
An Introduction to Information Technology ACT 2008 - India

E-mail related crimes


Email spoofing
Sending malicious codes through email
Email bombing
Sending threatening emails
Defamatory emails
Email frauds

Common Cyber Crimes


Unauthorized access to computer systems or networks
Theft of information contained in electronic form
Data diddling
Salami attacks / Logic bombs
Denial of Service attack
Virus / worm attacks
Trojan attacks
Internet time thefts
Web jacking
Theft of computer system
Physically damaging a computer system

ITA 2008- Genesis


Based on the UNCITRAL Model Law for Electronic Commerce 1996
Draft E Commerce Act 1998 by Union Ministry of Commerce released for public comments in 1998
Went into hibernation until a new ministry, the Ministry of Information Technology, was formed in 1999
Draft revised and presented as IT Bill in the Parliament in Dec 1999
Went into hibernation until the I Love You virus woke up the Indian Government from its slumber
Bill passed into IT Act in May 2000 and rules notified bringing it into effect from 17th October 2000 (ITA 2000)

ITA 2008- Genesis contd.


2004: the baazee.com incident happened
CEO of baazee.com, an intermediary, was charged under Section 67 of ITA 2000
Industry protested; call for correction of IT Act
PM obliged and a Review of ITA 2000 was ordered
An Expert Committee gave its report in August 2005
ITAA 2006 was presented in the Parliament in Dec 2006
Was referred to a Parliamentary committee under the chairmanship of Mr Nikhil Kumar
Nov 2007 - Parliamentary committee returned the Bill to the Ministry (now Ministry of Communications and Information Technology) suggesting major revisions.

ITA 2008- Genesis contd.


December 2008: Information Technology Amendment Bill 2008 was introduced in the Parliament
To amend Information Technology Amendment Bill 2006
Was passed without any discussions during one fateful evening on December 23 in the Lok Sabha when 8 bills were passed in 17 minutes
Rajya Sabha passed the amendments on Dec 24th and Information Technology Amendment Act 2008 became a law
It amended the Information Technology Act 2000
Presently referred to as ITA 2008

ITA 2000.. Some reflections


Born in the background of UNCITRAL Model law
To promote E-Commerce
To provide recognition for Electronic Documents, Digital Signatures and Digital Contracts
Incidentally defined some basic Cyber Crimes
Set in process Adjudication and CYBER REGULATIONS APPELLATE TRIBUNAL (CRAT) for speedy grievance redressal

ITA - 2008
ITA 2008 became a Security focussed legislation
More Offences were added to the list of Cyber Crimes in ITA 2000
Civil liabilities were enhanced
Concept of Data Protection was brought in
CERT-In was given enormous powers
Role of Police increased
Intermediaries could not get the dilution they planned for through the Expert Committee
Scope for new Technology increased with the introduction of Electronic Signatures
E auditing and digital evidence examiner concept introduced etc

CERT-In Indian computer emergency response team


Collection, analysis and dissemination of information on cyber incidents.
Forecast and alerts of cyber security incidents
Emergency measures for handling cyber security incidents
Coordination of cyber incident activities
Issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
Such other functions relating to cyber security as may be prescribed.

IT ACT 2008
CHAPTER 1 - PRELIMINARY
CHAPTER 2 - DIGITAL AND ELECTRONIC SIGNATURE
CHAPTER 3 - ELECTRONIC GOVERNANCE
CHAPTER 4 - ATTRIBUTION, ACKNOWLEDGEMENT AND DESPATCH OF ELECTRONIC RECORDS
CHAPTER 5 - SECURE ELECTRONIC RECORDS AND SECURE DIGITAL SIGNATURES
CHAPTER 6 - REGULATION OF CERTIFYING AUTHORITIES
CHAPTER 7 - ELECTRONIC SIGNATURE CERTIFICATES
CHAPTER 8 - DUTIES OF SUBSCRIBERS
CHAPTER 9 - PENALTIES AND ADJUDICATION
CHAPTER 10 - THE CYBER REGULATIONS APPELLATE TRIBUNAL
CHAPTER 11 - OFFENCES
CHAPTER 12 - NETWORK SERVICE PROVIDERS NOT TO BE LIABLE IN CERTAIN CASES
CHAPTER 12 A - EXAMINER OF ELECTRONIC EVIDENCE
CHAPTER 13 - MISCELLANEOUS
Objectives
Notes On Clauses

Section 3: Authentication of Electronic Records


Use of digital / electronic signature
Use of asymmetric crypto system and hash function to authenticate electronic records
Authenticates the electronic document
Identifies the person who has put his electronic signature
Any alteration to the electronic signature made after affixing such signature is detectable
Any alteration to the information made after its authentication by electronic signature is detectable

What is Asymmetric Crypto System?


It is an encryption system using two keys
Documents encrypted with one key can be decrypted only with an associated second key
One is called the Private Key and is used for Encryption
The other is called the Public Key and is used for Decryption
"Hash function" means an algorithm mapping or translation of one sequence of bits into another set known as "Hash Result".
An electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input
It is computationally infeasible to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
No two electronic records can produce the same hash result using the same algorithm.
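
The Section 3 properties above (same hash result every time, and any alteration of the record or of the signature being detectable) shown as an added Python example; it is not part of the original slides. It uses unpadded textbook RSA over SHA-256 with a constructed demonstration key as a stand-in for a real signature scheme; the function names and the sample record are assumptions.

```python
import hashlib

# Demonstration key only (assumption, not from the page): built from two
# publicly known Mersenne primes so the example needs only the standard
# library. A real signer uses a randomly generated key and a padded scheme.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                           # public modulus
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def hash_result(record: bytes) -> int:
    """The 'hash result' of an electronic record, as an integer (SHA-256)."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def affix_signature(record: bytes) -> int:
    """Signer side: transform the hash result with the private key."""
    return pow(hash_result(record), D, N)


def verify_signature(record: bytes, signature: int) -> bool:
    """Verifier side: undo the transform with the public key and compare
    the recovered value with a freshly computed hash of the record."""
    if not 0 < signature < N:
        return False
    return pow(signature, E, N) == hash_result(record)


def demo() -> dict:
    # Constructed sample records; the second differs in one amount.
    record = b"Agreement: A pays B Rs. 10,000 on 17 October"
    altered = b"Agreement: A pays B Rs. 90,000 on 17 October"
    sig = affix_signature(record)
    return {
        "genuine": verify_signature(record, sig),
        "record_altered": verify_signature(altered, sig),
        "signature_altered": verify_signature(record, sig ^ 1),
        "same_hash_each_time": hash_result(record) == hash_result(record),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The private-key step is what the slide calls encryption and the public-key step is what it calls decryption; only the holder of D can produce a value that verifies under (N, E).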

Offences under Information Technology Act 2008

Sec 43: Penalty and Compensation for damage to computer, computer system, etc

SEC 43: If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network
accesses or secures access to such computer, computer system or computer network or computer resource
downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

SEC 43 continued:
disrupts or causes disruption of any computer, computer system or computer network;
denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;
provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under,
charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network,
destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means
steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage,
he shall be liable to pay damages by way of compensation to the person so affected

Sec 65: Tampering with Computer Source Documents


Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Sec 66: Computer Related Offences


If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

Meaning of "Dishonestly" as per sec 24 of the IPC: Whoever does anything with the intention of causing wrongful gain to one person or wrongful loss to another person, is said to do that thing "dishonestly".
Meaning of "Fraudulently" as per section 25 of the IPC: A person is said to do a thing fraudulently if he does that thing with intent to defraud but not otherwise.

Sec 66 A : Punishment for sending offensive messages through communication service, etc

SEC 66A : Any person who sends, by means of a computer resource or a communication device,
any information that is grossly offensive or has menacing character; or
any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill-will, persistently by making use of such computer resource or a communication device,
any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages (Inserted vide ITAA 2008)
shall be punishable with imprisonment for a term which may extend to three years and with fine.

Sec 66B: Stolen Computer


Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe that the same to be a stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.

Sec 66 C: Identity Theft

Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term that extends up to three years and shall also be liable to fine which may extend to rupees one lakh

Sec 66D: Impersonation


Whoever by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.

Sec 66 E: Video Voyeurism

SEC 66E : Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees or with both.

Sec 66F: Cyber Terrorism

Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

SEC 66F : Whoever,
(A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by
(i) denying or cause the denial of access to any person authorised to access computer resource; or
(ii) attempting to penetrate or access a computer resource without authorisation or exceeding authorised access; or
(iii) introducing or causing to introduce any computer contaminant;
and by means of such conduct causes or likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical infrastructure specified under Section 70, or 76

Sec 66 F (B) knowingly or intentionally penetrates or accesses a computer resource without authorization or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the state or foreign relations or any restricted information data or computer data base with reasons to believe that such information, data or computer data base so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of Cyber Terrorism

Sec 67: Punishment for publishing or transmitting obscene material in electronic form

Sec 67 : Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to three years and with fine which may extend to five lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.

Sec 67 A: Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form (Inserted vide ITAA 2008)

Sec 67 A : Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.

Sec 67 B: Punishment for publishing or transmitting of obscene material relating to children

Sec 67 B : Whoever, publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct or creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or facilitates abusing children online or records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:

Sec 67 C : Preservation and Retention of information by intermediaries

Sec 67 C :
Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Sec 70: Protected system

Sec 70 :
The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.
The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section (1)
Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.
The Central Government shall prescribe the information security practices and procedures for such protected system.

71) Penalty for misrepresentation.
72) Breach of confidentiality and privacy.
73) Penalty for publishing Digital Signature Certificate false in certain particulars.
74) Publication for fraudulent purpose.

Sec 79. Network service providers not to be liable in certain cases

DOCUMENTS OR TRANSACTIONS TO WHICH THE ACT SHALL NOT APPLY


A negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881.
A power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882.
A trust as defined in section 3 of the Indian Trusts Act, 1882.
A will as defined in clause (h) of section 2 of the Indian Succession Act, 1925, including any other testamentary disposition by whatever name called.
Any contract for the sale or conveyance of immovable property

AMENDMENTS IN OTHER ACTS


INDIAN PENAL CODE
THE INDIAN EVIDENCE ACT, 1872
THE BANKERS BOOKS EVIDENCE ACT, 1891
THE RESERVE BANK OF INDIA ACT, 1934
