
INFORMATION TECHNOLOGY ACT 2000- AN OVERVIEW

Dr. M.K.SHARMA & ASHISH KANJARIA - KNVIBM

CHANGE IN THE ENVIRONMENT

Technological Revolution.
Increase in Volumes & Complexities of transactions.
User wants the electronic records to be confidential & protected from tampering.
More Flexible, Time Savings & Communicate easily etc.

Universal Internet access
Total Internet economy in 2008: US $ 4.48 trillion
E-Commerce in India in 2008: Rs. 2,95,000 Crore
E-Commerce in Asia in 2008: 38% of world total

E-COMMERCE

EC transactions over the Internet include:
Formation of Contracts
Delivery of Information and Services
Delivery of Content

IT ACT, 2000

Enacted on 17th May 2000. India is the 12th nation in the world to adopt cyber laws.

OBJECTIVES OF THE IT ACT


To provide legal recognition for transactions carried out by means of electronic data interchange, and other means of electronic communication, commonly referred to as "electronic commerce"
To facilitate electronic filing of documents with Government agencies and E-Payments
To amend the Indian Penal Code, Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891, Reserve Bank of India Act, 1934

ACT DOES NOT APPLY TO

(a) a negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881;
(b) a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;
(c) a trust as defined in section 3 of the Indian Trusts Act, 1882;
(d) a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925 including any other testamentary disposition;
(e) any contract for the sale or conveyance of immovable property or any interest in such property;
(f) any such class of documents or transactions as may be notified by the Central Government

DEFINITIONS (SECTION 2)

"computer" means electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network;

"computer network" means the inter-connection of one or more computers through (i) the use of satellite, microwave, terrestrial line or other communication media; and (ii) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained;

"computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files which contain computer programmes, electronic instructions, input data and output data that performs logic, arithmetic, data storage and retrieval, communication control and other functions;

"data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

"electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;

"secure system" means computer hardware, software, and procedure that
(a) are reasonably secure from unauthorized access and misuse;
(b) provide a reasonable level of reliability and correct operation;
(c) are reasonably suited to performing the intended function; and
(d) adhere to generally accepted security procedures

"security procedure" means the security procedure prescribed by the Central Government under the IT Act, 2000.

"secure electronic record": where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.


SECTION 3 DEFINES DIGITAL SIGNATURES

The authentication is to be effected by use of an asymmetric crypto system and hash function.
The private key and the public key are unique to the subscriber and constitute a functioning key pair.
Verification of the electronic record is possible.

ESSENTIAL STEPS OF THE DIGITAL SIGNATURE PROCESS

STEP 1 The signatory is the authorized holder of a unique cryptographic key pair;

STEP 2 The signatory prepares a data message (for example, in the form of an electronic mail message) on a computer;

STEP 3 The signatory prepares a message digest, using a secure hash algorithm. Digital signature creation uses a hash result derived from and unique to the signed message;

STEP 4 The signatory encrypts the message digest with the private key. The private key is applied to the message digest text using a mathematical algorithm. The digital signature consists of the encrypted message digest;

STEP 5 The signatory typically attaches or appends its digital signature to the message;

STEP 6 The signatory sends the digital signature and the (unencrypted or encrypted) message to the relying party electronically;


STEP 7 The relying party uses the signatory's public key to verify the signatory's digital signature. Verification using the signatory's public key provides a level of technical assurance that the message came exclusively from the signatory;

STEP 8 The relying party also creates a message digest of the message, using the same secure hash algorithm;

STEP 9 The relying party compares the two message digests. If they are the same, then the relying party knows that the message has not been altered after it was signed. Even if one bit in the message has been altered after the message has been digitally signed, the message digest created by the relying party will be different from the message digest created by the signatory;

STEP 10 Where the certification process is resorted to, the relying party obtains a certificate from the certification service provider (including through the signatory or otherwise), which confirms the digital signature on the signatory's message. The certificate contains the public key and name of the signatory (and possibly additional information), digitally signed by the certification service provider.
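The ten steps above, worked through in Python as an added example (not part of the original slides). It assumes SHA-256 as the hash and textbook RSA without padding as the asymmetric crypto system; the function names, the toy keys and the sample message are constructed for this illustration.

```python
import hashlib

E = 65537  # public exponent (assumption of this example)

def make_keypair(p, q):
    """STEP 1: derive (public, private) keys from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(message: bytes) -> int:
    """STEPS 3 and 8: SHA-256 message digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """STEP 4: apply the private key to the message digest."""
    n, d = private_key
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """STEPS 7-9: recover the signatory's digest with the public key and
    compare it with a digest computed independently from the message."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)

def cert_body(name: str, public_key) -> bytes:
    """Bytes the certifying authority signs: name plus public key."""
    return f"{name}|{public_key[0]}|{public_key[1]}".encode()

def issue_certificate(name, subject_public, ca_private) -> dict:
    """STEP 10: the certifying authority signs name + public key."""
    return {"name": name, "public_key": subject_public,
            "ca_signature": sign(cert_body(name, subject_public), ca_private)}

def verify_with_certificate(message, signature, cert, ca_public) -> bool:
    """Relying party: trust the key only if the CA's signature on the
    certificate checks out, then verify the message with that key."""
    body = cert_body(cert["name"], cert["public_key"])
    return (verify(body, cert["ca_signature"], ca_public)
            and verify(message, signature, cert["public_key"]))

# Constructed toy keys built from known Mersenne primes; real keys use
# secret random primes and a padding scheme such as RSA-PSS.
SIGNER_PUB, SIGNER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
CA_PUB, CA_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)

MESSAGE = b"Constructed sample record: pay Rs. 1,000 to account 12345"
TAMPERED = bytes([MESSAGE[0] ^ 0x01]) + MESSAGE[1:]   # one bit flipped
SIGNATURE = sign(MESSAGE, SIGNER_PRIV)   # STEPS 5-6: sent along with MESSAGE
CERT = issue_certificate("Constructed Subscriber", SIGNER_PUB, CA_PRIV)

if __name__ == "__main__":
    print("original verifies:", verify(MESSAGE, SIGNATURE, SIGNER_PUB))
    print("tampered verifies:", verify(TAMPERED, SIGNATURE, SIGNER_PUB))
    print("with certificate: ",
          verify_with_certificate(MESSAGE, SIGNATURE, CERT, CA_PUB))
```

The single flipped bit in TAMPERED is the case STEP 9 describes: the relying party's digest no longer matches the one recovered from the signature, so verification fails.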


SECTION 4- LEGAL RECOGNITION OF ELECTRONIC RECORDS

If any information is required in printed or written form under any law, the information provided in electronic form, which is accessible so as to be usable for subsequent use, shall be deemed to satisfy the requirement of presenting the document in writing or printed form.

SECTIONS 5, 6 & 7
Legal recognition of Digital Signatures
Use of Electronic Records in Government & Its Agencies
Publications of rules and regulations in the Electronic Gazette.
Retention of Electronic Records
Accessibility of information, same format, particulars of dispatch, origin, destination, time stamp, etc.

CONTROLLING & CERTIFYING AUTHORITIES [CAS]

The Central Government may appoint a Controller of Certifying Authority who shall exercise supervision over the activities of Certifying Authorities.


Certifying Authority means a person who has been granted a license to issue a Digital Signature Certificate. The Controller of Certifying Authority shall have powers to lay down rules, regulations, duties, responsibilities and functions of the Certifying Authority issuing Digital Signature Certificates. The Certifying Authority empowered to issue a Digital Signature Certificate shall have to procure a license from the Controller of Certifying Authority to issue Digital Signature Certificates. The Controller of Certifying Authority has prescribed detailed rules and regulations in the Act, as to the application for license, suspension of license and procedure for grant or rejection of license.


TYPES OF CYBER CRIMES

Cyber terrorism
Cyber pornography
Sale of illegal articles: narcotics, weapons, wildlife
Online gambling
Intellectual Property crimes: software piracy, copyright infringement, trademarks violations, theft of computer source code
Email spoofing
Credit card frauds

Crime against Government
Crime against persons
Crime against property

Cyber crimes:
Web jacking
Hacking
Information Theft
E-mail bombing
Salami attacks
Denial of Service attacks
Trojan attacks

Common scenarios in Cyber Crime


Unauthorized access: This occurs when a user/hacker deliberately gets access into someone else's network, either for monitoring or for data destruction purposes.

Denial of service attack: It involves sending disproportionate demands or data to the victim's server, beyond the limit that the server is capable of handling, and hence causes the server to crash.

Virus, Worms and Trojan attacks: Viruses are basically programs that are attached to a file, which then get circulated to other files and gradually to other computers in the network. Worms, unlike viruses, do not need a host to attach to; they make copies of themselves and do this repeatedly, hence eating up all the memory of the computer. Trojans are unauthorized programs which function from inside what seems to be an authorized program, thereby concealing what they are actually doing.

Email Bombing: It refers to sending a large number of emails to the victim, resulting in the victim's email account (in case of an individual) or mail servers (in case of a company or an email service provider) crashing.

Internet Time Thefts: This connotes the usage by an unauthorized person of the Internet hours paid for by another.

Web Jacking: This occurs when someone forcefully takes control of a website (by cracking the password and later changing it). The actual owner of the website does not have any more control over what appears on that website.

Theft and Physical damage of computer or its peripherals: This type of offence involves the theft of a computer, some parts of a computer or a peripheral attached to the computer, and physically damaging a computer or its peripherals.

Software and Hardware Issues: The growth of cyber crime has given rise to numerous forensic software vendors. The challenge is to choose among them, as no single forensic tool solves the entire case and there are loads of third party tools available. When it comes to mobile forensics, it is a challenge to decide the compatibility of different phones and which hardware to rely on. Recently China has been manufacturing mobile phones that have cloned IMEI numbers, which is a current challenge faced in mobile forensics.

Information sharing: Information sharing is a best practice and can be accomplished by a variety of means such as interacting with industry groups, attending briefings, meetings, seminars and conferences, and working actively with forensic bodies.

Global Issues: Most of the IP addresses retrieved during investigation lead to servers or computers located abroad which have no identity, hence further investigations are blocked and closed. Correspondence with bodies such as Google, Yahoo, Hotmail is quite time consuming and prolongs the investigations.

Wireless or Wi-Fi, Bluetooth, Infrared Issues: The latest wireless technologies which provide internet connections are open to exploitation, especially when they are not secured. This is the technology that terrorists and radical activists presently exploit. This is another vulnerability that law enforcement faces.

SECTION 65: SOURCE CODE


Most important asset of software companies
"Computer Source Code" means the listing of programmes, computer commands, design and layout

Ingredients
Knowledge or intention
Concealment, destruction, alteration
Computer source code required to be kept or maintained by law

Punishment
Imprisonment up to three years and / or fine up to Rs. 2 lakh

Section 66: Hacking


Ingredients
Intention or Knowledge to cause wrongful loss or damage to the public or any person
Destruction, deletion, alteration, diminishing value or utility or injuriously affecting information residing in a computer resource

Punishment
Imprisonment up to three years, and / or fine up to Rs. 2 lakh

SEC. 67. PORNOGRAPHY

Ingredients
Publishing or transmitting or causing to be published in the electronic form
Obscene material

Punishment
On first conviction: imprisonment of either description up to five years and fine up to Rs. 1 lakh
On subsequent conviction: imprisonment of either description up to ten years and fine up to Rs. 2 lakh

Section covers
Internet Service Providers, Search engines, Pornographic websites

SEC 69: DECRYPTION OF INFORMATION

Ingredients
Controller issues order to Government agency to intercept any information transmitted through any computer resource.
Order is issued in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign States, public order or preventing incitement for commission of a cognizable offence.
Person in charge of the computer resource fails to extend all facilities and technical assistance to decrypt the information: punishment up to 7 years.

SEC 70 PROTECTED SYSTEM


Ingredients
Securing unauthorised access or attempting to secure unauthorised access to protected system

Acts covered by this section:
Using installed software / hardware
Installing software / hardware

Punishment
Imprisonment up to 10 years and fine

Computer Related Crimes under IPC and Special Laws


Sending threatening messages by email: Sec 503 IPC
Sending defamatory messages by email: Sec 499, 500 IPC
Forgery of electronic records: Sec 463, 470, 471 IPC
Bogus websites, cyber frauds: Sec 420 IPC
Email spoofing: Sec 416, 417, 463 IPC
Online sale of Drugs: NDPS Act
Web-Jacking: Sec. 383 IPC
Online sale of Arms: Arms Act

CYBER STALKING

Ritu Kohli (first lady to register the cyber stalking case) is a victim of cyber-stalking. A friend of her husband gave her phone number and name on a chat site for immoral purposes. A computer expert, Kohli was able to trace the reason. Now, the latter is being tried for "outraging the reserve of a woman", under Section 509 of IPC.


EMAIL SPOOFING:

Pranab Mitra, former executive of Gujarat Ambuja Cement, posed as a woman, Rita Basu, and created a fake e-mail ID through which he contacted one V.R. Ninawe, an Abu Dhabi businessman. After a long cyber relationship and emotional messages, Mitra sent an e-mail that she would commit suicide if Ninawe ended the relationship. He also gave him another friend Ruchira Sengupta's e-mail ID, which was in fact his second bogus address. When Ninawe mailed the other ID, he was shocked to learn that Mitra had died and the police were searching for Ninawe. Mitra extorted a few lakh rupees as advocate fees etc. Mitra even sent e-mails as high court and police officials to extort more money. Ninawe finally came down to Mumbai to file a police case.

ONLINE GAMBLING: VIRTUAL CASINOS, CASES OF MONEY LAUNDERING

Cyber case: In Andhra Pradesh one Kola Mohan created a website and an email address on the Internet with the address 'eurolottery@usa.net', which showed his own name as receiver of 12.5 million pounds in the Euro lottery. After getting confirmation from the email address, a Telugu newspaper published this as news. He gathered huge sums from the public as well as from some banks. The fraud came to light only when a cheque amounting to Rs 1.73 million, discounted by him with Andhra Bank, got dishonored.

SALIENT FEATURES OF THE ACT

The salient features of the Information Technology Act, 2000 are as follows:
(i) Extends to the whole of India (Section 1)
(ii) Authentication of electronic records (Section 3)
(iii) Legal Framework for affixing Digital signature by use of asymmetric crypto system and hash function (Section 3)
(iv) Legal recognition of electronic records (Section 4)
(v) Legal recognition of digital signatures (Section 5)
(vi) Retention of electronic record (Section 7)
(vii) Publication of Official Gazette in electronic form (Section 8)
(viii) Security procedure for electronic records and digital signature (Sections 14, 15, 16)
(ix) Licensing and Regulation of Certifying authorities for issuing digital signature certificates (Sections 17-42)
(x) Functions of Controller (Section 18)
(xi) Appointment of Certifying Authorities and Controller of Certifying Authorities, including recognition of foreign Certifying Authorities (Section 19)
(xii) Controller to act as repository of all digital signature certificates (Section 20)
(xiii) Data Protection (Sections 43 & 66)
(xiv) Various types of computer crimes defined and stringent penalties provided under the Act (Section 43 and Sections 66, 67, 72)
(xv) Appointment of Adjudicating officer for holding inquiries under the Act (Sections 46 & 47)
(xvi) Establishment of Cyber Appellate Tribunal under the Act (Sections 48-56)
(xvii) Appeal from order of Adjudicating Officer to Cyber Appellate Tribunal and not to any Civil Court (Section 57)
(xviii) Appeal from order of Cyber Appellate Tribunal to High Court (Section 62)
(xix) Interception of information from computer to computer (Section 69)
(xx) Protection System (Section 70)
(xxi) Act to apply for offences or contraventions committed outside India (Section 75)
(xxii) Investigation of computer crimes to be investigated by officer at the DSP (Deputy Superintendent of Police) level
(xxiii) Network service providers not to be liable in certain cases (Section 79)
(xxiv) Power of police officers and other officers to enter into any public place and search and arrest without warrant (Section 80)
(xxv) Offences by the Companies (Section 85)
(xxvi) Constitution of Cyber Regulations Advisory Committee who will advise the Central Government and Controller (Section 88)
