Cyber Laws

 Course Title: Cyber Laws

 Course Code: BTCOE504(B)
 Reference Books:
1. Harish Chander, Cyber Laws and IT Protection, PHI Publication.
2. Faiyaz Ahamad, KLSI, Cyber Law and Information Security,
Dreamtech Press.
3. Murray, Information Technology Law: Law and Society, 3rd Edition, Oxford
University Press Oxford 2016.
4. Sunit Belapure Nina Godbole, Cyber Security, Wiley India Pvt. Ltd.
5. Vivek Sood, Cyber Law Simplified, McGraw-Hill Publication.
 Syllabus :
Legal position of IT, e-commerce & business transactions
on the Internet under IT Act
 Unit 1 explains basics of computers, the Internet &
Cyber Laws, conceptual framework of e-commerce &
e-governance, Role of Electronic Signatures in E-
commerce
 Unit 2 covers Law Relating To Electronic Records And
Intellectual Property Rights In India
 Unit 3 describes International Efforts Relating To
Cyberspace Laws And Cyber Crimes
 InUnit 4, Penalties, Compensation and Offences Under
The Cyberspace and Internet In India are given
 The Unit 5 deals with Miscellaneous Provisions of IT Act
and Conclusions
 Unit 1
Internet, E-Commerce and E-Governance
with Reference to Free Market Economy
 Abundance (large quantity) of knowledge everywhere
 World has become ‘global village’
 Quick availability of Information through Internet
 Cyberspace on Internet Leads to free market economy
s/w
 Info. Tech. uplifted general & industrial growth
of the society
 At the same time
 Unavoidable legal problem in e-commerce & e-transactions
 Need of Amendment in IT Act 2000 in India
 E-Commerce involves digitally enabled commercial
transactions between and among organizations and
individuals.
Digitally enabled transactions include all those mediated
by digital technology.
 Commercial transactions involve the exchange of value
(e.g. Money) across organizational or individual
boundaries in return for products or services.
 Instead of traditional paper documents, information is
created, transmitted and stored in electronic form
which is easier to store and retrieve, speedier and long
lasting.
 Need of effective legal management for governing the
e-commerce and business transactions properly and
effectively.
Need for Cyber Laws

 Use of computers and IT has become essence of

modern business & the society
 It has also caused misuse of Computers & Internet
 For Internet there is no territorial limit and can be
used from any jurisdiction
 This helps in unlawful cyber criminal activities across
the world
 Hacking, bugging, cheating, pornography,
embezzlement, fraud and so on have become very
popular
 Examples
 Online credit card frauds
 Terrorist plot terror over Internet- use of photos, satellite
images, videos downloaded from G- earth
 e-commerce eliminates the need for paper based
transactions and therefore in order to facilitate and
promote it, there is an imminent need for cyber laws.
 In India- IT Act 2000
 to have proper e-commerce and e-governance &
 to provide legal recognition of electronic records and electronic
signatures
 to provide the use and acceptance of electronic records and
electronic signatures in government offices and its agencies
Historical Perspective

 Impact of the Internet and Information Technology

(IT) on Business and Society
 Internet
 fundamentally decentralized and open
 offers communication medium to people across globe
 its open architecture, digital format and unifying
protocols gives the platform to support increased
connectivity and interaction among network
 Technological development offer a vision of future
marked by new capabilities in processing speed,
transport and storage of data
 The Character & Use of Internet Technologies

 Heterogeneity of I T and their applications

 Access to Internet by using a wide variety of devices
 Transmission Control Protocol/Internet Protocol (TCP/IP) supports
the Internet's success
 Ownership of information is very hard to protect, the illicit
reuse of copyright material is commonplace, the spreading
of false and malicious information is also a daily
occurrence
 Cyber-related laws should issue out inconsistencies and
uncertainties
 Information Highways’
 Merging of all sources of information into a single
retrievable database
 Every home, office, news medium, library, data bank
business, government agency and computer will be
connected to every device, such as telephone, television, or
personal computer.
 Products and services are now available to the consumers
at every corner of the planet.
 e-commerce is the subject of intense interest in many
sectors: in government, business, service sector, amongst
consumers and academics
 A world class telecommunications infrastructure and
information is the key to rapid economic and social
development of a country
 India's strength in the software area - key player in
the just-in-time global economy speedily
 Internet transaction will involve parties from more
than one jurisdiction
 An urgent need for the international community to
develop a uniform law based on fair principles of
equality and a system for regulating the Internet and
cyberspace system in the world under the law
 Internet provides intellectual property owners with a
unlimited market for their works. At the same time, it
offers similarly expanded opportunities for those
seeking to abuse the law
 The act of registering a domain name similar to or
identical with a famous trademark
 Yahooindia.com
 Conceptual
Framework of
E-commerce:
E-governance
 What is E-commerce?

 Theconduct of business and business transactions of

any kind between the parties on the Internet and
cyberspace is called e-commerce
Starting a new business on the Internet or cyber space, the
following points must be considered:

 A thorough preparation of investigation and market research

before starting new business on Internet
 Agreements have to be made - financial commitment, contract
(foundation of legal relationship between business parties)
 Businessman should be aware of –

i) specific & probable problems ii) kind of transactions

 Anticipate certain terms and conditions of the contract which
are profitable and favorable &
Know them with legal binding
 New business can be started as i)a single owner proprietary
business, ii)partnership business with the firm name,
iii) Private Limited Company iv)as a Public Limited Company.
 Growth and Development of E-commerce
A page of a e-commerce reach the surfers anywhere in
the world very fast
 Scope of cyberspace is beyond territorial/regional
boundaries without geographical boundaries
 Transactions between people unknown to each other

 Entities under different jurisdiction

 Pervasiveness of Internet
Various Modes of E-Commerce

e-commerce operates on broad characterizations through

four modes which are as follows:
1. Advertising, sale, lease or license of tangible products
over the Internet
- goods and products such as shrink-wrapped software,
compact disks (CDs), books, machinery and so on.
2. Advertising, sale, lease or license of intangible contents
-software downloads, digitized forms of music available
for downloads, electronic newspapers, photos and
services, offered by online databases
3. Advertising, sale, or license of services
- offshore software development, online newspapers, online
ticket bookings, trading in stocks and shares, online
banking, online casino games etc
4. Advertising, sale, lease, license of tangible products
over the internet is the electronic counterpart of our
traditional order systems.
- electronic counterpart of mail-order system function as
advertising, marketing, selling medium for tangible
products derived from content providers
 Due to the amplified growth of Internet e-commerce
now includes
 retailing and wholesale businesses,
 online newspaper and other information sources and
services like pay-per-use-schemes for online databases
 subscription services
 online healthcare services
 online gambling services
 videoconferencing
 stock trading
in a way everything that the traditional methods could
offer
 Mechanism Involved in the Operation of Internet
 All machines connected to a network are generally identified
by their Internet Protocol (IP) numbers and Internet also has
its own IP number.
 The devices communicate with each other through the IP
number system functioning like two conventional telephones.
 Protocol used on the Internet is Transmission Control
Protocol/Internet Protocol (TCP/IP).
 Communication of data takes place in the form of packets. A
typical ‘packet’ contains a header as well as a data part.
 IP Addressing Scheme

 Types of IP Addresses: IPV4 & IPV6

 IPV4 – Private & Public IP address
 Private IP Address Range
 Class A – 10. X. X. X Subnet 255. 0. 0. 0 CIDR/8
 Class B – 172. 16. X. X Subnet 255. 255. 0. 0 CIDR/16

 Class C – 192. 168. X. X Subnet 255. 255. 255. 0 CIDR/24

 X : 0 - 254
 Subnet Mask: Defines Class of IP Address
 CIDR: Cisco Inter-domain Routing is representation of Subnet Mask
 NAT : Network Address Translation
 Type of Players in E-commerce

Important players involved in commercial transactions on

the Internet:
1. Network Provider:
This forms a part of the internet backbone, providing the
requisite amount of bandwidth
2. Internet Service Provider (ISP)
 contractswith the Individual users, Companies and
organizations to provide access to Internet
 dial-up or leased accounts with charges

 provides space on its servers for hosting websites.

3. The User
 important player in the e-commerce model
 system of e-commerce including purchase, sale,
payment and others are structured around the user
4. The Website
 contracts with the ISP to host its business
 The user contracts with the website for purchase, sale of
good, products or services
 If website represents its own content provider, it may
offer its products for sale otherwise offer royalty for
content providers for the purchase of rights or license
fees for products
5. The Payment Providers
 Visa or MasterCard : offers exchange collection methods
through the use of credit cards and various other forms of
electronic money
6. The Payment System Provider
 Providers of underlying technology and guidance for the
payment system providers to function
 The payment providers need to get a license from
payment system providers like RBI
7. The Software Architects
 Provide applications for both clients and server to enable
efficient service over the Internet

8. Advertiser
 Advertiser contracts with the websites and supplies ads to
increase number of users visiting the websites
9. Content Provider
 Provides product and goods to websites for sale.
 They receive part of proceeds or royalty or both from the
website
10. The Back-end System
 These are software applications that maintain inventory &
accounting
 eg: Database product from oracle & Microsoft

Besides, the players includes search engine like Google,

Yahoo or Alta Vista
 Web Development and Hosting Agreement

A customer generally obtains only one of the following services:

 File Conversation - involves file manipulation such as converting
non-HTML documents into HTML and scanning photos or graphics
and saving such files into GIF or JPEG.
 Web Design involves creating designing the look and feel of the
website, including logos and banners, navigation bars or tools,
page layout and object placement.
 Code Development - involves coding HTML pages (from scratch),
CGI (Common Gateway Interface) scripts and Java applets or other
applications.
 System Integration Website - involves integrating the website
with one or more third party applications, such as chat engines,
search engines, e-commerce store fronts etc.
 Back-end system - involve integrating the website with one or
more existing applications such as legacy systems.
 Web Hosting

Web hosting can include a number of different relationships:

 Collocation(Association) occurs when the customer locate customer
owned servers at the provider’s facility. In a straight collocation
relationship, the providers will not manipulate content on these
servers. Providers usually provide space for the servers
 In the typical hosting relationship, the provider (as opposed to
the customer) provides the servers and software in addition to the
Internet connection
 Co-branding is a popular technique used to expand the scope of
a customer website co-branding pages on a third party Servers
 Outsourcing is increasingly becoming popular. Outsourcing occurs
when a customer outsources one or more functions of its website to
& third party provider.
 The Problem of Internet Jurisdiction

 The main trouble and problem about the Internet Jurisdiction

is the presence of multiple parties in various parts of the
world who have a virtual nexus with each other
 X in India -> downloaded article from website whos owner
in England
If problem arises (after payment, article not downloaded)
Website is based in a server in Malaysia
What is the jurisdiction of such case?
 Type of Websites

For the purposes of jurisdiction, websites can be divided into

two groups:
1. Passive and Interactive Sites: These sites provide information
in a read only format’
2. Interactive Sites: These encourage the browser to enter
information identifying the browser and/or providing
background on the browser's interest or buying habits
The Role of Electronic Signatures
in E-commerce with Reference to
Free Market Economy in India
 Significance of signature -
requirement of evidence in law
the law trusting the acknowledged written word in favor of oral
agreement
Handwritten paper-based signatures -
provides certainty and proof to the personal involvement of that
person in the act of signing
shows the intent of the persons to authorize the authorship of the
text
shows the time and place of the document
impart a sense of clarity and finality to the transaction

Thus the signatures show validity and enforceability of a

document
Electronic signature is the needed to profitably carry out e-
commerce and business in the globalized free market economy
across the world.
Basic Laws of Digital and Electronic Signature in
India

 Under the IT Act, 2000, Chapter-II, Section 3 provides the

basic provisions of law as:
 Authentication of electronic records:
 any subscriber may authenticate an electronic record by
affixing his digital signature.
 The authentication of the electronic record shall be effected
by the use of asymmetric crypto system and hash function
which envelop and transform the initial electronic record
into another electronic record,
Public Key- used for encryption and
Private Key- used for decryption
A hash function is a function which when given a key, generates an
address in the table.
By the IT (Amendment) Act, 2008, the law has been
provided with another Section 3A which provides for as
follows:
1. Subscriber may authenticate any electronic record by
electronic signature or electronic authentication technique
which
(a) is considered reliable; and
(b) may be specified in the Second Schedule
 2. Any electronic signature or electronic authentication
technique shall be considered reliable if (Authentication of
Electronic Signatures and Electronic Records):

 The signature creation data or the authentication data are within

the context in which they are used, linked to the signatory or the
authenticator and to no other person
 The signature creation data or the authentication data were at the
time of signing, under the control of the signatory and of no other
person
 Any alteration to the electronic signature made after affixing such
signature is detectable
 Any alteration to the information made after its authentication by
electronic signature is detectable
 It fulfils such other conditions which may be prescribed
3. The Central Government may prescribe the procedure for the
purpose of ascertaining whether electronic signature is that of
the person by whom it is supposed to have been affixed or
authenticated.
4. The Central Government may, by notification in the Official
Gazette, add to or omit any electronic signature or electronic
authentication technique and the procedure for affixing such
signature
5. Every notification issued under sub-section (4) shall be laid
before each House of Parliament.

It’s essential to keep the validity of digital signature

under the law
Authentication of Digital Signatures and Electronic Records

Section 3 of the IT Act, 2000, provides the conditions subjects to

which an electronic record may be authenticated by means of
affixing digital signature:
 The digital signature is created in two different steps

 electronic record is converted into a message digest by

using a mathematical function known as hash function which
digitally freezes the electronic record thus ensuring the
integrity of the content of the intended communication
contained in the electronic record
 Any tampering with the contents - invalidate the digital
signature
  secondly, the identity of the person affixing the digital
signature is authenticated through the use of a private key
which attaches itself to the message digest and which can
be verified by any person who has the public key
corresponding to such private key
 verify whether the electronic record is retained intact or has
been tampered
 According to Rule 3 a digital signature — shall be created
and verified by public key cryptography
Public key cryptography
Difference Between Digital Signature and Electronic Signature

Digital Signature Electronic Signature

Characterized by a unique feature like
fingerprint that is embedded in a document
Used to secure a document
Described as any electronic symbol, process or
sound that is associated with a record or
contract
Mainly used to verify a document

A digital signature is authorized and regulated

Usually not authorized
by certification authorities
Comprised of more security features Comprised of less security features
A digital signature can be verified An electronic signature cannot be verified.
Preferred more than electronic signature due
Easy to use but less authentic
to high levels of authenticity
Particularly concerned about securing the
Shows intent to sign the contract
document
 UNCITRAL: Model Law on Electronic Commerce, 1996
 The United Nations Commission on International Trade Law
(UNCITRAL) has suggested the Model Law on e-commerce to
be followed by all the countries the world.
Securing Electronic Transactions Cryptography and
Securing Electronic Transactions

 An important condition for e-commerce’s survival is the

ability to safeguard all electronic transactions
 Cryptography uses sophisticated mathematical algorithms,
particularly a technology which is known as asymmetric
cryptography (public key cryptography).
 Therefore, if X wants to send a message to Y,
X will encrypt the message with Y’s public key and
send it to Y.
It is only Y who would be able to access the message
The Concept of Hash Function
Utility of Digital Signature’s Verification

Verification of Digital Signature

Certification, Certifying Authorities and the Status of Electronic
Signature under the Indian Law

 Any person may make an application to issue a Electronic

Signature Certificate from to Certifying Authority
 The application fee not exceeding Rs. 25000 to be paid
 On receipt of the application, Certifying Authority may after
consideration and after making such enquires issues decision
as:
(a) The applicant holds the private key corresponding to the public key to be
listed in the electronic Signature Certificate.
(b) The applicant holds a private key, which is capable of creating a electronic
signature.
(c) The public key to be listed in the certificate can be used to verify a
electronic signature affixed by the private key held by the applicant.
The Controller of Certifying Authorities may perform
all or any of the functions namely

Exercising supervision over the activities of the Certifying Authorities

(b) Certifying public keys of the Certifying Authorities;
(c) Laying down the standards to be maintained by the Certifying Authorities;
(d) Specifying the qualifications and experience which employees of the
certifying Authority should process;
(e) Specifying the conditions subject to which the Certifying Authorities shall
conduct their business;
(f) Specifying the contents of written, printed or visual materials and
advertisements that may be distributed or used in respect of a Electronic
Signature Certificate and the Public key
(g) Specifying the form and content of electronic signature and the key
(h) Specifying the form and the manner in which accounts shall be maintained
by certifying authority
(i) Specifying the term and condition subject to which auditors may be
appointed and remuneration to be paid to them
(j) Facilitating the establishment of any electronic system by a Certifying
Authority either solely or jointly with other Certifying Authorities and regulation
of such systems;
(k) Specifying the manner in which the Certifying Authorities shall conduct their
dealings with the subscriber’s
(l) Resolving any conflict of interests between the Certifying Authorities
and the subscriber’s
(m) Laying down the duties of the Certifying Authorities
(n) Maintaining a database containing the disclosure record of every
Certifying Authority containing such particulars as may be specified by
regulations, which shall be accessible to public.
Authentication and Verification of Electronic/Digital
Signatures

 Creating & Verifying e-signature for Many Legal

Purposes:
 Signer authentication : Signer not has to lose control of
his private key
 Message authentication: Use of hash results to verify
original signatures
 Affirmative act : Agreeing signer for possible legal
consequences
 Efficiency : High degree of assurance compared to
traditional paper methods
The Cost and Benefits of Implementing
Electronic/Digital Signatures in E-commerce in India

 First, there is the cost of institutional overheads of establishing

and utilizing CAs, repositories, and other important services,
as well as assuring quality in the performance of their
functions. Secondly, a subscriber or an electronic/ digital signer
will require software, and will also probably have to pay the
CA the fee for the issue of a Certificate.
 Finally, it works as an open system by retaining a high degree
of information security, even for information sent over open,
insecure but inexpensive and widely used channels.
Security Privacy of Electronic/ Digital Signatures

 It is essential that key generation is undertaken under the control of the

individual concerned and that the private keys never leaves the possession
of that person without taking strong security precautions. In case any other
approach is taken, such as generation by a Services organization or by a
government authority, serious security and privacy issues arise because
there is scope for the individual to be convincingly impersonated.
 Another important concern relates to the manner in which private keys
are stored and are backed-up and in which back-up copies are stored.
 It is also common. Some of the most privacy-intrusive risk arise from the
existo have reforms as a privacy policytence and misuse of ‘public
registers’ of various types for example telephone books, motor vehicle
register, electoral roll and registers of building approvals.
Private Key Escrow and Key Recovery Systems

 An Escrow is an arrangement under which something is placed

on deposit with a trusted party, but may be accessed by third
parties under certain conditions.
 The Keys Escrow System allows authorized Institutions under
certain conditions to decrypt data using information supplied
by one or more CAs/TTPs
 Nowadays, cryptographers are using the so-called Key
Recovery approaches as an alternative to key escrow systems.
 In this case, there are a series of digits, for instance, a six-digit
combination (instead of actual number) that the house owner may
give to his trusted party
Obligation of a Certifying Authority and Certificate
Management

 The CA is expected to disclose adequate information

to its subscribers and also the relying parties on the
assurance levels in the Certificates that it issues and
the limitations of its liabilities
 To ensure the integrity of Electronic/Digital
Certificates, the CA must implement appropriate
security controls like:
 certificate registration, generation issuance of certificate,
publication renewal, suspension of certificate, their
revocation(cancellation) and related to security controls.
 Security Threats to Cyberspace and E-commerce

The Indian Computer Emergency Response Team shall serve as the

National Agency for performing the following functions in the area
of cyber security:
(a) Collection, analysis and dissemination of information on cyber
incidents.
(b) Forecast and alerts of cyber security incidents.
(c) Emergency measures for handling cyber security incidents.
(d) Coordination of cyber incidents response activities.
(e) Issue guidelines, advisories, vulnerability notes and whitepapers
relating to information security practices, procedures, preventation,
response and reporting of cyber incidents.
(f) Such other functions relating to cyber security as may be
prescribed.
The biggest threats on the Internet are as follows:
 Internet Explorer tops the list of Internet security attack
targets in the most recent joint report of the FBI and security
organization SANS Institute.
 Phishing and identity theft—In this case, the message may
ask the user to click a link that leads to a fake Web page
complete with realistic user-name and password log-in
fields, or it might ask for credit card numbers.
 Malware, which is a software designed to penetrate or
damage a computer system without the owner’s informed
concerned. Malware doesn’t need description as most of the
user certainly on one occasion or other encountered some
problem related to Malwares.
International Efforts to Enact Laws Relating to
Electronic/ Digital Signatures

 a set of guidelines for cryptography policy

Different Approaches of Digital Signatures

 Prescriptive approaches of Digital Signature:

 This approach establishes a detailed Public Key
Infrastructure (PKI) licensing scheme, allocates duties
between contracting parties, prescribes liability
standards and creates evidentiary presumptions and
standards for signature or document authentication.
 Criteria Based Approach:
 a broad criteria may be apply both to electronic
and digital signature, since it is designed to lay
the requirements for trustworthiness and security
 Signature-enabling Category Approach:
 Inthis approach, general laws permit any electronic
mark that is intended to authenticate writing to satisfy
a signature requirement.