Tuesday, March 05, 2013

Information Technology Act 2000



History of the Act

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce.

Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000 and notified it for effectiveness on October 17, 2000.

The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got the Presidential assent on February 5, 2009 and was notified for effectiveness on October 27, 2009.

A complete history of how the current (2008) version of the Information Technology Act evolved between 1998 and 2009 is available at the reference link given under external links below.

OBJECTIVES OF IT ACT
1. One objective of the I.T. Act 2000 is to give legal recognition to any transaction carried out electronically or over the internet.
2. To give legal recognition to digital signatures for accepting any agreement via computer.
3. To provide the facility of filing documents online relating to school admission or registration in an employment exchange.
4. According to the I.T. Act 2000, any company can store its data in electronic storage.
5. To stop computer crime and protect the privacy of internet users.
6. To give legal recognition for keeping books of accounts by bankers and other companies in electronic form.
7. To give more power to IPO, RBI and the Indian Evidence Act for restricting electronic crime.
8. To provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce".
9. To facilitate electronic filing of documents with Government agencies and e-payments.
10. To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker's Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934.

SCOPE OF IT ACT
1. The Information Technology Act 2000 is not applicable to attestation for creating a trust by electronic means. Physical attestation is a must.
2. The I.T. Act 2000 is not applicable to attestation for making the will of any person. Physical attestation by two witnesses is a must.
3. The Act is not applicable to a contract of sale of any immovable property.
4. Attestation for giving power of attorney of property is not possible via electronic record.

Extent of application

Extends to the whole of India and also applies to any offence or contravention thereunder committed outside India by any person {section 1 (2)}, read with Section 75: the Act applies to an offence or contravention committed outside India by any person irrespective of his nationality, if such act involves a computer, computer system or network located in India.

Section 2 (1) (a) – "Access" means gaining entry into, instructing or communicating with the logical, arithmetic or memory function resources of a computer, computer resource or network.

Definitions (section 2)

"computer" means electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network;

"computer network" means the inter-connection of one or more computers through-

(i) the use of satellite, microwave, terrestrial line or other communication media; and

(ii) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained;

"computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files which contain computer programmes, electronic instructions, input data and output data that performs logic, arithmetic, data storage and retrieval, communication control and other functions;

"data" means a representation of information, knowledge, facts, concepts or instruction which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;

"electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;

“secure system” means computer hardware, software, and procedure that-

(a) are reasonably secure from unauthorized access and misuse;

(b) provide a reasonable level of reliability and correct operation;

(c) are reasonably suited to performing the intended function; and

(d) adhere to generally accepted security procedures;

“security procedure” means the security procedure prescribed by the Central Government under the IT Act, 2000.

“secure electronic record” – where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.

Act is inapplicable to…
(a) a negotiable instrument (Other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881;

(b) a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;

(c) a trust as defined in section 3 of the Indian Trusts Act, 1882;

(d) a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925 including any other testamentary disposition;

(e) any contract for the sale or conveyance of immovable property or any interest in such property;

(f) any such class of documents or transactions as may be notified by the Central Government
 
Section 3 Defines Digital Signatures
1. The authentication is to be effected by the use of an asymmetric crypto system and hash function.
2. The private key and the public key are unique to the subscriber and constitute a functioning key pair.
3. Verification of the electronic record is possible.

Secure digital signature - S.15

If, by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was:
1. unique to the subscriber affixing it;
2. capable of identifying such subscriber;
3. created in a manner or using a means under the exclusive control of the subscriber and linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated,

then such digital signature shall be deemed to be a secure digital signature.

Section 4- Legal recognition of Electronic Records
If any information is required in printed or written form under any law, the information provided in electronic form, which is accessible so as to be usable for subsequent use, shall be deemed to satisfy the requirement of presenting the document in writing or printed form.

Sections 5, 6 & 7

Legal recognition of Digital Signatures
Use of Electronic Records in Government & Its Agencies
Publications of rules and regulations in the Electronic Gazette.
Retention of Electronic Records
Accessibility of information, same format, particulars of dispatch, origin, destination, time stamp, etc.
 
66A. Punishment for sending offensive messages through communication service, etc.-

Any person who sends, by means of a computer resource or a communication device,-

(a) any information that is grossly offensive or has menacing character; or

(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently by making use of such computer resource or a communication device,

(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

Explanation: For the purposes of this section, the terms "Electronic mail" and "Electronic Mail Message" mean a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, image, audio, video and any other electronic record, which may be transmitted with the message.

DUTIES OF SUBSCRIBERS

Where any Digital Signature Certificate, the public key of which corresponds to the private key of that subscriber which is to be listed in the Digital Signature Certificate has been accepted by a subscriber, then, the subscriber shall generate the key pair by applying the security procedure.

(1) A subscriber shall be deemed to have accepted a Digital Signature Certificate if he publishes or authorizes the publication of a Digital Signature Certificate -
(a) to one or more persons,
(b) in a repository,
or otherwise demonstrates his approval of the Digital Signature Certificate in any manner.

(2) By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information contained in the Digital Signature Certificate that -

(a) the subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate and is entitled to hold the same;

(b) all representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the Digital Signature Certificate are true;

(c) all information in the Digital Signature Certificate that is within the knowledge of the subscriber is true.


(d) Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure to a person not authorized to affix the digital signature of the subscriber.

(e) If the private key corresponding to the public key listed in the Digital Signature Certificate has been compromised, then, the subscriber shall communicate the same without any delay to the Certifying Authority in such manner as may be specified by the regulations.

Explanation: For the removal of doubts, it is hereby declared that the subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised.



The Information Technology (Amendment) Act, 2008
          
The Government of India has brought major amendments to ITA-2000 in the form of the Information Technology Amendment Act, 2008. A set of Rules relating to Sensitive Personal Information and Reasonable Security Practices (mentioned in section 43A of the ITAA, 2008) was released in April 2011. The amendment was passed in an eventful Parliamentary session on 23rd of December 2008 with no discussion in the House.

Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians.

There has also been appreciation of the amendments from many observers because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government/its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data, under penalty of imprisonment.

Section 66A has been criticized and challenged in the Lucknow and Madras High Courts for its constitutional validity.


Notification Of IT Act 2008

The Information Technology Amendment Act, 2008 (IT Act 2008) was passed on 23rd December 2008 and received the assent of the President of India on 5th February, 2009. The IT Act 2008 was notified on Oct 27, 2009.


CASE STUDY :-

Pune Citibank MphasiS Call Center Fraud

US $ 3,50,000 from the accounts of four US customers was dishonestly transferred to bogus accounts. This will give a lot of ammunition to those lobbying against outsourcing in the US. Such cases happen all over the world, but when it happens in India it is a serious matter and we cannot ignore it. It is a case of social engineering. Some employees gained the confidence of the customers and obtained their PIN numbers to commit fraud. They got these under the guise of helping the customers out of difficult situations. The highest security prevails in the call centers in India, as they know that they will otherwise lose their business. It was not so much a breach of security as a case of social engineering.

The call center employees are checked when they go in and out so they cannot copy down numbers, and therefore they could not have noted these down. They must have remembered these numbers, gone out immediately to a cyber café and accessed the Citibank accounts of the customers.

All accounts were opened in Pune, and the customers complained that the money from their accounts was transferred to Pune accounts, and that's how the criminals were traced. Police have been able to prove the honesty of the call center and have frozen the accounts where the money was transferred.

There is a need for a strict background check of call center executives. However, even the best of background checks cannot eliminate the bad elements from coming in and breaching security. We must still ensure such checks when a person is hired. There is a need for a national ID and a national database where a name can be referred to. In this case preliminary investigations do not reveal that the criminals had any crime history. Customer education is very important so customers do not get taken for a ride. Most banks are guilty of not doing this.

Courtesy: Wikipedia, cyberlawclinic.org