IT ACT, 2000
The Genesis of IT legislation in India: The mid-90s saw an impetus in globalization and
computerisation, with more and more nations computerizing their governance and
e-commerce seeing enormous growth. Until then, most international trade and transactions
were conducted through documents transmitted by post and by telex. Evidence and
records were predominantly paper-based or in other hard-copy forms. With much of
international trade being done through electronic communication and with email gaining
momentum, an urgent need was felt to recognize electronic records, i.e. the data
stored in a computer or in an external storage device attached to it.
An Act to provide legal recognition for transactions carried out by means of electronic data
interchange and other means of electronic communication, commonly referred to as “electronic
commerce”, which involve the use of alternatives to paper-based methods of communication
and storage of information, to facilitate electronic filing of documents with the Government
agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the
Banker’s Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters
connected therewith or incidental thereto.
The Act essentially deals with the following issues:
Legal Recognition of Electronic Documents
Legal Recognition of Digital Signatures
Offenses and Contraventions
Justice Dispensation Systems for cyber crimes.
Some of the notable features of the ITAA are as follows:
Focussing on data privacy
Focussing on Information Security
Defining cyber café
Making digital signature technology neutral
Defining reasonable security practices to be followed by corporates
Redefining the role of intermediaries
Recognising the role of Indian Computer Emergency Response Team
Inclusion of some additional cyber crimes like child pornography and cyber terrorism
Authorizing an Inspector to investigate cyber offences (as against the DSP earlier)
Definitions.
“communication device” means cell phones, personal digital assistance or combination of
both or any other device used to communicate, send or transmit any text, video, audio or
image;
“computer” means any electronic, magnetic, optical or other high-speed data processing
device or system which performs logical, arithmetic, and memory functions by
manipulations of electronic, magnetic or optical impulses, and includes all input, output,
processing, storage, computer software or communication facilities which are connected
or related to the computer in a computer system or computer network;
“computer network” means the inter-connection of one or more computers or computer
systems or communication device through–
(i) the use of satellite, microwave, terrestrial line, wire, wireless or other
communication media; and
(ii) terminals or a complex consisting of two or more interconnected computers or
communication device whether or not the inter-connection is continuously
maintained;
“computer resource” means computer, computer system, computer network, data,
computer data base or software;
“computer system” means a device or collection of devices, including input and output
support devices and excluding calculators which are not programmable and capable of
being used in conjunction with external files, which contain computer programmes,
electronic instructions, input data and output data, that performs logic, arithmetic, data
storage and retrieval, communication control and other functions;
“data” means a representation of information, knowledge, facts, concepts or instructions
which are being prepared or have been prepared in a formalised manner, and is
intended to be processed, is being processed or has been processed in a computer
system or computer network, and may be in any form (including computer printouts,
magnetic or optical storage media, punched cards, punched tapes) or stored internally
in the memory of the computer;
“digital signature” means authentication of any electronic record by a subscriber by
means of an electronic method or procedure.
“electronic form” with reference to information, means any information generated, sent,
received or stored in media, magnetic, optical, computer memory, micro film, computer
generated micro fiche or similar device;
Authentication of electronic records.–
(1) Any subscriber may authenticate an electronic record by affixing his digital signature.
(2) The authentication of the electronic record shall be effected by the use of asymmetric crypto
system and hash function which envelop and transform the initial electronic record into another
electronic record.
(3) Any person by the use of a public key of the subscriber can verify the electronic record.
(4) The private key and the public key are unique to the subscriber and constitute a functioning
key pair.
Electronic signature.—(1) Notwithstanding anything contained in section 3, but subject to the
provisions of sub-section (2), a subscriber may authenticate any electronic record by such
electronic signature or electronic authentication technique which—
(a) is considered reliable; and
(b) may be specified in the Second Schedule.
(2) For the purposes of this section any electronic signature or electronic authentication
technique shall be considered reliable if—
(a) the signature creation data or the authentication data are, within the context in which they
are used, linked to the signatory or, as the case may be, the authenticator and to no other
person;
(b) the signature creation data or the authentication data were, at the time of signing, under the
control of the signatory or, as the case may be, the authenticator and of no other person;
(c) any alteration to the electronic signature made after affixing such signature is detectable;
(d) any alteration to the information made after its authentication by electronic signature is
detectable; and
(e) it fulfils such other conditions which may be prescribed.
(3) The Central Government may prescribe the procedure for the purpose of ascertaining
whether electronic signature is that of the person by whom it is purported to have been affixed
or authenticated.
(4) The Central Government may, by notification in the Official Gazette, add to or omit any
electronic signature or electronic authentication technique and the procedure for affixing
such signature from the Second Schedule.
ELECTRONIC GOVERNANCE-
Legal recognition of electronic records.—Where any law provides that information or any
other matter shall be in writing or in the typewritten or printed form, then, notwithstanding
anything contained in such law, such requirement shall be deemed to have been satisfied if such
information or matter is–
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference.
Use of electronic records and electronic signatures in Government and its agencies.–
(1) Where any law provides for—
(a) the filing of any form, application or any other document with any office, authority, body or
agency owned or controlled by the appropriate Government in a particular manner;
(b) the issue or grant of any licence, permit, sanction or approval by whatever name called in a
particular manner;
(c) the receipt or payment of money in a particular manner
Power to make rules by Central Government in respect of electronic signature—The
Central Government may, for the purposes of this Act, by rules, prescribe—
(a) the type of electronic signature;
(b) the manner and format in which the electronic signature shall be affixed;
(c) the manner or procedure which facilitates identification of the person affixing the
electronic signature;
(d) control processes and procedures to ensure adequate integrity, security and confidentiality
of electronic records or payments; and
(e) any other matter which is necessary to give legal effect to electronic signatures.
ATTRIBUTION AND ACKNOWLEDGMENT OF ELECTRONIC RECORDS-
Attribution of electronic records.—An electronic record shall be attributed to the originator— (a) if
it was sent by the originator himself; (b) by a person who had the authority to act on behalf
of the originator in respect of that electronic record; or (c) by an information system
programmed by or on behalf of the originator to operate automatically.
Acknowledgment of receipt.—(1) Where the originator has not stipulated that the
acknowledgment of receipt of electronic record be given in a particular form or by a
particular method, an acknowledgment may be given by— (a) any communication by the
addressee, automated or otherwise; or (b) any conduct of the addressee, sufficient to
indicate to the originator that the electronic record has been received.
SECURE ELECTRONIC RECORDS AND SECURE ELECTRONIC SIGNATURE-
Secure electronic signature.—An electronic signature shall be deemed to be a secure electronic
signature if—
(i) the signature creation data, at the time of affixing signature, was under the exclusive
control of signatory and no other person; and
(ii) the signature creation data was stored and affixed in such exclusive manner as may be
prescribed.
ELECTRONIC SIGNATURE CERTIFICATES-
(1) Any person may make an application to the Certifying Authority for the issue of an electronic
signature Certificate in such form as may be prescribed by the Central Government.
(2) Every such application shall be accompanied by such fee not exceeding twenty-five thousand
rupees as may be prescribed by the Central Government, to be paid to the Certifying
Authority.
(3) Every such application shall be accompanied by a certification practice statement.
Suspension of Digital Signature Certificate.–The Certifying Authority which has issued a
Digital Signature Certificate may suspend such Digital Signature Certificate,–
(a) on receipt of a request to that effect from–
(i) the subscriber listed in the Digital Signature Certificate; or
(ii) any person duly authorised to act on behalf of that subscriber;
(b) if it is of opinion that the Digital Signature Certificate should be suspended in public interest.
A Digital Signature Certificate shall not be suspended for a period exceeding fifteen days unless
the subscriber has been given an opportunity of being heard in the matter.
On suspension of a Digital Signature Certificate under this section, the Certifying Authority shall
communicate the same to the subscriber.
DUTIES OF SUBSCRIBERS-
Generating key pair.–Where any Digital Signature Certificate the public key of which corresponds
to the private key of that subscriber which is to be listed in the Digital Signature Certificate
has been accepted by a subscriber
Control of private key.–
(1) Every subscriber shall exercise reasonable care to retain control of the private key
corresponding to the public key listed in his Digital Signature Certificate and take all steps to
prevent its disclosure.
(2) If the private key corresponding to the public key listed in the Digital Signature Certificate has
been compromised, then, the subscriber shall communicate the same without any delay to
the Certifying Authority in such manner as may be specified by the regulations.
Offences-
| Section | Offence | Description | Penalty |
|---|---|---|---|
| 65 | Tampering with computer source documents | If a person knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force. | Imprisonment up to three years, or/and with fine up to ₹200,000 |
| 66 | Hacking with computer system | If a person with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack. | Imprisonment up to three years, or/and with fine up to ₹500,000 |
| 66B | Receiving stolen computer or communication device | A person receives or retains a computer resource or communication device which is known to be stolen or the person has reason to believe is stolen. | Imprisonment up to three years, or/and with fine up to ₹100,000 |
| 66C | Using password of another person | A person fraudulently uses the password, digital signature or other unique identification of another person. | Imprisonment up to three years, or/and with fine up to ₹100,000 |
| 66D | Cheating using computer resource | If a person cheats someone using a computer resource or communication. | Imprisonment up to three years, or/and with fine up to ₹100,000 |
| 66E | Publishing private images of others | If a person captures, transmits or publishes images of a person's private parts without his/her consent or knowledge. | Imprisonment up to three years, or/and with fine up to ₹200,000 |
| 66F | Acts of cyber terrorism | If a person denies access to an authorised personnel to a computer resource, accesses a protected system or introduces contaminant into a system, with the intention of threatening the unity, integrity, sovereignty or security of India, then he commits cyber terrorism. | Imprisonment up to life. |
| 67 | Publishing information which is obscene in electronic form. | If a person publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it. | Imprisonment up to five years, or/and with fine up to ₹1,000,000 |
| 67A | Publishing images containing sexual acts | If a person publishes or transmits images containing a sexual explicit act or conduct. | Imprisonment up to seven years, or/and with fine up to ₹1,000,000 |
| 67B | Publishing child porn or predating children online | If a person captures, publishes or transmits images of a child in a sexually explicit act or conduct. If a person induces a child into a sexual act. A child is defined as anyone under 18. | Imprisonment up to five years, or/and with fine up to ₹1,000,000 on first conviction. Imprisonment up to seven years, or/and with fine up to ₹1,000,000 on second conviction. |
| 67C | Failure to maintain records | Persons deemed as intermediary (such as an ISP) must maintain required records for stipulated time. Failure is an offence. | Imprisonment up to three years, or/and with fine. |
| 68 | Failure/refusal to comply with orders | The Controller may, by order, direct a Certifying Authority or any employee of such Authority to take such measures or cease carrying on such activities as specified in the order if those are necessary to ensure compliance with the provisions of this Act, rules or any regulations made there under. Any person who fails to comply with any such order shall be guilty of an offence. | Imprisonment up to three years, or/and with fine up to ₹200,000 |
| 69 | Failure/refusal to decrypt data | If the Controller is satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence, for reasons to be recorded in writing, by order, direct any agency of the Government to intercept any information transmitted through any computer resource. The subscriber or any person in charge of the computer resource shall, when called upon by any agency which has been directed, must extend all facilities and technical assistance to decrypt the information. The subscriber or any person who fails to assist the agency referred is deemed to have committed a crime. | Imprisonment up to seven years and possible fine. |