human resources in performing its
services. 2. A certification service provider shall bear the legal consequences of its failure
to satisfy the requirements of para 1.
25 Article 11. Conduct of the relying party: A relying party shall bear the legal
consequences of its failure : (a) To take reasonable steps to verify the reliability of an
electronic signature; or (b) Where an electronic signature is supported by a certificate, to
take reasonable steps : (i) To verify the validity, suspension or revocation of the
certificate; and (ii) To observe any limitation with respect to the certificate.
26 Article 12. Recognition of foreign certificates and electronic signatures : 1. In
determining whether, or to what extent, a certificate or an electronic signature is legally
effective, no regard shall be had : (a) To the geographic location where the certificate is
issued or the electronic signature created or used; or (b) To the geographic location of the
place of business of the issuer or signatory. 2. A certificate issued outside [the enacting
Indian Perspective
Responding to the aforementioned initiative, India drafted her first law on electronic commerce :
the Electronic Commerce Act, 1998 with Electronic Commerce Support Act, 1998. It recalled
the rapid development of information and communication technologies revolutionising the
business practices; the transactions accomplished through electronic means, collectively referred
to as "electronic commerce", creating new legal issues; the shift from paper-based to electronic
transactions raising questions concerning recognition, authenticity and enforceability of
electronic documents and signatures; and the challenge before lawmakers of striking a balance
between conflicting goals of safeguarding electronic commerce and encouraging technological
development.
The Draft Electronic Commerce Act, 1998
The Electronic Commerce Act, 1998 aimed to 'facilitate the development of a secure regulatory
environment for electronic commerce by providing a legal infrastructure governing electronic
contracting, security and integrity of electronic transactions, the use of digital signatures and
other issues related to electronic commerce'.27 Another draft known as Electronic Commerce
State] shall have the same legal effect in [the enacting State] as a certificate issued in [the
enacting State] if it offers a substantially equivalent level of reliability. 3. An electronic
signature created or used outside [the enacting State] shall have the same legal effect in
[the enacting State] as an electronic signature created or used in [the enacting State] if it
offers a substantially equivalent level of reliability. 4. In determining whether a certificate
or an electronic signature offers a substantially equivalent level of reliability for the
purposes of paragraph 2 or 3, regard shall be had to recognized international standards
and to any other relevant factors. 5. Where, notwithstanding paragraphs 2, 3 and 4,
parties agree, as between themselves, to the use of certain types of electronic signatures
or certificates, that agreement shall be recognized as sufficient for the purposes of cross-
border recognition, unless that agreement would not be valid or effective under
applicable law.
27 For a complete overview of the Electronic Commerce Act, 1998, see
Support Act, 1998 had eight sections which were mainly concerned with necessary amendments
to other Acts to bring the latter in complete harmony with Electronic Commerce Act, 1998.28
The above drafts had been prepared by the Ministry of Commerce. Parallel drafts had also been
prepared by the Department of Electronics. Out of these four drafts, the Law Ministry had to
make a final Draft and to put it before Parliament.29
However, with the birth of the Ministry of Information Technology, the job was undertaken by it,
and what came forth was the Information Technology Bill, 1999. The Bill was introduced in
Parliament in December, 1999; was passed in May, 2000; and got the Presidential assent on June
09, 2000. It came into effect from October 23, 2000.
Information Technology Act, 2000
The Information Technology Act, 2000 aimed to 'provide legal recognition for transactions
carried out by means of electronic data exchange and other means of electronic communication,
commonly referred to as 'electronic commerce', which involve the use of alternatives to
paper-based methods of communication and storage of information, to facilitate electronic filing of
documents with the Government agencies'. To this end, it also had to amend the Indian Penal
Code, the Indian Evidence Act, Banker's Books Act and the Reserve Bank of India Act. 30 The
Act had 13 chapters spread over 94 sections; and four schedules. The IT Act, 2000 extends to
whole of India and, in some cases, even outside India. Following the passage of Negotiable
http://www.naavi.org/naavi_comments_itaa/historical_perspective/ect_1998/ect_1998_overview.htm.
The Act had 62 sections divided over fifteen parts. This Act, as is clear
from the drafts of Electronic Commerce Act, 1998 as well as that of Electronic
Commerce Support Act, 1998, was not to apply to the State of Jammu and Kashmir.
28 For the detail of this Act, see
http://www.naavi.org/naavi_comments_itaa/historical_perspective/ect_1998/ec_support_act_1998.htm.
29 For further detail, See
http://www.naavi.org/naavi_comments_itaa/historical_perspective/ect_1998/ecbgr.htm.
30 See, the preamble to the Act.
Instruments Amendment Act, 2002, the IT Act, 2000 underwent some major changes with effect
from February 06, 2003.31
Information Technology Amendment Act, 2008
However, it was not enough. In the year 2001, the UNCITRAL had come out with its model law
on electronic signature with an aim to make it technology-neutral. Like the model law on
electronic commerce, this too had to be taken care of by concerned nations who were supposed
to bring their information technology laws in tune with the model law on electronic signature. On
the domestic front also, the problems had surfaced on a scale that had made the amendment to
the IT Act, 2000 inevitable. New forms of cyber crimes had appeared on Indian scene posing a
challenge before the lawmakers who were faced with two hard options, namely, either to
drastically amend the existing law to give it some teeth or to helplessly see it being openly
outraged and violated by the cyber criminals and others.
At this critical juncture was brought the draft of the Information Technology Amendment Bill,
2006 which was introduced on December 15, 2006 in the Lower House of Parliament. It was
scrutinised by an Expert Committee which suggested several changes. The gravity of the issue of
emerging cyber crimes on national and global scales had worried the lawmakers so much so that
they referred it to the Standing Committee of Parliament to finally suggest changes necessary to
make the enactment more effective and in agreement with India's international obligations as an
IT power.
31 For this purpose, section 81A was inserted which states that (1) the provisions of this Act
shall apply to electronic cheques and truncated cheques subject to such modifications as
may be necessary for carrying out the purpose of Negotiable Instruments Act, 1881 by the
Central Government, in consultation with the Reserve Bank of India, by notification in
the Official Gazette; (2) every notification made by the Central Government shall be laid
before each House of Parliament, while it is in session for a total period of sixty days and
if both Houses agree in making any or no modification; the notification shall accordingly
become effective provided that the acts done in accordance with the original notification
shall not be affected by the said modification if any. Here the terms 'electronic cheque'
and 'truncated cheque' shall have the same meaning as under section 6 of the Negotiable
Instruments Act, 1881.
It took a couple of years before the amendments could see the light of the day. The Information
Technology (Amendment) Bill, 2006 was further amended by the Information Technology
(Amendment) Bill, 2008; and in the process, the underlying Act was renamed as the Information
Technology Amendment Act, 2008 (ITAA, 2008). The Information Technology Amendment
Act, 2008 was passed by the Lower House on December 22, 2008; and by the Upper House on
the following day i.e. December 23, 2008.
Salient features of the IT Act, 2000 As Amended by ITAA,
The Act extends to whole of India. An important feature of the Act is that it extends to acts or
omissions of a person even outside India and even if the said person is not an Indian national,
provided that (i) the said acts or omissions constitute offences or contraventions provided for
under the Information Technology Act, 2000; and (ii) the said acts or conducts constituting
offence or contravention involve a computer network located in India.32
The changes necessitated by the ITAA, 2008 in the Indian Penal Code and the Indian Evidence
Act have also been given along with the Act as respectively Part III and Part IV thereto. In order
to provide for the cyber offences committed from outside India with respect to a computer source
in India, electronic signatures and sundry other things, the sections 4, 40, 118, 119 and 464 of the
Indian Penal Code have been suitably amended. Likewise, sections 3, 45A, 47A, 67A, 85A, 85B,
85C and 90A of the Indian Evidence Act have been amended to provide legal authenticity to
electronic signatures in place of digital signatures, and electronic signature certificate in place of
digital signature certificate. Section 45A, one of the newly inserted sections, reads as follows :
"When in a proceeding, the Court has to form an opinion on any matter relating to any
information transmitted or stored in any computer resource or any other electronic or digital
form, the opinion of the Examiner of Electronic Evidence referred to in section 79A of the
Information Technology Act, 2000, is a relevant fact."
It explains that for the purposes of section 45A, the Examiner of Electronic Evidence shall be
(treated as) an expert.33
ITAA, 2008, has omitted several sections, substituted for some other sections, and amended still
others while leaving rest of the sections intact. It has scrapped all the four schedules of the parent
32 Section 75.
33 See, explanation to Section 45A, Indian Evidence Act, as amended by the ITAA, 2008.
Act and introduced two new schedules : one enumerating the items whereto the provisions of the
Act shall not apply; and the other for the details of electronic signature procedures as prescribed
by the Central Government.34
Among the vital changes introduced through ITAA, 2008, the ones meriting our attention are the
provisions dealing with cyber terrorism (where the maximum punishment to be awarded is the
imprisonment for life), child pornography and obscenity in cyber space, stricter control on
intermediaries, a wider concept of electronic signature as against the digital signature, national
nodal agency for critical information infrastructure protection, an incident response team and, the
all important restructuring of Cyber Appellate Tribunal as a multi-member body (whose chief
shall be appointed by the Central Government after consultation with the Chief Justice of India).
For the sake of clarity, however, the Act will be discussed under the following heads : E-
Governance, Control Mechanism, Offences and Remedies, and Miscellaneous Provisions.
34 Section 1(4) states that the Act will have no application in case of items listed in the First
Schedule. This Schedule enumerates four items, namely, negotiable instrument other than
a cheque (as defined under section 13 of the Negotiable Instruments Act, 1881), a power
of attorney (as defined under section 1A of the Powers of Attorney Act, 1882), a trust (as
defined under section 3 of the Indian Trusts Act), a will (as defined under clause (h) of
section 2 of Indian Succession Act) including any testamentary document by whatever
name called, any contract for the sale or conveyance of immovable property. The Central
Government may, by notification in the Official Gazette, add or delete entries to the First
Schedule. However, Section 1(5) requires that every such notification made under section
1(4) shall be laid before each House of Parliament.
E-Governance
Electronic governance (e-governance, for short) presupposes the presence and application of an
electronic device or a set thereof which makes the underlying communication feasible.
Computers are the most widely used devices (next possibly to cellular phones only). Any
electronic, magnetic, optical or other high speed data processing device or system which
performs logical, arithmetic and memory functions by manipulation of electronic, magnetic or
optical impulses fits the definition of a computer given under the Act.35 It also includes all input,
output, processing, storage, computer software, or communication facilities related to the
computer in a computer system or a computer network.
The Act defines 'data' as a representation of information, knowledge, facts, concepts or
instructions which are being prepared or have been prepared in a formalised manner, and is
intended to be processed, is being processed or has been processed in a computer system or
computer network. Such a data may be in any form (including computer print-outs, magnetic or
optical storage media, punched cards, punched tapes etc) or stored internally in the memory of
the computer. The term 'information' includes data, text, images, sound, voice, codes, computer
programmes, software and data bases or micro-film or computer generated micro-fiche.
By electronic form, with reference to information, is meant 'any information generated, sent,
received or stored in media magnetic, optical, computer memory, micro-film, computer
generated micro-fiche or similar device'. An 'electronic record' means data, record or data
generated, image or sound restored, received or sent in an electronic form or micro-film or
computer generated micro-film.
A subscriber may authenticate any electronic record by such electronic signature or electronic
authentication technique which (i) is reliable, and (ii) may be specified in the Second Schedule.36
An electronic signature means authentication of any electronic record by a subscriber by means
of the electronic technique specified in the Second Schedule, and includes a digital signature.37
35 Section 2 (i), ibid.
36 Section 3A, inserted by the Information Technology Amendment Act, 2008 hereinafter
referred to as ITAA, 2008.
37 Section 2(1) (ta), inserted by the ITAA, 2008.
By digital signature is meant an authentication of any electronic record by a subscriber by means
of an electronic method or procedure in accordance with the provisions of Section 3 of the Act.
For this purpose, a subscriber is a person who gets a digital signature certificate issued under
Section 35 of the Act, from a Certifying Authority (a person who has been granted a licence to
issue an electronic digital signature certificate) under Section 24 of the Act.
A digital signature involves the use of a pair of keys. The first one, the private key, is used to
create a digital signature whereas the second one, that is, public key is used to verify the digital
signature. In other words, the public key is used by any person, other than the person affixing his
digital signature, to verify the original record. In relation to a digital signature certificate, to
verify an electronic record or a public key is to determine (i) whether the initial electronic record
was affixed with the digital signature by the use of private key corresponding to the public key of
the subscriber; and (ii) whether the initial record is retained intact or has been altered since such
electronic record was so affixed with the digital signature.
The person who sits at the initial point of this electronic communication is termed as an
originator. An originator means 'a person who sends, generates, stores or transmits any electronic
message or causes any electronic message to be sent, generated, stored or transmitted to any
other person.' However, the term 'originator' does not include an intermediary; because an
intermediary is one who on behalf of another person receives, stores or transmits that message or
provides any service with respect to that message.
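The key-pair signing and two-part verification described above, as an added example (not taken from the Act or from any Certifying Authority's software). It assumes ECDSA on curve P-256 with SHA-256 through Node.js's built-in crypto module; the function names and the sample record are constructed for illustration.

```javascript
// Added illustration: affixing and verifying a digital signature with a hash
// function and an asymmetric key pair. Algorithm choice (ECDSA P-256 with
// SHA-256) and all names below are assumptions made for this example.
const crypto = require('crypto');

// The subscriber's functioning key pair: the private key creates the
// signature, the public key verifies it.
function generateSubscriberKeyPair() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}

// Hash result of a record: fixed length, and identical every time the
// algorithm is run on the same record.
function hashResult(record) {
  return crypto.createHash('sha256').update(record, 'utf8').digest('hex');
}

// Affix a digital signature: crypto.sign hashes the record with SHA-256 and
// signs that hash result with the subscriber's private key.
function affixDigitalSignature(record, privateKey) {
  const signature = crypto.sign('sha256', Buffer.from(record, 'utf8'), privateKey);
  return { record, signature: signature.toString('base64') };
}

// Verify with the subscriber's public key. A true result answers both
// questions at once: the signature was made with the matching private key,
// and the record has not changed since it was signed.
function verifyDigitalSignature(signedRecord, publicKey) {
  try {
    return crypto.verify(
      'sha256',
      Buffer.from(signedRecord.record, 'utf8'),
      publicKey,
      Buffer.from(signedRecord.signature, 'base64')
    );
  } catch (err) {
    // Malformed signature or key material counts as a failed verification.
    return false;
  }
}

// Walk through the cases a relying party can meet (constructed sample data).
function runDemo() {
  const subscriber = generateSubscriberKeyPair();
  const otherPerson = generateSubscriberKeyPair();
  const record = 'Constructed sample record: pay INR 5,000 to account 001';
  const signed = affixDigitalSignature(record, subscriber.privateKey);
  const altered = { ...signed, record: record.replace('5,000', '50,000') };
  return {
    genuine: verifyDigitalSignature(signed, subscriber.publicKey),
    alteredRecord: verifyDigitalSignature(altered, subscriber.publicKey),
    wrongPublicKey: verifyDigitalSignature(signed, otherPerson.publicKey),
    malformedSignature: verifyDigitalSignature(
      { record, signature: 'AAAA' },
      subscriber.publicKey
    ),
    sameHashForSameInput: hashResult(record) === hashResult(record),
    hashChangesWithRecord: hashResult(record) !== hashResult(altered.record),
  };
}

console.log(runDemo());
```

A failed check does not say which of the two conditions failed: an altered record and a non-matching public key both return false.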
Section 3 states that a subscriber may authenticate an electronic record by affixing his digital
signature. Such an authentication is effected by the use of 'asymmetric crypto system' and 'hash
function', which envelop and transform the initial electronic record into another electronic
record. Here, the 'hash function' means an algorithm mapping or translation of one sequence of
bits into another, generally smaller, set known as 'hash result' such that an electronic record
yields the same result every time the algorithm is executed with the same electronic record as its
input. Thus, it is computationally infeasible to derive or reconstruct the original electronic record
from the hash result (produced by the algorithm), or for two electronic records to produce the same
hash result (using the algorithm). In other words, a digital signature, like a manual signature in case of
a paper document, establishes and ensures for posterity the uniqueness or the originality of the
initial electronic record. This is so because the private key and the public key are unique to the
subscriber and constitute a functioning key pair. Section 10 empowers the Central Government
to make rules for digital signature.
For the purpose of governance through electronic means, the Act provides legal recognition to
electronic records (section 4), electronic signatures (section 5), and the use of such records and
signatures in government and its agencies (section 6) in a manner prescribed by the appropriate
government. It also empowers the appropriate government to make rules in this regard. Section
84A, inserted by the ITAA, 2008 states that the Central Government may, for secure use of the
electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or
methods for encryption.
Section 6A38 empowers the appropriate government to authorize, for the efficient delivery of
services to the public through electronic means, any service provider to set up, upgrade and
maintain computerized facilities and to perform such services as are specified. It may also
authorize a service provider to collect, retain and appropriate service charges in lieu of the said
services; and a service provider to collect service charges under this section notwithstanding the
fact that there is no express provision under this Act or the rules made there under. Further, it
may prescribe different scales of service charges for different types of services.
Where any law provides the retention of a document for a certain period of time, the same shall
be deemed to have been satisfied if the said document is retained in the electronic form;39 where
the audit of a document is provided for, such provision shall apply to documents processed and
maintained in electronic form;40 or where the publication in the Official Gazette is required, the
publication in either the Official Gazette or the Electronic Gazette will do; and if the publication
has been made in both forms, the date of the publication of the earlier one shall be taken as the
date of publication of the said law.41
However, these provisions do not confer a right upon any person to insist that a ministry etc of
the Central or the State Government or any authority under these governments should accept,
38 Inserted by the ITAA, 2008.
39 Section 7.
40 Section 7A, inserted by ITAA 2008.
41 Section 8.
issue, create, retain or preserve any document in electronic form or effect any monetary
transaction in the electronic form.42
Electronic Signature Certificates
Following the model law on electronic signature proposed by the United Nations Commission on
International Trade Law (UNCITRAL) in the year 2001, the ITAA, 2008 has provided for
electronic signature which includes digital signature. Affixing an electronic signature means
'adoption of any methodology or procedure by a person for the purpose of authenticating an
electronic record by means of an electronic signature'.43 An electronic signature certificate means
'an electronic signature certificate issued under section 35' and it 'includes digital signature
certificate'.44 Accordingly, the name of the chapter has been changed from 'digital signature
certificates' to 'electronic signature certificates'. A digital signature certificate means a digital
signature certificate issued under sub-section (4) of section 35. The particulars of electronic
signature or electronic authentication technique and procedure are yet to be notified, and, after
such notification, shall form the content of the second schedule.
The Act provides a procedure to get digital signature certificates. Any person can make an
application, along with prescribed fee (not exceeding twenty five thousand rupees), and a
certification practice statement (or any other statement prescribed by regulations), to the
Certifying Authority who, after proper inquiries, may grant the digital signature certificate.45 The
Certifying Authority cannot reject an application unless the applicant has been given a
reasonable opportunity of showing cause against the proposed rejection.
The Certifying Authority, while issuing the digital signature certificate, shall certify, among
other things, that it has complied with the provisions of the Act or rules; that it has published the
digital signature certificate or made it available to such person relying on it and the subscriber
has accepted it; that the subscriber holds the private key corresponding to the public key listed in
the digital signature certificate; that the public key can be used to verify the signature created by
42 Section 9.
43 Section 2 (1) (d).
44 Section 2 (1) (tb), inserted by ITAA 2008.
45 Section 35.
private key; and that the information contained in the digital signature certificate is accurate, to
the best of its knowledge.46
A digital signature certificate can be suspended either on a request from the subscriber listed in
the certificate or any person authorised to act on his behalf; or by the Certifying Authority itself
in the public interest. However, in case of suspension exceeding 15 days, the subscriber shall be
given a fair hearing; and on suspension of a digital signature certificate, the Certifying Authority
shall communicate the same to the subscriber.47
A Certifying Authority may revoke the digital signature certificate issued by it (a) on the request
of the subscriber or a person authorised by him; (b) upon the death of the subscriber; or, where
the subscriber is a firm or a company, upon the dissolution of the firm or winding up of the
company. If the Certifying Authority is of the opinion that a material fact represented in the
digital signature certificate is false or has been concealed, or a requirement for the issuance of
the certificate has not been satisfied; or the private key or the security has been compromised in a
manner which mainly affects the reliability of the certificate; or the subscriber, as the case may
be, has been declared insolvent or dissolved or wound up or otherwise has ceased to exist, it may
revoke the certificate after, where it is possible, the subscriber has been given a fair opportunity
to be heard.48
In case of revocation or suspension of a certificate, the authority shall publish a notice of such
suspension etc in the repository (or, in case of there being more than one, in all the repositories)
of the digital signature certificate for publication of such notice.49
If a person publishes an electronic signature certificate or otherwise makes it available to any
other person with the knowledge that certain particulars are not true, he shall be punished with
imprisonment for a term which may extend to two years and fine which may extend to one lac
rupees or both; unless such publication is for the purpose of verifying a digital signature created
prior to suspension or revocation of the certificate.50 For example, if the said publisher knows
46 Section 36.
47 Section 37.
48 Section 38.
49 Section 39.
50 Section 73.
that the Certifying Authority listed in the certificate has not issued it, or the subscriber listed in
the certificate has not accepted it, or the certificate has been revoked or suspended; the
provisions of this section shall be attracted. The Act stipulates the same punishment in case of
publication of an electronic signature certificate for fraudulent purposes.51
Section 10, as modified by ITAA, 2008, empowers the Central Government to make rules
prescribing the type of electronic signature; the manner of affixing the electronic signature;
control processes to ensure integrity, security and confidentiality of electronic records; and any
other matter to give legal effect to electronic signature. Section 10A52 grants validity to contracts
formed through means of electronic records.
Duties of Subscribers
Upon acceptance of the certificate, it is the duty of the subscriber to generate a key pair applying
the security procedure.53 In case of an electronic signature certificate, the subscriber shall
perform such duties as may be prescribed.54 A subscriber shall be deemed to have accepted
a digital signature certificate if he publishes or authorises the publication of a digital signature
certificate to one or more persons, or demonstrates his approval in any other manner. By
accepting the digital signature certificate, the subscriber certifies to all who reasonably rely on
the information contained in the digital signature certificate that he holds the private key
corresponding to the public key listed in the certificate and is entitled to hold the same; and that
all representations made by him to the authority and all information in the digital signature
certificate are correct to the best of his knowledge.55
Every subscriber shall exercise a reasonable care to retain control of the private key
corresponding to the public key and take all steps to prevent its disclosure to a person not
authorised to affix the digital signature of the subscriber. Also, the subscriber shall, without
any delay, inform the certifying authority in case the private key has been compromised. The
51 Section 74.
52 Inserted by ITAA, 2008.
53 Section 40.
54 Section 40A, inserted by ITAA, 2008.
55 Section 41.
subscriber shall be liable for any consequence for the period extending from the point of time of
the said compromise to the point of time when he has informed the certifying authority.56
Attribution of Electronic Records
Much of the evidentiary value of a statement, inter alia, depends on the person who makes it and
his locus in the entire episode under consideration. In fixing liability arising out of reliance on an
electronic record, therefore, it becomes of utmost importance to know who the said electronic
record is attributable to. An electronic record shall be attributed to the originator if it has been
sent either by the originator himself or a person authorised by him in this behalf or an
information system programmed by the originator to operate automatically.57
Where the originator has not stipulated that the acknowledgement of receipt of electronic record
be given in a particular form or by a particular method, any communication by or any conduct of
the addressee will do if it is sufficient to indicate to the originator that the electronic record has
been received. On the other hand, if the originator has stipulated that the record shall be binding
only on the acknowledgement of the receipt of such electronic record by him, then in the absence
of such a receipt, the electronic record shall be deemed to have been never sent by the originator.
In case where no specific form is stipulated, but the addressee has not acknowledged the receipt
of the record in any manner sufficient to inform the originator of the receipt; the originator may
notify the addressee about it and ask him to send the acknowledgement within time specified by
the originator failing which the record will be treated as though it had never been sent.58
The dispatch of an electronic record occurs when it enters a computer resource outside the
control of the originator; and the receipt occurs at a time when (i) the dispatch enters the
designated computer resource; or (ii) in case of it having been sent to the computer resource
other than the designated one, when the dispatch is retrieved by the addressee. Moreover, if the addressee has not designated a computer resource along with specified timings, if any, the receipt
occurs when the electronic record enters the computer resource of the addressee. In absence of an
agreement to the contrary, an electronic record is deemed to have been dispatched at a place
56 Section 42.
57 Section 11.
58 Section 12, as modified by ITAA, 2008.
where the originator has his place of business, and is deemed to have been received at a place
where the addressee has his place of business. In case of more than one places of business, the
principal place of business (of the originator or the addressee, as the case may be) shall be taken
to be the place of business; and in case of no such place (s), the usual place of residence shall be
deemed to be the place of business. For a body corporate, the usual place of business is the place
where it is registered.59
In M/s PR Transport Agency v. Union of India and others,60 the Allahabad High Court held that
the contract completes at the point where the offer was accepted by the appellant. Because the
appellant's place of business fell within the Court's jurisdiction, the Court had jurisdiction to hear
the case and decide, notwithstanding anything contrary in the contract formed by the parties. By
agreeing to the jurisdiction of some civil court of their choice, held the Court, the parties had
actually expressed their own limitation rather than the Court's; because the parties could not oust
the jurisdiction of a High Court conferred by Article 226 of the Constitution. Here the
agreement had been entered into by e-mail. The Court held that since the contract was
completed by the appellant and the money for delivery of coal had been received by the
respondents; any further discovery on the part of respondent, that there was some higher bidder,
would not undo the contract already completed with the appellant.
Secure Records and Signatures
Where any security procedure has been applied to an electronic record at a specific point of time,
such record shall be deemed to be a secure electronic record from such point of time to the point
of reproduction.61 An electronic signature shall be deemed to be a secure electronic signature if
the signature creation data at the time of affixing was under the exclusive control of signatory
and nobody else; and that the signature creation data was stored and affixed in such exclusive
59 Section 13.
60 Civil Misc Writ Petition No. 58468 of 2005. Decided on September 24, 2005.
61 Section 14.
manner as may be prescribed. In case of a digital signature, the term 'signature creation data'
means the private key of the subscriber.62
The Central Government has been empowered to prescribe the security procedure and practices
having regard to the commercial circumstances prevailing at the time when the procedure was
used.63
Intermediary
Most of the electronic communications are made by individuals through the medium of what are
termed as network service providers. In such a situation, the names of intermediaries also figure
in every episode if the information or data transmitted with their help proves to be
in contravention of the Act or rules made thereunder, or offensive to some other individual or
company or the like. Crucial points to be decided in such cases are, inter alia, whether and, if
yes, up to what extent the network service provider (s) may be held liable to be punished along
with other culprits like, say, the originator of the information etc.
Under the Information Technology Act, 2000, the said network service provider would mean an
'intermediary', the person transmitting the information etc the 'third party', and the information
dealt with by the intermediary in this capacity the 'third party information'. Such intermediary
would not be liable for any third party information, made available by him, if he could prove the
offence had been committed without his knowledge or that he had exercised due diligence.
Through ITAA, 2008, the noose has been tightened around the network service providers,
probably in the light of increasing incidents of cyber crime wherein the role of intermediaries
was found to be questionable. This is manifest in the definition of the term 'intermediary', and the
provisions regarding their liability or, as the case may be, non-liability. As a result, the job of an
intermediary has become very much akin to that of a tight-rope walker.
Now, an intermediary, with respect to any particular electronic record, is any person who on
behalf of another person receives, stores or transmits that record or provides any service with
respect to that record and includes telecom service providers, network service providers, internet
62 Section 15, substituted vide ITAA, 2008.
63 Section 16, as amended by ITAA, 2008.
service providers, web hosting service providers, search engines, online payment sites, online-auction
sites, online market places and cyber cafes.64
An intermediary shall not be liable for any third party information, data, or communication link
made or hosted by him,65 if
(a) his function is limited to providing access to communication system over which the
information made available by the third party is transmitted or temporarily stored; or
(b) he does not initiate the information, select the receiver of the transmission, and select or
modify the information contained in the transmission; or
(c) he observes due diligence while discharging his duties under the Act and the guidelines
prescribed by the Central Government.66
It is not an exaggeration of the fact that in great many cases the intermediaries play the roles far
removed from what their name would have ever suggested. When, for example, the
intermediaries commit, or conspire to commit, or aid or abet the causation of a cyber crime; they
are certainly acting in a direction neither intended nor approved of by law. Thus the Supreme
Court in Sanjay Kumar Kedia v. Narcotics Control Bureau and anr.,67declined to grant bail to
the appellant because it found, in the light of the evidence before it, that 'the appellant and his
associates were not innocent intermediaries or network service providers as defined under
section 79 of the Act (that is, IT Act, 2000)', but that their business was 'only a facade and
camouflage for more sinister activity'. Here, the company headed by the appellant had designed,
developed and hosted pharmaceutical websites; and, using these websites, had distributed huge
quantity of psychotropic substances (phentermine and butalbital) in the United States of America
with the help of his associates. This was an offence punishable with rigorous imprisonment for a
term of ten years to twenty years and fine from one lac to two lac rupees, under section 24 of the
Narcotic Drugs and Psychotropic Substances Act, 1985. The Court also made it clear that where
the accused had violated the provisions of the Narcotic Drugs and Psychotropic Substances Act,
64 Section 2 (1) (w), substituted by ITAA, 2008.
65 Section 79 (1), corrected by ITAA, 2008.
66 Section 79 (2), inserted by ITAA, 2008.
67 See : 2007(12) SCR 812; 2008 (2) SCC 294.
1985, section 79 of IT Act, 2000 would not grant him immunity from prosecution since section
79 could do so only with respect to offences under the IT Act, 2000.
The present Act appears all set to hit hard such persons who, while indulging in committing
crimes, try to use the garb of an intermediary as a shield to save their skin. An intermediary shall,
therefore, be liable to be punished if
(a) he has conspired or abetted or aided or induced whether by threats or promise or
otherwise in the commission of the unlawful act, or
(b) upon receiving actual knowledge, or on being notified by the appropriate Government or
its agency that any information, data or communication link residing in or connected to a
computer resource controlled by the intermediary is being used to commit the unlawful
act, the intermediary fails to expeditiously remove or disable access to that material on
that resource without vitiating the evidence in any manner.68
An intermediary shall preserve and retain such information as may be specified for such duration
and in such manner and format as the Central Government may prescribe.69 Any intermediary
who intentionally or knowingly contravenes the aforesaid direction of the Central Government
shall be punished with an imprisonment for a term which may extend to three years and shall
also be liable to fine.70
Protected systems
The appropriate government may, by notification, declare any computer resource which directly
or indirectly affects the facility of Critical Information Infrastructure to be a protected system.71
68 Section 79 (3), inserted by ITAA, 2008. For the purpose of section 79, adds an
explanation at the end of the section, the expression 'third party information' means any
information dealt with by an intermediary in his capacity as an intermediary.
69 Section 67C (1), inserted by ITAA, 2008.
70 Section 67C (2), inserted by ITAA, 2008.
71 Section 70 (1), substituted by ITAA, 2008. For the purposes of this section, 'Critical
Information Infrastructure' means the computer resource, the incapacitation or destruction
of which, shall have debilitating impact on national security, economy, public health or
safety.
The appropriate Government may, by order in writing, authorise persons who are authorised to
access such protected systems as are notified.72 Any person who accesses in an unauthorised
way; or tries, without lawful authority, to get access to such protected system shall be punished
with imprisonment up to ten years and fine.73 The Central Government shall prescribe the
information security practices and procedures for protected systems.74
In respect of Critical Information Infrastructure Protection, the Central Government shall, by a
notification in the Official Gazette, designate any organisation of the Government as the national
nodal agency.75 The national nodal agency so designated shall be responsible for all measures
including research and development relating to protection of Critical Information
Infrastructure.76 The manner of performing functions and duties of the said agency shall be as
may be prescribed.77
Control Mechanism
The ITAA, 2008 has both enlarged and strengthened the control mechanism devised by the
Information Technology Act, 2000. On the one hand, it has converted the Cyber Appellate
Tribunal (Section 68) from a one member to a multi-member body, and amended the process of
appointing its Chairperson (earlier known as Presiding Officer) by bringing into the picture none
other than the Chief Justice of India who shall be consulted by the Central Government before
appointing the Chairperson; and on the other, it has provided for the Indian Computer
Emergency Response Team (Section 70B), Examiner of Electronic Evidence (Section 79A) and
an Agency to monitor traffic data etc (Section 69B).
Besides, it has drastically amended the provisions related to the Controller (Section 17),
Certifying Authorities (Sections 30-34), the Cyber Appellate Tribunal (Section 68), Adjudicating
Officer (Section 46-47) and Cyber Regulations Advisory Committee (Section 88).
72 Section 70 (2).
73 Section 70 (3).
74 Section 70 (4), inserted by ITAA, 2008.
75 Section 70A (1), inserted by ITAA, 2008.
76 Section 70A (2), inserted by ITAA, 2008.
77 Section 70A (3), inserted by ITAA, 2008.
We shall have a look at the relevant provisions of the Act, not necessarily in the order mentioned
above.
Controller
The Central Government may appoint the Controller; and proper number of deputy controllers,
assistant controllers, officers and employees. The Controller acts under the general
superintendence of the Central Government. The deputy controllers and assistant controllers
shall perform the functions assigned to them by the Controller under the general superintendence
and control of the Controller. The qualifications, experience and terms and conditions of service
of Controller, deputy controllers, assistant controllers, and other officers and employees shall be
such as may be prescribed by the Central Government. The head office and the branch office of
the office of the Controller shall be at such places as the Central Government may specify, and
these may be established at such places as the Central Government may think fit. There shall be a
seal of the office of the Controller.78
(a) Functions of Controller
The Controller supervises the activities of Certifying Authorities, lays down the standards to be
maintained by Certifying Authorities, specifies the manner in which Certifying Authorities will
conduct their business, lays down the duties of the Certifying Authorities and resolves the
disputes between these authorities and their customers.
Other functions of the Controller include specifying the conditions subject to which the
authorities shall conduct their business; contents of written, printed or visual materials and
advertisements that may be distributed or used in respect of an electronic signature certificate
and the public key; terms and conditions for appointment of auditors; the form and content of an
electronic signature certificate and the key; and, specifying the form and manner in which
accounts will be maintained by the Certifying Authorities.79
Recognition to Foreign Certifying Authorities
With the prior approval of the Central Government and subject to proper conditions and
restrictions, the Controller may, by notification in the Official Gazette, recognize any Foreign
78 Section 17, as amended by ITAA, 2008.
79 Section 18, as amended by ITAA, 2008.
Certifying Authority as a Certifying Authority for the purposes of the Act; and the digital
signature certificate issued by such foreign Certifying Authorities shall be valid for the purposes
of the Act. In case such foreign Certifying Authority contravenes any of the conditions under
which it had been granted recognition, the Controller may, for reasons to be recorded in writing,
by notification in the Official Gazette, revoke such recognition.80
Grant of licence to issue digital signature certificate
The Act details the procedure following which one can get a licence to issue digital signature
certificates. Any person can make an application to the Controller for a licence to issue digital
signature certificates. For this, the applicant must fulfil the requirements prescribed by the
Central Government with respect to qualification, expertise, manpower, financial resources and
other infrastructural facilities necessary for issuance of digital signature certificates. A licence so
granted is non-transferable and non-heritable, and remains valid for a period specified by the
Central Government.81
An application for issuance of a digital signature certificate must be accompanied by a
certification practice statement, a statement with respect to the identification of the applicant,
prescribed fee (not exceeding twenty five thousand rupees), and any other document prescribed
by the Central Government.82 At least five days before its expiry, the present licence may be
renewed after an application for the same with prescribed fee (not exceeding five thousand
rupees) is made to the Controller.83 The Controller may, after perusal of the application, grant the
licence, or reject the application in which case he must provide the opportunity to the applicant
to present his case.84
The Controller may, if he is satisfied after an inquiry, that a Certifying Authority has made an
incorrect statement in relation to the issue or renewal of the licence, or failed to comply with the
terms and conditions of the licence, or contravened the provisions of the Act or any rules made
thereunder, revoke the licence. The Controller, if he has a reasonable cause to believe that there
80 Section 19.
81 Section 21.
82 Section 22.
83 Section 23.
84 Section 24.
is any ground for revoking a licence, may suspend the licence pending an inquiry. However, such
suspension cannot continue beyond a period of ten days without providing the Certifying
Authority a reasonable opportunity of showing cause against the proposed action. When its
licence is suspended, no Certifying Authority shall issue any digital signature certificate.85
When the licence of a Certifying Authority is revoked or cancelled, the Controller shall publish
the notice to this effect in the data base maintained by him. The data base containing the said
revocation or suspension will be accessible round the clock. Where one or more repositories are
specified, the notice shall be published in all such repositories.86 The Controller may delegate his
powers to a Deputy Controller, Assistant Controller or any other officer.87
(b) Powers of Controller
The Controller or any officer authorised by him in this behalf shall take up for investigation any
contravention of the provisions of the Act. The Controller or, as the case may be, any officer
authorised by him shall exercise all the powers which are conferred on Income Tax authorities
under the Income Tax Act, 1961, and subject to limitations laid down thereunder.88
Power to access
On a reasonable suspicion that any provision of the Act or any rule made thereunder has been
contravened, the Controller or any officer authorised by him has the power of access to any
computer system, any apparatus, any data or any other material connected with such system for
the purpose of searching or causing a search to be made for obtaining any information or data
contained in or available to such computer system. For this purpose, Controller or any officer
authorised by him may, by order, direct any person in charge of, or otherwise connected with the
operation of, the computer system, data apparatus or material, to provide him with such
reasonable technical and other assistance as he may consider necessary.89
85 Section 25.
86 Section 26.
87 Section 27.
88 Section 28.
89 Section 29.
Power to make regulations
After consultation with the Cyber Regulations Advisory Committee, and with prior approval of
the Central Government, the Controller may make regulations to carry out the purposes of the
Act.90 In particular, but without prejudice to the general powers in this regard, the regulations
made by the Controller may provide for the following:91
(a) the particulars relating to maintenance of database containing the disclosure record of
every Certifying Authority under clause (n) of section 18;
(b) the conditions and restrictions subject to which the Controller may recognize any foreign
Certifying Authority under section 19(1);
(c) the terms and conditions subject to which a licence may be granted under clause (c) of
section 21(3);
(d) other standards to be observed by a Certifying Authority under clause (d) of section 30;
(e) the manner of disclosure of information by a Certifying Authority under section 34 (1);
(f) particulars of statement accompanying an application to a Certifying Authority for grant
of an electronic signature certificate under section 35 (3);
(g) the manner in which a subscriber communicates the compromise of private key to the
Certifying Authority under section 42 (2).
Every regulation so made shall be placed before both Houses of Parliament while in session for
sixty days; and shall be effective with or without modifications made by the Houses or, if the
Houses so decide, shall be of no effect; provided that any such modification or annulment shall
not adversely affect anything previously done under that regulation.92
Examiner of Electronic Evidence
Compared to paper-based documents, there is a greater chance of disto