
Information Technology Act

The Information Technology Act, 2000 is India's primary legislation addressing cybercrime and electronic commerce, establishing legal recognition for electronic records and digital signatures. It includes provisions for e-governance, penalties for cyber offenses, and amendments to related laws to accommodate electronic transactions. The Act also outlines the roles of certifying authorities and the legal framework for cryptographic practices in securing digital communications.

Uploaded by Shikha Kamra

INFORMATION TECHNOLOGY ACT
OUTLINE
1 Overview of IT Act 2000
2 Amendments to IT Act 2000
3 Digital Signatures
4 Cryptographic Algorithms
5 Public Cryptography
6 Private Cryptography
7 Electronic Governance
8 Legal Recognition of Electronic Records
9 Legal Recognition of Digital Signatures
10 Certifying Authorities
11 Cyber Crime and Offences
12 Network Service Provider Liabilities
13 Cyber Regulations Appellate Tribunal
14 Penalties and Adjudication
INFORMATION TECHNOLOGY ACT 2000
✔ The Information Technology Act, 2000 (also known
as ITA-2000, or the IT Act) is an Act of the Indian
Parliament (No 21 of 2000) notified on 17 October 2000. It is
the primary law in India dealing
with cybercrime and electronic commerce.
✔ The bill was passed in the budget session of 2000 and signed
by the President on 9 May 2000.
✔ The original Act contained 94 sections, divided into 13
chapters and 4 schedules out of which the third schedule and
fourth schedule are omitted.
Need for the act
1. The need for information to be collected, stored and utilized in
electronic form which in turn would serve the dual purpose of
facilitating ecommerce and inducting e-governance in the system.
2. Giving effect to the United Nations General Assembly Resolution
whereby the Model Law on Electronic Commerce was adopted by the
United Nations Commission on International Trade Law.
✔ The idea has been to make a shift from the paper-based system to
an electronic system whereby the communication and storage of data
would be through the electronic medium rather than on paper.
3. A statutory mechanism for the creation and use of digital signatures in
the country.
✔ The required institution is created which would be responsible for issuance of Digital
Signature Certificates and subsequent verification so that it can be used in e-commerce and
e-governance.

4. The Act attempts to meet the need for e-governance by providing for e-records. It
provides statutory support to electronic records so that they can be used to promote
efficient delivery of government services.
5. Cyber crimes have been dealt with by providing for punishment for certain
computer-related wrongs.
6. The Act also provides for electronic transfer of funds.
7. Various other Acts namely the Indian Penal Code, 1860, the Indian Evidence Act, 1872,
the Reserve Bank of India Act, 1934 and the Bankers’ Books Evidence Act, 1891 have
been suitably amended to suit the electronic era.
▪ MIR-011B1E (egyankosh.ac.in)
APPLICATION OF THE ACT
▪ The application of the Act and its extra-territorial effect can be well understood by a
conjoint reading of sections 1, 75 and 81. The Act extends to the whole of India.

▪ Although sub-section (1) of section 75, in wider terms, makes the Act applicable also to
any offence or contravention committed outside India by any person irrespective of his
nationality, this sub-section has been made subject to the provisions of sub-section (2),
which states that for the purposes of sub-section (1), this Act shall apply to an offence
or contravention committed outside India by any person, if the act or conduct
constituting the offence or contravention involves a computer, computer system or
computer network in India.
AMENDMENTS IN IT ACT 2000
Major Amendments in 2008

❖ It introduced Section 66A which penalized sending "offensive messages".

❖ It also introduced Section 69, which gave authorities the power of "interception or
monitoring or decryption of any information through any computer resource".

❖ It introduced provisions addressing pornography, child porn, cyber
terrorism and voyeurism.

It was signed into law by the President on 5 February 2009.


AMENDMENTS IN IT ACT 2000
Other amendments
▪ The first section contains the amendment to the Indian Penal Code. It has
been widened to bring electronic documents within its ambit.
▪ The second amendment deals with the Indian Evidence Act. It pertains to
the inclusion of electronic documents as evidence.
▪ The third section amends the Bankers' Books Evidence Act. It includes
printouts of data stored in electro-magnetic devices.
▪ The fourth section amends the Reserve Bank of India Act. It pertains to
the regulation of fund transfer through electronic means between banks
or between banks and other financial institutions.
TIME TO PONDER
▪ List various sections, offences and punishments mentioned in IT Act 2000.

▪ Comment on the Digital Personal Data Protection Act 2023. How is it different from IT Act
2000?
DIGITAL SIGNATURE
▪ One major change is the substitution of “digital signature” with
“electronic signature” through an amendment to section 4.
▪ Digital signature is thus recognised as only one of the types of electronic
signature.
▪ With the advent of information technology and movement of the
business on the Internet, it became necessary that there should be a
secure form of entering into online contracts. In an online environment,
the same is done through digital signatures.
▪ Digital Signature has a two-fold purpose: (a) identification of the person
who is signing the document; (b) authentication of the contents of the
document which is being signed.
DIGITAL SIGNATURE
The aim of a digital signature is to achieve authentication and non-repudiation.
▪ In the electronic world, digital signatures are the replacement for physical signatures.
▪ It is a technique that binds a person / entity to the digital data. This binding can be
verified by a third party.
▪ A digital signature is a cryptographic value that is generated from the data and the sender’s
private key.
▪ It is of paramount importance for the receiver to ensure that the received message was indeed
sent by party A and not by any third party.
DIGITAL SIGNATURE: IMPORTANCE
❑ Message Authentication: If B can decrypt a message with A’s public key, it means that
the message must have been initially encrypted with A’s private key.
❑ Data Integrity: In case an attacker has access to the data and modifies it, the digital signature
verification at the receiver’s end will fail. The hash of the modified data and the output
provided by the verification algorithm will not match.
❑ Non-Repudiation: Since the private key is only known to the sender (or party A), the
signature has to be unique. Thus, the receiver can present the data and digital signature
to a third party as evidence in case of any dispute.
TIME TO PONDER
▪ Using any programming language of your choice, generate digital signatures for a given piece
of data.
CRYPTOGRAPHIC ALGORITHMS
Plain text --------------------> Cipher Text
Two common ways:
1. Substitution Technique: Caesar, Mono-alphabetic, Homophonic
2. Transposition: Rail Fence, Vernam, Book/Running Key

Types of Ciphers
a. Stream Ciphers
b. Block Ciphers

Encryption: The process of transforming (encoding) a plain text message into a cipher text message
Decryption: The process of transforming (decoding) a cipher text message into a plain text message
CRYPTOGRAPHIC ALGORITHMS
Cryptography is the practice and study of techniques for securing communication and
data in the presence of adversaries.
SYMMETRIC ALGORITHMS
ASYMMETRIC ALGORITHMS
PUBLIC KEY CRYPTOGRAPHY
▪ Public-key cryptography is also known as asymmetric-key cryptography.

▪ Public key cryptography uses both a public key and a private key in order to encrypt and
decrypt data.

▪ The public key can be distributed widely but the private key cannot be shared with
anyone. It is commonly used for communication between two users or two servers in a secure way.
PUBLIC KEY CRYPTOGRAPHY
▪ Public Key: Public keys are designed to be public. They can be freely given to everyone
or posted on the internet. By using the public key, one can encrypt the plain text message
into the cipher text. It is also used to verify the sender authentication. In simple words,
one can say that a public key is used for closing the lock.
PUBLIC KEY CRYPTOGRAPHY
▪ Private Key: The private key is the total opposite of the public key. The private key is
always kept secret and never shared. Using this key we decrypt cipher text messages
into plain text. In simple words, one can say that the private key is used for opening the
lock.
ADVANTAGES OF PUBLIC KEY CRYPTOGRAPHY
Benefits of Public-key Cryptography
• Authentication: It assures the receiver that the data received has been sent only by the
verified sender.
• Data integrity: It ensures that the information and program are changed only in a
specific and authorized manner.
• Data confidentiality: It ensures that private message is not made available to an
unauthorized user. It is referred to as privacy or secrecy.
• Non-repudiation: It is an assurance that the original creator of the data cannot deny
the transmission of the said data to a third party.
• Key management: Public-key cryptography allows for secure key management, as the
private keys are never transmitted or shared. This eliminates the need for a secure
channel to transmit the private key, as is required in symmetric key cryptography.
• Digital signatures: Public-key cryptography allows for the creation of digital
signatures, which provide non-repudiation and can be used to verify the authenticity
and integrity of data.
• Key exchange: Public-key cryptography enables secure key exchange between two
parties, without the need for a pre-shared secret key. This allows for secure
communication even if the parties have never communicated before.
• Secure communication: Public-key cryptography enables secure communication
over an insecure channel, such as the internet, by encrypting the data with the public
key of the recipient, which can only be decrypted by the recipient’s private key.
• Versatility: Public-key cryptography can be used for a variety of purposes, such as
secure communication, digital signatures, and authentication, making it a versatile tool
for securing data and communications.
PRIVATE KEY CRYPTOGRAPHY
▪ Private key cryptography, also known as symmetric-key cryptography, is an encryption
method in which a single key is used to encrypt and decrypt data.

▪ This key is kept secret between the sender and receiver and is used to encrypt and
decrypt messages.
PRIVATE KEY CRYPTOGRAPHY
Benefits

▪ Secure Transactions

▪ Hack Prevention

▪ Anonymity

▪ Scalability
PRIVATE KEY CRYPTOGRAPHY
Cons:
1. Key distribution

2. Key management

3. Lack of forward secrecy

4. Limited authentication

5. Vulnerable to key length attacks


E-GOVERNANCE
▪ E-Governance is the application of IT for delivering government services, exchange of information,
communication transactions, integration of various stand-alone systems between government to
citizen, government to business, government to government, government to employees as well as
back-office processes and interaction within the entire government framework.

▪ Through e-governance, services are made available to citizens in a convenient, efficient and
transparent manner.

▪ Three stakeholders are: Government, Citizens, and Business/Interest Groups.


E-GOVERNANCE
Pros:
1. Speed
2. Cost Savings
3. Transparency

Cons:
1. Set-up Cost
2. Technical difficulties
3. Illiteracy
E-GOVERNANCE
▪ Determining how those purposes or functions could be fulfilled through electronic-commerce
techniques.

▪ In the approach of the UNCITRAL Model Law, attention was given to the existing hierarchy of form
requirements.

▪ This approach singles out the basic functions of paper-based form requirements, with a view to
providing criteria which, once they are met by electronic documents, enable such e-documents to
enjoy the same level of legal recognition as corresponding paper documents performing the same
function enjoy.
E-GOVERNANCE
If the same electronic document is sent after being digitally signed by using a digital
signature certificate issued by a trustworthy digital signature certificate provider, then,
since it would be able to perform the same functions of reliability, traceability and
inalterability as a paper-based document, it would receive legal sanction.
LEGAL RECOGNITION OF ELECTRONIC RECORDS
Section 4 of the Act deems the requirement that any information be in writing or in
typewritten or printed form to be fulfilled if such information meets two conditions.

▪ Two conditions need to be met:

▪ Information should be rendered or made available in an electronic form.

▪ Information is accessible so as to be usable for a subsequent reference.

▪ ‘Accessible’ is meant to imply that information in the form of computer data should be readable and
interpretable.

▪ ‘Usable’ is not intended to cover only human use but also computer processing.
LEGAL RECOGNITION OF DIGITAL SIGNATURES
▪ Section 5 proceeds on the functional-equivalent approach.

▪ The purpose of section 5 is merely to introduce and give legal sanctity and acceptance to the use of digital
signatures.

▪ Where a law requires a person’s signature to authenticate some information or document, then, notwithstanding
anything contained in such law, the requirement is satisfied if the person authenticates it with a digital signature
in the manner that the Central Government prescribes.

▪ The mode of signature is not material; it may be paper-based or electronic. However, so
long as the functions of the signature are being performed, such signature will receive legal recognition.
LEGAL RECOGNITION OF DIGITAL SIGNATURES
▪ It is not the purpose of section 5 to ascertain whether the digital signature affixed is as
per the rules prescribed, or whether the functions of a signature have been fulfilled.

▪ The purpose is merely to provide legal recognition to a digital signature on par with a
hand-written signature wherever the law requires the affixation of such signature.
CERTIFYING AUTHORITIES
▪ A certificate authority or certification authority is an entity that issues digital
certificates. A digital certificate certifies the ownership of a public key by the named
subject of the certificate. This allows others to rely upon signatures or on assertions
made about the private key that corresponds to the certified public key.

▪ The format of these certificates is defined by the X.509 or EMV standard.


CERTIFYING AUTHORITIES
▪ Under section 17(1) of the Act, the Central Government has been empowered to appoint a
Controller for the purposes of the Act.
▪ The functions of the Controller have been enumerated under section 18 of the Act.
▪ It is the Controller’s duty to regulate and control almost each and every activity of the
Certifying Authorities.
▪ The primary work of the Certifying Authorities is the issuance of digital signatures and setting
up infrastructure for their subsequent public verification.
▪ The Controller also has the function of specifying the form and content of a Digital
Certificate and the key as also specifying the contents of written, printed, or visual
materials and advertisements that may be distributed or used in respect of a Digital
Signature Certificate and the public key.
▪ In case of conflict of interests between the Certifying Authorities and the subscribers,
the Controller has been empowered to resolve the same.
CYBER CRIMES AND OFFENCES
▪ The Indian Legislature does not provide an exact definition of cyber crime in any statute;
even the Information Technology Act, 2000, which deals with cyber crime, does not define the
term.

▪ Dr. Debarati Halder and Dr. K. Jaishankar define cybercrimes as: “Offences that are
committed against individuals or groups of individuals with a criminal motive to
intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to
the victim directly or indirectly, using modern telecommunication networks such as Internet
(Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)”

▪ Cybercrime is criminal activity that either targets or uses a computer, a computer network
or a networked device.
▪ http://www.ripublication.com/irph/ijict_spl/ijictv4n3spl_06.pdf

▪ https://www.kaspersky.com/resource-center/threats/what-is-cybercrime
CYBER CRIMES AND OFFENCES
▪ Most cybercrime is committed by cybercriminals or hackers who want to make
money.
▪ Occasionally cybercrime aims to damage computers or networks for reasons other
than profit. These could be political or personal.
Characteristics of Cyber Crime
▪ People with specialized knowledge
▪ Geographical challenges
▪ Virtual World
▪ Collection of Evidence
▪ Magnitude of crime unimaginable
CYBER CRIMES AND OFFENCES
▪ Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per
year over the next three years, reaching $8 trillion USD globally this year and $10.5
trillion USD annually by 2025, up from $3 trillion USD in 2015.
▪ Cybercrime and cyber insecurity are new entrants into the Top 10 rankings of the
most severe global risks over the next decade, according to the World Economic
Forum. Now taking the 8th spot, cybercrime now stands side-by-side with threats
including climate change and involuntary migration.
▪ According to IBM, the average cost of a data breach, including lost business,
detection and escalation, notification, and post-breach response, was $4.35 million
USD in 2022, representing a 2.6 percent increase from 2021 ($4.24 million USD).
This figure was reached by averaging out the activity-based costing related to 550
organizations suffering data breaches across 17 countries (including the U.S.,
Canada, Japan, and Australia) and 17 industries, such as healthcare, finance, and
energy.
▪ Cryptocrime, including exit scams, rug pulls, and theft will cost the world $30
billion USD in 2025 alone, Cybersecurity Ventures predicts, rising at a rate of 15
percent annually. This is nearly twice the $17.5 billion USD lost in 2021.
TYPES OF CYBERCRIME
▪ Email and internet fraud.
▪ Identity fraud (where personal information is stolen and used).
▪ Theft of financial or card payment data.
▪ Theft and sale of corporate data.
▪ Cyber-extortion (demanding money to prevent a threatened attack).
▪ Ransomware attacks (a type of cyberextortion).
▪ Cryptojacking (where hackers mine cryptocurrency using resources they do not own).
▪ Cyber-espionage (where hackers access government or company data).
▪ Interfering with systems in a way that compromises a network.
▪ Infringing copyright.
▪ Illegal gambling.
▪ Selling illegal items online.
▪ Soliciting, producing, or possessing child pornography.
CYBERCRIME: PROTECT YOURSELF
▪ Keep software and operating system updated
▪ Use anti-virus software and keep it updated
▪ Use strong passwords
▪ Never open attachments in spam emails
▪ Do not click on links in spam emails or untrusted websites
▪ Do not give out personal information unless secure
▪ Contact companies directly about suspicious requests
▪ Be mindful of which website URLs you visit
▪ Keep an eye on your bank statements
NETWORK SERVICE PROVIDER LIABILITY
▪ A network service provider (NSP) means any person or organization that provides access to
an information service in electronic form, for example an Internet service provider, cellular
service provider, customer access services, mobile satellite services etc.

▪ An NSP performs two tasks:

✔ To provide access to the network

✔ To act as an intermediary between an originator and an addressee with respect to any particular
electronic message.

The Indian IT Act, 2000 stipulates that an NSP is not liable in certain cases for any third-party
information or data made available by an ISP, if it proves that the offence was committed
without its knowledge or that it had exercised all due diligence to prevent the
commission of such offence.
NETWORK SERVICE PROVIDER LIABILITY
▪ According to section 79 of IT Act 2000,
(1) Notwithstanding anything contained in any law for the time being in force but subject to
the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third
party information, data, or communication link made available or hosted by him.
(2) The provisions of sub-section (1) shall apply if-
(a) the function of the intermediary is limited to providing access to a communication
system over which information made available by third parties is transmitted or
temporarily stored or hosted; or
(b) the intermediary does not-
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission;
(c) the intermediary observes due diligence while discharging his duties under this Act
and also observes such other guidelines as the Central Government may prescribe in this
behalf.
CYBER REGULATION APPELLATE TRIBUNAL
▪ The Cyber Regulation Appellate Tribunal (CRAT) is an independent body under the IT Act, 2000 to adjudicate
disputes related to cyber crime, cyber security, and electronic transactions.

▪ The CRAT was created to provide an appellate authority to hear appeals against the orders
passed by adjudicating officers under the IT Act.

▪ After the amendment of the IT Act in the year 2008 (which came into effect on 27.10.2009), it is known
as the Cyber Appellate Tribunal (CAT).

Constitution of CRAT:

1. A Cyber Appellate Tribunal shall consist of one person only (hereinafter referred to as the
Presiding Officer of the Cyber Appellate Tribunal) to be appointed, by notification, by the
Central Government.
CYBER REGULATION APPELLATE TRIBUNAL
Establishment of Cyber Appellate Tribunal [section 48]

(1) The Central Government shall, by notification, establish one or more appellate
tribunals to be known as the Cyber Regulations Appellate Tribunal.

(2) The Central Government shall also specify, in the notification referred to in
sub-section (1), the matters and places in relation to which the Cyber Appellate
Tribunal may exercise jurisdiction.
CYBER REGULATION APPELLATE TRIBUNAL
Procedure and powers of the Cyber Appellate Tribunal [section 58]
1. The Cyber Appellate Tribunal shall not be bound by the procedure laid down by
the Code of Civil Procedure, 1908 but shall be guided by the principles of natural
justice and, subject to the other provisions of this Act and of any rules, the Cyber
Appellate Tribunal shall have powers to regulate its own procedure including the
place at which it shall have its sittings.

2. The Cyber Appellate Tribunal shall have, for the purposes of discharging its
functions under this Act, the same powers as are vested in a civil court under the
Code of Civil Procedure, 1908,
while trying a suit, in respect of the following matters, namely:—
(a) Summoning and enforcing the attendance of any person and examining him on
oath;
(b) Requiring the discovery and production of documents or other electronic
records;
(c) Receiving evidence on affidavits;
(d) Issuing commissions for the examination of witnesses or documents;
(e) Reviewing its decisions;
(f) Dismissing an application for default or deciding it ex parte;
(g) Any other matter which may be prescribed.
CYBER REGULATION APPELLATE TRIBUNAL
▪ Every proceeding before the Cyber Appellate Tribunal shall be deemed to be a
judicial proceeding within the meaning of sections 193 and 228, and for the
purposes of section 196 of the Indian Penal Code and the Cyber Appellate Tribunal
shall be deemed to be a civil court for the purposes of section 195 and Chapter
XXVI of the Code of Criminal Procedure, 1973.
CYBER REGULATION APPELLATE TRIBUNAL
Powers of cyber appellate court:

1. Summoning and enforcing the attendance of any person and examining him on oath.

2. Requiring the discovery and production of the documents or other records.

3. Receiving evidence on affidavits.

4. Issuing commissions for examination of witnesses or documents.

5. Reviewing its decisions.

6. Dismissing an application for default or deciding it ex parte.

7. Any other matter that may be prescribed.


PENALTIES
▪ Penalty for damage to computer, computer systems etc.
▪ If any person, without the permission of the owner or of any other person who is in charge of a
computer, computer system or computer network, accesses or secures access to such
computer, computer system or computer network.
▪ Downloads, extracts or copies any data, database, or information from a computer,
computer system or computer network including any data stored in any removable
storage device.
▪ Introduces or causes to be introduced any computer contaminant or computer
virus into any computer, computer system or computer network.
▪ Damages or causes damage to any data, database, or information from a computer,
computer system or computer network including any data stored in any removable
storage device.
▪ Disrupts or causes disruption of any computer, computer system or computer
network.
▪ Denies or causes the denial of access to any computer, computer system or computer network
by any means.
▪ Provides any assistance to any person to facilitate access to a computer, computer
system or computer network in contravention of the provisions of this Act, rules or
regulations made thereunder.
▪ Charges the services availed of by a person to the account of another person by
tampering with or manipulating any computer, computer system or computer
network.
CYBER APPELLATE TRIBUNAL
Conclusion:
The first Cyber Appellate Tribunal has been established by the central government
under the Information Technology Act, 2000. The motive of the Cyber Appellate
Tribunal is to stop cyber crimes and frauds over a period of time. These
tribunals discharge their powers in the same way as the Supreme Court under the Code of
Civil Procedure, 1908. The duties of the Cyber Appellate Tribunal are discharged by
one person, who is known as the Presiding Officer. He acts and discharges his duties as a
Supreme Court judge.
