
Information Technology Act, 2000

  • Author: Vijetha IAS

  • Date : 08 February 2021

An article in the Hindu dated 7th February 2021.
What does the Information Technology Act, 2000 in India cover?
• In India, the Information Technology Act, 2000, as amended from time to time,
governs all activities related to the use of computer resources.
Why was the Information Technology Act, 2000 enacted?
• The Act was enacted to provide legal recognition for transactions carried out by means
of electronic data interchange and other means of electronic communication, commonly
referred to as “electronic commerce.”
What mandate has been given under the Act to electronic governance?
• The Act is also meant to facilitate electronic filing of documents with the Government
agencies and to promote efficient delivery of Government services by means of reliable
electronic record.
What is the jurisdictional extent of this Act?
• The Act extends to the whole of India (including the State of Jammu & Kashmir).
• It also applies to any offence or contravention thereunder committed outside India
(extra-territorial jurisdiction) by any person, irrespective of his nationality, if the act
or conduct constituting the offence or contravention involves a computer, computer
system or computer network located in India.
What is meant by the term Functional Equivalent Approach?
• The functional equivalent approach extended notions such as “writing”, “signature” and
“original” of traditional paper-based requirements to electronic form.
What are the various cyber offences listed under the Act?
• The Act has categorised cyber offences under the following categories:
o (a) Computer related offences, including unauthorized access, disruption, damage,
destruction, etc. of computer resource.
o (b) Obscenity in electronic form (including child pornography).
o (c) Non-compliance of directions, cyber terrorism etc. (including cyber security).
o (d) Breach of confidentiality, privacy etc.
o (e) Offences related to Electronic Signatures Certificate.
Is hacking an offence under the Act?
• Yes, hacking is an offence under the Act though the term “hacking” per se is not defined
by the Act.
Is ethical hacking an offence under the Act?
• The Act does not distinguish between ‘hacking’ and ‘ethical hacking’.
• Both ‘hacking’ and ‘ethical hacking’ could be treated as computer related offences as
articulated under section 66 of the Act.
Whether section 66A covers telemarketers, or any such service providers whose
business models include sending bulk SMSs, Emails etc.?
• Yes, it is clear from section 66A that any person who sends, by means of a computer
resource or a communication device any electronic mail or electronic mail message for
the purpose of causing annoyance or inconvenience shall be punishable with
imprisonment for a term which may extend to three years and with fine.
Whether cyber terrorism has been defined under the Act?
• Section 66F defines cyber terrorism. It is an intention to threaten the unity, integrity,
security or sovereignty of India or to strike terror in the people or any section of the
people by using computer resource to access restricted information, data or computer
database with reasons to believe that such restricted information, data or computer
database may cause or likely to cause injury to:
o (i) the interests of sovereignty and integrity of India, the security of the State,
friendly relations with foreign States, public order, decency or morality, or
o (ii) in relation to contempt of court,
o (iii) defamation, or
o (iv) incitement to an offence, or
o (v) the advantage of any foreign nation, group of individuals or otherwise.
• The offence of cyber terrorism is punishable with imprisonment which may extend to
imprisonment for life.
Whether data theft is classified as cyber contravention or cyber offences or both?
• Data theft is classified as both a cyber contravention and a cyber offence.
• The difference between ‘cyber contravention’ and ‘cyber offence’ is more a matter of the
degree and extent of criminal activity than anything else.
What are digital signatures?
• It is a block of data at the end of an electronic message that attests to the authenticity of
the message.
• Digital signatures are an actual transformation of an electronic message using public key
cryptography.
• It requires a key pair (private key for encryption and public key for decryption) and a
hash function (algorithm).
• Digital signature is a two-way process, involving two parties: signer (creator of the
digital signature) and the recipient (verifier of the digital signature).
o A digital signature is complete, if and only if, the recipient successfully verifies it.
How are digital signatures different from electronic signatures?
• Digital signature is a sub-set of electronic signature.
• The Amendment Act, 2008, in order to maintain continuity with the regime of the digital
signature has introduced the concept of ‘electronic signature’.
• Examples of electronic signatures may include biometric signatures, passwords, PINs,
encryption applications etc.
• Digital signatures are never issued in the name of the company, partnership, association
etc. These can only be issued to company personnel individually, but never collectively.
What is meant by the term PKI?
• Public Key Infrastructure (PKI) is about the management and regulation of key pairs by
allocating duties between contracting parties (Controller of Certifying Authorities
/Certifying Authorities/ Subscribers), laying down the licensing and business norms for
CAs and establishing business processes/ applications to construct contractual
relationships in a digitized world.
• The idea is to develop a sound public key infrastructure for an efficient allocation and
verification of digital signatures certificates.
What is meant by the term “Critical Information Infrastructure”?
• The term “Critical Information Infrastructure” means the computer resource, the
incapacitation or destruction of which, shall have debilitating impact on national
security, economy, public health or safety.
Who is responsible under the Act to issue directions for interception or monitoring
or decryption of any information through any computer resource?
• The Secretary in the Ministry of Home Affairs, in case of the Central Government; or the
Secretary in charge of the Home Department, in case of a State Government or Union
Territory, as the case may be, acts as the “Competent Authority” to issue directions for
interception or monitoring or decryption of any information through any computer
resource under section 69 of the Act.
What are the roles of CERT-In?
• The Indian Computer Emergency Response Team (CERT-In) serves as the national
agency for performing the following functions in the area of Cyber Security–
o (a) collection, analysis and dissemination of information on cyber security incidents;
o (b) forecast and alerts of cyber security incidents;
o (c) emergency measures for handling cyber security incidents;
o (d) coordination of cyber incidents response activities;
o (e) issue guidelines, advisories, vulnerability notes and white papers relating to
information security practices, procedures, prevention, response and reporting of
cyber incidents; and
o (f) such other functions relating to cyber security as may be prescribed.
Whether CERT-In plays any role in blocking the websites?
• No, CERT-In no longer plays any role in blocking websites.
What are the Centre’s powers vis-à-vis intermediaries?
• The Act covers all ‘intermediaries’ who play a role in the use of computer resources and
electronic records.
• The term ‘intermediaries’ includes providers of telecom service, network service,
Internet service and web hosting, besides search engines, online payment and auction
sites, online marketplaces and cyber cafes.
• It includes any person who, on behalf of another, “receives, stores or transmits” any
electronic record. Social media platforms would fall under this definition.
• Section 69 of the Act confers on the Central and State governments the power to issue
directions “to intercept, monitor or decrypt…any information generated, transmitted,
received or stored in any computer resource”.
• The grounds on which these powers may be exercised are: in the interest of the
sovereignty or integrity of India, defence of India, security of the state, friendly relations
with foreign states, public order, or for preventing incitement to the commission of any
cognisable offence relating to these, or for investigating any offence.
How does the government block websites and networks?
• Section 69A, for similar reasons and grounds on which it can intercept or monitor
information, enables the Centre to ask any agency of the government, or any
intermediary, to block access to the public of any information generated, transmitted,
received or stored or hosted on any computer resource.
o Any such request for blocking access must be based on reasons given in writing.
o Failure to comply with a direction to block access to the public on a government’s
written request attracts a prison term of up to seven years, besides a fine.
What are the obligations of intermediaries under Indian law?
• Intermediaries are required to preserve and retain specified information in a manner
and format prescribed by the Centre for a specified duration.
o Contravention of this provision may attract a prison term that may go up to three
years, besides a fine.
Is the liability of the intermediary absolute?
• No. Section 79 of the Act makes it clear that “an intermediary shall not be liable for any
third-party information, data, or communication link made available or hosted by him”.
o This protects intermediaries such as Internet and data service providers and those
hosting websites from being made liable for content that users may post or
generate.
National Critical Information Infrastructure Protection Centre (NCIIPC)
• National Critical Information Infrastructure Protection Centre (NCIIPC), an
organization under the National Technical Research Organization (NTRO), is created
under Sec 70A of the Information Technology Act, 2000 (amended 2008).
• Under the NCIIPC Rules, a “critical sector” has been defined to mean sectors, which are
critical to the nation and whose incapacitation or destruction will have a debilitating
impact on national security, economy, public health or safety.
• These sectors have been classified into five main groups:
o (i) power and energy;
o (ii) banking, financial services and insurance (“BSFI”);
o (iii) ICTs;
o (iv) transportation and
o (v) e-governance and strategic public enterprises
• Unlike the critical sectors identified under the Strategic Approach of the Ministry of
Electronics and Information Technology, the sectors identified by the NCIIPC do not
include the defence sector.
Functions and Duties
• National nodal agency for all measures to protect nation's critical information
infrastructure.
o The basic responsibility for protecting CII system shall lie with the agency running
that CII.
• Protect and deliver advice that aims to reduce the vulnerabilities of critical information
infrastructure, against cyber terrorism, cyber warfare and other threats.
• Identification of all critical information infrastructure elements for approval by the
appropriate Government for notifying the same.
• Calling for information and giving directions to the critical sectors or persons serving or
having a critical impact on Critical Information Infrastructure.
