Combined Study Material
(Deemed University)
IN
CYBER LAW
STUDY MATERIAL
Paper- III Intellectual Property Rights in the Cyber world 266 – 331
Hardware components
Anything in a computer that we can touch and see is called hardware, e.g. the monitor, keyboard,
mouse, tower (the enclosure for the computer's electronics), motherboard, processor and storage
media (HDD, floppy disk, CD, DVD, Blu-ray disc). The parts that make up computer hardware are
discussed one by one below.
Hardware covers all the components used to interact with the computer and to obtain output from
devices such as the monitor or printer. Another example: you can touch and see a CD and read the
label printed on it, but you cannot read the information stored in it; the CD is hardware, while the
information stored on it is software (data). A few of the important hardware devices are discussed
below:
Display Unit
Also known as the Visual Display Unit (VDU) or monitor, it is a device that reproduces images, both
moving and static. The display unit referred to here is the one used with computers. The basic
function of a VDU is to show the output of a computer, traditionally through a VGA (Video Graphics
Array) port; newer monitors use digital connectors such as DVI, HDMI or DisplayPort. This port is
either built into the motherboard or provided by a separate card, called a display card (also a
graphics card, video card or PCI Express x16 card). A VDU usually has two cables attached to it: a
power cable, which supplies its circuits and screen, and a data cable, which carries the signal for
the image. The other end of the data cable is attached to the graphics output of the computer.
A display is made up of many coloured dots aligned and combined together to form an image on
the screen. Each dot combines three basic colours, red, green and blue. Each colour can take a
value from 0 to 255, i.e. 256 shades, so each dot can represent up to 256 x 256 x 256 = 16,777,216
colours. It is the combination of these three basic colours that finally shows one dot in a particular
colour and shade. Each such dot (red, green and blue taken as one group) is called a pixel. A typical
monitor of that time had 1024 x 768 pixels, i.e. 786,432 pixels in total. The monitor repaints each
of these pixels about 60 times a second. This is called the refresh rate of the monitor and is
expressed in Hz (times per second); monitors commonly refresh at 60 Hz to 100 Hz. So when
buying a monitor one has to decide on these basic properties and then on the size of the screen as
per requirement. The higher the refresh rate, the smoother moving images appear.
CRT Monitors: CRT stands for Cathode Ray Tube. In a CRT, an electron beam is fired by an
electron gun and deflected by electromagnets and their driving circuits in such a way that
the beam sweeps the screen from left to right, completes one line, moves down to the next
line and sweeps it left to right, and so on until it reaches the bottom of the screen. A typical
computer monitor completes 60 such cycles in one second.
The number of such cycles per second is the refresh rate. Monitors have refresh rates of
60 Hz to 100 Hz.
Part names (CRT diagram):
1. Electron guns (three: one each for red, green and blue).
2. Electron beams.
3. Focusing coils.
4. Deflecting electromagnetic coils.
5. Anode connection.
6. Shadow mask, which separates the beams for red, green and blue.
7. Phosphor layer with red, green and blue zones.
8. Enlarged view of the phosphor coating on the inner side of the screen.
Input Devices: Various input devices can be used with a computer, the most basic being the
keyboard.
Input devices are the media through which a user gives instructions and data to the
computer so that the required output (immediate or later) can be produced. If the
computer's hardware is in order, it supports the basic input and output devices without any
extra software (drivers): even when no operating system is installed, the keyboard (a basic
input device) is recognised by the firmware (BIOS/UEFI) and can send instructions and
signals to the computer. Other input devices include the mouse, light pen, touch screen,
scanner, web-cam, microphone, punched cards, etc.
The Tower / Computer Casing: This is the enclosure for the power supply (SMPS), motherboard,
processor, RAM, HDD, optical drives, add-on cards and other internal parts that plug directly
into the motherboard. It is designed to maintain a proper flow of air so that the internal parts
stay cool enough to give optimum performance; left in the open, things would also not look
tidy. Each device inside the tower has its own space, which makes maintenance and upgrades
easy: the HDD, FDD, optical drives, motherboard and SMPS all have their respective bays.
Towers are classified by various factors, the most important being the size of the motherboard,
and are named after the motherboard form factor they accept. Common form factors of
casings/motherboards, in increasing order of size, are: Pico-ITX, Nano-ITX, Mini-ITX, Micro-ATX
and Standard ATX. The computer case is often also called the 'CPU' (Central Processing Unit),
but this is misleading, as CPU is also the name for the processor (microprocessor). It is
therefore better to say 'computer casing' or 'tower', which makes clear which part of the
computer is being referred to.
SMPS: SMPS stands for Switch Mode Power Supply. It converts the mains AC supply into the low
DC voltages used by the motherboard and the drives.
Figure: SMPS output connectors, i.e. the motherboard power connector, the power connectors for
HDD/optical drives/FDD, and the connector for SATA drives.
Motherboard: A motherboard is identified by the name of the main chip installed on it, usually
referred to as the 'chipset'. There are only a few chipset manufacturers, e.g. Intel, AMD,
NVIDIA, VIA and SiS. Since developing such chips requires very high investment and is highly
complex, only a few manufacturers make them. Various assemblers (motherboard
manufacturers) use these chips on their boards; e.g. Asus may use Intel or VIA chipsets on its
motherboards, which are then referred to as Intel-chipset or VIA-chipset boards made by Asus.
Motherboard manufacturers include Asus, Intel, Gigabyte, ASRock etc. A typical motherboard
picture is shown below, for reference only.
Figure: an Intel-chipset motherboard, manufactured by Intel.
Processor: The processor is the main component of the computer; it carries out (executes) the
instructions it receives. In most cases these instructions reach it in binary form (machine
language) via the operating system, whether invoked by a user or by a program. The main
processor designers today are Intel, AMD and ARM (whose architecture is used mostly in mobile
devices; Apple's A4/A5/A5X chips are ARM-based designs). Most other manufacturers were
eventually absorbed into the bigger groups, Intel and AMD. The processor is the most important
factor governing how fast instructions are processed, i.e. the speed of a computer. Since the
processor is the fastest chip in any computer, instructions stored in RAM face a speed mismatch
and a fetch delay. To overcome this, a small memory is built into the processor. Conceptually
similar to RAM but much faster than the RAM installed on the motherboard, this special memory
is called cache memory. Cache is usually Static RAM (SRAM), whereas main memory is DRAM
(Dynamic Random Access Memory).
New-generation processors are described by their speed and number of cores. Earlier, the
technology was very costly, but as it became cheaper and smaller, packing more cores per unit
became possible. A single core may be regarded as one processor in itself. Today multiple cores
are combined in a single package; in other words, more than one processor is packed into one
housing. Intel's first range of multi-core processors was the Dual-Core line, followed by the
popular Core 2 Duo series. In 2006 Intel launched quad-core processors. Its later desktop and
high-end series are the Core i5 and i7, which again have multiple cores and make use of cache
memory dynamically. AMD also has multi-core processors such as the AMD Phenom II and
AMD Athlon II.
RAM: RAM stands for Random Access Memory. It consists of chips that store data
temporarily. The processor is the fastest chip in any computer, but if it does not receive
its instructions and data fast enough, the computer will still be slow. To queue up the
instructions going to the processor, they are first stored in RAM; this is what 'loading' a
program means. Once the program is loaded, processor and RAM work hand-in-hand to do
the required tasks. A typical example: you are preparing notes in a word processor and have
typed a few pages; while typing the seventh page, the power fails. If you did not tell the
computer to save to a storage medium (HDD, USB drive etc.), you lose everything you
typed, because until you gave that instruction it existed only in RAM, which loses its
contents without power. One may ask, then, why use RAM at all? A short explanation: when
you double-click a document file it takes several seconds to appear on screen, because the
whole document is being loaded into RAM. This is done once, when you open it. Without
RAM, every modification to a word or sentence would have to go to the hard disk and be
updated there, and the mechanical movement of the disk would make work very slow, with
the hard disk as the bottleneck. Memory is therefore a key factor governing the efficiency of
a computer: the more memory, the more applications it can handle at once. Processor and
RAM usage can be monitored from the Windows Task Manager.
It can rightly be said that the processor governs the speed of a computer, while RAM
governs its ability to handle several programs at once. A faster processor completes
calculations faster, and more RAM lets more programs run at the same time without
slowing down.
HDD: HDD stands for Hard Disk Drive. These devices fall under storage devices; they
retain data even when the computer is turned off.
Humans record data on paper with pen and ink. We store music on gramophone records,
cassettes, CDs, Blu-ray discs etc. All of these are storage media that keep information for
our use; we can record or re-record on them within the life span and limitations of the
medium. Similarly, the hard disk is the primary storage device for a user's programs, data
and information on a computer.
A hard disk drive (HDD) is a data storage device that serves as the main storage device on
most computers and on a growing number of other products, including video surveillance
equipment, scientific instruments, cameras, television set-top boxes, satellite TV receivers
and portable music players (such as Apple's iPod).
Inside a hard disk, several such record-like discs, called platters, are stacked on a
single spindle. Data is recorded on both sides of each platter with the help of
multiple heads (in some drives the outermost surface of the top and bottom platter
is left unused). A platter is a thin, high-precision aluminium or glass disk coated on
each side with a very thin layer (typically only a few millionths of an inch thick) of
high-precision magnetic material in which the actual data is stored. Data is written
to and read from this coating by magnetic heads, which are highly sensitive,
high-precision electromagnets. There is usually one head for each recorded side of
each platter.
The magnetic coating on each side of each platter is divided into tracks. A track is
any of the concentric circles on the magnetic medium over which one head passes
while the head is stationary and the disk is spinning. Each track on a modern HDD is
only a few microns (millionths of a metre) wide, and there can be tens of thousands
of tracks on each platter. The thinner the tracks, the greater the storage capacity of
the disk. The imaginary cylinder formed by the same track number on every side of
every platter is called a cylinder.
Tracks are divided into segments called sectors. A sector traditionally holds 512
bytes (newer 'Advanced Format' drives use 4096-byte physical sectors, usually
presented to the operating system as 512-byte logical sectors) and is the smallest
unit of data that the drive can read or write, although software makes it possible to
address individual bytes and even individual bits. Older systems located data by its
cylinder, head and sector (CHS) numbers; modern drives present a single linear
sector number (Logical Block Addressing, LBA), and the operating system records
which sectors each file occupies.
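The cylinder/head/sector arithmetic described above, as an added example (not code from the study material). The geometry used in the demonstration is the classic 1024 cylinders x 16 heads x 63 sectors that old BIOSes could address, which is what produced the well-known 528 MB limit; the file size and start sector are constructed values. It also shows why the last sector of a file is only partly used (slack space), which is the part of a disk a forensic examiner looks at for remnants of earlier data.

```python
"""CHS <-> LBA address arithmetic for a hard disk.

Added example; the geometry below is a constructed sample. Real drives
report their own geometry, and modern drives expose only LBA to the host.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Geometry:
    cylinders: int
    heads: int              # one head per recorded platter surface
    sectors_per_track: int
    sector_size: int = 512  # 4096 on Advanced Format drives

    @property
    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors_per_track

    @property
    def capacity_bytes(self) -> int:
        return self.total_sectors * self.sector_size


def chs_to_lba(geo: Geometry, c: int, h: int, s: int) -> int:
    """Cylinders and heads count from 0, sectors within a track from 1."""
    if not (0 <= c < geo.cylinders and 0 <= h < geo.heads
            and 1 <= s <= geo.sectors_per_track):
        raise ValueError("address outside disk geometry")
    return (c * geo.heads + h) * geo.sectors_per_track + (s - 1)


def lba_to_chs(geo: Geometry, lba: int) -> tuple[int, int, int]:
    """Inverse of chs_to_lba."""
    if not 0 <= lba < geo.total_sectors:
        raise ValueError("LBA outside disk")
    s = lba % geo.sectors_per_track + 1
    per_cyl = lba // geo.sectors_per_track
    return per_cyl // geo.heads, per_cyl % geo.heads, s


def file_sectors(geo: Geometry, start_lba: int, size_bytes: int) -> list[int]:
    """Sectors a file occupies: the whole last sector is reserved even if
    only a few bytes of it hold file data."""
    count = -(-size_bytes // geo.sector_size)  # ceiling division
    return list(range(start_lba, start_lba + count))


def slack_bytes(geo: Geometry, size_bytes: int) -> int:
    """Unused bytes at the end of the file's last sector (slack space)."""
    return (-size_bytes) % geo.sector_size


if __name__ == "__main__":
    g = Geometry(cylinders=1024, heads=16, sectors_per_track=63)
    print("capacity:", g.capacity_bytes, "bytes")           # 528482304
    print("C/H/S 3,2,7 -> LBA", chs_to_lba(g, 3, 2, 7))
    print("LBA 1032191 ->", lba_to_chs(g, 1032191))        # last sector
    print("1000-byte file at LBA 10 uses", file_sectors(g, 10, 1000),
          "with", slack_bytes(g, 1000), "slack bytes")
```

Changing sector_size to 4096 in the Geometry shows why the same file wastes more slack on an Advanced Format drive, and why a tool that assumes 512-byte sectors mis-addresses such a disk.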
The history of HDDs has been one of continuous rapid progress, particularly in
capacity, reliability, miniaturisation and cost reduction. This has resulted from
advances in several areas: improved magnetic media with greater areal density (more
data per unit of area), more precise heads, motors and other mechanical parts, and
improved control circuitry. A block diagram of an HDD is shown below.
Each hard disk drive has two main connectors: one for power, drawn directly from
the SMPS, and one for the data cable. Based on the data interface there are two
types of hard disk, PATA (Parallel ATA) and SATA (Serial ATA), where ATA is short for
Advanced Technology Attachment. (In early PCs, the IBM models were named XT, for
eXtended Technology, and AT, for Advanced Technology.)
Solid State Disk (SSD): For years there has been much interest in replacing HDDs with
solid-state storage, mainly flash memory, because solid-state devices have huge
advantages in weight, power consumption, shock resistance and longevity. Unlike
conventional memory (RAM), flash memory retains its contents even without a power
supply. Flash is the same kind of chip used in USB pen drives.
However, because the cost per bit is still far higher for flash than for HDDs, and
substantial improvements are still being made in HDD capacity and performance, no
large-scale replacement was expected for some years. Rather, replacement has been
mainly for applications in which miniaturisation and durability matter more than price,
such as ultra-portable computers, portable music players, scientific instruments and
military laptops and equipment. At the time of writing, most SSDs came in capacities
up to 128 GB, with only a few offering up to 800 GB, but as the cost of flash declines
SSDs look set to replace conventional magnetic HDDs. Note that an SSD's controller
moves data around internally (wear levelling), so overwriting or recovering deleted
data on an SSD behaves differently from doing so on a magnetic disk.
Optical Disc Drives (ODD): An optical disc drive is a drive that uses laser light (or
electromagnetic waves near the visible spectrum) to read data from, or write data to,
optical storage media (discs). Some drives can only read discs, but recent drives are
commonly both readers and recorders (writers). Compact discs, DVDs, HD DVDs and
Blu-ray discs are the common types of optical media read and recorded by such drives.
The earliest were CDs (Compact Discs), with a capacity of up to 650 MB (700 MB for
later discs). Advances in laser technology then allowed a thinner beam to read and
write, storing more data on a disc of the same size: the DVD holds 4.7 GB, or 8.5 GB on
a single-sided double-layer disc. Using a shorter-wavelength (blue-violet) laser gave the
latest form, the Blu-ray disc. These were expensive at first but have large capacity: a
single-layer Blu-ray disc stores 25 GB and a dual-layer disc 50 GB (the later BDXL
format reaches 100 GB or 128 GB).
amplified with the help of amplifiers or amplified speakers (multimedia speakers).
Headphones, however, can be connected directly to these ports. Analogue audio
ports normally use the standard 3.5 mm three-contact (stereo) plug, which is also
used by other music devices such as the Walkman, MP3 players, iPods and music
systems.
Serial Ports: A serial port is a communication port that transfers information one
bit at a time. It is being phased out and replaced by the USB port. These ports were
used with dial-up modems and other communication devices.
Parallel port / LPT1 port: This is another form of communication port. It can
transfer several bits of information at a time. It was primarily used for printers, and
allowed the printer to send feedback (paper jam etc.) to the computer, so it was
also known as the printer port. This technology is likewise being phased out in
favour of USB.
USB Ports: USB stands for Universal Serial Bus. It is yet another form of
communication port. Small devices can draw 5 V power from the port itself and
need no separate power source. E.g. a printer consumes more power, so it needs its
own power adaptor and uses the USB cable only for communication, whereas a USB
pen drive is powered by the port itself. Three versions of USB are in use. USB 1.x
(1.0 and 1.1) was the first release, with transfer rates of 1.5 Mbit/s and 12 Mbit/s.
USB 2.0 has a transfer rate of up to 480 Mbit/s. USB 3.0 signals at 5 Gbit/s, which
gives a usable transfer rate of about 3.2 Gbit/s.
Peripherals
Printers: A printer is a peripheral that produces a hard copy of digital information
stored as a file or picture on a computer storage device. Printers usually have two
connectors: a power port and a communication port. Communication may be wired
or wireless (Bluetooth or Wi-Fi). A printer can be connected to a personal computer
by an LPT (parallel) cable or a USB cable, or to a LAN port (RJ45) through a network
hub/switch. Since a printer has many day-to-day uses it is often combined with
other functions, as a scanner, printer and photocopier, or as an All-In-One (AIO) that
serves as scanner, printer, photocopier and fax. There are several types of printer,
categorised by their print technology:
Plotters: These are very accurate at producing long line drawings and are
commonly used for technical drawings such as engineering drawings or
architectural blueprints. There are two types: flatbed and drum plotters. A
flatbed plotter has a horizontal flat surface to which a sheet of paper is attached;
the paper stays stationary and the plotter moves pens across it to draw the
image. Drum plotters, also called upright plotters, are vertically positioned and
have a drum over which the paper rolls. Drum plotters are usually noisier and
more compact than flatbed plotters.
Thermal Printers: These are usually label printers, seen in grocery shops,
airports etc. They are very fast, print at high resolution and are usually used for
bar codes. A thermal printer works somewhat like an impact printer, but instead
of striking the paper, a print head heats either a ribbon (thermal transfer) or a
heat-sensitive paper (direct thermal) to form the image. Direct-thermal prints
fade with time and heat, which is why the print on some receipts disappears.
Multimedia Speakers: These output devices fall under multimedia and produce
output in the form of sound. They connect through the sound port on the
computer, which may be on-board or on an additional sound card.
USB Pen Drives: These are the most convenient way to carry data. A pen drive is
very portable and reasonably reliable. It uses the USB port for communication and
can be plugged in or removed while the computer is on; in other words, it is
hot-pluggable. It is detected automatically by newer versions of operating systems
(Windows XP, Vista, Windows 7, Windows 8 etc.), so no extra software is needed. A
few drives come with password-protection or encryption features that require
additional software to be installed or configured. Because the operating system
trusts a USB device's own declaration of what it is, a device that looks like a pen
drive can also present itself as a keyboard or a network adapter; for this reason
many organisations restrict which USB devices may be attached to their computers.
Add-on Cards:
We use a wide variety of electronic gadgets. Depending on their power consumption they have
different plugs that go into the wall socket; in household gadgets 15 A and 5 A plugs are the most
common. You only have to check the voltage and power specifications given by the manufacturer
and then plug in your device, because an industry standard followed by all manufacturers lets any
electrical appliance be plugged into any wall socket (provided it meets the technical
specifications). Similarly, in computers people wanted more to be achieved with the same
hardware, e.g. a fax-modem card, so that the computer could also be used as a fax machine and
send a word-processor document by fax directly. To add such hardware cards, a common design
format (a standard expansion slot) is followed. The most common add-on cards are listed below:
be configured on the respective operating system. They may require additional
application software in order to make use of the card.
Graphics Enhancement Cards (PCI Express x16, PCI): These add-on cards are
installed in the high-speed slots on the motherboard. Motherboards these days
usually come with an on-board display (graphics) chip, but some users, such as DTP
designers, architects and gamers, install accelerated graphics cards that drive
higher resolutions and faster refresh rates (which smooth motion). These cards
have their own memory (RAM) and their own processor (GPU), and so indirectly
reduce the load on the main processor to some extent.
PCI dial-up modem: This add-on card lets the computer perform fax-machine
functions and connect to the internet over a dial-up connection. Modem stands
for MOdulator-DEModulator: the computer sends and receives data in digital form,
the telephone line carries analogue signals, and the modem converts one to the
other. This technology has become obsolete and is hardly used now, as broadband
has become much cheaper and faster and allows the telephone and the internet to
work simultaneously. Note that broadband devices are also modems, only much
faster; these DSL modems are not built into the computer, and ISPs (Internet
Service Providers) supply their own high-speed modems.
is on. However, this concept is already obsolete and has been replaced by USB.
USB Data Cards: These days a portable modem is more common. It uses the air as
its medium to connect to the provider's servers, in the same way that a mobile
phone works: as a mobile phone connects wirelessly to the nearest tower and
carries voice, these portable modems carry data. Service providers in India include
Tata Photon, Reliance Netconnect and MTNL wireless 3G.
The hardware devices are only one part of a computer and can do virtually nothing on their own.
Even if all these devices are assembled and switched on, the machine will simply wait for
instructions from software, i.e. the operating system. This is covered in later sections.
Software – What makes a computer dynamic
In the early days of computing, machines were built for specific tasks; to change the purpose,
one had to redesign or modify the machine itself. In 1801, Joseph-Marie Jacquard developed a
loom in which the pattern being woven was controlled by punched cards, without any
modification to the loom. The punched card served the role that software serves today.
It is software that makes our computers versatile. One can play a movie DVD, play games or use
a word processor; the only thing the user has to do is choose the appropriate software. Software
comes in various kinds, categorised by the role it plays. Software acts as the interface between
the computer hardware (electronics) and the end user who uses the computer for a specific
purpose. Software may be categorised as operating system, driver software and application
software.
These days the interface is usually a GUI (Graphical User Interface), i.e. a picture-based
interface. A GUI offers several ways to reach the same application, e.g. MS Paint can be
opened by clicking Start -> All Programs -> Accessories -> Paint, or by creating a shortcut
on the desktop and double-clicking the Paint icon. It thus gives various ways of achieving
the desired goal of running an application.
A typical desktop of Windows 8
Some operating-system vendors build many more utility programs and auxiliary
functions into their operating systems (e.g. Calculator, WordPad and Internet
Explorer in Windows).
A process can be in various states; only a few of them are listed below:
Suspended (more precisely, waiting or blocked): Many processes consume no CPU
time until they receive some sort of input. In this state the process is put 'on hold'
for some time or is waiting for further instruction. For example, a process might be
waiting for a keystroke from the user; while it waits for the keystroke it uses no
CPU time.
Device Management: The OS also manages devices with the help of drivers (device driver
software), a specific type of software written to allow interaction with hardware devices. A
driver translates between the electrical signals of the hardware subsystems and the
high-level interfaces of the operating system and application programs, e.g. for managing
external hard drives, printers, scanners etc.
Storage Management: This part of the OS manages drives, storage systems, files and file
security (permissions). Operating systems support a variety of native file systems. Linux
has a wide range: ext2, ext3, ext4, Btrfs, ReiserFS, Reiser4, GFS, GFS2, OCFS, OCFS2 and
NILFS, with full support for XFS and JFS, the FAT family and NTFS. Windows has more
limited file-system support: FAT12, FAT16, FAT32, exFAT and NTFS. NTFS is the most
capable and reliable of these. FAT is older than NTFS, has limits on partition and file size
(a single file on FAT32 cannot exceed 4 GB) and stores no ownership or access-control
information, so it cannot protect one user's files from another.
The OS manages the saving of files. E.g. when you save a file in a word-processing
application, the application sends the OS a request with (a) the location, (b) the
file name and (c) the file size; the OS checks that there is enough space at the
location, physically writes to the medium (HDD, USB drive etc.) and reports back
whether the write succeeded. All such background activities are taken care of by
the OS.
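The save flow just described, written out as an added example (not code from the study material) the way a careful application performs it with the operating system's file API. The file names and contents are constructed. Beyond the steps in the text, it shows the two details that matter when the power fails mid-save, as in the RAM example earlier: the data is forced out of RAM onto the medium with fsync, and the new version replaces the old one by an atomic rename, so the disk holds either the complete old file or the complete new one, never a half-written mix.

```python
"""Saving a file: ask the OS for free space, write, sync, rename into place.

Added example. Steps:
 1. ask the OS how much space the target location has (shutil.disk_usage)
 2. write into a temporary file in the same directory
 3. flush and fsync so the bytes reach the medium, not just the OS cache
 4. os.replace() the temporary file over the target; on one volume this
    rename is atomic, so a crash leaves the old file or the new one intact
"""
import os
import shutil
import tempfile


def free_space(location: str) -> int:
    """Bytes free on the volume holding `location`, as reported by the OS."""
    return shutil.disk_usage(location).free


def ensure_space(location: str, size: int) -> None:
    """The OS-side check: refuse the write if the medium cannot hold it."""
    if free_space(location) < size:
        raise OSError(f"not enough space at {location} for {size} bytes")


def save_file(location: str, name: str, data: bytes) -> str:
    """Write `data` as location/name atomically; return the final path."""
    ensure_space(location, len(data))
    target = os.path.join(location, name)
    fd, tmp = tempfile.mkstemp(dir=location, prefix=name + ".", suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())   # push the data from RAM to the medium
        os.replace(tmp, target)    # atomic rename; replaces any old version
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)         # never leave a half-written temp file behind
        raise
    return target


def demo() -> dict:
    """Run the flow in a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as d:
        save_file(d, "notes.txt", b"page 1\n")                 # first save
        path = save_file(d, "notes.txt", b"page 1\npage 2\n")  # overwrite
        with open(path, "rb") as f:
            content = f.read()
        leftovers = [n for n in os.listdir(d) if n.endswith(".tmp")]
        try:
            # ask for far more than the volume has: the check must refuse
            ensure_space(d, free_space(d) + (1 << 40))
            rejected = False
        except OSError:
            rejected = True
    return {"content": content, "leftover_tmp": leftovers,
            "space_check_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Writing directly into the target file instead of a temporary one is the common mistake: if power fails after the file has been truncated but before the new contents are fully written, both the old and the new document are lost.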
Application Programming Interfaces (APIs): Just as drivers let applications use hardware
subsystems without knowing every detail of the hardware's operation, application
programming interfaces (APIs) let programmers use functions of the computer and
operating system without keeping track of all the details of the CPU's operation. E.g. a
programmer does not write code to store a file sector by sector; the program simply asks
the OS, through its file API, to save the file. When a word processor saves a document, it
collects the information from the user and passes it to one of the OS's APIs.
User Interface: The user interface brings structure to the interaction between a user and
the computer. A GUI (Graphical User Interface) provides a desktop environment; in
Windows, the Start menu lets one choose applications, and Windows Explorer helps browse
folders and files. DOS uses commands such as DIR, which is a CLI (Command Line
Interface).
Driver Software: A driver is a specially written program that understands the operation of
the device it interfaces with, such as a printer, video card, sound card or CD-ROM drive. It
translates commands from the operating system or user into commands understood by the
hardware component, and translates the component's responses back into responses that
can be understood by the operating system, application program or user.
application software, e.g. word-processing software, spreadsheets, and graphics and
multimedia software such as Photoshop, PowerPoint and Tally.
of charts (bar graphs, pie charts etc.). Spreadsheets are also used for financial
information because of their ability to recalculate the entire sheet automatically
after a change to a single cell. A sample spreadsheet is shown below.
Computer Languages
Have you ever wondered how the spreadsheets, games, word processors and other
application software you use are made? They have to be built before you can use them,
and even operating systems (Windows XP, Linux etc.) are built using tools. These tools are
programming languages: special software that helps construct other software, whether an
OS, an application, driver software or another language. You may have heard of Assembly,
Borland C, Visual C++, FoxPro and Fortran; all are examples of computer languages. A
computer language is used to produce a special file that the computer can execute, either
directly or with the help of the operating system. The executable produced for a program
is tied to a specific hardware environment, i.e. the processor architecture for which it is
made.
Figure: levels of computer language, from highest to lowest:
High-level languages: C, C++, Visual C++, Visual BASIC, Fortran, Pascal
Assembly language
Low-level language
Machine language
Hardware
electronic circuit and software (or firmware), it becomes possible to process
information. These include instructions such as add, subtract, multiply and divide.
Binary language is often called machine language, as it is the most basic, lowest-level
language that a digital circuit (a computer in particular) can understand. In the early
phase of computer development the complete circuit had to be changed and
re-engineered for each new task. In the second phase, computers were modified to
take input from punched cards, which served both to store the program (the set of
instructions) and as the input device for the system. Nowadays we use keyboards,
mice and touch screens to key in instructions or run programs stored or installed on
permanent storage media such as a hard disk, USB drive or other storage.
Software makes a computer dynamic and versatile: the same set of hardware can be used as a
gaming device, an entertainment device, for web browsing, for searching information, and so on.
Chapter 2: Hard disk cloning, backup and restoration
Hard disk Backup
Backup-to-disk refers to technology that allows one to back up large amounts of data to a disk
storage unit. It is often supplemented by tape drives for data archival, or by replication to another
facility for disaster recovery. Backup-to-disk has several advantages over traditional tape backup
for both technical and business reasons.
Types of Backup
Unstructured
A repository of this type contains complete system images taken at one or more specific
points in time. This technology is frequently used by computer technicians to record known
good configurations. Imaging is generally more useful for deploying a standard
configuration to many systems than as a tool for making ongoing backups of diverse
systems.
Incremental
An incremental style repository aims to make it more feasible to store backups from more
points in time by organizing the data into increments of change between points in time. This
eliminates the need to store duplicate copies of unchanged data: with full backups a lot of
the data will be unchanged from what has been backed up previously. Typically, a full
backup (of all files) is made on one occasion (or at infrequent intervals) and serves as the
reference point for an incremental backup set. After that, a number of incremental backups
are made after successive time periods. Restoring the whole system to the date of the last
incremental backup requires starting from the last full backup taken before the data
loss, and then applying in turn each of the incremental backups made since then. Additionally,
some backup systems can reorganize the repository to synthesize full backups from a series
of incrementals.
Differential
Each differential backup saves the data that has changed since the last full backup. It has the
advantage that only a maximum of two data sets is needed to restore the data. One
disadvantage, compared to the incremental backup method, is that as time from the last full
backup (and thus the accumulated changes in data) increases, so does the time to perform
the differential backup. Restoring an entire system would require starting from the most
recent full backup and then applying just the last differential backup since the last full
backup.
Note: Vendors have standardized on the meaning of the terms "incremental backup" and
"differential backup". However, there have been cases where conflicting definitions of these
terms have been used. The most relevant characteristic of an incremental backup is which
reference point it uses to check for changes. By standard definition, a differential backup
copies files that have been created or changed since the last full backup, regardless of
whether any other differential backups have been made since then, whereas an incremental
backup copies files that have been created or changed since the most recent backup of any
type (full or incremental). Other variations of incremental backup include multi-level
incremental and incremental backups that compare parts of files instead of just the whole
file.
Reverse delta
A reverse delta type repository stores a recent "mirror" of the source data and a series of
differences between the mirror in its current state and its previous states. A reverse delta
backup will start with a normal full backup. After the full backup is performed, the system
will periodically synchronize the full backup with the live copy, while storing the data
necessary to reconstruct older versions. This can either be done using hard links, or using
binary diffs. This system works particularly well for large, slowly changing data sets.
Examples of programs that use this method are rdiff-backup and Time Machine.
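The three repository models described above (incremental, differential and reverse delta) differ mainly in which backup sets must be read to restore a given point in time, and in how the stored deltas grow. The following simulator, added here as an example and not taken from the study material or from any backup product, makes that concrete over a constructed in-memory "file system" (a dict of path to content). The snapshot data, the delta format and the set-counting rule are all assumptions of this model.

```python
"""Backup repository models: full + incremental, full + differential, and
reverse delta, over a constructed in-memory 'file system' (path -> content).
Added example for this study material; no real disks are involved."""

# Constructed snapshots of a tiny file system at successive points in time t0..t3.
SNAPSHOTS = [
    {"a.txt": "v1", "b.txt": "v1", "c.txt": "v1"},  # t0: the full backup is taken here
    {"a.txt": "v2", "b.txt": "v1", "c.txt": "v1"},  # t1: a.txt changed
    {"a.txt": "v2", "b.txt": "v2", "c.txt": "v1"},  # t2: b.txt changed
    {"a.txt": "v2", "b.txt": "v2", "d.txt": "v1"},  # t3: c.txt deleted, d.txt created
]


def delta(old, new):
    """Changes that turn snapshot `old` into snapshot `new`: new/changed files plus deletions."""
    changed = {p: c for p, c in new.items() if old.get(p) != c}
    deleted = sorted(p for p in old if p not in new)
    return {"changed": changed, "deleted": deleted}


def delta_size(d):
    """Number of entries a delta has to store (a rough proxy for its size on media)."""
    return len(d["changed"]) + len(d["deleted"])


def apply_delta(state, d):
    """Return a new state with the delta's changes and deletions applied."""
    state = dict(state)
    state.update(d["changed"])
    for p in d["deleted"]:
        state.pop(p, None)
    return state


def incremental_chain(snapshots):
    """Full backup at t0, then each increment relative to the previous backup of any type."""
    full = dict(snapshots[0])
    incs = [delta(snapshots[i - 1], snapshots[i]) for i in range(1, len(snapshots))]
    return full, incs


def restore_incremental(full, incs, upto):
    """Restoring to point `upto` needs the full backup plus every increment since, in order."""
    state = dict(full)
    for d in incs[:upto]:
        state = apply_delta(state, d)
    return state


def differential_chain(snapshots):
    """Full backup at t0, then each differential relative to that same full backup."""
    full = dict(snapshots[0])
    diffs = [delta(full, s) for s in snapshots[1:]]
    return full, diffs


def restore_differential(full, diffs, upto):
    """At most two sets are needed: the full backup and the one differential for `upto`."""
    if upto == 0:
        return dict(full)
    return apply_delta(full, diffs[upto - 1])


def reverse_delta_repo(snapshots):
    """A mirror of the newest snapshot plus reverse deltas leading back to each older state."""
    mirror = dict(snapshots[-1])
    reverse = [delta(snapshots[i], snapshots[i - 1]) for i in range(len(snapshots) - 1, 0, -1)]
    return mirror, reverse


def restore_reverse_delta(mirror, reverse, upto):
    """Walk backwards from the mirror; restoring the latest state needs no deltas at all."""
    state = dict(mirror)
    for d in reverse[: len(reverse) - upto]:
        state = apply_delta(state, d)
    return state


def sets_needed(scheme, upto):
    """How many backup sets must be read to restore point `upto` under each scheme."""
    last = len(SNAPSHOTS) - 1
    return {"incremental": 1 + upto,
            "differential": 1 + (1 if upto else 0),
            "reverse_delta": 1 + (last - upto)}[scheme]


if __name__ == "__main__":
    full, incs = incremental_chain(SNAPSHOTS)
    _, diffs = differential_chain(SNAPSHOTS)
    for t in range(len(SNAPSHOTS)):
        print(f"t{t}: incremental needs {sets_needed('incremental', t)} sets, "
              f"differential needs {sets_needed('differential', t)} sets")
    print("entries in last increment:", delta_size(incs[-1]),
          "vs last differential:", delta_size(diffs[-1]))
```

Running the script shows the trade-off the text describes: the incremental chain needs one more set for every point in time (four sets to reach t3), the differential scheme never needs more than two, but its last differential is twice the size of the last increment because it carries every change since the full backup. The reverse-delta model is the mirror image: the most recent state is the cheapest to restore, which is why it suits large, slowly changing data.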
Storage Medium
Regardless of the repository model that is used, the data has to be stored on some data storage
medium.
Magnetic tape
Magnetic tape has long been the most commonly used medium for bulk data storage,
backup, archiving, and interchange. Tape has typically had an order of magnitude better
capacity-to-price ratio when compared to hard disk, but recently the ratios for tape and hard
disk have become a lot closer. There are many formats, many of which are proprietary or
specific to certain markets like mainframes or a particular brand of personal computer. Tape
is a sequential access medium, so even though access times may be poor, the rate of
continuously writing or reading data can actually be very fast. Some new tape drives are
even faster than modern hard disks.
Hard disk
The capacity-to-price ratio of hard disk has been rapidly improving for many years. This is
making it more competitive with magnetic tape as a bulk storage medium. The main
advantages of hard disk storage are low access times, availability, capacity and ease of use.
External disks can be connected via local interfaces like SCSI, USB, FireWire, or eSATA, or via
longer distance technologies like Ethernet, iSCSI, or Fibre Channel. Some disk-based backup
systems, such as Virtual Tape Libraries, support data deduplication which can dramatically
reduce the amount of disk storage capacity consumed by daily and weekly backup data. The
main disadvantages of hard disk backups are that they are easily damaged, especially while
being transported (e.g., for off-site backups), and that their stability over periods of years is
a relative unknown.
Optical storage
Recordable CDs, DVDs, and Blu-ray Discs are commonly used with personal computers and
generally have low media unit costs. However, the capacities and speeds of these and other
optical discs are typically an order of magnitude lower than hard disk or tape. Many optical
disk formats are WORM type, which makes them useful for archival purposes since the data
cannot be changed. The use of an auto-changer or jukebox can make optical discs a feasible
option for larger-scale backup systems. Some optical storage systems allow for cataloged
data backups without human contact with the discs, allowing for longer data integrity.
Solid-state storage
Also known as flash memory, thumb drives, USB flash drives, CompactFlash, SmartMedia,
Memory Stick, Secure Digital cards, etc., these devices are relatively expensive for their low
capacity in comparison to hard disk drives, but are very convenient for backing up relatively
low data volumes. A solid-state drive does not contain any movable parts unlike its magnetic
drive counterpart, making it less susceptible to physical damage, and can have huge
throughput in the order of 500Mbit/s to 6Gbit/s. The capacity offered from SSDs continues
to grow and prices are gradually decreasing as they become more common.
Remote backup service
As broadband Internet access becomes more widespread, remote backup services are
gaining in popularity. Backing up via the Internet to a remote location can protect against
some worst-case scenarios such as fires, floods, or earthquakes which would destroy any
backups in the immediate vicinity along with everything else. There are, however, a number
of drawbacks to remote backup services. First, Internet connections are usually slower than
local data storage devices. Residential broadband is especially problematic as routine
backups must use an upstream link that's usually much slower than the downstream link
used only occasionally to retrieve a file from backup. This tends to limit the use of such
services to relatively small amounts of high value data. Secondly, users must trust a third
party service provider to maintain the privacy and integrity of their data, although
confidentiality can be assured by encrypting the data before transmission to the backup
service with an encryption key known only to the user. Ultimately the backup service must
itself use one of the above methods so this could be seen as a more complex way of doing
traditional backups.
Floppy disk
During the 1980s and early 1990s, many personal/home computer users associated backing
up mostly with copying to floppy disks. However, the data capacity of floppy disks failed to
catch up with growing demands, rendering them effectively obsolete.
Managing the data repository
Regardless of the data repository model, or data storage media used for backups, a balance needs to
be struck between accessibility, security and cost. These media management methods are not
mutually exclusive and are frequently combined to meet the user's needs. Using on-line disks for
staging data before it is sent to a near-line tape library is a common example.
On-line
On-line backup storage is typically the most accessible type of data storage, which can begin
restore in milliseconds of time. A good example is an internal hard disk or a disk array
(maybe connected to SAN). This type of storage is very convenient and speedy, but is
relatively expensive. On-line storage is quite vulnerable to being deleted or overwritten,
either by accident, by intentional malevolent action, or in the wake of a data-deleting virus
payload.
Near-line
Near-line storage is typically less accessible and less expensive than on-line storage, but still
useful for backup data storage. A good example would be a tape library with restore times
ranging from seconds to a few minutes. A mechanical device is usually used to move media
units from storage into a drive where the data can be read or written. Generally, it has
safety properties similar to on-line storage.
Off-line
Off-line storage requires some direct human action to provide access to the storage media:
for example, inserting a tape into a tape drive or plugging in a cable. Because the data are
not accessible via any computer except during limited periods in which they are written or
read back, they are largely immune to a whole class of on-line backup failure modes. Access
time will vary depending on whether the media are on-site or off-site.
To protect against a disaster or other site-specific problem, many people choose to send
backup media to an off-site vault. The vault can be as simple as a system administrator's
home office or as sophisticated as a disaster-hardened, temperature-controlled, high-
security bunker with facilities for backup media storage. Importantly a data replica can be
off-site but also on-line (e.g., an off-site RAID mirror). Such a replica has fairly limited value
as a backup, and should not be confused with an off-line backup.
Backup site or disaster recovery center (DR center)
In the event of a disaster, the data on backup media will not be sufficient to recover.
Computer systems onto which the data can be restored and properly configured networks
are necessary too. Some organizations have their own data recovery centers that are
equipped for this scenario. Other organizations contract this out to a third-party recovery
center. Because a DR site is itself a huge investment, backing up is very rarely considered the
preferred method of moving data to a DR site. A more typical way would be remote disk
mirroring, which keeps the DR data as up to date as possible.
Objectives
Recovery point objective (RPO)
The point in time that the restarted infrastructure will reflect. Essentially, this is the roll-back
that will be experienced as a result of the recovery. The most desirable RPO would be the
point just prior to the data loss event. Making a more recent recovery point achievable
requires increasing the frequency of synchronization between the source data and the
backup repository.
Recovery time objective (RTO)
The amount of time elapsed between disaster and restoration of business functions.
Data security
In addition to preserving access to data for its owners, data must be restricted from
unauthorized access. Backups must be performed in a manner that does not compromise
the original owner's undertaking. This can be achieved with data encryption and proper
media handling policies.
Data retention period
Regulations and policy can lead to situations where backups are expected to be retained for
a particular period, but not any further. Retaining backups after this period can lead to
unwanted liability and sub-optimal use of storage media.
Limitations
An effective backup scheme will take into consideration the limitations of the situation.
Backup window
The period of time when backups are permitted to run on a system is called the backup window. This
is typically the time when the system sees the least usage and the backup process will have the least
amount of interference with normal operations. The backup window is usually planned with users'
convenience in mind. If a backup extends past the defined backup window, a decision is made
whether it is more beneficial to abort the backup or to lengthen the backup window.
Performance impact
All backup schemes have some performance impact on the system being backed up. For example,
for the period of time that a computer system is being backed up, the hard drive is busy reading files
for the purpose of backing up, and its full bandwidth is no longer available for other tasks. Such
impacts should be analyzed.
Costs of hardware, software and labor
All types of storage media have a finite capacity with a real cost. Matching the correct amount of
storage capacity (over time) with the backup needs is an important part of the design of a backup
scheme. Any backup scheme has some labor requirement, but complicated schemes have
considerably higher labor requirements. The cost of commercial backup software can also be
considerable.
Network bandwidth
Implementation
Meeting the defined objectives in the face of the above limitations can be a difficult task. The tools
and concepts below can make that task more achievable.
Scheduling
Using a job scheduler can greatly improve the reliability and consistency of backups by
removing part of the human element. Many backup software packages include this
functionality.
Authentication
Over the course of regular operations, the user accounts and/or system agents that perform
the backups need to be authenticated at some level. The power to copy all data off of or
onto a system requires unrestricted access. Using an authentication mechanism is a good
way to prevent the backup scheme from being used for unauthorized activity.
Chain of trust
Removable storage media are physical items and must only be handled by trusted
individuals. Establishing a chain of trusted individuals (and vendors) is critical to defining the
security of the data.
To ensure that the backup scheme is working as expected, key factors should be monitored and
historical data maintained.
Backup validation
(also known as "backup success validation") provides information about the backup and
proves compliance to regulatory bodies outside the organization: for example, an insurance
company in the USA might be required under HIPAA to demonstrate that its client data meet
records retention requirements. Disaster, data complexity, data value and increasing
dependence upon ever-growing volumes of data all contribute to the anxiety around and
dependence upon successful backups to ensure business continuity. Thus many
organizations rely on third-party or "independent" solutions to test, validate, and optimize
their backup operations (backup reporting).
Reporting
In larger configurations, reports are useful for monitoring media usage, device status, errors,
vault coordination and other information about the backup process.
Logging
In addition to the history of computer generated reports, activity and change logs are useful
for monitoring backup system events.
Validation
Many backup programs use checksums or hashes to validate that the data was accurately
copied. These offer several advantages. First, they allow data integrity to be verified without
reference to the original file: if the file as stored on the backup medium has the same
checksum as the saved value, then it is very probably correct. Second, some backup
programs can use checksums to avoid making redundant copies of files, and thus improve
backup speed. This is particularly useful for the de-duplication process.
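The two uses of checksums just described (verifying a stored copy against a saved value without re-reading the original, and skipping redundant copies of identical content) are shown below in an added example that is not part of the study material or of any backup product. The files, the corrupted and missing copies, and the manifest layout are all constructed for the demonstration; SHA-256 from Python's standard library stands in for whatever hash a real tool uses.

```python
"""Checksum-based validation of a backup copy and hash-based de-duplication.
Added example for this study material, run over constructed in-memory files
(path -> bytes); real tools do the same over files on the backup medium."""
import hashlib

# Constructed originals and a constructed copy as read back from the backup medium.
ORIGINALS = {
    "docs/report.txt": b"quarterly report, final",
    "docs/report-copy.txt": b"quarterly report, final",   # same content as report.txt
    "bin/tool": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "etc/config.ini": b"[backup]\nwindow=02:00-04:00\n",
}
BACKUP_COPY = dict(ORIGINALS)
BACKUP_COPY["bin/tool"] = b"\x7fELF\x02\x01\x01" + b"\x00" * 8 + b"\x01"  # one byte corrupted
del BACKUP_COPY["etc/config.ini"]                                          # never copied


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Record the checksum of every file at backup time; this is the 'saved value'."""
    return {path: sha256_hex(content) for path, content in files.items()}


def validate_backup(manifest, backup_files):
    """Check the stored copies against the manifest, without reading the originals.
    Returns (intact, corrupted, missing) path lists."""
    intact, corrupted, missing = [], [], []
    for path, expected in manifest.items():
        if path not in backup_files:
            missing.append(path)
        elif sha256_hex(backup_files[path]) == expected:
            intact.append(path)
        else:
            corrupted.append(path)
    return sorted(intact), sorted(corrupted), sorted(missing)


def deduplicate(files):
    """Content-addressed store: identical contents are written once, keyed by hash.
    Returns (store: hash -> bytes, index: path -> hash)."""
    store, index = {}, {}
    for path, content in files.items():
        digest = sha256_hex(content)
        store.setdefault(digest, content)
        index[path] = digest
    return store, index


def bytes_saved(files):
    """How much the de-duplicated store saves compared with copying every file."""
    store, _ = deduplicate(files)
    return sum(len(c) for c in files.values()) - sum(len(c) for c in store.values())


if __name__ == "__main__":
    manifest = build_manifest(ORIGINALS)
    print("intact / corrupted / missing:", validate_backup(manifest, BACKUP_COPY))
    print("bytes saved by de-duplication:", bytes_saved(ORIGINALS))
```

The manifest must be stored separately from the copies it describes (and ideally signed or kept read-only); a manifest that sits on the same medium and can be rewritten together with the data proves nothing about integrity.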
Monitored backup
Backups are monitored by a third party monitoring center, which alerts users to any errors that
occur during automated backups. Monitored backup requires software capable of
contacting the monitoring center's servers in the case of errors. Some monitoring
services also allow collection of historical meta-data, which can be used for Storage Resource
Management purposes like projection of data growth, locating redundant primary storage capacity
and reclaimable backup capacity.
Disk Cloning
Disk cloning is a direct disk-to-disk method for creating an exact copy. There is no intermediary
process, simply connect both drives and clone the contents from the source drive to the destination
drive. Once completed, the two drives will be interchangeable, both will hold the identical data (at
time of cloning) and both will boot to the identical system.
Disk imaging, on the other hand, is NOT a direct disk-to-disk method and requires an intermediary
process. One cannot create a copy of a hard drive simply by placing a disk image file on it; the image
needs to be opened and installed (restored) on the drive via the same imaging software that was
used to create it.
Disk Cloning: creates a verbatim copy of the entire disk contents on a second hard drive.
Disk Imaging: copies the entire contents of a hard drive into a single compressed file, generally of a proprietary format.

Disk Cloning: takes immediate effect; once the cloning process has been completed, the new drive (or destination drive) can be used to boot to the system straight away.
Disk Imaging: is not immediate; the image created by the imaging software needs to be restored (opened and installed) to a drive before it can be used to boot to the system.

Disk Cloning: requires a good, working system – not much point in cloning a broken system, and not much use with a failed hard drive.
Disk Imaging: allows users to restore an image created previously, when the system was in a known good state, either to the same (original) hard drive or to a different hard drive.
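To make the Disk2Disk versus Disk2Image distinction concrete, here is an added byte-level model that is not part of the study material and not AOMEI Backupper's code. A "disk" is a byte string divided into 512-byte sectors; a sector-by-sector clone copies every sector and therefore refuses a smaller destination, while an image keeps only the used sectors (with their positions) in one compressed blob that must be restored onto a disk before it is usable. The sector size, the sample disk and the image layout are assumptions of the model.

```python
"""Byte-level model of Disk2Disk cloning versus Disk2Image imaging, over a
constructed in-memory 'disk'. Added example for this study material; it is
not AOMEI Backupper's code and the image layout below is invented."""
import gzip
import hashlib

SECTOR = 512  # bytes per sector (assumed; the conventional size)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_disk(sectors, used):
    """Constructed disk: `used` maps sector index -> content; every other sector is zeros."""
    disk = bytearray(sectors * SECTOR)
    for idx, content in used.items():
        disk[idx * SECTOR: idx * SECTOR + len(content)] = content
    return bytes(disk)


def fits_sector_by_sector(source: bytes, dest_sectors: int) -> bool:
    """A sector-by-sector clone needs a destination at least as large as the source."""
    return dest_sectors * SECTOR >= len(source)


def clone_sector_by_sector(source: bytes, dest_sectors: int) -> bytes:
    """Disk2Disk: copy every sector whether in use or not."""
    if not fits_sector_by_sector(source, dest_sectors):
        raise ValueError("destination smaller than source; refusing sector-by-sector clone")
    dest = bytearray(dest_sectors * SECTOR)
    dest[: len(source)] = source
    return bytes(dest)


def verify_copy(source: bytes, dest: bytes) -> bool:
    """Compare digests rather than raw bytes; the same check works after a restore."""
    return sha256_hex(source) == sha256_hex(dest[: len(source)])


def create_image(source: bytes, used_sectors) -> bytes:
    """Disk2Image: keep only the used sectors, tagged with their positions, in one
    compressed file. Layout (invented): 8-byte disk size, then (8-byte index, sector) pairs."""
    body = b"".join(i.to_bytes(8, "big") + source[i * SECTOR:(i + 1) * SECTOR]
                    for i in sorted(used_sectors))
    return gzip.compress(len(source).to_bytes(8, "big") + body)


def restore_image(image: bytes, dest_sectors: int) -> bytes:
    """An image cannot be booted as-is; it has to be written back onto a disk first."""
    raw = gzip.decompress(image)
    disk_size = int.from_bytes(raw[:8], "big")
    if dest_sectors * SECTOR < disk_size:
        raise ValueError("destination too small for the imaged disk")
    dest = bytearray(dest_sectors * SECTOR)
    off = 8
    while off < len(raw):
        idx = int.from_bytes(raw[off:off + 8], "big")
        off += 8
        dest[idx * SECTOR:(idx + 1) * SECTOR] = raw[off:off + SECTOR]
        off += SECTOR
    return bytes(dest)


# Constructed 64-sector (32 KiB) disk with only four sectors in use.
USED = {0: b"boot sector", 1: b"partition table", 5: b"kernel", 40: b"user data"}
SOURCE_DISK = make_disk(64, USED)


if __name__ == "__main__":
    clone = clone_sector_by_sector(SOURCE_DISK, 64)
    image = create_image(SOURCE_DISK, USED)
    print("clone verified:", verify_copy(SOURCE_DISK, clone))
    print(f"image is {len(image)} bytes for a {len(SOURCE_DISK)}-byte disk")
    print("restored image verified:", verify_copy(SOURCE_DISK, restore_image(image, 64)))
```

The digest comparison in verify_copy is the step worth keeping from this model: whichever tool performs the clone or restore, hashing the source and the result is how you confirm the copy is exact before relying on it.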
AOMEI Backupper is third-party software which aims at system, partition/volume, disk as well as
file/folder backup and restore. It also supports clone functions, such as disk clone, system clone and
partition/volume clone. Finally, there is a free version of AOMEI Backupper, AOMEI Backupper
Standard Edition, which contains most features and can do disk clone.
Here we take AOMEI Backupper Standard as an example to show how to use the AOMEI Backupper clone feature.
Before you start, download, install and open AOMEI Backupper.
To Clone Disk:
1. In the left tab page, select the Clone option and then select Disk Clone.
2. Select the source disk that you want to clone. Click Next.
3. Select the destination disk to which the source disk will be cloned, and click Next.
Warning! The destination disk and all existing data will be overwritten.
4. Preview the information of your source and destination disk. In the wizard page, set desired
advanced settings as follows:
a) If you want to adjust the partitions size or location on the destination disk, click the "Edit
partitions on the destination disk" button. Options available are:
b) Sector by sector clone: copies all sectors of the disk to the destination disk, whether in use or not.
The destination disk size must be equal to or larger than the source disk. Usually, to save destination
disk space, there is no need to tick this option. Leaving Sector by sector clone unchecked clones only
the used part of the source disk, so the room required on the destination is smaller. The data and
system remain intact when Sector by sector clone is unchecked, and the system is bootable after cloning.
c) Align partition to optimize for SSD: if your destination disk is an SSD (Solid-State Drive), we highly
recommend ticking this option to optimize the performance of the SSD.
5. Finally, click Start Clone. Wait for the process to complete and then click Finish.
Step 3: Select the destination disk (Disk1) where you want to clone source disk to, and then click
"Next".
Step 4: Confirm the settings of the source and destination disk, and then click "Start Clone".
Tips:
The "Sector by sector clone" option is also available. It allows you to clone all sectors on the
source disk to the destination disk, whether they are used or not. If you clone a large hard drive
to a smaller SSD, do not choose this option.
If the destination disk is an SSD, it is recommended to check the box before "Align partition
to optimize for SSD".
If you clone a small disk to a larger disk, you can click the button "Edit partitions on the
destination disk". There are three options for you to resize partitions so that you can use the full
capacity.
Step 5: Click "Finish" when all the operations have been done:
In fact, disk clone is also called "Disk to Disk (Disk2Disk)". There is a similar function, Disk Imaging,
which can store all the data on a disk to an image file. That is the so-called "Disk to Image
(Disk2Image)". AOMEI Backupper can perform Disk2Disk as well as Disk2Image. It can back up your
disk to an image file so that you can restore your disk in the future.
Some other Cloning Software available in the market:
Hard drive docking stations can be incredibly valuable to small businesses, the tech service industry,
and even enthusiasts who require access to a large amount of data. Combining the functionality of
an external hard drive enclosure with the features of partition imaging software, there are three
primary reasons you might need to pick one up for yourself.
If you need on-hand access to large amounts of data, the docking feature of a hard drive duplicator
is incredibly handy. Currently, standard spinning-disk hard drives offer storage space at a very
economical cost per gigabyte. Multi-terabytes of storage space can be picked up for a couple
hundred dollars. Keeping those drives on hand, you’ll be able to pop them in or out of the docking
station as needed. If transfer rates are important to you, there are very few portable storage
solutions that can beat the throughput of a 2.5” SSD connected to an eSATA or USB 3.1 interface.
If you regularly need to provide upgrade or maintenance service for computer systems, these hard
drive duplicators can make your life much easier. Internal storage can be upgraded with as little as
five to ten minutes of actual work. Just remove the old drive, plug it into the duplicator next to the
new one, then press the button. After about 10 seconds, the light will begin flashing indicating that
the cloning process has begun.
These drive cloners are also very popular in enterprise environments. Critical drives can be backed
up daily with just the push of a button. Restoration images of the company’s computers can be kept
on hand, meaning setting up any new piece of equipment is as simple as copying your installation
source onto a new drive.
When it comes to hard drive duplicators, there are many options available on the market today.
Thanks to high bandwidth communication ports such as USB 3.1 and eSATA, these devices have
never been easier or more affordable. Let’s take a look at some of the best options.
The StarTech SATA Hard Drive Duplicator Dock comes in a fairly plain case. The black plastic frame
uses a top-loading method to connect to your hard drives. It’s sized for 3.5” drives, but a fold down
plastic insert has a small cutout allowing you to insert a 2.5” drive while keeping it secure.
Connectivity
To communicate with your computer, this drive duplicator gives you three options. The USB 2.0 /
SATA combination is likely the most popular. eSATA is fast enough that you can access most drives
just as if they were internal. For all other purposes, USB 2.0 is fast enough to browse the drive
structure or perform simple file transfers. Those of you that do not have access to an eSATA port can
opt for the USB 3.0 model.
This will facilitate file transfers at up to a peak rate of 480 megabits per second. Finally, if you are on
the cutting edge of technology you can take advantage of the USB 3.1 model which has a peak
throughput of 10Gbps. Currently, there is no drive that can even come close to reaching that kind of
speed, but if you intend to keep the duplicator around for a long time you may wish to take
advantage of that feature.
For connecting to your hard drives, most models use SATA connections. Virtually every drive on the
market is SATA, so this is necessary for the majority of consumers. If you are performing data
recovery / duplication on very old drives there is an IDE model available, but it is triple the price of
the SATA ones.
Chapter 3: Networking Concepts
Network
A computer network or data network is a digital telecommunications network which allows nodes
to share resources. In computer networks, networked computing devices exchange data with each
other using a data link. The connections between nodes are established using either cable media or
wireless media.
Connection: In networking, a connection is built before the data transfer (by following the procedures
laid out in a protocol) and then is torn down at the end of the data transfer.
Packet: A packet is, generally speaking, the most basic unit that is transferred over a network. When
communicating over a network, packets are the envelopes that carry your data (in pieces) from one
end point to the other.
Packets have a header portion that contains information about the packet including the source and
destination, timestamps, network hops, etc. The main portion of a packet contains the actual data
being transferred. It is sometimes called the body or the payload.
Network Interface: A network interface can refer to any kind of software interface to networking
hardware. For instance, if you have two network cards in your computer, you can control and
configure each network interface associated with them individually.
Protocol: A protocol is a set of rules and standards that basically define a language that devices can
use to communicate. There are a great number of protocols in use extensively in networking, and
they are often implemented in different layers.
Some low level protocols are TCP, UDP, IP, and ICMP. Some familiar examples of application layer
protocols, built on these lower protocols, are HTTP (for accessing web content), SSH, TLS/SSL, and
FTP.
Port: A port is an address on a single machine that can be tied to a specific piece of
software (service). It is not a physical interface or location, but it allows your server to
communicate using more than one application.
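The header/payload split and the port concept described above can be seen directly by building and parsing a packet. The following added example, not part of the study material, constructs a minimal IPv4 + UDP packet in memory (it is never sent; the addresses are from the 192.0.2.0/24 documentation range), then parses out the source and destination addresses, the hop count (TTL), the protocol, the two ports and the payload, and rejects a header whose checksum no longer matches. The field layouts are the standard IPv4 and UDP headers; the sample addresses, ports and payload are constructed.

```python
"""Build and parse a minimal IPv4 + UDP packet to show the header fields the
text mentions (source/destination address, hop count (TTL), ports) and the
payload. Added example for this study material; the packet is constructed
in memory and never sent anywhere."""
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
UDP_FMT = "!HHHH"           # source port, destination port, length, checksum
PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement sum of 16-bit words (RFC 1071)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, payload, ttl=64):
    """Assemble IPv4 header + UDP header + payload with a correct IPv4 header checksum."""
    # UDP checksum 0 means "not computed", which IPv4 permits; kept simple here.
    udp = struct.pack(UDP_FMT, sport, dport, 8 + len(payload), 0) + payload
    header = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(udp), 0x1234, 0x4000, ttl, PROTO_UDP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + udp


def parse_packet(packet: bytes) -> dict:
    """Split a packet into header fields and payload, rejecting damaged headers."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _ident, _flags, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 packet")
    # Summing the header including its checksum field yields zero only if it is intact.
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if total_len > len(packet):
        raise ValueError("total length exceeds captured bytes")
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "protocol": proto}
    if proto == PROTO_UDP:
        sport, dport, udp_len, _ = struct.unpack(UDP_FMT, packet[ihl:ihl + 8])
        info.update({"sport": sport, "dport": dport, "payload": packet[ihl + 8: ihl + udp_len]})
    else:
        info["payload"] = packet[ihl:total_len]
    return info


def is_valid(packet: bytes) -> bool:
    """True when the packet parses cleanly, False for any structural or checksum error."""
    try:
        parse_packet(packet)
        return True
    except ValueError:
        return False


# Constructed sample: a small query from an ephemeral port to port 53 (DNS).
SAMPLE = build_packet("192.0.2.10", "192.0.2.53", 40000, 53, b"hello")


if __name__ == "__main__":
    print(parse_packet(SAMPLE))
```

Every router along the path decrements the TTL and must recompute the header checksum; the is_valid check shows why, since a packet whose TTL byte is changed without updating the checksum is rejected by the receiver.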
Network Types:
Peer-to-peer network
In a peer-to-peer network, a group of computers is connected together so that users can share
resources and information. There is no central location for authenticating users, storing files, or
accessing resources. It also means that users must log on to each computer to access the shared
resources on that computer.
In most peer-to-peer networks, it is difficult for users to track where information is located because
data is generally stored on multiple computers.
Client-Server network
In a server-based network, the server is the central location where users share and access network
resources. This dedicated computer controls the level of access that users have to shared resources.
Shared data is in one location, making it easy to back up critical business information. Each
computer that connects to the network is called a client computer. In a server-based network, users
have one user account and password to log on to the server and to access shared resources.
Local Area Network (LAN)
LAN is the form of computer network best known to the general public. It has a limited reach,
roughly a bunch of closely situated houses or buildings. That is because we typically use
Ethernet technology (IEEE 802.3) to power our local area networks, and the Ethernet cables we lay
across our houses and offices have their practical limitations: beyond a certain length, the speed
degrades. The reach of a LAN can be extended using repeaters, bridges, etc.
A kind of local area network is the HAN (Home Area Network). All the devices such as smartphones,
computers, IoT devices, televisions, gaming consoles, etc. that connect to a central router (wired or
wireless) placed in a home constitute a home area network.
Wireless Local Area Network (WLAN)
This type of computer network is the wireless counterpart of the local area network. It uses WiFi
technology as defined in the IEEE 802.11 standards. If you are one of those who think WiFi and WLAN
are the same thing, you need to clear up that confusion: they are completely different. WiFi is
the technology used to create a wireless local area network.
Metropolitan Area Network (MAN)
The area covered by a MAN is much larger than that of a LAN. In fact, a MAN can be used to link
several LANs spread across a city or a metro area. A wired backhaul spread across the city
powers the metropolitan area network in that place. You may have heard of the various city-wide
WiFi networks in different parts of the world.
What is a Wide Area Network (WAN)?
We can think of a WAN as the superset of all the small networks we find in our homes, offices, cities,
states, and countries. The router or modem placed at your home is the device used to connect to the
WAN. The internet is also a type of WAN, one that spans the entire earth. Various technologies like
ADSL, 4G LTE, fiber optic, cable, etc. are used to connect to the internet. However, each of these
access technologies is mostly confined to a single country.
Storage Area Network (SAN)
Generally, a SAN is used to connect external storage devices to servers while making the servers believe
that the storage is attached directly. The technology used to accomplish this is known as Fibre Channel.
Near-me Area Network (NAN)
Although it sounds totally unfamiliar, you use a near-me network almost every day. Remember
chatting with your friends on Facebook while all of you were sitting in the same room? You were part
of a NAN, even though you might have been on the networks of different carriers.
A message from your device traverses all the way to Facebook's servers over the internet and comes
back to your friend's device sitting right next to you. Logically, both devices are on some sort of
network, but they do not need to be connected to the same network. For instance, one may be
connected via WiFi and the other via cellular.
Virtual Private Network (VPN)
A VPN is a type of computer network which does not have a physical existence of its own. The devices that are part
of a VPN could be present anywhere on earth, connected to each other over the internet.
VPNs are used by corporations to interconnect their offices located in different places and to give their
remote employees access to the company's resources. It has phased out another type of network
known as the Enterprise Private Network, a physical network created by organizations to link their office
locations.
Network Topology is the schematic description of a network arrangement, connecting various nodes
(sender and receiver) through lines of connection.
BUS Topology
Bus topology is a network type in which every computer and network device is connected to single
cable. When it has exactly two endpoints, then it is called Linear Bus topology.
Features of Bus Topology
1. It is cost effective.
2. It requires the least cable compared to other network topologies.
3. It is used in small networks.
4. It is easy to understand.
5. It is easy to expand by joining two cables together.
RING Topology
It is called ring topology because it forms a ring as each computer is connected to another computer,
with the last one connected to the first. Exactly two neighbors for each device.
Features of Ring Topology
1. A number of repeaters are used in a ring topology with a large number of nodes, because if
someone wants to send some data to the last node in a ring topology with 100 nodes,
then the data will have to pass through 99 nodes to reach the 100th node. Hence, to prevent
data loss, repeaters are used in the network.
2. The transmission is unidirectional, but it can be made bidirectional by having 2 connections
between each network node; this is called Dual Ring Topology.
3. In Dual Ring Topology, two ring networks are formed, and data flows in opposite directions
in them. Also, if one ring fails, the second ring can act as a backup to keep the network up.
4. Data is transferred in a sequential manner, that is, bit by bit. Transmitted data has to pass
through each node of the network until it reaches the destination node.
Advantages of Ring Topology
1. The transmitting network is not affected by high traffic or by adding more nodes, as only the
node holding the token can transmit data.
2. Cheap to install and expand.
STAR Topology
In this type of topology all the computers are connected to a single hub through a cable. This hub is
the central node and all others nodes are connected to the central node.
MESH Topology
It is a point-to-point connection to other nodes or devices. All the network nodes are connected to
each other. Mesh has n(n-1)/2 physical channels to link n devices.
There are two techniques to transmit data over the Mesh topology, they are:
1. Routing
2. Flooding
Routing
In routing, the nodes have a routing logic chosen as per the network requirements: for example, routing
logic that directs the data to the destination along the shortest path, or routing logic which has
information about broken links and avoids those nodes, etc. We can even have routing logic to
re-configure the failed nodes.
Flooding
In flooding, the same data is transmitted to all the network nodes, hence no routing logic is required.
The network is robust, and it is very unlikely to lose the data. But it leads to unwanted load over
the network.
1. Partial Mesh Topology: In this topology some of the systems are connected in the same
fashion as mesh topology but some devices are only connected to two or three devices.
2. Full Mesh Topology: Every node or device is connected to every other node or device.
1. Fully connected.
2. Robust.
3. Not flexible.
TREE Topology
It has a root node and all other nodes are connected to it forming a hierarchy. It is also called
hierarchical topology. It should at least have three levels to the hierarchy.
1. Heavily cabled.
2. Costly.
3. If more nodes are added maintenance is difficult.
4. Central hub fails, network fails.
HYBRID Topology
It is a mixture of two or more different types of topologies. For example, if in one department of
an office ring topology is used and in another star topology is used, connecting these topologies
will result in a Hybrid Topology (ring topology and star topology).
1. Complex in design.
2. Costly.
Network Devices
Hubs
Logically, there is a single bus and computers are connected to it. A HUB can have any numbers of
ports according to its size. Information from one computer say ‘A’ goes to the other computer, say
‘B’, through the dotted lines as shown. HUB gave birth to Star Topology but its internal structure is
like a bus. 10Base-T line is used where ‘T’ denotes the T-type structure. We can also connect
another hub through the port of one hub!!! Suppose we have 15 users and one hub has only 10
ports. Then we connect two hubs like this:
Each computer in a 10-port Hub gets 1 Mbps speed each. Latency is involved in Hub as packets
collide with each other. Thus, data rate gets reduced!!
Bridges
i) Bridge is learning
A bridge learns the addresses of devices and keeps a table to communicate between the networks.
Switches
Hubs are now replaced by switches. A switch is a multiple-bus device, i.e. there are multiple
transceiver chips, one for every port. Here, every computer has 10 Mbps speed and no latency is
involved. I/O chips can interact with each other within the buses. Since there are several
buses, no traffic contention occurs. Simply, a computer A can send packets to computer C
without interruption. Pure isolation is provided. A switch is a very sophisticated device. We have 2
switching techniques.
SWITCHING
– CUT-THROUGH
– STORE&FORWARD
Switch has a CAM i.e. Content Addressable Memory table. It is a feature taken from the ‘BRIDGE’.
CAM Table (port number → MAC address learned on that port):-
1 _______
2 _______
Whenever a PC gets booted, a light blinks in the switch for that PC and the MAC address of that PC gets
updated automatically in the CAM table opposite its port number. The switch refreshes its table after
every 300 milliseconds.
1. Cut Through Switching: Here, there is no need for the switch to see the CRC. It only reads the source
and destination address. It has a latency (delay) of 35 ms. It is just a chance technology. Thus, it is
not so reliable, since different offices are located far away.
2. Store and Forward Switching: Here, the frame goes into the memory of the switch; the switch refers to the
CAM table; reads the whole packet; checks for any error; and then finally sends the packet. Earlier,
it had a latency of 51 ms but now it has been enhanced to only 40 ms. Thus, this technology is more
reliable in comparison to cut-through technology.
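The behaviour described above (CAM learning per port, flooding of unknown destinations, table ageing, and the difference between cut-through and store-and-forward on a corrupted frame) can be simulated in a few lines. The following is an added example written for this study material; it is not code from any real switch firmware. The frame format, port numbers, MAC addresses and the ageing time unit are constructed assumptions.

```python
"""Toy learning switch: CAM table, flooding, forwarding, ageing and the two switching techniques.

Added example, not from the study material. Frames are simple Python objects; MAC addresses,
port numbers and the time values passed as `now` are made up for illustration.
"""
from dataclasses import dataclass
import zlib

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str        # source MAC address
    dst: str        # destination MAC address
    payload: bytes
    crc: int = 0    # frame check sequence carried at the end of the frame

    def with_crc(self):
        """Compute a correct CRC for the payload (what a sending NIC does)."""
        self.crc = zlib.crc32(self.payload)
        return self


class Switch:
    def __init__(self, ports, age_limit=300):
        self.ports = ports
        self.age_limit = age_limit  # CAM entry lifetime, in the same (assumed) units as `now`
        self.cam = {}               # MAC address -> (port number, time last seen)

    def _expire(self, now):
        # The table is refreshed: entries not seen within age_limit are dropped.
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items() if now - t <= self.age_limit}

    def cut_through(self, frame, in_port, now=0):
        """Forwarding decision taken from the addresses alone; the CRC is never checked."""
        self._expire(now)
        self.cam[frame.src] = (in_port, now)        # learn which port the sender lives on
        if frame.dst != BROADCAST and frame.dst in self.cam:
            port, _ = self.cam[frame.dst]
            return [] if port == in_port else [port]  # same segment: nothing to forward
        # Unknown unicast or broadcast: flood every port except the one it came in on.
        return [p for p in range(self.ports) if p != in_port]

    def store_and_forward(self, frame, in_port, now=0):
        """Whole frame buffered and its CRC verified before any forwarding decision."""
        if zlib.crc32(frame.payload) != frame.crc:
            return []                                 # corrupted frame is dropped here
        return self.cut_through(frame, in_port, now)


def demo():
    """Return the egress-port lists for a short constructed sequence of frames."""
    sw = Switch(ports=4)
    a, b, c = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"
    out1 = sw.store_and_forward(Frame(a, b, b"hello").with_crc(), in_port=0, now=0)  # b unknown: flood
    out2 = sw.store_and_forward(Frame(b, a, b"reply").with_crc(), in_port=1, now=1)  # a learned on port 0
    out3 = sw.store_and_forward(Frame(c, a, b"x").with_crc(), in_port=2, now=1)      # a still on port 0
    bad = Frame(c, a, b"x")                                    # CRC field left at 0: corrupted frame
    out4 = sw.store_and_forward(bad, in_port=2, now=1)        # store-and-forward drops it
    out5 = sw.cut_through(bad, in_port=2, now=1)              # cut-through forwards it anyway
    out6 = sw.cut_through(Frame(b, a, b"late").with_crc(), in_port=1, now=400)  # a's entry aged out
    return out1, out2, out3, out4, out5, out6


if __name__ == "__main__":
    for label, ports in zip(["flood", "to a", "to a", "s&f bad", "c-t bad", "aged"], demo()):
        print(f"{label:8s} -> ports {ports}")
```

The last two calls are the point of the comparison in the text: the same corrupted frame is silently dropped by store-and-forward but relayed by cut-through, and once an entry has aged out of the CAM table the switch falls back to flooding until it re-learns the address.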
Routers
In technical terms, a Router is a Layer 3 network gateway device, meaning that it connects two or
more networks and that the router operates at the network layer of the OSI model. Routers contain
a processor (CPU), several kinds of digital memory, and input-output (I/O) interfaces. They function
as special-purpose computers, ones that do not require a keyboard or display.
The router's memory stores an embedded operating system (O/S). Router operating systems limit
what kind of applications can be run on them and also need much smaller amounts of storage space.
Examples of popular router operating systems include Cisco Internetwork Operating System (IOS)
and DD-WRT. These operating systems are manufactured into a binary firmware image and are
commonly called router firmware.
By maintaining configuration information in a part of memory called the routing table, routers also
can filter both incoming or outgoing traffic based on the addresses of senders and receivers.
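The two router functions just named, forwarding by the routing table and filtering on sender and receiver addresses, are illustrated by the following added example. It is not code from Cisco IOS, DD-WRT or any other router OS; the routes, interface names and the deny rule are constructed for illustration, and the lookup uses longest-prefix match (the most specific matching route wins).

```python
"""Toy Layer-3 forwarder: longest-prefix routing table plus a sender/receiver address filter.

Added example; it is not the study material's code and does not model any real router OS.
Routes, interface names and prefixes below are made up for illustration.
"""
import ipaddress


class Router:
    def __init__(self):
        self.routes = []   # (network, next_hop, interface) entries of the routing table
        self.deny = []     # (sender network, receiver network) pairs that are filtered out

    def add_route(self, prefix, next_hop, iface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, iface))

    def add_filter(self, src_prefix, dst_prefix):
        self.deny.append((ipaddress.ip_network(src_prefix), ipaddress.ip_network(dst_prefix)))

    def lookup(self, dst_ip):
        """Longest-prefix match: the most specific route containing the destination wins."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, next_hop, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return best

    def forward(self, src_ip, dst_ip):
        """Decide one packet's fate: ("drop", reason) or ("forward", interface, next_hop)."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for src_net, dst_net in self.deny:           # filtering on sender and receiver addresses
            if src in src_net and dst in dst_net:
                return ("drop", "filtered")
        best = self.lookup(dst_ip)
        if best is None:
            return ("drop", "no route")
        return ("forward", best[2], best[1])


def build_demo_router():
    """Constructed routing table for the example; addresses are documentation ranges."""
    r = Router()
    r.add_route("0.0.0.0/0", "203.0.113.1", "eth0")   # default route towards the ISP
    r.add_route("10.0.0.0/8", "10.0.0.1", "eth1")     # whole corporate range via a core router
    r.add_route("10.1.2.0/24", None, "eth2")          # directly attached LAN, no next hop
    r.add_filter("10.1.2.0/24", "10.9.0.0/16")        # the LAN may not reach the 10.9 segment
    return r


if __name__ == "__main__":
    r = build_demo_router()
    for dst in ("10.1.2.9", "10.7.0.1", "198.51.100.3", "10.9.0.1"):
        print(dst, "->", r.forward("10.1.2.5", dst))
```

Note the order of operations: the filter is consulted before the routing table, so a filtered packet is dropped even when a perfectly good route exists for it.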
OSI Layers
Two objects, if wanting to communicate, should satisfy some specifications. Thus, ISO (the International
Organization for Standardization) was asked to make certain specifications (specially for Ethernet at the
time of Bob Metcalfe). Thus, OSI layers were introduced. OSI stands for Open Systems
Interconnection. OSI said that the last step of an interface is a SAP (Service Access Point).
These 7 layers are seven SAPs, and only after qualifying these specifications will networks get
qualified for interacting.
Application Layer: The application layer is the layer that the users and user-applications most often
interact with. Network communication is discussed in terms of availability of resources, partners to
communicate with, and data synchronization.
Presentation Layer: It defines how the OS accepts the information given by the application software and
forwards it. Presentation may be different for different operating systems (OS).
Session Layer: The OS dictates which task gets priority first, or else it can get hung or may have to be reinstalled.
The OS also dictates how many windows can be opened at a time. Eg – Microsoft holds a maximum of 12-
13 windows, LINUX holds a maximum of 24-30 windows.
Transport Layer: It contains TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP
is a carrier. TCP and UDP are blind transporters which have no idea where to take the packets.
They just follow the sign boards. Packets are huge and in large amounts. They are given the name
‘Datagram’ (incremental packets layer by layer). Thus, slicing takes place. Packets are converted
into segments. Sequence numbers are put on them.
Network Layer: This layer tells TCP and UDP where to go, i.e. segments are given a direction.
Different protocols in the network layer are IP, ARP, IGMP, RARP etc. Every segment is given a
destination IP address and is converted into packets. Thus, TCP without IP is not valid!!
Data Link Layer: Now, information is loaded in LAN card of PC. L-2 switches work here. Packets are
represented by bits here and frames are generated.
Physical: Now, data link layer does not know where the packets are going. It only knows that it has
to go to the switch. Thus, MAC address is defined of self and the destination PC in this layer.
Or
• At network layer we have Routers and some special types of switches called the L-3
switches.
• At Data Link Layer, we have the normal switches, LAN card etc.
TCP/IP Model
This is called DARPA model as well. The TCP/IP model, more commonly known as the Internet
protocol suite, is another layering model that is simpler and has been widely adopted. It defines the
four separate layers, some of which overlap with the OSI model:
• Application: In this model, the application layer is responsible for creating and transmitting
user data between applications. The applications can be on remote systems, and should
appear to operate as if locally to the end user. The communication is said to take place
between peers.
• Transport: The transport layer is responsible for communication between processes. This
level of networking utilizes ports to address different services. It can build up unreliable or
reliable connections depending on the type of protocol used.
• Internet: The internet layer is used to transport data from node to node in a network. This
layer is aware of the endpoints of the connections, but does not worry about the actual
connection needed to get from one place to another. IP addresses are defined in this layer
as a way of reaching remote systems in an addressable manner.
• Link: The link layer implements the actual topology of the local network that allows the
internet layer to present an addressable interface. It establishes connections between
neighboring nodes to send data.
IP (short for Internet Protocol) specifies the technical format of packets and the addressing scheme
for computers to communicate over a network. Most networks combine IP with a higher-level
protocol called Transmission Control Protocol (TCP), which establishes a virtual connection
between a destination and a source.
IP by itself can be compared to something like the postal system. It allows you to address a package
and drop it in the system, but there's no direct link between you and the recipient. TCP/IP, on the
other hand, establishes a connection between two hosts so that they can send messages back and
forth for a period of time.
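To make the layering in both models concrete, here is an added example (not from the study material) that wraps one piece of application data down through the transport layer (UDP ports), the internet/network layer (IP addresses and the IPv4 header checksum) and the link layer (MAC addresses), then unwraps it again while verifying the header. The addresses, ports and payload are constructed values; only the Python standard library is used, and the UDP checksum is left at zero, which IPv4 permits.

```python
"""Encapsulation down the stack and decapsulation back up, on constructed values.

Added example; not code from the study material. Header layouts follow the IPv4, UDP and
Ethernet II formats; the specific MAC/IP addresses, ports and payload are made up.
"""
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum, as used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def udp_segment(src_port: int, dst_port: int, data: bytes) -> bytes:
    """Transport layer: ports identify the sending and receiving processes."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def ipv4_packet(src_ip: str, dst_ip: str, segment: bytes, proto: int = 17) -> bytes:
    """Internet/network layer: IP addresses identify hosts; 17 is the protocol number of UDP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, proto, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill the checksum field
    return hdr + segment


def ethernet_frame(src_mac: str, dst_mac: str, packet: bytes, ethertype: int = 0x0800) -> bytes:
    """Link layer: MAC addresses identify the neighbouring NICs; 0x0800 marks an IPv4 payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + packet


def decapsulate(frame: bytes):
    """Walk back up: returns (dst_mac, dst_ip, dst_port, data), rejecting a bad IPv4 header."""
    dst_mac = ":".join("%02x" % b for b in frame[:6])
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:         # a valid header, checksum included, sums to zero
        raise ValueError("bad IPv4 header checksum")
    dst_ip = ".".join(str(b) for b in packet[16:20])
    segment = packet[ihl:]
    dst_port = struct.unpack("!H", segment[2:4])[0]
    return dst_mac, dst_ip, dst_port, segment[8:]


def build_demo_frame() -> bytes:
    """A DNS-style query from 192.168.1.15 to 192.168.1.1 (constructed addresses)."""
    segment = udp_segment(40000, 53, b"query")
    packet = ipv4_packet("192.168.1.15", "192.168.1.1", segment)
    return ethernet_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", packet)


if __name__ == "__main__":
    frame = build_demo_frame()
    print(len(frame), "bytes on the wire:", frame.hex())
    print(decapsulate(frame))
```

Each layer only reads its own header and hands the rest upward untouched, which is exactly why a switch (link layer) can forward the frame without understanding IP, and a router (network layer) without understanding the UDP ports inside.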
Internet Protocol Versions
There are currently two versions of the Internet Protocol (IP): IPv4 and a new version called IPv6. IPv6 is
an evolutionary upgrade to the Internet Protocol. IPv6 will coexist with the older IPv4 for some time.
IPv4 (Internet Protocol Version 4) is the fourth revision of the Internet Protocol (IP) used to
identify devices on a network through an addressing system. The Internet Protocol is designed for
use in interconnected systems of packet-switched computer communication networks.
IPv4 is the most widely deployed Internet protocol used to connect devices to the Internet. IPv4 uses
a 32-bit address scheme allowing for a total of 2^32 addresses (just over 4 billion addresses). With
the growth of the Internet it is expected that the number of unused IPv4 addresses will eventually
run out because every device -- including computers, smartphones and game consoles -- that
connects to the Internet requires an address.
A new Internet addressing system Internet Protocol version 6 (IPv6) is being deployed to fulfill the
need for more Internet addresses. IPv6 (Internet Protocol Version 6) is also called IPng (Internet
Protocol next generation) and it is the newest version of the Internet Protocol (IP) reviewed in the
IETF standards committees to replace the current version of IPv4.
IPv6 is the successor to Internet Protocol Version 4 (IPv4). It was designed as an evolutionary
upgrade to the Internet Protocol and will, in fact, coexist with the older IPv4 for some time. IPv6 is
designed to allow the Internet to grow steadily, both in terms of the number of hosts connected and
the total amount of data traffic transmitted. IPv6 is often referred to as the "next generation"
Internet standard and has been under development now since the mid-1990s. IPv6 was born out of
concern that the demand for IP addresses would exceed the available supply.
While increasing the pool of addresses is one of the most often talked about benefits of IPv6, there
are other important technological changes in IPv6 that will improve the IP protocol:
An IP address is a binary number but can be stored as text for human readers. For example, a 32-bit
numeric address (IPv4) is written in decimal as four numbers separated by periods. Each number can
be zero to 255. For example, 1.160.10.240 could be an IP address.
IPv6 addresses are 128-bit IP addresses written in hexadecimal and separated by colons. An example
IPv6 address could be written like this: 3ffe:1900:4545:3:200:f8ff:fe21:67cf (see "What does an IPv6
address look like?")
If both these questions are justified, then IP addresses are made. Concurrently, we have an IP
addressing scheme of 32 bits i.e. 4 octets.
i) Class A :
[Figure: 32-bit address; bits 0–7 = N/W ID, bits 8–31 = Host ID]
Here, the first octet is called the Network ID and the other three octets are Host IDs. In the
N/W ID the first bit starts from ‘0’. The total number of networks available here are
1.__.__.__ through 126.__.__.__
Incredible !!
ii) CLASS B : Here, we have 2 octets as Network IDs and 2 octets as Host IDs.
[Figure: 32-bit address; bits 0–15 = N/W ID, bits 16–31 = Host ID]
Any IP address starting from ‘128’ till ‘151’ comes under the Class B scheme.
iii) CLASS C : Here, we have three octets as N/W IDs and one octet as Host ID. It is
the most commonly used IP addressing scheme. Also, it is more desirable to use
this class as the host ID is smallest here.
[Figure: 32-bit address; bits 0–23 = N/W ID, bits 24–31 = Host ID]
Now, we need to do masking i.e. filtering of IP addresses so that only the relevant
information is kept. Network IDs are always checked first and not the Host IDs. Thus, Host
IDs need to be masked. All bits of Host IDs are made ‘0’ during masking and N/W IDs are
denoted by all ‘1s’.
Thus, Class A IP address are masked as : 255.0.0.0 where ‘255’ is decimal of binary number
containing all ‘1s’
Class B : 255.255.0.0
Class C : 255.255.255.0
i) We convert the given IP address (192.168.1.15 in this example) into its binary form:
11000000.10101000.00000001.00001111
ii) We now perform a ‘Logic AND’ operation of the above IP with the binary of the Class C mask 255.255.255.0.
Thus, we get :
    11000000.10101000.00000001.00001111   (IP address 192.168.1.15)
AND 11111111.11111111.11111111.00000000   (mask 255.255.255.0)
  = 11000000.10101000.00000001.00000000   (Network ID 192.168.1.0)
The masked-out last octet, 00001111, is the Host ID.
Now, every router in the way checks these networks and then finally when the last network
is reached, the host ID is demanded through the Broadcasting technique. In this example,
the Host ID is ‘15’.
Subnet Mask
Class B : N.N.H.H
Class C: N.N.N.H
Public IPs are generally provided to user application companies like the Internet Service
Providers like Reliance etc.; Network Service Providers provide telephone services, internet
services etc. eg – MTNL; Telecom Service Providers (authorized to send our info to outside
world via cables and lines) Eg- Airtel, Tata, Reliance etc. provide cable landing services.
Public IPs have a valid passport to travel across the globe. Public IPs are given to users
only when they want Internet or other useful services.
Generally, all websites are made on public IPs so that everyone can view these websites.
Private IPs are given to those companies which do not provide any user services and
perform their own work. These IPs are given to companies like NTPC, Oil companies etc.
which are for high level workings. These are reserved IPs and can also be needed when we
want to make our own networks.
Note : Cable Landing Services may be used as it is or we can also use MTNL and then
further these services provide help in linking to the outer world.
Do you know that if Tata company gets closed then all ISD calls will never occur!
Also, if the international gateways like Airtel, Reliance etc. go down or strike then no net
connection would be possible – Amazing!!
Now the question arises that if we have private IPs, then how can we access the
internet?
There is a device used for this called NAT. NAT stands for Network Address Translation.
NAT contains two LAN cards: one for the Private IP and the other for the Public IP. For one
whole network, we require one NAT.
* Effective use of IP addresses: If we have multiple offices then we can use the Class A
scheme, else Class B or Class C is used. Class C is generally used for fewer offices. Thus,
our aim is to have the Class C scheme always. Thus, we convert the Host IDs of Class A or
Class B into Network IDs.
10.0.0.0 (N.H.H.H: one Network ID octet, three Host ID octets)
Suppose this IP range is given to a certain Head Office and we have to assign different IPs
to its computers.
10.0.0.0 (N.N.H.H: the second octet, up to 254, is now used as a Network ID)
Thus, the host ID changes to a Network ID. The subnet mask of the above IP address becomes
255.255.0.0
This is the subnet mask of Class B. But we need to obtain Class C. Thus, we play with the
next Host ID and the previous Network ID becomes fixed.
10.0.0.0 (N.N.N.H: the first two octets become fixed and the third octet is used as a Network ID)
Thus, the subnet mask becomes 255.255.255.0 and we get a Class C IP scheme.
Note :
1. If we have 1000 PCs then we do not do subnetting. We then provide DHCP Server
and not IP.
Suppose that we want to differentiate between two classes, say BSc Maths and BSc
Chemistry i.e. traffic is to be dived i.e. a BSc Chemistry student cannot access the data
of BSc Maths student and vice versa. For this to happen, we divide Class C IP address
further.
For example, suppose we have 192.168.1.0. If we zoom in on the last octet we get
192.168.1.00000000
Since in this example we want to have two sub networks from a given network of Class C,
we need to play with 1 bit to have two logic conditions. Thus, two sub networks made are :
192.168.1.00000000 → N#1
192.168.1.10000000 → N#2
Note : We can only alter the Host ID and never the Network ID
The 127th and 128th networks are unnecessarily wasted here and are called the Broadcast
address.
Note: If we want to do intentional broadcasting we make all host bits of the Host ID as ‘1’.
192.168.1.0 → 255.255.255.0
192.168.1.128 → 255.255.255.128
Suppose we are given 192.168.5.0. For making six networks out of this given IP, we need to
manipulate with 3 bits i.e. 3-bit logic is applied here. Thus, we get:-
N#1 : 255.255.255.0
N#2 : 255.255.255.32
N#3 : 255.255.255.64
N#4 : 255.255.255.96
N#5 : 255.255.255.128
N#6 : 255.255.255.160
► For 12 Networks:- Given IP 192.168.5.0. For 12 networks, we need four bit logic.
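The whole procedure above (finding the class from the first octet, the default mask, the AND operation that separates Network ID from Host ID, and borrowing host bits to carve 2, 6 or 12 subnets out of a Class C range) is carried out below in an added example. It is not code from the study material; it uses the Python standard library's ipaddress module, and the address 192.168.1.15, the ranges 192.168.1.0/24, 192.168.5.0/24 and 10.0.0.0/8 are the document's own values. It goes slightly beyond the text in that it also reports each subnet's broadcast address and usable host count, and handles the Class A → Class B/C re-masking by the same borrowing rule.

```python
"""Classful addressing, masking and subnetting, using the study material's example values.

Added example, not the study material's code. Uses only the Python standard library.
"""
import ipaddress

CLASS_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def ip_class(ip: str) -> str:
    """Classful rule: the first octet decides the class (A: 0-127, B: 128-191, C: 192-223)."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D/E"


def to_bits(ip: str) -> str:
    """Dotted binary form, e.g. 192.168.1.15 -> 11000000.10101000.00000001.00001111."""
    return ".".join(f"{int(o):08b}" for o in ip.split("."))


def network_id(ip: str, mask: str) -> str:
    """Bitwise AND of address and mask: host bits become 0, network bits are kept."""
    masked = int(ipaddress.ip_address(ip)) & int(ipaddress.ip_address(mask))
    return str(ipaddress.ip_address(masked))


def host_id(ip: str, mask: str) -> int:
    """The bits the mask removes: address AND NOT mask."""
    return int(ipaddress.ip_address(ip)) & ~int(ipaddress.ip_address(mask)) & 0xFFFFFFFF


def subnets(network: str, count: int):
    """Borrow the fewest host bits that give at least `count` subnets.

    Returns (new_mask, [(network_address, broadcast_address, usable_hosts), ...]) for the
    first `count` subnets. 2 subnets need 1 bit, 6 need 3 bits, 12 need 4 bits.
    """
    net = ipaddress.ip_network(network)
    bits = (count - 1).bit_length()
    subs = list(net.subnets(prefixlen_diff=bits))
    mask = str(subs[0].netmask)
    return mask, [(str(s.network_address), str(s.broadcast_address), s.num_addresses - 2)
                  for s in subs[:count]]


if __name__ == "__main__":
    ip = "192.168.1.15"
    mask = CLASS_MASK[ip_class(ip)]
    print(ip, "is class", ip_class(ip), "mask", mask)
    print(to_bits(ip), "AND", to_bits(mask), "=", to_bits(network_id(ip, mask)))
    print("host id:", host_id(ip, mask))
    for rng, n in (("192.168.1.0/24", 2), ("192.168.5.0/24", 6), ("192.168.5.0/24", 12)):
        m, subs = subnets(rng, n)
        print(f"{n} subnets of {rng}: mask {m}")
        for net_addr, bcast, usable in subs:
            print(f"  {net_addr:15s} broadcast {bcast:15s} usable hosts {usable}")
    print("class A range 10.0.0.0/8 re-masked into 256 networks:", subnets("10.0.0.0/8", 256)[0])
```

Compare the output for six subnets of 192.168.5.0 with the list in the text: the subnet boundaries are 0, 32, 64, 96, 128 and 160 in the last octet, and the mask that produces them is 255.255.255.224, not the network addresses themselves.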
Later, as modulation made it possible to transmit voices and music via wireless, the medium came to
be called radio. With the advent of television, fax, data communication and the effective use of a
larger portion of the spectrum, the term "wireless" has been resurrected.
Wireless technology is rapidly evolving and playing an increasing role in the lives of people
throughout the world. Various technologies and devices are being developed in response to the
growing use of wireless. In addition, larger numbers of people are relying on the technology directly
or indirectly.
Wireless access technologies are commonly divided into categories, based on speed and distance.
Wireless Personal Area Network (WPAN) technologies are designed to reach only about 10
meters. IrDA and Bluetooth are two common WPAN examples. Emerging technologies in this
space include 802.15.4a (Zigbee) and 802.15.3c (UWB).
Wireless Local Area Network (WLAN) technologies can deliver up to 200 Mbps at distances
up to 100 meters. 802.11a/b/g (Wi-Fi) are widely deployed WLAN examples. Proprietary
MIMO products and the new 802.11n high-speed WLAN standard are emerging technologies
in this category.
Wireless Metropolitan Area Network (WMAN) technologies deliver up to 75 Mbps over
wireless "first mile" links that span several kilometers. There have been several iterations of
the 802.16 Broadband Wireless Access WMAN standard, certified under the brand WiMAX.
Fixed WiMAX is now being complemented by the emerging 802.20 Mobile WiMAX standard.
Wireless Wide Area Network (WWAN) technologies now deliver up to a few hundred Kbps
over large service areas such as cities, regions or even countries. Commonly deployed
WWAN technologies include GSM/GPRS/EDGE and CDMA2000 1xRTT. These services are
gradually being complemented by newer third-generation technologies like UMTS/HSDPA
and CDMA EV-DO Rev.0/A. Future technologies here include HSUPA.
A wireless LAN (WLAN) is one in which a mobile user can connect to a local area network (LAN)
through a wireless (radio) connection. A wireless personal area network (WPAN) is a personal area
network for interconnecting devices centered around a person's workspace in which the
connections are wireless. Though IrDA and Bluetooth are quite advanced, WPAN technology
continues to develop rapidly.
Wi-Fi is a term for certain types of WLAN that use specifications in the 802.11 family. The term Wi-Fi
was created by an organization called the Wi-Fi Alliance, which oversees tests that certify product
interoperability. A wireless LAN node that provides a public Internet connection via Wi-Fi from a
given location is called a hot spot. Many airports, hotels, and fast-food facilities offer public access to
Wi-Fi networks.
A wireless industry coalition, WiMAX (Worldwide Interoperability for Microwave Access), organized
to advance IEEE 802.16 standards for wireless broadband access, sometimes referred to as BWA,
networks. WiMax has a range of up to 30 miles, presenting provider networks with a viable wireless
last-mile solution.
Ultra wideband (also known as UWB or digital pulse wireless) is a wireless technology for
transmitting large amounts of digital data over a wide spectrum of frequency bands with very low
power for a short distance (up to 230 feet) and carrying signals through doors and other obstacles
that tend to reflect signals at more limited bandwidths and a higher power.
802.11 is an evolving family of specifications for WLANs developed by a working group of the
Institute of Electrical and Electronics Engineers (IEEE). There are several specifications in the family,
and new ones are occasionally added.
802.11x refers to a group of evolving WLAN standards that have not yet been formally approved or
deployed and that are under development as elements of the IEEE 802.11 family of
specifications.
Chapter 4: Security Threats and vulnerabilities
Hacking is the act of finding the possible entry points that exist in a computer system or a computer
network and finally entering into them. Hacking is usually done to gain unauthorized access to a
computer system or a computer network, either to harm the systems or to steal sensitive
information available on the computer.
Hacking is usually legal as long as it is being done to find weaknesses in a computer or network
system for testing purpose. This sort of hacking is what we call Ethical Hacking.
A computer expert who does the act of hacking is called a "Hacker". Hackers are those who seek
knowledge, to understand how systems operate, how they are designed, and then attempt to play
with these systems.
Types of Hacking
We can segregate hacking into different categories −
Website Hacking − Hacking a website means taking unauthorized control over a web server
and its associated software such as databases and other interfaces.
Password Hacking − This is the process of recovering secret passwords from data that has
been stored in or transmitted by a computer system.
Computer Hacking − This is the process of stealing computer ID and password by applying
hacking methods and getting unauthorized access to a computer system.
Advantages of Hacking
Hacking is quite useful in the following scenarios −
To have a computer system that prevents malicious hackers from gaining access.
Disadvantages of Hacking
Hacking is quite dangerous if it is done with harmful intent. It can cause −
Privacy violation.
Ethical hacking has a set of distinct phases. It helps hackers to make a structured ethical hacking
attack.
Different security training manuals explain the process of ethical hacking in different ways, but as a
standard the entire process can be categorized into the following six phases.
Reconnaissance
Reconnaissance is the phase where the attacker gathers information about a target using
active or passive means.
Scanning
In this process, the attacker begins to actively probe a target machine or network for
vulnerabilities that can be exploited.
Gaining Access
In this process, the vulnerability is located and you attempt to exploit it in order to enter
into the system.
Maintaining Access
It is the process where the hacker has already gained access into a system. After gaining
access, the hacker installs some backdoors in order to enter the system whenever he needs
access to this owned system in future.
Clearing Tracks
This process is actually an unethical activity. It has to do with the deletion of logs of all the
activities that take place during the hacking process.
Reporting
Reporting is the last step of finishing the ethical hacking process. Here the Ethical Hacker
compiles a report with his findings and the job that was done such as the tools used, the
success rate, vulnerabilities found, and the exploit processes.
Foot printing is a part of reconnaissance process which is used for gathering possible information
about a target computer system or network. Foot printing could be both passive and active.
Reviewing a company’s website is an example of passive foot printing, whereas attempting to gain
access to sensitive information through social engineering is an example of active information
gathering.
Foot printing is basically the first step where hacker gathers as much information as possible to find
ways to intrude into a target system or at least decide what type of attacks will be more suitable for
the target.
• Domain name
• IP Addresses
• Namespaces
• Employee information
• Phone numbers
• E-mails
• Job Information
Enumeration belongs to the first phase of Ethical Hacking, i.e., “Information Gathering”. This is a
process where the attacker establishes an active connection with the victim and tries to discover as
many attack vectors as possible, which can be used to exploit the systems further.
• Network shares
• SNMP data, if they are not secured properly
• IP tables
• Usernames of different systems
• Password policy lists
Trojans are non-replication programs; they don’t reproduce their own codes by attaching
themselves to other executable codes. They operate without the permissions or knowledge of the
computer users.
Trojans hide themselves in healthy processes. However, we should underline that Trojans infect
outside machines only with the assistance of a computer user, for example by clicking a file that comes
attached to an email from an unknown person, plugging in a USB drive without scanning it, or opening unsafe
URLs.
They create backdoors to a system. Hackers can use these backdoors to access a victim
system and its files. A hacker can use Trojans to edit and delete the files present on a victim
system, or to observe the activities of the victim.
Trojans can steal all your financial data like bank accounts, transaction details, PayPal
related information, etc. These are called Trojan-Banker.
Trojans can use the victim computer to attack other systems using Denial of Services.
Trojans can encrypt all your files and the hacker may thereafter demand money to decrypt
them. These are Ransomware Trojans.
Virus
Virus writers use social engineering deceptions and exploit detailed knowledge of security
vulnerabilities to initially infect systems and to spread the virus. The vast majority of viruses target
systems running Microsoft Windows, employing a variety of mechanisms to infect new hosts, and
often using complex anti-detection/stealth strategies to evade antivirus software.
The term "virus" is also commonly, but erroneously, used to refer to other types of malware.
"Malware" encompasses computer viruses along with many other forms of malicious software, such
as computer "worms", ransomware, trojan horses, key loggers, rootkits, spyware, adware,
malicious Browser Helper Objects (BHOs) and other malicious software. The majority of active
malware threats are actually trojan horse programs or computer worms rather than computer
viruses.
Sniffing
Sniffing is the process of monitoring and capturing all the packets passing through a given network
using sniffing tools. It is a form of “tapping phone wires” to get to know about the conversation. It
is also called wiretapping applied to computer networks.
There is a strong possibility that if a set of enterprise switch ports is left open, one of the
employees can sniff the whole traffic of the network. Anyone in the same physical location can plug
into the network using an Ethernet cable or connect wirelessly to that network and sniff the total
traffic.
In other words, Sniffing allows you to see all sorts of traffic, both protected and unprotected. In the
right conditions and with the right protocols in place, an attacking party may be able to gather
information that can be used for further attacks or to cause other issues for the network or system
owner.
• Email traffic
• FTP passwords
• Web traffic
• Telnet passwords
• Router configuration
• Chat sessions
• DNS traffic
A sniffer normally turns the NIC of the system to the promiscuous mode so that it listens to all the
data transmitted on its segment.
Promiscuous mode refers to the unique way of Ethernet hardware, in particular, network interface
cards (NICs), that allows an NIC to receive all traffic on the network, even if it is not addressed to
this NIC. By default, a NIC ignores all traffic that is not addressed to it, which is done by comparing
the destination address of the Ethernet packet with the hardware address (a.k.a. MAC) of the
device. While this makes perfect sense for networking, non-promiscuous mode makes it difficult to
use network monitoring and analysis software for diagnosing connectivity issues or traffic
accounting.
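From a defender's side, the practical question is how to tell whether a NIC on one of your own hosts has been put into promiscuous mode. The following added example (not from the study material) does two things: it parses the output of the Linux `ip -o link show` command, which lists a PROMISC flag on such interfaces, and it models the NIC's normal destination-MAC filter so the difference from promiscuous mode is explicit. The sample command output and the MAC addresses are constructed; `scan_live()` is a hypothetical helper that runs the real command on a Linux host.

```python
"""Detect promiscuous-mode interfaces from `ip -o link show` output, and model the NIC filter.

Added example; not code from the study material. SAMPLE_IP_LINK is a constructed sample in the
iproute2 one-line format, not output captured from a real host.
"""
import re
import subprocess

# Constructed sample of `ip -o link show` output (one interface per line, "\" separates the
# flags part from the link/ether part). eth0 has been switched to promiscuous mode.
SAMPLE_IP_LINK = r"""1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
"""

LINE_RE = re.compile(r"^\d+:\s+(?P<name>[^:]+):\s+<(?P<flags>[^>]*)>")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def promiscuous_interfaces(ip_link_output: str):
    """Return the names of interfaces whose flag list contains PROMISC."""
    found = []
    for line in ip_link_output.splitlines():
        m = LINE_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


def scan_live():
    """Hypothetical helper: run the real command on a Linux host and check its output."""
    out = subprocess.run(["ip", "-o", "link", "show"], capture_output=True, text=True, check=True)
    return promiscuous_interfaces(out.stdout)


def nic_accepts(dst_mac: str, own_mac: str, promiscuous: bool = False) -> bool:
    """Model the NIC's hardware filter described in the text.

    Normal mode keeps frames addressed to this NIC, broadcast frames and multicast frames
    (least-significant bit of the first octet set); promiscuous mode keeps everything.
    """
    if promiscuous:
        return True
    dst = dst_mac.lower()
    if dst == own_mac.lower() or dst == BROADCAST:
        return True
    return bool(int(dst.split(":")[0], 16) & 1)


if __name__ == "__main__":
    print("promiscuous interfaces in sample:", promiscuous_interfaces(SAMPLE_IP_LINK))
    for dst in ("52:54:00:aa:bb:02", "52:54:00:aa:bb:09", BROADCAST, "01:00:5e:00:00:fb"):
        print(dst, "normal:", nic_accepts(dst, "52:54:00:aa:bb:02"),
              "promiscuous:", nic_accepts(dst, "52:54:00:aa:bb:02", promiscuous=True))
```

A scheduled run of `scan_live()` that compares against a known list of legitimate monitoring interfaces is a cheap host-level control; it does not catch sniffers on other machines of the segment, which is the reason the text recommends switches over hubs.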
Types of Sniffing
Sniffing can be either Active or Passive in nature.
Passive Sniffing
In passive sniffing, the traffic is captured but it is not altered in any way. Passive sniffing allows
listening only. It works with Hub devices.
Active Sniffing
In active sniffing, the traffic is not only captured and monitored, but it may also be altered in
some way as determined by the attack. Active sniffing is used to sniff a switch-based
network.
A server by definition is a dedicated computing system running services to users and other
computers on a network. Examples of service range from public services such as online gaming to
sharing sensitive files inside a large organization. In the context of client-server architecture, a
server is a computer program running to serve the requests of other programs, known as the
"clients". Thus, the server performs some computational task on behalf of "clients". The clients
either run on the same computer, or connect through the network. For example, a server would host
a game to the world while clients would access the game remotely. There are various forms of
providing services to clients such as an Apache Web Server limited to HTTP or a BEA WebLogic
Application Server that does HTTP plus more.
Web applications have been created to perform practically every useful function you could possibly
implement online. Here are some web application functions that have risen to prominence in recent
years:
• Shopping (Amazon)
• Social networking (Facebook)
• Banking (Citibank)
• Web search (Google)
• Auctions (eBay)
• Gambling (Betfair)
• Web logs (Blogger)
• Web mail (Gmail)
• Interactive information (Wikipedia)
In addition to the public Internet, web applications have been widely adopted inside organizations to
support key business functions. Many of these provide access to highly sensitive data and
functionality like HR functions in an organization.
SQL injection is the placing of SQL commands in a URL string or in data structures in order
to retrieve a response that the attacker wants from the databases connected to the web
application. This type of attack generally takes place on webpages developed using PHP or
ASP.NET.
This type of attack works when the application doesn’t validate its inputs properly before passing
them to an SQL statement. Injections are normally placed in address bars, search fields, or data
fields.
The easiest way to detect whether a web application is vulnerable to an SQL injection attack is to use the "
‘ " character in a string and see if you get any error.
SQLMAP is one of the best tools available to detect SQL injections. It can be downloaded
from http://sqlmap.org/
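Worked example, added here and not part of the original material or of sqlmap: the same login check is written twice against a small SQLite table constructed for the example, once with the user's input spliced into the SQL string and once with a parameterized query. The single-quote probe from above and the classic ' OR '1'='1 payload are run against both; table contents, user names and passwords are assumptions of the example.

```python
import sqlite3


def build_db():
    """Constructed sample data for the example (not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Input is concatenated straight into the statement: the user writes SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Placeholders keep data and code apart: the driver never parses the input as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (username, password))]


def probe_with_quote(conn):
    """The single-quote test from the text: a database error is the tell-tale sign.
    Returns the error text raised by the vulnerable query, or None if no error surfaced."""
    try:
        login_vulnerable(conn, "'", "x")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"       # closes the password literal, then appends an always-true clause
    print("probe error   :", probe_with_quote(db))
    print("vulnerable    :", login_vulnerable(db, "anything", payload))      # every user
    print("parameterized :", login_parameterized(db, "anything", payload))   # nobody
```

With the payload the vulnerable statement becomes WHERE username = 'anything' AND password = '' OR '1'='1', which is true for every row because AND binds tighter than OR; the parameterized version compares the whole payload as a literal password and matches nothing.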
IDS (Intrusion Detection System) systems only detect an intrusion, log the attack and send an alert to
the administrator. IDS systems do not slow networks down like an IPS can, as they are not inline: they
inspect a copy of the traffic taken from a span port or tap. IDS systems, if not fine-tuned, will
produce false positives just as an IPS will. An IDS can be used initially to see how the system
behaves without actually blocking anything.
IPS (Intrusion Prevention System) systems are deployed inline and actually take action by blocking
the attack, as well as logging the attack and adding the source IP address to a block list for a
limited amount of time, or even permanently blocking the address, depending on the defined
settings. Attackers perform large numbers of port scans and address scans, intending to find
weaknesses within organizations. An IPS would recognize these types of scans and take actions such
as block, drop, quarantine and log traffic. This is only the basic functionality of an IPS; IPS systems
have many more advanced capabilities in sensing and stopping such attacks. Because an IPS is inline, a
false positive does not merely raise an alert but cuts off legitimate traffic, which is why new rules
are normally run in detect-only mode before they are allowed to block.
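A small worked example of the scan detection an IDS or IPS performs, added here and not taken from any product: it reads firewall-style log lines constructed for the example (the format, addresses, threshold and window are all assumptions), flags any source that touches ten or more distinct ports on one host within five seconds, and derives the kind of time-limited block list an inline IPS would act on.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. Format (assumed for the example):
# "<ISO timestamp> <src ip> <dst ip> <dst port> <action>".
# 10.0.0.5 sweeps twelve ports in about three seconds; 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
2024-01-15T10:00:00 10.0.0.5 192.168.1.10 21 DENY
2024-01-15T10:00:00 10.0.0.5 192.168.1.10 22 ALLOW
2024-01-15T10:00:00 10.0.0.5 192.168.1.10 23 DENY
2024-01-15T10:00:01 10.0.0.5 192.168.1.10 25 DENY
2024-01-15T10:00:01 10.0.0.5 192.168.1.10 53 DENY
2024-01-15T10:00:01 10.0.0.5 192.168.1.10 80 ALLOW
2024-01-15T10:00:02 10.0.0.5 192.168.1.10 110 DENY
2024-01-15T10:00:02 10.0.0.5 192.168.1.10 135 DENY
2024-01-15T10:00:02 10.0.0.5 192.168.1.10 139 DENY
2024-01-15T10:00:03 10.0.0.5 192.168.1.10 443 ALLOW
2024-01-15T10:00:03 10.0.0.5 192.168.1.10 445 DENY
2024-01-15T10:00:03 10.0.0.5 192.168.1.10 3389 DENY
2024-01-15T10:00:05 10.0.0.7 192.168.1.10 443 ALLOW
2024-01-15T10:01:30 10.0.0.7 192.168.1.10 80 ALLOW
2024-01-15T10:02:00 10.0.0.7 192.168.1.10 22 ALLOW
"""


def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_port_scans(lines, threshold=10, window=timedelta(seconds=5)):
    """IDS logic: return {(src, dst): time of first alert} for each source that
    touches at least `threshold` distinct ports on one host inside a sliding `window`.
    Both parameters are tuning knobs; a threshold set too low is exactly where the
    false positives mentioned in the text come from."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    recent = defaultdict(deque)      # (src, dst) -> (timestamp, port) pairs inside the window
    alerts = {}
    for ts, src, dst, port, _action in events:
        key = (src, dst)
        q = recent[key]
        q.append((ts, port))
        while ts - q[0][0] > window:  # expire events that fell out of the window
            q.popleft()
        if key not in alerts and len({p for _, p in q}) >= threshold:
            alerts[key] = ts
    return alerts


def ips_blocklist(alerts, block_for=timedelta(minutes=10)):
    """IPS reaction: block each offending source address until the returned time."""
    return {src: first_seen + block_for for (src, _dst), first_seen in alerts.items()}


if __name__ == "__main__":
    found = detect_port_scans(SAMPLE_LOG.splitlines())
    for (src, dst), when in found.items():
        print(f"ALERT port scan from {src} against {dst} at {when.isoformat()}")
    for src, until in ips_blocklist(found).items():
        print(f"BLOCK {src} until {until.isoformat()}")
```

On the sample log the scanner is flagged at the tenth distinct port (10:00:03) and blocked for ten minutes, while 10.0.0.7, which touches only three ports over two minutes, is never reported. Raising the threshold above the scanner's port count silences the alert, which is the trade-off the text describes between missed scans and false positives.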
Firewall
A firewall is a device or program that inspects the network traffic passing between your system and
other networks and allows or blocks each connection according to a set of rules. Put simply, it
regulates the connections between your system and the Internet. It does not, by itself, scan files for
viruses; that is the job of anti-malware software, although many products combine the two.
Firewalls are of two types: hardware and software. A hardware firewall is a piece of hardware that
sits between your modem and the system. Often these are wired or wireless routers or broadband
gateways. A software firewall is a piece of software installed on the system to protect your computer
from unauthorized access or entry.
A firewall blocks access to open ports through which an intruder could gain access to your system
and the valuable data you have stored in it.
As all information passes through the firewall, you can log and know what is happening in the
network.
It allows you to create rules or set privileges for the type of traffic that can pass through
the firewall in both directions. Rules are evaluated in order and the first match decides, so the
safe practice is a final rule that denies everything not explicitly allowed.
It blocks connections from known-malicious hosts and, with outbound rules, stops malware already on
the system from calling home; it is not a substitute for anti-virus software.
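A worked example of the rule evaluation described above, added here and not drawn from any firewall product: rules are matched top to bottom, the first match decides, and anything unmatched falls through to a deny. The rule set, addresses and packets are constructed for the illustration. The shadowing check goes slightly beyond the text by finding rules that an earlier, broader rule makes unreachable, which is the usual reason a deny "does not work".

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    direction: str     # "in" or "out"
    proto: str         # "tcp", "udp" or "any"
    src: str           # source network in CIDR notation
    dst: str           # destination network in CIDR notation
    ports: tuple       # inclusive destination port range; (0, 65535) means any port

    def matches(self, pkt):
        return (self.direction == pkt["direction"]
                and self.proto in ("any", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.ports[0] <= pkt["dport"] <= self.ports[1])

    def covers(self, other):
        """True if every packet that `other` would match, this rule also matches."""
        return (self.direction == other.direction
                and self.proto in ("any", other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1])


def evaluate(rules, pkt, default="deny"):
    """First matching rule wins; an unmatched packet gets the default (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules))
            if any(rules[i].covers(rules[j]) for i in range(j))]


def fixed_rules(rules):
    """Move shadowed (more specific) rules ahead of the rules that hide them."""
    shadowed = shadowed_rules(rules)
    return [rules[j] for j in shadowed] + [r for j, r in enumerate(rules) if j not in shadowed]


# Constructed rule set: the deny for 10.0.0.5 was appended last and is hidden by rule 1.
RULES = [
    Rule("allow", "in", "tcp", "0.0.0.0/0", "192.168.1.10/32", (443, 443)),
    Rule("allow", "in", "tcp", "10.0.0.0/8", "192.168.1.10/32", (22, 22)),
    Rule("deny", "in", "tcp", "10.0.0.5/32", "192.168.1.10/32", (22, 22)),
    Rule("allow", "out", "any", "192.168.1.0/24", "0.0.0.0/0", (0, 65535)),
]

# Constructed packets.
SSH_FROM_SUSPECT = {"direction": "in", "proto": "tcp", "src": "10.0.0.5",
                    "dst": "192.168.1.10", "dport": 22}
DNS_FROM_OUTSIDE = {"direction": "in", "proto": "udp", "src": "203.0.113.9",
                    "dst": "192.168.1.10", "dport": 53}

if __name__ == "__main__":
    print("as written :", evaluate(RULES, SSH_FROM_SUSPECT))          # allow (deny is shadowed)
    print("shadowed   :", shadowed_rules(RULES))                       # [2]
    print("reordered  :", evaluate(fixed_rules(RULES), SSH_FROM_SUSPECT))  # deny
    print("unmatched  :", evaluate(RULES, DNS_FROM_OUTSIDE))            # deny by default
```

The inbound DNS packet matches no rule and is dropped by the default, which is the "deny everything not explicitly allowed" posture; the SSH packet from 10.0.0.5 shows why rule order matters more than rule content.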
Honey Pots
A honeypot is a system that's put on a network so it can be probed and attacked. Because the
honeypot has no production value, there is no "legitimate" use for it. This means that any interaction
with the honeypot, such as a probe or a scan, is by definition suspicious.
Research: Most attention to date has focused on research honeypots, which are used to
gather information about the actions of intruders.
Production: Less attention has been paid to production honeypots, which are actually used to
protect organizations. Production honeypots are being recognized for the detection
capabilities they can provide and for the ways they can supplement both network- and
host-based intrusion protection.
Honeypots can also be described as being either low interaction or high interaction, a distinction
based on the level of activity that the honeypot allows an attacker. A low-interaction system offers
limited activity; in most cases, it works by emulating services and operating systems. The main
advantages of low-interaction honeypots are that they are relatively easy to deploy and maintain
and they involve minimal risk because an attacker never has access to a real operating system to
harm others.
In contrast, high-interaction honeypots involve real operating systems and applications, and nothing
is emulated. By giving attackers real systems to interact with, organizations can learn a great deal
about an attacker's behaviour. High-interaction honeypots make no assumptions about how an
attacker will behave, and they provide an environment that tracks all activity.
Penetration Testing goes beyond a normal testing by evaluating identified vulnerabilities to verify if
the vulnerability is real or a false positive. A Penetration Test would attempt to attack those
vulnerabilities in the same manner as a malicious hacker to verify which vulnerabilities are genuine
reducing the real list of system vulnerabilities to a handful of security weaknesses. The most
effective Penetration Tests are the ones that target a very specific system with a very specific goal.
Quality over quantity is the true test of a successful Penetration Test.
Some fundamentals for developing a scope of work for a Penetration Test are as follows:
Definition of Target System(s): This specifies what systems should be tested. This includes
the location on the network, types of systems, and business use of those systems.
Timeframe of Work Performed: When the testing should start and what is the timeframe
provided to meet specified goals. Best practice is NOT to limit the time scope to business
hours.
Tools and software: What tools and software are used during the Penetration Test? This is
important and a little controversial.
Notified Parties: Who is aware of the Penetration Test? This is very important when looking
at web applications that may be hosted by another party, such as a cloud service provider,
that could be impacted by your testing and whose authorization may be required.
Identification of Critical Operation Areas: Define systems that should not be touched to
avoid a negative impact from the Penetration Testing services.
Vulnerability Assessment: This is the process in which network devices, operating systems and
application software are scanned in order to identify the presence of known vulnerabilities. A
vulnerability is a gap, error, or weakness in how a system is designed, used, and protected. When
a vulnerability is exploited, it can result in unauthorized access, escalation of privileges,
denial-of-service to the asset, or other outcomes. Vulnerability Assessments typically stop once a
vulnerability is found, meaning that the tester doesn't execute an attack against the vulnerability
to verify that it's genuine. A Vulnerability Assessment deliverable provides the potential risk
associated with all the vulnerabilities found, with possible remediation steps.
Vulnerability scans are only useful if they calculate risk. The downside of many security audits is
vulnerability scan results that make security audits thicker without providing any real value. Many
vulnerability scanners have false positives or identify vulnerabilities that are not really there.
Assigning risk to vulnerabilities gives a true definition and sense of how vulnerable a system is.
Chapter 5: Cryptography
Introduction to Cryptography
When Julius Caesar sent messages to his generals, he didn't trust his messengers. So he replaced
every A in his messages with a D, every B with an E, and so on through the alphabet. Only someone
who knew the "shift by 3" rule could decipher his messages.
Data that can be read and understood without any special measures is called plaintext or cleartext.
The method of disguising plaintext in such a way as to hide its substance is called encryption.
Encrypting plaintext results in unreadable gibberish called ciphertext. You use encryption to ensure
that information is hidden from anyone for whom it is not intended, even those who can see the
encrypted data. The process of reverting ciphertext to its original plaintext is called decryption.
Figure 1-1 illustrates this process.
What is cryptography?
Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography
enables you to store sensitive information or transmit it across insecure networks (like the Internet)
so that it cannot be read by anyone except the intended recipient.
While cryptography is the science of securing data, cryptanalysis is the science of analyzing and
breaking secure communication. Classical cryptanalysis involves an interesting combination of
analytical reasoning, application of mathematical tools, pattern finding, patience, determination,
and luck. Cryptanalysts are also called attackers.
Strong cryptography
There are two kinds of cryptography in this world: cryptography that will stop your kid sister from
reading your files, and cryptography that will stop major governments from reading your files. This
book is about the latter.
OpenPGP is also about the latter sort of cryptography. Cryptography can be strong or weak, as
explained above. Cryptographic strength is measured in the time and resources it would require to
recover the plaintext. The result of strong cryptography is ciphertext that is very difficult to decipher
without possession of the appropriate decoding tool. How difficult? Given all of today's computing
power and available time — even a billion computers doing a billion checks a second — it is not
possible to decipher the result of strong cryptography before the end of the universe.
One would think, then, that strong cryptography would hold up rather well against even an
extremely determined cryptanalyst. Who's really to say? No one has proven that the strongest
encryption obtainable today will hold up under tomorrow's computing power. However, the strong
cryptography employed by OpenPGP is the best available today. Vigilance and conservatism will
protect you better, however, than claims of impenetrability.
A cryptographic algorithm, plus all possible keys and all the protocols that make it work comprise a
cryptosystem. OpenPGP is a cryptosystem.
Conventional cryptography
In conventional cryptography, also called secret-key or symmetric-key encryption, one key is used
both for encryption and decryption. The Data Encryption Standard (DES) is an example of a
conventional cryptosystem; for decades it was the standard mandated by the US Federal Government,
though it has since been withdrawn in favour of AES (see below). Figure 1-2 is an illustration of
the conventional encryption process.
Caesar's Cipher
For example, if we encode the word "SECRET" using Caesar's key value of 3, we offset the alphabet
so that the 3rd letter down (D) begins the alphabet.
So starting with
ABCDEFGHIJKLMNOPQRSTUVWXYZ
DEFGHIJKLMNOPQRSTUVWXYZABC
Using this scheme, the plaintext, "SECRET" encrypts as "VHFUHW." To allow someone else to read
the ciphertext, you tell them that the key is 3.
Obviously, this is exceedingly weak cryptography by today's standards, but hey, it worked for Caesar,
and it illustrates how conventional cryptography works.
Symmetric key encryption is a type of encryption that makes use of a single key for both the
encryption and decryption process. Some of the encryption algorithms that use symmetric keys
include: AES (Advanced Encryption Standard), Blowfish, DES (Data Encryption Standard), Triple DES,
Serpent, and Twofish.
If you want to apply symmetric key encryption to a file transfer environment, both the sender and
receiver should have a copy of the same key. The sender will use his copy of the key for encrypting
the file, while the receiver will use his copy for decrypting it.
So if you manage a secure file transfer server that only supports symmetric encryption and one of
your users wants to encrypt a file first before uploading it, one of you (either the user or you, the
server admin) should first generate a key and then send the other person a copy of that key.
Asymmetric key encryption, on the other hand, makes use of two keys: a private key and a public
key. The public key is used for encrypting, while the private key is used for decrypting. Two of the
most widely used asymmetric key algorithms are RSA, which can both encrypt and sign, and DSA, which
is a signature-only algorithm.
If you're going to use asymmetric key encryption in a file transfer environment, the sender would
need to hold the public key, while the receiver would need to hold the corresponding private key.
So, going back to the scenario given in the previous section, if you manage a file transfer server and
one of your users wants to encrypt a file first before uploading it, it would typically be your duty to
generate the key pair. You should then send the public key to your user and leave the private key on
the server.
Which is stronger?
Actually, it's difficult to compare the cryptographic strengths of symmetric and asymmetric key
encryptions. Even though asymmetric key lengths are generally much longer (e.g. 1024 and 2048)
than symmetric key lengths (e.g. 128 and 256), it doesn't, for example, necessarily follow that a file
encrypted with a 2048-bit RSA key (an asymmetric key) is already tougher to crack than a file
encrypted with a 256-bit AES key (a symmetric key).
Instead, it would be more appropriate to compare asymmetric and symmetric encryptions on the
basis of two properties:
Symmetric key encryption doesn't require as many CPU cycles as asymmetric key encryption, so you
can say it's generally faster. Thus, when it comes to speed, symmetric trumps asymmetric. However,
symmetric keys have a major disadvantage especially if you're going to use them for securing file
transfers.
Because the same key has to be used for encryption and decryption, you will need to find a way to
get the key to your recipient if he doesn't have it yet. Otherwise, your recipient won't be able to
decrypt the files you send him. However way you do it, it has to be done in a secure manner or else
anyone who gets a hold of that key can simply intercept your encrypted file and decrypt it with the
key.
The issue of key distribution becomes even more pronounced in a file transfer environment, which
can involve a large number of users and likely distributed over a vast geographical area. Some users,
most of whom you may never have met, might even be located halfway around the world.
Distributing a symmetric key in a secure manner to each of these users would be nearly impossible.
Asymmetric key encryption doesn't have this problem. For as long as you keep your private key
secret, no one would be able to decrypt your encrypted file. So you can easily distribute the
corresponding public key without worrying about who gets a hold of it (well, actually, there are
spoofing attacks on public keys but that's for another story). Anyone who holds a copy of that public
key can encrypt a file prior to uploading to your server. Then once the file gets uploaded, you can
decrypt it with your private key.
DES is a symmetric block cipher (shared secret key) with a 64-bit block and a key length of 56 bits.
Published as the Federal Information Processing Standards (FIPS) 46 standard in 1977, DES was
officially withdrawn in 2005. NIST at first kept Triple DES (3DES) approved for sensitive government
information through 2030, but later deprecated it and disallowed it for encryption after 2023.
The federal government originally developed DES encryption in the 1970s to provide cryptographic
security for all government communications. The idea was to ensure government systems all used the
same, secure standard to facilitate interconnectivity.
To show that the DES was inadequate and should not be used in important systems anymore, a
series of challenges were sponsored to see how long it would take to decrypt a message. Two
organizations played key roles in breaking DES: distributed.net and the Electronic Frontier
Foundation (EFF).
The DES I contest (1997) took 84 days to use a brute force attack to break the encrypted
message.
In 1998, there were two DES II challenges issued. The first challenge took just over a month
and the decrypted text was "The unknown message is: Many hands make light work". The
second challenge took less than three days, with the plaintext message "It's time for those
128-, 192-, and 256-bit keys".
The final DES III challenge in early 1999 only took 22 hours and 15 minutes. The Electronic
Frontier Foundation's Deep Crack computer (built for less than $250,000) and distributed.net's
computing network found the 56-bit DES key, deciphered the message, and they (EFF and
distributed.net) won the contest. The decrypted message read "See you in Rome (Second AES
Candidate Conference, March 22-23, 1999)", and was found after checking about 30 percent of the
key space, finally proving that DES belonged to the past.
Triple DES (3DES), a way of using DES encryption three times, raises the effective key strength to
112 bits, which puts brute force out of reach, but it is three times slower than DES and keeps the
64-bit block size, which exposes long sessions to birthday attacks on the block (the Sweet32
attack); it too has now been retired.
AES was published as the FIPS 197 standard in 2001. It is a more mathematically efficient and
elegant cryptographic algorithm, but its main strength rests in the option of various key lengths.
AES allows you to choose a 128-bit, 192-bit or 256-bit key, making it exponentially stronger than the
56-bit key of DES; it also uses a 128-bit block, twice that of DES. In terms of structure, DES uses a
Feistel network, which divides the block into two halves before going through the encryption steps.
AES, on the other hand, is a substitution-permutation network, which applies a series of substitution
and permutation steps to create the encrypted block. The original DES designers made a great
contribution to data security, but one could say that the aggregate effort of cryptographers for the
AES algorithm has been far greater.
One of the original requirements by the National Institute of Standards and Technology (NIST) for
the replacement algorithm was that it had to be efficient both in software and hardware
implementations (DES was originally practical only in hardware implementations). Java and C
reference implementations were used to do performance analysis of the algorithms. AES was chosen
through an open competition with 15 candidates from as many research teams around the world,
and the total amount of resources allocated to that process was tremendous. Finally, in October
2000, a NIST press release announced the selection of Rijndael as the proposed Advanced Encryption
Standard (AES).
(Comparison table: DES versus AES)
Hash functions
The system described above has some problems. It is slow, and it produces an enormous volume of
data, at least double the size of the original information. An improvement on the above scheme is
the addition of a one-way hash function in the process. A one-way hash function takes variable-length
input, in this case a message of any length, even thousands or millions of bits, and produces a
fixed-length output, say 160 bits. The hash function ensures that, if the information is changed in
any way, even by just one bit, an entirely different output value is produced.
OpenPGP uses a cryptographically strong hash function on the plaintext the user is signing. This
generates a fixed-length data item known as a message digest. (Again, any change to the
information results in a totally different digest.)
Then OpenPGP uses the digest and the private key to create the "signature." OpenPGP transmits the
signature and the plaintext together. Upon receipt of the message, the recipient uses OpenPGP to
recompute the digest, thus verifying the signature. OpenPGP can encrypt the plaintext or not;
signing plaintext is useful if some of the recipients are not interested in or capable of verifying the
signature.
As long as a secure hash function is used, there is no way to take someone's signature from one
document and attach it to another, or to alter a signed message in any way. The slightest change in a
signed document will cause the digital signature verification process to fail.
Digital signatures play a major role in authenticating and validating other OpenPGP users' keys.
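Worked example, added here and not part of the OpenPGP material quoted above: it measures the "change one bit, get an entirely different digest" property on a constructed message, then shows the keyed form of a digest (HMAC) that protocols such as TLS use for integrity, including the constant-time comparison a verifier should use. The message and key are made up for the example; the functions are Python's standard hashlib and hmac.

```python
import hashlib
import hmac
import secrets


def digest_bits_changed(msg_a: bytes, msg_b: bytes, algo="sha256") -> int:
    """Number of differing bits between the two digests (out of 256 for SHA-256)."""
    da = int.from_bytes(hashlib.new(algo, msg_a).digest(), "big")
    db = int.from_bytes(hashlib.new(algo, msg_b).digest(), "big")
    return bin(da ^ db).count("1")


def flip_one_bit(msg: bytes, bit_index: int) -> bytes:
    """Return msg with exactly one bit flipped, to exercise the avalanche property."""
    data = bytearray(msg)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message: a digest only holders of `key` can produce."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """compare_digest runs in constant time, so timing does not leak how many bytes matched."""
    return hmac.compare_digest(make_tag(key, message), tag)


if __name__ == "__main__":
    original = b"Transfer 100 EUR to account 12345"   # constructed sample message
    tampered = flip_one_bit(original, 0)              # "Transfer" becomes "Uransfer"
    print(digest_bits_changed(original, tampered), "of 256 digest bits changed")

    key = secrets.token_bytes(32)                     # fresh random key for the session
    tag = make_tag(key, original)
    print("genuine verifies :", verify_tag(key, original, tag))
    print("tampered verifies:", verify_tag(key, tampered, tag))
```

A plain digest protects against accidental change but not against an attacker, who can simply recompute it over his altered message; the key in the HMAC is what turns the digest into an integrity check, and a digital signature plays the same role with a private key that the verifier does not hold.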
RSA
RSA is short for the surnames of its designers Ron Rivest, Adi Shamir and Leonard Adleman.
It is not used to encrypt bulk data directly, because it is slow and because a single RSA
operation can only handle a message smaller than the modulus.
o Usually RSA is used to share a secret key, and then a symmetric key algorithm is used
for the actual encryption (hybrid encryption).
o RSA can be used for digital signing; DSA signs faster, but RSA signatures are faster to
verify. To sign data, a hash is made of it and the (padded) hash is transformed with the
private key. (Note: RSA signing operates on a hash rather than on the data itself, and a
padding scheme must be applied to the hash.)
o RSA does not require the use of any particular hash function.
Public and private keys are derived from two large prime numbers, which must be kept secret.
RSA's security is based on the fact that factorization of large integers is difficult. (The public
and private keys are large integers which are derived from the two large prime numbers.)
PKCS#1 is a standard for implementing the RSA algorithm. The RSA algorithm can be attacked if
certain conditions are met (for example, if it is used without padding), so PKCS#1 defines the
padding and encoding rules under which those conditions do not arise.
RSA was originally patented; the patent expired in 2000.
SSH v1 only uses RSA keys (for identity verification).
RC4
Rivest Cipher 4, or Ron's Code 4, also known as ARC4 or ARCFOUR (Alleged RC4).
It used to be an unpatented trade secret of RSA Data Security Inc (RSADSI). Then someone
posted the source code online, anonymously, and it got into the public domain.
It is very fast, but less studied than other algorithms.
RC4 must never be used with a reused key, since a stream cipher then leaks the XOR of the two
plaintexts; but even with a fresh key for every message its keystream has statistical biases
(strongest in the first bytes) that let an attacker recover plaintext given enough ciphertexts.
In practice RC4 is not recommended. RFC 7465 prohibits RC4 cipher suites in every version of TLS,
and TLS 1.3 does not include it at all. CloudFlare recommends against it. Microsoft recommends
against it. Current recommendations overall are to use TLS 1.2 or later with AES-GCM.
RC4 is a stream cipher, and was for a long time the most widely used stream cipher.
Attacks on the CBC mode of block ciphers in TLS (e.g. BEAST, Lucky13) led to a temporary rise in
the importance of RC4 as a workaround. Those attacks are now mitigated (use an AEAD mode such as
GCM, for instance) and RC4 is strongly recommended against.
RC5
In 1994, Ronald Rivest designed RC5 for RSA Security. RC5 is parameterized: the word size w can be
16, 32 or 64 bits (giving a block size of 2w, that is 32, 64 or 128 bits), the number of rounds r
ranges from 0 to 255, and the key length b ranges from 0 to 255 bytes (0 to 2040 bits). A particular
choice is written RC5-w/r/b; RC5-32/12/16 (64-bit block, 12 rounds, 128-bit key) was the nominal
choice. Users can choose between rounds, block sizes and keys, and RC5 is known for its technical
flexibility and the security it provides.
RC6
MD5
SHA 0
SHA-1
SHA-2
SHA-3
A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage,
distribute, use, store, and revoke digital certificates and manage public-key encryption. The purpose
of a PKI is to facilitate the secure electronic transfer of information for a range of network activities
such as e-commerce, internet banking and confidential email. It is required for activities where
simple passwords are an inadequate authentication method and more rigorous proof is required to
confirm the identity of the parties involved in the communication and to validate the information
being transferred.
In cryptography, a PKI is an arrangement that binds public keys with respective identities of entities
(like people and organizations). The binding is established through a process of registration and
issuance of certificates at and by a certificate authority (CA). Depending on the assurance level of the
binding, this may be carried out by an automated process or under human supervision.
The PKI role that assures valid and correct registration is called a registration authority (RA). An RA is
responsible for accepting requests for digital certificates and authenticating the entity making the
request. In a Microsoft PKI, a registration authority is usually called a subordinate CA.
An entity must be uniquely identifiable within each CA domain on the basis of information about
that entity. A third-party validation authority (VA) can provide this entity information on behalf of
the CA.
Digital Signature
Digital signatures allow us to verify the author, date and time of a signature and to authenticate
the message contents. They also provide non-repudiation, described below, which a shared-key
authentication code cannot.
A digital signature must be tied not only to the signing user but also to the message.
Applications
Authentication
Digital signatures help to authenticate the source of a message. For example, suppose a bank's branch
office sends a message to the central office requesting a change in the balance of an account. If the
central office cannot authenticate that the message was sent from an authorized source, acting on
such a request could be a grave mistake.
Integrity
Once the message is signed, any change in the message would invalidate the signature.
Non-repudiation
By this property, any entity that has signed some information cannot at a later time deny having
signed it.
Introduction to SSL/TLS
SSL (Secure Socket Layer) is an old protocol deprecated in favor of TLS (Transport Layer Security).
TLS is a protocol for secure transmission of data heavily based on SSLv3. It offers confidentiality,
integrity and authentication. In layman’s terms that means that it:
TLS is the primary way to secure web traffic, and is mostly used for that purpose. A whole lot of
pages trust that TLS is secure (from the smallest online shop to Facebook), that is why things like
POODLE and Heartbleed receive so much press.
At this point I want to make something abundantly clear, SSL IS BROKEN, ALL THREE VERSIONS. The
latest one, version 3, had its confidentiality severely compromised by POODLE. DO NOT USE SSL.
First I’ll briefly explain how TLS offers confidentiality and integrity. We will leave authentication at
the end as that will be the bulk of the tutorial.
I will be using a lot of crypto jargon here so do not fret if any of this seems too alien to you, generally
you won’t be fiddling with this directly as TLS negotiates much of this for you.
However, I do recommend getting familiar with the basics of public key encryption. Not the inner
workings mind you, just how they are used in practice to encrypt/authenticate.
AES
Cryptographic hashes
SHA-2
HMAC
Key exchange
Diffie-Hellman
For confidentiality, TLS uses either Diffie-Hellman (including the elliptic-curve form, ECDHE) or
RSA for the key exchange. Since the Heartbleed debacle it is recommended to use a key exchange
mechanism with forward secrecy, which means ephemeral Diffie-Hellman: a leaked server key then does
not expose past sessions. TLS 1.3 removed RSA key exchange altogether for this reason. The actual
encryption is normally done using AES, with several modes available (CBC, CCM, GCM).
For integrity, HMAC is used in the older CBC cipher suites, where SHA-256 is now pretty much
mandatory; the AEAD modes (GCM, CCM) provide integrity as part of the encryption itself.
Authentication is the part that you will most likely have to fiddle with the most and the one that
actually costs you money, it is also essential for the security of your communications: You. Cannot.
Have. Secure. Communications. Without. Authentication.
How is that you might ask? Well the thing about confidentiality and integrity is that they are
worthless without authentication. If there is no way to ensure that the guy that says "I am gmail.com
I swear" is in fact gmail.com and not evil8yoldhacker.com, then you could potentially encrypt and
validate a spurious connection.
So without authentication you would be open to, for example, MitM (Man in the Middle) attacks.
But how can you authenticate a server if you have never seen it before, and let alone exchanged any
credentials with it?
The answer is TLS certificates. Certificates are just a public key with a bunch of information attached
to it, such as the FQDN being authenticated, a contact email, the “issued on” and “expires on" dates,
among other things. The server stores and keeps secret the corresponding private key. TLS uses
these keys to authenticate the server to the client.
Recall that in public key cryptography, messages encrypted with the public key can only be
decrypted using the private key, and a value transformed with the private key can be recovered
only with the public key; that second direction is what digital signatures use. The owner of the
keys keeps the private key secret, and distributes the public key freely.
Now, the usual way to authenticating someone using public key cryptography is the following
(Assume that Bob wants to authenticate Alice):
1. Bob sends Alice a random message encrypted with Alice’s public key
2. Alice decrypts the message using her private key and sends it back to Bob
3. Bob compares the message from Alice against the one that it sends. If they match Alice is
who she says she is, because only her could have decrypted the message, because only she
has her private key
Now, even with this trick validation of a certificate is not straightforward, so for didactic purposes
we’ll begin with an oversimplified, naive and flawed solution.
Solution #1:
1. A hash of the certificate is made, encrypted with the private key, and then appended to the
certificate to create a new certificate
2. The server sends this new certificate to the clients that connect to it
3. To verify the certificate, the client decrypts the hash using the public key of the certificate,
then calculates its own hash and compares them, if they are equal the certificate is valid
4. It then sends a random message to the server encrypted with the provided public key, if the
server sends the original unencrypted message back, then is considered authenticated
This only proves that the provided public key corresponds to the private key used to encrypt the hash.
The encrypted hash created appended to the certificate is called a digital signature. In this example,
the server has digitally signed its own certificate, this is called a self-signed certificate.
Now, this scheme does not authenticate at all if you think about it. If an attacker manages to
intercept the communications or divert the traffic, it can replace the public key on the certificate
with his own, redo the digital signature with his own private key, and feed that to the client.
The problem lies in the fact that all the information necessary for verification is provided by the
server, so the only thing you can be sure of is that the party that you’re talking to has the private key
corresponding to the public key that it itself provided.
This is why, when you connect to an entity with a self-signed certificate, the browser will give a
warning: it cannot ensure that whoever you are communicating with is who they say they are.
However, these kind of certificates are really useful in some scenarios. They can be created free of
charge, quickly, and with little hassle. Thus they are good for some internal communications and
prototyping.
Solution #2:
So that did not work out. How can we solve it? Well, since the problem is that the server provides all
the information for authenticating the certificate, why don’t we just move some of that information
to the client?
Let us drive over to the client after lunch with a copy of the certificate on a USB drive, and store it
directly on the client. Later, when the server sends its certificate:
1. The client generates its own hash of the certificate and decrypts the provided hash with the
public key of the copy of the certificate that was provided earlier in the USB drive, this way it
ensures that: 1. the certificate has not changed, 2. whoever signed it has the correct private
key.
2. It then sends a random message to the server encrypted with the public key in the copy of
the certificate that was stored earlier, if the server sends back the original unencrypted
message we consider it authenticated
If someone intercepts or diverts the connection, they have no hope of passing our random number
challenge and providing a valid certificate, without the private key that is computationally infeasible.
The "driving over to the client after lunch with a USB drive" is called an out-of-band process.
Now this solution actually authenticates, and is sometimes used for internal communications.
However, it is not very practical for several use cases. It would be cumbersome to have to download
a certificate every time you need to access a new secure website like a bank or e-shop, or worse,
waiting for someone to drive over to your house after lunch with a USB drive.
Moreover, you have to ensure that the certificate is not tampered with on the way, which is one of
the problems TLS should be solving for us in the first place. There is also the problem of what to do
when the certificate expires, or how to revoke it if the private key becomes compromised.
Solution #3:
Well, we got something working, but it is not quite ready for use on the landing page of your online
store yet. How can we solve it? Well, here is where money comes in.
Meet Bob. He is a well-known member of the community, a trustworthy and responsible fellow, loyal to a
fault, and he comes up with a business: he will create a self-signed certificate and give it freely
to everybody using an out-of-band process (let's say, during a neighborhood-wide free-of-charge
barbecue), and he will then charge you a fee to digitally sign your certificate using his private key.
See, up until this point every certificate was self-signed; this time it is Bob that will sign it, so
now we're in a situation where:
Therefore, anyone that has his certificate signed with Bob’s private key can have it authenticated by
anyone that has Bob’s certificate (because Bob’s certificate has his public key).
Bob will make sure nobody impersonates anyone. If he receives an email from you saying that you
want a certain certificate signed for your company, Bob will go to your house personally and ensure
that it is your certificate, that it is your company, and that you did send out that email... you can
never be too careful with all these 8-year-old evil hackers.
When Bob's certificate is about to expire, he will make sure he gives you a new one.
If anyone wants to revoke his or her certificate, they can just tell Bob to put it in his list of revoked
certificates; when somebody tries to authenticate you with a certificate, they will call Bob to check
whether that certificate has been revoked.
Well, this is kind of how the real world works, with a few major changes:
The out-of-band process is not a barbecue. The certificates of the real-world Bobs already come
bundled with your operating system and browser (check /etc/ssl/certs if you're on Linux).
The revocation mechanisms are called CRL and OCSP (OCSP was supposed to supersede CRL,
but the whole thing is kind of a mess right now).
They do charge you, though. Depending on the kind of certificate, the prices vary.
The process where a third party that both the server and the client trust signs the certificate of the
server creates a chain of trust. With TLS, we create chains of trust using CAs as our third parties.
Note that your data will not have stronger or weaker encryption depending on how much you pay:
all TLS connections use some form of AES, and how strong it is depends on what the client and server
are able and willing to handle. For example, many servers refuse to use SSLv3 since the whole POODLE
scandal, some older clients do not support the newest encryption algorithms, some servers have not
been updated, and some clients use Internet Explorer.
Now, you might wonder, if every certificate gives me equally strong encryption, integrity and
authentication, why are some more costly than others?
Well, CAs generally charge you more for certificates that will be used on several machines, so for
example a certificate for *.talpor.com will cost more than one for www.talpor.com (notice the
shameless self-promotion). However, what CAs really sell is not certificates but trust.
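As an added example (not from the original text, nor from Bob's or any CA's software), the three solutions above in Go's standard crypto/x509 package: a self-signed certificate with no trust anchor (#1), the same certificate pinned on the client plus a challenge proving possession of the private key (#2), and a certificate signed by Bob verified against Bob's own certificate (#3). The host name www.talpor.com comes from the text; the Actor type, the newActor, Authenticate and ProveKey names, and the use of an ECDSA signature in place of the text's encrypt/decrypt challenge are my assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Actor is a party holding a private key and the certificate for its public key.
type Actor struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

var serial int64 // constructed counter so every certificate gets a distinct serial number

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newActor creates a key pair and a certificate for host. With issuer == nil the certificate
// is self-signed (solutions #1 and #2); otherwise the issuer (Bob, solution #3) signs it.
func newActor(host string, isCA bool, issuer *Actor) *Actor {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // Bob's key may sign other certificates
	} else {
		tmpl.DNSNames = []string{host} // the name the client checks the certificate against
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parent, signer := tmpl, key // self-signed: the certificate vouches for itself
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &Actor{Key: key, Cert: cert}
}

// Authenticate is the client's check: the presented certificate must be valid for host and
// chain to something the client already trusts, either a pinned copy of the server's own
// certificate (solution #2) or Bob's certificate (solution #3). A nil result means success.
func Authenticate(presented *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool() // left empty this is solution #1: nothing to check against
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := presented.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}

// ProveKey is solution #2's random-message challenge, done as a signature because ECDSA keys
// sign rather than encrypt: the client picks a nonce, the server signs it, and the client
// checks the signature with the public key from the certificate it already trusts.
func ProveKey(server *Actor, trustedCert *x509.Certificate) bool {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	must(err)
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, server.Key, digest[:])
	must(err)
	pub, ok := trustedCert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	const host = "www.talpor.com"
	server := newActor(host, false, nil)      // the real server, self-signed
	attacker := newActor(host, false, nil)    // someone diverting the connection
	bob := newActor("Bob Root CA", true, nil) // Bob's self-signed certificate
	byBob := newActor(host, false, bob)       // the server's certificate, signed by Bob
	fmt.Println("#1 no trust anchor:", Authenticate(server.Cert, host))
	fmt.Println("#2 pinned copy:", Authenticate(server.Cert, host, server.Cert))
	fmt.Println("#2 attacker vs pin:", Authenticate(attacker.Cert, host, server.Cert))
	fmt.Println("#2 challenge real/forged:", ProveKey(server, server.Cert), ProveKey(attacker, server.Cert))
	fmt.Println("#3 signed by Bob:", Authenticate(byBob.Cert, host, bob.Cert))
	fmt.Println("#3 wrong host:", Authenticate(byBob.Cert, "evil.example", bob.Cert))
}
```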
Chapter 6: Forensics
Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that
is legally admissible. It can be used in the detection and prevention of crime and in any dispute
where evidence is stored digitally. Computer forensics follows a similar process to other forensic
disciplines, and faces similar issues.
There are few areas of crime or dispute where computer forensics cannot be applied. Law
enforcement agencies have been among the earliest and heaviest users of computer forensics and
consequently have often been at the forefront of developments in the field.
Computers may constitute a ‘scene of a crime’, for example with hacking or denial of service attacks
or they may hold evidence in the form of emails, internet history, documents or other files relevant
to crimes such as murder, kidnap, fraud and drug trafficking.
It is not just the content of emails, documents and other files which may be of interest to
investigators but also the ‘metadata’ associated with those files. A computer forensic examination
may reveal when a document first appeared on a computer, when it was last edited, when it was last
saved or printed and which user carried out these actions.
More recently, commercial organizations have used computer forensics to their benefit in a variety
of cases such as:
The four main principles from this guide (with references to law enforcement removed) are as
follows:
No action should change data held on a computer or storage media which may be
subsequently relied upon in court.
In circumstances where a person finds it necessary to access original data held on a
computer or storage media, that person must be competent to do so and be able to give
evidence explaining the relevance and the implications of their actions.
An audit trail or other record of all processes applied to computer-based electronic evidence
should be created and preserved. An independent third-party should be able to examine
those processes and achieve the same result.
The person in charge of the investigation has overall responsibility for ensuring that the law
and these principles are adhered to.
Live acquisition
In what situations would changes to a suspect’s computer by a computer forensic examiner be
necessary?
Traditionally, the computer forensic examiner would make a copy (or acquire) information from a
device which is turned off. A write-blocker would be used to make an exact bit for bit copy of the
original storage medium. The examiner would work from this copy, leaving the original
demonstrably unchanged.
However, sometimes it is not possible or desirable to switch a computer off. It may not be possible if
doing so would, for example, result in considerable financial or other loss for the owner. The
examiner may also wish to avoid a situation in which turning a device off would cause valuable
evidence to be permanently lost. In both these circumstances the computer forensic examiner
would need to carry out a 'live acquisition', which involves running a small program on the
suspect computer in order to copy (or acquire) the data to the examiner's hard drive.
By running such a program and attaching a destination drive to the suspect computer, the examiner
will make changes and/or additions to the state of the computer which were not present before his
actions. However, the evidence produced would still usually be considered admissible if the
examiner was able to show why such actions were considered necessary, that they recorded those
actions, and that they are able to explain to a court the consequences of those actions.
Stages of an examination
We’ve divided the computer forensic examination process into six stages, presented in their usual
chronological order.
Readiness
Forensic readiness is an important and occasionally overlooked stage in the examination process. In
commercial computer forensics it can include educating clients about system preparedness; for
example, forensic examinations will provide stronger evidence if a device’s auditing features have
been activated prior to any incident occurring.
For the forensic examiner themselves, readiness will include appropriate training, regular testing and
verification of their software and equipment, familiarity with legislation, dealing with unexpected
issues (e.g., what to do if indecent images of children are found present during a commercial job)
and ensuring that the on-site acquisition (data extraction) kit is complete and in working order.
Evaluation
The evaluation stage includes the receiving of instructions, the clarification of those instructions if
unclear or ambiguous, risk analysis and the allocation of roles and resources. Risk analysis for law
enforcement may include an assessment on the likelihood of physical threat on entering a suspect’s
property and how best to counter it.
Commercial organizations also need to be aware of health and safety issues, conflict of interest
issues and of possible risks – financial and to their reputation – on accepting a particular project.
Collection
The main part of the collection stage, acquisition, has been introduced above.
If acquisition is to be carried out on-site rather than in a computer forensic laboratory, then this
stage would include identifying and securing devices which may store evidence and documenting
the scene. Interviews or meetings with personnel who may hold information relevant to the
examination (which could include the end users of the computer, and the manager and person
responsible for providing computer services, such as an IT administrator) would usually be carried
out at this stage.
The collection stage also involves the labelling and bagging of evidential items from the site, to be
sealed in numbered tamper-evident bags. Consideration should be given to securely and safely
transporting the material to the examiner’s laboratory.
Analysis
Analysis depends on the specifics of each job. The examiner usually provides feedback to the client
during analysis and from this dialogue the analysis may take a different path or be narrowed to
specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed
within the time-scales available and resources allocated.
There are myriad tools available for computer forensics analysis. It is our opinion that the examiner
should use any tool they feel comfortable with as long as they can justify their choice. The main
requirements of a computer forensic tool are that it does what it is meant to do and the only way for
examiners to be sure of this is for them to regularly test and calibrate the tools they rely on before
analysis takes place.
Dual-tool verification can confirm result integrity during analysis (if with tool ‘A’ the examiner finds
artefact ‘X’ at location ‘Y’, then tool ‘B’ should replicate these results).
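The bit-for-bit copy described under live acquisition, the audit trail required by the third principle, and the dual-tool verification just mentioned, as an added example in Go (not part of the original text or of any forensic product): every sector of a constructed drive is copied into an image, a sector that cannot be read is zero-filled and logged rather than aborting, the image is hashed as it is written, and an independent pass must reproduce the hash. The Record, Acquire, Verify and flakyDevice names and the 8-sector sample drive are my own constructions.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"time"
)

const sectorSize = 512

// Record is the audit trail of one acquisition, written so that an independent third party
// can repeat the process and check that they reach the same hashes.
type Record struct {
	Examiner   string
	Source     string
	Started    time.Time
	Sectors    int
	BadSectors []int // unreadable sectors, written to the image as zeros
	MD5        string
	SHA256     string
}

// Acquire makes a sequential, bit-for-bit copy of every sector of src into dst (the
// examiner's drive), hashing the image as it is written. A sector that cannot be read is
// zero-filled and logged instead of aborting the whole acquisition.
func Acquire(src io.ReaderAt, sectors int, dst io.Writer, examiner, source string) (*Record, error) {
	rec := &Record{Examiner: examiner, Source: source, Started: time.Now(), Sectors: sectors}
	md, sha := md5.New(), sha256.New()
	out := io.MultiWriter(dst, md, sha) // every byte goes to the image and to both hashes
	buf := make([]byte, sectorSize)
	for i := 0; i < sectors; i++ {
		if n, _ := src.ReadAt(buf, int64(i)*sectorSize); n != sectorSize {
			for j := range buf {
				buf[j] = 0
			}
			rec.BadSectors = append(rec.BadSectors, i)
		}
		if _, err := out.Write(buf); err != nil {
			return nil, fmt.Errorf("writing sector %d: %w", i, err)
		}
	}
	rec.MD5 = hex.EncodeToString(md.Sum(nil))
	rec.SHA256 = hex.EncodeToString(sha.Sum(nil))
	return rec, nil
}

// Verify is the second, independent pass (tool "B" checking tool "A"): it re-hashes the whole
// image with no knowledge of how it was produced and reports whether it matches the record.
func Verify(image io.Reader, rec *Record) (bool, error) {
	sha := sha256.New()
	n, err := io.Copy(sha, image)
	if err != nil {
		return false, err
	}
	return n == int64(rec.Sectors)*sectorSize && hex.EncodeToString(sha.Sum(nil)) == rec.SHA256, nil
}

// flakyDevice is a constructed stand-in for a suspect drive: an in-memory image in which one
// sector always fails to read, as a damaged disk would.
type flakyDevice struct {
	data []byte
	bad  int
}

func (d flakyDevice) ReadAt(p []byte, off int64) (int, error) {
	if int(off/sectorSize) == d.bad {
		return 0, fmt.Errorf("I/O error: sector %d unreadable", d.bad)
	}
	if off >= int64(len(d.data)) {
		return 0, io.EOF
	}
	n := copy(p, d.data[off:])
	if n < len(p) {
		return n, io.EOF
	}
	return n, nil
}

// sampleDevice builds a constructed 8-sector drive whose sector 3 is unreadable.
func sampleDevice() flakyDevice {
	data := make([]byte, 8*sectorSize)
	for i := range data {
		data[i] = byte(i % 251)
	}
	return flakyDevice{data: data, bad: 3}
}

func main() {
	var image bytes.Buffer
	rec, _ := Acquire(sampleDevice(), 8, &image, "examiner A", "constructed 8-sector drive")
	ok, _ := Verify(bytes.NewReader(image.Bytes()), rec)
	fmt.Printf("bad sectors %v\nMD5 %s\nSHA256 %s\nverified %v\n", rec.BadSectors, rec.MD5, rec.SHA256, ok)
}
```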
Presentation
This stage usually involves the examiner producing a structured report on their findings, addressing
the points in the initial instructions along with any subsequent instructions. It would also cover any
other information which the examiner deems relevant to the investigation.
The report must be written with the end reader in mind; in many cases the reader will be non-
technical, and so reader-appropriate terminology should be used. The examiner should also be
prepared to participate in meetings or telephone conferences to discuss and elaborate on the
report.
Review
As with the readiness stage, the review stage is often overlooked or disregarded. This may be due to
the perceived costs of doing work that is not billable, or the need ‘to get on with the next job’.
However, a review stage incorporated into each examination can help save money and raise the
level of quality by making future examinations more efficient and time effective.
A review of an examination can be simple and quick, and can begin during any of the above stages. It
may include a basic analysis of what went wrong, what went well, and how the learning from this
can be incorporated into future examinations. Feedback from the instructing party should also be
sought.
Any lessons learnt from this stage should be applied to the next examination and fed into the
readiness stage.
The issues facing computer forensics examiners can be broken down into three broad categories:
technical, legal and administrative.
Technical issues
Encryption – Encrypted data can be impossible to view without the correct key or password.
Examiners should consider that the key or password may be stored elsewhere on the computer or
on another computer which the suspect has had access to. It could also reside in the volatile
memory of a computer (known as RAM), which is usually lost on computer shut-down; another
reason to consider using live acquisition techniques, as outlined above.
Increasing storage space – Storage media hold ever greater amounts of data, which for the
examiner means that their analysis computers need to have sufficient processing power and
available storage capacity to efficiently deal with searching and analysing large amounts of data.
New technologies – Computing is a continually evolving field, with new hardware, software and
operating systems emerging constantly. No single computer forensic examiner can be an expert on
all areas, though they may frequently be expected to analyze something which they haven’t
previously encountered. In order to deal with this situation, the examiner should be prepared and
able to test and experiment with the behavior of new technologies. Networking and sharing
knowledge with other computer forensic examiners is very useful in this respect as it’s likely
someone else has already come across the same issue.
Legal issues
Legal issues may confuse or distract from a computer examiner’s findings. An example here would
be the ‘Trojan Defense’. A Trojan is a piece of computer code disguised as something benign but
which carries a hidden and malicious purpose. Trojans have many uses, which include key-logging,
uploading and downloading of files and installation of viruses. A lawyer may be able to argue that
actions on a computer were not carried out by a user but were automated by a Trojan without the
user’s knowledge; such a Trojan Defense has been successfully used even when no trace of a Trojan
or other malicious code was found on the suspect’s computer. In such cases, a competent opposing
lawyer, supplied with evidence from a competent computer forensic analyst, should be able to
dismiss such an argument. A good examiner will have identified and addressed possible arguments
from the “opposition” while carrying out the analysis and in writing their report.
Administrative issues
Accepted standards – There are a plethora of standards and guidelines in computer forensics, few of
which appear to be universally accepted. The reasons for this include: standard-setting bodies being
tied to particular legislations; standards being aimed either at law enforcement or commercial
forensics but not at both; the authors of such standards not being accepted by their peers; or high
joining fees for professional bodies dissuading practitioners from participating.
Fit to practice – In many jurisdictions there is no qualifying body to check the competence and
integrity of computer forensics professionals. In such cases anyone may present themselves as a
computer forensic expert, which may result in computer forensic examinations of questionable
quality and a negative view of the profession as a whole.
1. Hacking: modifying a computer in a way which was not originally intended in order to
benefit the hacker’s goals.
2. Denial of Service attack: an attempt to prevent legitimate users of a computer system from
having access to that system’s information or services.
3. Metadata: data about data. It can be embedded within files or stored externally in a
separate file and may contain information about the file’s author, format, creation date and
so on.
4. Write blocker: a hardware device or software application which prevents any data from
being modified or added to the storage medium being examined.
5. Bit copy: ‘bit’ is a contraction of the term ‘binary digit’ and is the fundamental unit of
computing. A bit copy refers to a sequential copy of every bit on a storage medium, which
includes areas of the medium ‘invisible’ to the user.
6. RAM: Random Access Memory. RAM is a computer’s temporary workspace and is volatile,
which means its contents are lost when the computer is powered off.
7. Key-logging: the recording of keyboard input giving the ability to read a user’s typed
passwords, emails and other confidential information.
BIOS is an acronym for basic input/output system, the built-in software that determines what a
computer can do without accessing programs from a disk. The BIOS is an important part of any
computer system. On personal computers (PCs), for example, the BIOS contains all the code
required to control the keyboard, display screen, disk drives, serial communications, and a
number of miscellaneous functions.
The BIOS is typically placed in a ROM chip that comes with the computer (it is often called a ROM
BIOS). This ensures that the BIOS will always be available and will not be damaged by disk failures. It
also makes it possible for a computer to boot itself. Because RAM is faster than ROM, though, many
computer manufacturers design systems so that the BIOS is copied from ROM to RAM each time the
computer is booted. This is known as shadowing.
Many modern PCs have a flash BIOS, which means that the BIOS has been recorded on a flash
memory chip, which can be updated if necessary.
PC BIOS Standardization
The PC BIOS is fairly standardized, so all PCs are similar at this level (although there are different
BIOS versions). Additional DOS functions are usually added through software modules. This means
you can upgrade to a newer version of DOS without changing the BIOS.
Newer PC BIOSes that can handle Plug-and-Play (PnP) devices are known as PnP BIOSes, or PnP-
aware BIOSes. These BIOSes are always implemented with flash memory rather than ROM.
Boot Sequence
Boot sequence is the order in which a computer searches for nonvolatile data storage devices
containing program code to load the operating system (OS). Typically, a Macintosh structure uses
ROM and Windows uses BIOS to start the boot sequence. Once the instructions are found, the CPU
takes control and loads the OS into system memory.
The devices that are usually listed as boot order options in the BIOS settings are hard disks, floppy
drives, optical drives, flash drives, etc. The user is able to change the boot sequence via the CMOS
setup.
Prior to boot sequence is the power-on self-test (POST), which is the initial diagnostic test performed
by a computer when it is switched on. When POST is finished, the boot sequence begins. If there are
problems during POST, the user is alerted by beep codes, POST codes or on-screen POST error
messages.
Unless programmed otherwise, the BIOS looks for the OS on drive A first, then on drive C.
It is possible to modify the boot sequence from the BIOS settings. Different BIOS models have different
key combinations and on-screen instructions to enter the BIOS and change the boot sequence.
Normally, after the POST, the BIOS will try to boot using the first device assigned in the BIOS boot order.
If that device is not suitable for booting, then the BIOS will try to boot from the second device listed,
and this process continues until the BIOS finds boot code on one of the devices listed.
If the boot device is not found, an error message is displayed and the system crashes or freezes.
Errors can be caused by an unavailable boot device, boot sector viruses or an inactive boot partition.
A boot loader is a computer program that loads an operating system or some other system software
for the computer after completion of the power-on self-tests; it is the loader for the operating
system itself. Within the hard reboot process, it runs after completion of the self-tests, then loads
and runs the software. A boot loader is loaded into main memory from persistent memory, such as a
hard disk drive or, in some older computers, from a medium such as punched cards, punched tape,
or magnetic tape. The boot loader then loads and executes the processes that finalize the boot. Like
POST processes, the boot loader code comes from a "hard-wired" and persistent location; if that
location is too limited for some reason, that primary boot loader calls a second-stage boot loader or
a secondary program loader.
On modern general purpose computers, the boot up process can take tens of seconds, or even
minutes, and typically involves performing a power-on self-test, locating and initializing peripheral
devices, and then finding, loading and starting an operating system. The process of hibernating or
sleeping does not involve booting. Minimally, some embedded systems do not require a noticeable
boot sequence to begin functioning and when turned on may simply run operational programs that
are stored in ROM. All computing systems are state machines, and a reboot may be the only method
to return to a designated zero-state from an unintended, locked state.
In addition to loading an operating system or stand-alone utility, the boot process can also load a
storage dump program for diagnosing problems in an operating system.
Boot is short for bootstrap or bootstrap load and derives from the phrase to pull oneself up by one's
bootstraps. The usage calls attention to the requirement that, if most software is loaded onto a
computer by other software already running on the computer, some mechanism must exist to load
the initial software onto the computer. Early computers used a variety of ad-hoc methods to get a
small program into memory to solve this problem. The invention of read-only memory (ROM) of
various types solved this paradox by allowing computers to be shipped with a startup program that
could not be erased. Growth in the capacity of ROM has allowed ever more elaborate start up
procedures to be implemented.
When a computer is turned off, its software—including operating systems, application code, and
data—remains stored on non-volatile memory. When the computer is powered on, it typically does
not have an operating system or its loader in random-access memory (RAM). The computer first
executes a relatively small program stored in read-only memory (ROM) along with a small amount of
needed data, to access the nonvolatile device or devices from which the operating system programs
and data can be loaded into RAM.
The small program that starts this sequence is known as a bootstrap loader, bootstrap or boot
loader. This small program's only job is to load other data and programs which are then executed
from RAM. Often, multiple-stage boot loaders are used, during which several programs of increasing
complexity load one after the other in a process of chain loading.
Some computer systems, upon receiving a boot signal from a human operator or a peripheral device,
may load a very small number of fixed instructions into memory at a specific location, initialize at
least one CPU, and then point the CPU to the instructions and start their execution. These
instructions typically start an input operation from some peripheral device (which may be switch-
selectable by the operator). Other systems may send hardware commands directly to peripheral
devices or I/O controllers that cause an extremely simple input operation (such as "read sector zero
of the system device into memory starting at location 1000") to be carried out, effectively loading a
small number of boot loader instructions into memory; a completion signal from the I/O device may
then be used to start execution of the instructions by the CPU.
Smaller computers often use less flexible but more automatic boot loader mechanisms to ensure
that the computer starts quickly and with a predetermined software configuration. In many desktop
computers, for example, the bootstrapping process begins with the CPU executing software
contained in ROM (for example, the BIOS of an IBM PC) at a predefined address (some CPUs,
including the Intel x86 series are designed to execute this software after reset without outside help).
This software contains rudimentary functionality to search for devices eligible to participate in
booting, and load a small program from a special section (most commonly the boot sector) of the
most promising device, typically starting at a fixed entry point such as the start of the sector.
Boot loaders may face peculiar constraints, especially in size; for instance, on the IBM PC and
compatibles, a boot sector should typically work in only 32 KB[24] (later relaxed to 64 KB[25]) of
system memory and not use instructions not supported by the original 8088/8086 processors. The
first stage of boot loaders (FSBL, first-stage boot loader) located on fixed disks and removable drives
must fit into the first 446 bytes of the Master Boot Record in order to leave room for the default 64-
byte partition table with four partition entries and the two-byte boot signature, which the BIOS
requires for a proper boot loader — or even less, when additional features like more than four
partition entries (up to 16 with 16 bytes each), a disk signature (6 bytes), a disk timestamp (6 bytes),
an Advanced Active Partition (18 bytes) or special multi-boot loaders have to be supported as well in
some environments. In floppy and super floppy Volume Boot Records, up to 59 bytes are occupied
for the Extended BIOS Parameter Block on FAT12 and FAT16 volumes since DOS 4.0, whereas the
FAT32 EBPB introduced with DOS 7.1 requires even 71 bytes, leaving only 441 bytes for the boot
loader when assuming a sector size of 512 bytes. Microsoft boot sectors therefore traditionally
imposed certain restrictions on the boot process, for example, the boot file had to be located at a
fixed position in the root directory of the file system and stored as consecutive sectors, conditions
taken care of by the SYS command and slightly relaxed in later versions of DOS. The boot loader was
then able to load the first three sectors of the file into memory, which happened to contain another
embedded boot loader able to load the remainder of the file into memory. When they added LBA
and FAT32 support, they even switched to a two-sector boot loader using 386 instructions. At the
same time other vendors managed to squeeze much more functionality into a single boot sector
without relaxing the original constraints on the only minimal available memory and processor
support. For example, DR-DOS boot sectors are able to locate the boot file in the FAT12, FAT16 and
FAT32 file system, and load it into memory as a whole via CHS or LBA, even if the file is not stored in
a fixed location and in consecutive sectors.
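As an added example (not from the original text or from any of the boot loaders named), a Go parser for the sector-0 layout just described, which also reports the "inactive boot partition" failure from the boot-sequence discussion above: 446 bytes of boot code, four 16-byte partition entries making up the 64-byte table, and the two-byte 0x55AA signature. The ParseMBR, BootPartition and SampleMBR names and the sample partition values are my own constructions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	sectorSize  = 512
	bootCodeLen = 446 // the room left for the first-stage boot loader; the table follows it
	entrySize   = 16  // four entries make up the 64-byte partition table
	sigOffset   = 510 // the two-byte boot signature 0x55 0xAA the BIOS requires
)

// Partition is one decoded entry of the four-entry partition table.
type Partition struct {
	Index    int
	Active   bool   // status byte 0x80: the partition the BIOS boots from
	Type     byte   // e.g. 0x0C FAT32 (LBA), 0x07 NTFS, 0x83 Linux
	LBAStart uint32 // first sector, little-endian
	Sectors  uint32 // length in sectors, little-endian
}

// MBR is a decoded master boot record: the boot code area plus the populated entries.
type MBR struct {
	BootCode   []byte
	Partitions []Partition
}

var (
	ErrNoSignature = errors.New("mbr: boot signature 0x55AA missing")
	ErrNoActive    = errors.New("mbr: no active (bootable) partition")
)

// ParseMBR decodes sector 0: 446 bytes of boot code, four 16-byte entries, 0x55AA at 510.
func ParseMBR(sector []byte) (*MBR, error) {
	if len(sector) < sectorSize {
		return nil, fmt.Errorf("mbr: need %d bytes, got %d", sectorSize, len(sector))
	}
	if sector[sigOffset] != 0x55 || sector[sigOffset+1] != 0xAA {
		return nil, ErrNoSignature
	}
	m := &MBR{BootCode: sector[:bootCodeLen]}
	for i := 0; i < 4; i++ {
		e := sector[bootCodeLen+i*entrySize : bootCodeLen+(i+1)*entrySize]
		if e[4] == 0 { // partition type 0 marks an unused slot
			continue
		}
		m.Partitions = append(m.Partitions, Partition{
			Index:    i,
			Active:   e[0] == 0x80,
			Type:     e[4],
			LBAStart: binary.LittleEndian.Uint32(e[8:12]),
			Sectors:  binary.LittleEndian.Uint32(e[12:16]),
		})
	}
	return m, nil
}

// BootPartition returns the active partition, or ErrNoActive, which is the "inactive boot
// partition" condition the text lists among the reasons a boot can fail.
func (m *MBR) BootPartition() (Partition, error) {
	for _, p := range m.Partitions {
		if p.Active {
			return p, nil
		}
	}
	return Partition{}, ErrNoActive
}

// putEntry writes one entry; the CHS fields are left zero, as LBA-only tools do.
func putEntry(sector []byte, i int, active bool, typ byte, start, size uint32) {
	e := sector[bootCodeLen+i*entrySize:]
	if active {
		e[0] = 0x80
	}
	e[4] = typ
	binary.LittleEndian.PutUint32(e[8:], start)
	binary.LittleEndian.PutUint32(e[12:], size)
}

// SampleMBR builds a constructed sector 0: a three-byte stub in the boot code area, an
// active FAT32 partition at LBA 2048 followed by a Linux partition, and the signature.
func SampleMBR() []byte {
	s := make([]byte, sectorSize)
	copy(s, []byte{0xFA, 0x33, 0xC0}) // cli; xor ax,ax: a common boot-code prologue
	putEntry(s, 0, true, 0x0C, 2048, 204800)
	putEntry(s, 1, false, 0x83, 206848, 1048576)
	s[sigOffset], s[sigOffset+1] = 0x55, 0xAA
	return s
}

func main() {
	m, _ := ParseMBR(SampleMBR()) // SampleMBR is well-formed by construction
	boot, err := m.BootPartition()
	fmt.Printf("%d partitions, boot from entry %d at LBA %d, err=%v\n", len(m.Partitions), boot.Index, boot.LBAStart, err)
}
```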
Second-stage boot loaders, such as GNU GRUB, BOOTMGR, Syslinux, NTLDR or BootX, are not
themselves operating systems, but are able to load an operating system properly and transfer
execution to it; the operating system subsequently initializes itself and may load extra device drivers.
The second-stage boot loader does not need drivers for its own operation, but may instead use
generic storage access methods provided by system firmware such as the BIOS or Open Firmware,
though typically with restricted hardware functionality and lower performance.
Many boot loaders (like GNU GRUB, Windows's BOOTMGR, and Windows NT/2000/XP's NTLDR) can
be configured to give the user multiple booting choices. These choices can include different
operating systems (for dual or multi-booting from different partitions or drives), different versions of
the same operating system (in case a new version has unexpected problems), different operating
system loading options (e.g., booting into a rescue or safe mode), and some standalone programs
that can function without an operating system, such as memory testers (e.g., memtest86+), a basic
shell (as in GNU GRUB), or even games (see List of PC Booter games). Some boot loaders can also
load other boot loaders; for example, GRUB loads BOOTMGR instead of loading Windows directly.
Usually a default choice is preselected with a time delay during which a user can press a key to
change the choice; after this delay, the default choice is automatically run so normal booting can
occur without interaction.
The boot process can be considered complete when the computer is ready to interact with the user,
or the operating system is capable of running system programs or application programs. Typical
modern personal computers boot in about one minute, of which about 15 seconds are taken by a
power-on self-test (POST) and a preliminary boot loader, and the rest by loading the operating
system and other software. Time spent after the operating system loading can be considerably
shortened to as little as 3 seconds[28] by bringing the system up with all cores at once, as with
coreboot. Large servers may take several minutes to boot and start all their services.
Many embedded systems must boot immediately. For example, waiting a minute for a digital
television or a GPS navigation device to start is generally unacceptable. Therefore, such devices have
software systems in ROM or flash memory so the device can begin functioning immediately; little or
no loading is necessary, because the loading can be precomputed and stored on the ROM when the
device is made.
Large and complex systems may have boot procedures that proceed in multiple phases until finally
the operating system and other programs are loaded and ready to execute. Because operating
systems are designed as if they never start or stop, a boot loader might load the operating system,
configure itself as a mere process within that system, and then irrevocably transfer control to the
operating system. The boot loader then terminates normally as any other process would.
Windows 95 OSR2, Windows 98, and Windows Me include an updated version of the FAT file
system. This updated version is called FAT32. The FAT32 file system allows for a default cluster size
as small as 4 KB, and includes support for EIDE hard disk sizes larger than 2 gigabytes (GB).
NOTE: Microsoft Windows NT 4.0 does not support the FAT32 file system.
For additional information about supported file systems in Windows NT 4.0, click the article number
below to view the article in the Microsoft Knowledge Base:
100108 Overview of FAT, HPFS, and NTFS File Systems
FAT32 Features
FAT32 provides the following enhancements over previous implementations of the FAT file system:
NOTE: Microsoft Windows 2000 only supports FAT32 partitions up to a size of 32 GB.
FAT32 uses space more efficiently. FAT32 uses smaller clusters (that is, 4-KB clusters for
drives up to 8 GB in size), resulting in 10 to 15 percent more efficient use of disk space
relative to large FAT or FAT16 drives.
FAT32 is more robust. FAT32 can relocate the root folder and use the backup copy of the file
allocation table instead of the default copy. In addition, the boot record on FAT32 drives is
expanded to include a backup copy of critical data structures. Therefore, FAT32 drives are
less susceptible to a single point of failure than existing FAT16 drives.
FAT32 is more flexible. The root folder on a FAT32 drive is an ordinary cluster chain, so it can
be located anywhere on the drive. The previous limitations on the number of root folder
entries no longer exist. In addition, file allocation table mirroring can be disabled, allowing a
copy of the file allocation table other than the first one to be active. These features allow for
dynamic resizing of FAT32 partitions. Note, however, that although the FAT32 design allows
for this capability, it will not be implemented by Microsoft in the initial release.
To maintain the greatest compatibility possible with existing programs, networks, and device drivers,
FAT32 was implemented with as little change as possible to the existing Windows architecture,
internal data structures, Application Programming Interfaces (APIs), and on-disk format. However,
because 4 bytes are now required to store cluster values, many internal and on-disk data structures
and published APIs have been revised or expanded. In some cases, existing APIs will not work on
FAT32 drives. Most programs will be unaffected by these changes. Existing tools and drivers should
continue to work on FAT32 drives. However, MS-DOS block device drivers (for example, Aspidisk.sys)
and disk tools will need to be revised to support FAT32 drives.
All of the Microsoft bundled disk tools (Format, Fdisk, Defrag, and MS-DOS- based and Windows-
based ScanDisk) have been revised to work with FAT32. In addition, Microsoft is working with
leading device driver and disk tool manufacturers to support them in revising their products to
support FAT32.
FAT32 Performance
Converting to the FAT32 file system is one of the biggest performance enhancements you can make
to your Windows 98-based computer.
Dual-Boot Computers
At this time, Windows 95 OSR2, Windows 98, Windows 2000, and Windows Me are the only
Microsoft operating systems that can access FAT32 volumes. MS-DOS, the original version of
Windows 95, and Windows NT 4.0 do not recognize FAT32 partitions, and are unable to boot from a
FAT32 volume. Also, FAT32 volumes cannot be accessed properly if the computer is started by using
another operating system (for example, a Windows 95 or MS-DOS boot disk).
Windows 95 OSR2 and Windows 98 can be started in Real mode (for example, to run a game) and
can use FAT32 volumes.
In Windows 95 OSR2, Windows 98, and Windows Me, if you run the Fdisk tool on a hard disk that is
over 512 megabytes (MB) in size, Fdisk prompts you whether or not to enable large disk support. If
you answer "Yes" (enabling large disk support), any partition you create that is larger than 512 MB is
marked as a FAT32 partition.
Windows 98 and Windows Me also include a FAT32 conversion tool that you can use to convert an
existing drive to the FAT32 file system. To use the conversion tool, follow these steps:
1. Click Start, point to Programs, point to Accessories, point to System Tools, and then click
Drive Converter (FAT32).
2. Click Next.
3. Click the drive that you want to convert to the FAT32 file system, and then click Next.
4. Follow the instructions on the screen.
Support Boundaries
Microsoft will support the functionality of the FAT32 file system for error-free reading, and saving of
files either in Real mode or Protect mode. Microsoft supports the Real-mode and Protected-mode
tools that are included with Windows 95.
For legacy (older) programs that cannot be installed on a FAT32 volume, or do not properly save files
or read them, you must contact the manufacturer of the software package.
NOTE: Although the FAT32 file system supports hard disks up to 2 terabytes in size, some hard disks
may not be able to contain bootable partitions that are larger than 7.8 GB because of limitations in
your computer's basic input/output system (BIOS) INT13 interface. Please contact your hardware
manufacturer to determine if your computer's BIOS supports the updated INT13 extensions.
When a hard disk is formatted (initialized), it is divided into partitions or major divisions of the
total physical hard disk space. Within each partition, the operating system keeps track of all the
files that are stored by that operating system. Each file is actually stored on the hard disk in one
or more clusters or disk spaces of a predefined uniform size. Using NTFS, the sizes of clusters
range from 512 bytes to 64 kilobytes. Windows NT provides a recommended default cluster size
for any given drive size. For example, for a 4 GB (gigabyte) drive, the default cluster size is 4 KB
(kilobytes). Note that clusters are indivisible. Even the smallest file takes up one cluster and a 4.1
KB file takes up two clusters (or 8 KB) on a 4 KB cluster system.
The selection of the cluster size is a trade-off between efficient use of disk space and the
number of disk accesses required to access a file. In general, using NTFS, the larger the hard disk
the larger the default cluster size, since it's assumed that a system user will prefer to increase
performance (fewer disk accesses) at the expense of some amount of space inefficiency.
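The cluster arithmetic above (a 4.1 KB file occupying two 4 KB clusters, and the space-versus-access trade-off as cluster size grows) can be made concrete with a small calculator. This is an added example, not code from the study material; the sample file sizes are constructed, and the three cluster sizes are the 512 B and 64 KB ends of the NTFS range and the 4 KB default quoted in the text. The unused tail of a file's last cluster is reported as slack, which is also why forensic acquisitions image whole clusters rather than logical files.

```python
import math

# Cluster sizes to compare, in bytes: 512 B and 64 KB are the ends of the
# NTFS range quoted above; 4 KB is the default quoted for a 4 GB drive.
CLUSTER_SIZES = [512, 4 * 1024, 64 * 1024]

# Constructed sample of file sizes in bytes (not data from the page).
SAMPLE_FILES = [4198, 100, 70000]


def clusters_needed(file_size: int, cluster_size: int) -> int:
    """Clusters a file occupies. Clusters are indivisible, so a partial
    last cluster counts as a whole one; a zero-length file takes none."""
    if file_size <= 0:
        return 0
    return math.ceil(file_size / cluster_size)


def slack_space(file_size: int, cluster_size: int) -> int:
    """Bytes allocated to the file but not used by it: the unused tail of
    its last cluster. Slack can still hold fragments of earlier data."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


def allocation_report(file_sizes, cluster_size: int) -> dict:
    """Totals for a set of files on one cluster size. Fewer clusters means
    fewer disk accesses; more slack means less efficient use of space."""
    total_clusters = sum(clusters_needed(s, cluster_size) for s in file_sizes)
    allocated = total_clusters * cluster_size
    used = sum(file_sizes)
    return {
        "cluster_size": cluster_size,
        "clusters": total_clusters,
        "allocated_bytes": allocated,
        "slack_bytes": allocated - used,
    }


def compare_cluster_sizes(file_sizes, cluster_sizes=CLUSTER_SIZES) -> list:
    """One report per cluster size, so the trade-off can be read side by side."""
    return [allocation_report(file_sizes, cs) for cs in cluster_sizes]


if __name__ == "__main__":
    # The text's example: a 4.1 KB (4198-byte) file on a 4 KB cluster system.
    print("4.1 KB file on 4 KB clusters:",
          clusters_needed(4198, 4096), "clusters,",
          slack_space(4198, 4096), "bytes of slack")
    for r in compare_cluster_sizes(SAMPLE_FILES):
        print(f"cluster {r['cluster_size']:>6} B: {r['clusters']:>4} clusters, "
              f"{r['allocated_bytes']:>7} B allocated, {r['slack_bytes']:>7} B slack")
```

Running the comparison on the sample files shows the cluster count falling from 147 (512 B clusters) to 4 (64 KB clusters) while the slack grows from under 1 KB to over 180 KB, which is the trade-off the paragraph describes.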
Validation, Forensic Acquisition
With the field of digital forensics growing at an almost warp-like speed, there are many issues out
there that can disrupt and discredit even the most experienced forensic examiner. One of the issues
that continues to be of utmost importance is the validation of the technology and software
associated with performing a digital forensic examination. The science of digital forensics is founded
on the principles of repeatable processes and quality evidence. Knowing how to design and properly
maintain a good validation process is a key requirement for any digital forensic examiner. This article
will attempt to outline the issues faced when drafting tool and software validations, the legal
standards that should be followed when drafting validations, and a quick overview of what should be
included in every validation.
Setting the Standard: Standards and Legal Baselines for Software/Tool Validation
According to the National Institute of Standards and Technology (NIST), test results must be
repeatable and reproducible to be considered admissible as electronic evidence. Digital forensics test
results are repeatable when the same results are obtained using the same methods in the same
testing environment. Digital forensics test results are reproducible when the same test results are
obtained using the same method in a different testing environment (different mobile phone, hard
drive, and so on). NIST specifically defines these terms as follows:
Repeatability refers to obtaining the same results when using the same method on identical test
items in the same laboratory by the same operator using the same equipment within short intervals
of time.
Reproducibility refers to obtaining the same results when using the same method on identical test
items in different laboratories with different operators utilizing different equipment.
In the legal community, the Daubert Standard can be used for guidance when drafting software/tool
validations. The Daubert Standard allows novel tests to be admitted in court, as long as certain
criteria are met. According to the ruling in Daubert v. Merrell Dow Pharmaceuticals Inc., the following
criteria were identified to determine the reliability of a particular scientific technique:
The Daubert Standard requires an independent judicial assessment of the reliability of the scientific
test or method. This reliability assessment, however, does not require, nor does it permit, explicit
identification of a relevant scientific community and an express determination of a particular degree
of acceptance within that community. Additionally, the Daubert Standard was quick to point out that
the fact that a theory or technique has not been subjected to peer review or has not been published
does not automatically render the tool/software inadmissible. The ruling recognizes that scientific
principles must be flexible and must be the product of reliable principles and methods. Although the
Daubert Standard was in no way directed toward digital forensics validations, the scientific baselines
and methods it suggests are a good starting point for drafting validation reports that will hold up in a
court of law and the digital forensics community.
Developing the scope of the plan may involve background and defining what the software or tool
should do in a detailed fashion. Developing the scope of the plan also involves creating a protocol for
testing by outlining the steps, tools, and requirements of such tools to be used during the test. This
may include evaluation of multiple test scenarios for the same software or tool. To illustrate, if
validating a particular forensic software imaging tool, that tool could be tested to determine
whether or not it successfully creates, hashes, and verifies a particular baseline image that has been
previously set up. There are several publicly available resources and guides that can be useful in
establishing what a tool should do such as those available from NIST’s Computer Forensic Tool
Testing Project (CFTT) available from http://www.cftt.nist.gov. The CFTT also publishes detailed
validation reports on various types of forensic hardware and software ranging from mobile phones
to disk imaging tools. In addition to CFTT, Marshall University has published various software and
tool validation reports that are publicly available for download from:
http://forensics.marshall.edu/Digital/Digital-Publications.html
These detailed reports can be used to get a feel for how your own internal protocol should be
drafted. The scope of the plan may also include items such as: tool version, testing manufacturer,
and how often the tests will be done. These factors should be established based on your
organization standards. Typically, technology within a lab setting is re-validated quarterly or
biannually at the very least.
This area may be the longest and most difficult part of the validation process as it is the most
involved. This is because it involves setting-up specific devices and baseline images and then adding
data to the specific areas of the media or device. Acquisitions would then need to be performed and
documented after each addition to validate the primary baseline. This baseline may include a
dummy mobile phone, USB thumb drive, or hard drive depending on the software or hardware tool
you are testing. In addition to building your own baseline images, Brian Carrier has posted several
publicly available disk images designed to test specific tool capabilities, such as the ability to
recover deleted files, find keywords, and process images. These data sets are documented and are
available at http://dftt.sourceforge.net. Once baseline images are created, tested, and validated it is
a good idea to document what is contained within these images. This will not only assist in future
validations, but may also be handy for internal competency and proficiency examinations for digital
examiners.
Outside all the recommendations and standards set forth by NIST and the legal community, it only
makes sense that a digital forensics examiner would perform an internal validation of the software
and tools being used in the laboratory. In some cases these validations are arbitrary and can occur
either in a controlled or uncontrolled environment. Since examiners are continuously bearing
enormous caseloads and work responsibilities, consistent and proper validations sometimes fall
through the cracks and are validated in a somewhat uncontrolled “on-the-fly” manner. It’s also a
common practice in digital forensics for examiners to “borrow” validations from other laboratories
and fail to validate their own software and tools. Be very careful about letting this happen. Keep in
mind that in order for digital forensics to be practicing true scientific principles, the processes used
must be proven to be repeatable and reproducible. In order for this to occur, the validation should
occur within a controlled environment within your laboratory with the tools that you will be using. If
the examiner uses a process, software, or even a tool that is haphazard or too varied from one
examination to the next, the science then becomes more of an arbitrary art. Simply put, validations
not only protect the integrity of the evidence, they may also protect your credibility. As stated
previously, using a repeatable, consistent, scientific method in drafting these validations is always
recommended.
At this point, testing is conducted against the requirements set forth for the software or tool in the
previous steps. Keep in mind that results generated through the experimentation and validation
stage must be repeatable. Validation should go beyond a simple surface scan when it comes to the
use of those technologies in a scientific process. With that said, it is recommended that each
requirement be tested at least three times. If there are any variables that may affect the outcome of
the validation (e.g. failure to write-block, software bugs) they should be determined after three test
runs. There may be cases, however, where more or fewer test runs may be required to generate
valid results.
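The imaging-tool validation sketched earlier (create, hash and verify a prepared baseline image) and the three-run repeatability requirement just described can be scripted so that every run is recorded. The code below is an added example, not part of the study material or of any vendor's tool: the baseline is a constructed 64 KB image with a known marker written into a known region, `acquire` is a stand-in for the imaging tool under test, and `faulty_acquire` is a hypothetical defective tool that drops the last 512 bytes, included to show what a failed requirement looks like in the report. In a real validation the stand-in would be replaced by a call to the actual tool and a read of the image it produced.

```python
import hashlib
import io

# Constructed baseline parameters (test data built here, not a real device):
# a 64 KB image with a known marker at a known offset, in the spirit of
# "adding data to specific areas of the media" described above.
BASELINE_SIZE = 64 * 1024
MARKER = b"BASELINE-MARKER-0001"
MARKER_OFFSET = 20 * 1024


def build_baseline() -> bytes:
    """Deterministic baseline image: repeating 0..255 pattern plus the marker."""
    buf = bytearray(bytes(range(256)) * (BASELINE_SIZE // 256))
    buf[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] = MARKER
    return bytes(buf)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes, chunk_size: int = 4096) -> bytes:
    """Stand-in for the imaging tool under test: a chunked copy of the source.
    A real validation would invoke the actual tool and read back its image."""
    src, out = io.BytesIO(source), io.BytesIO()
    while True:
        chunk = src.read(chunk_size)
        if not chunk:
            break
        out.write(chunk)
    return out.getvalue()


def faulty_acquire(source: bytes) -> bytes:
    """Hypothetical defective tool that drops the last 512 bytes of the source."""
    return acquire(source)[:-512]


def verify_image(image: bytes, expected_hash: str) -> dict:
    """The three requirements set for the tool: full size, hash equal to the
    baseline's, and the known region intact."""
    return {
        "size_matches": len(image) == BASELINE_SIZE,
        "hash_matches": sha256_hex(image) == expected_hash,
        "marker_intact": image[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER,
    }


def run_validation(imaging_tool, runs: int = 3) -> dict:
    """Run the tool against the baseline `runs` times and record each result.
    The tool passes only if every requirement holds on every run and all runs
    produced the same image hash (the repeatability requirement)."""
    baseline = build_baseline()
    expected = sha256_hex(baseline)
    results = []
    for run_no in range(1, runs + 1):
        image = imaging_tool(baseline)
        checks = verify_image(image, expected)
        results.append({"run": run_no, "image_hash": sha256_hex(image), **checks})
    distinct_hashes = {r["image_hash"] for r in results}
    all_checks_ok = all(
        all(r[k] for k in ("size_matches", "hash_matches", "marker_intact")) for r in results
    )
    return {
        "baseline_hash": expected,
        "runs": results,
        "repeatable": len(distinct_hashes) == 1,
        "passed": all_checks_ok and len(distinct_hashes) == 1,
    }


if __name__ == "__main__":
    for name, tool in (("reference copy", acquire), ("faulty copy", faulty_acquire)):
        report = run_validation(tool)
        print(f"{name}: passed={report['passed']} repeatable={report['repeatable']}")
        for r in report["runs"]:
            print(f"  run {r['run']}: size={r['size_matches']} "
                  f"hash={r['hash_matches']} marker={r['marker_intact']}")
```

Note that the faulty tool is repeatable (all three runs produce the same wrong hash) yet fails validation, which is why the report records both the per-requirement checks and the cross-run comparison rather than only the hash match.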
It’s also important to realize that you are probably not the first to use and validate a particular
software or tool, so chances are that if you are experiencing inconsistent results, the community
may be experiencing the same results as well. Utilizing peer review may be a valuable asset when
performing these validations. Organizations such as the High Technology Crime Investigation
Association (HTCIA) and the International Association of Computer Investigative Specialists (IACIS)
maintain active member e-mail lists for members that can be leveraged for peer review. There are
also various lists and message boards pertaining to mobile phone forensics that can be quite helpful
when validating a new mobile technology. In addition, most forensic software vendors maintain
message boards for software, which can be used to research bugs or inconsistencies arising during
validation testing.
Write blockers are devices that allow acquisition of information on a drive without creating the
possibility of accidentally damaging the drive contents. They do this by allowing read commands to
pass but by blocking write commands, hence their name.
There are two ways to build a write-blocker: the blocker can allow all commands to pass from the
computer to the drive except for those that are on a particular list. Alternatively, the blocker can
specifically block the write commands and let everything else through.
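The two designs just described behave differently when the drive receives a command the blocker's designer did not anticipate. The simulation below is an added example, not code from the study material or from any write-blocker product: the command names are constructed and illustrative rather than a real command set, and `VENDOR_WRITE_EXT` is a hypothetical modifying command unknown at blocker design time. It shows why validation exercises (such as those CFTT publishes for write blockers) test what happens with commands outside the known lists.

```python
# Constructed command names for the simulation (illustrative, not a real
# command set). READ_COMMANDS are the ones a blocker must let through so the
# drive can be acquired; WRITE_COMMANDS are the ones known to modify it.
READ_COMMANDS = {"IDENTIFY_DEVICE", "READ_SECTORS", "READ_DMA", "READ_SMART_DATA"}
WRITE_COMMANDS = {"WRITE_SECTORS", "WRITE_DMA", "SECURITY_ERASE"}

# Hypothetical command that also modifies the drive but was not on the
# designer's list (constructed name).
UNKNOWN_MODIFYING_COMMAND = "VENDOR_WRITE_EXT"


class DenyListBlocker:
    """First design from the text: everything passes except listed write commands."""

    def __init__(self, denied):
        self.denied = frozenset(denied)

    def allows(self, command: str) -> bool:
        return command not in self.denied


class AllowListBlocker:
    """Second design: only listed read commands pass; everything else is blocked."""

    def __init__(self, allowed):
        self.allowed = frozenset(allowed)

    def allows(self, command: str) -> bool:
        return command in self.allowed


class SimulatedDrive:
    """Records every command that reaches it and whether any of them modified it."""

    def __init__(self, modifying_commands):
        self.modifying = frozenset(modifying_commands)
        self.modified = False
        self.log = []

    def execute(self, command: str) -> None:
        self.log.append(command)
        if command in self.modifying:
            self.modified = True


def relay(blocker, drive: SimulatedDrive, commands) -> dict:
    """Push a command stream through the blocker to the drive and report what
    passed, what was blocked, and whether the drive ended up modified."""
    passed, blocked = [], []
    for cmd in commands:
        if blocker.allows(cmd):
            drive.execute(cmd)
            passed.append(cmd)
        else:
            blocked.append(cmd)
    return {"passed": passed, "blocked": blocked, "drive_modified": drive.modified}


def compare_designs(commands) -> dict:
    """Run the same stream through both designs, each against a fresh drive."""
    modifying = WRITE_COMMANDS | {UNKNOWN_MODIFYING_COMMAND}
    return {
        "deny_list": relay(DenyListBlocker(WRITE_COMMANDS), SimulatedDrive(modifying), commands),
        "allow_list": relay(AllowListBlocker(READ_COMMANDS), SimulatedDrive(modifying), commands),
    }


if __name__ == "__main__":
    # Constructed command stream mixing reads, a known write and the unknown command.
    stream = ["IDENTIFY_DEVICE", "READ_SECTORS", "WRITE_SECTORS",
              UNKNOWN_MODIFYING_COMMAND, "READ_DMA"]
    for design, result in compare_designs(stream).items():
        print(f"{design}: blocked={result['blocked']} modified={result['drive_modified']}")
```

The deny-list blocker stops the listed write but lets the unknown command through and the drive is modified; the allow-list blocker blocks both and the drive stays unchanged, at the cost of also blocking any legitimate read command that was left off the list.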
Write blockers may also include drive protection which will limit the speed of a drive attached to the
blocker. Drives that run at higher speed work harder (the head moves back and forth more often
due to read errors). This added protection could allow drives that cannot be read at high speed
(UDMA modes) to be read at the slower modes (PIO).
There are two types of write blockers, Native and Tailgate. A Native device uses the same interface
for both in and out, for example an IDE-to-IDE write blocker. A Tailgate device uses one interface for
one side and a different one for the other, for example a Firewire-to-SATA write blocker.
Steve Bress and Mark Menz invented hard drive write blocking (US Patent 6,813,682).
There are both hardware and software write blockers. Some software write blockers are designed
for a specific operating system. One designed for Windows will not work on Linux. Most hardware
write blockers are software independent.
Hardware write blockers can be either IDE-to-IDE or Firewire/USB-to-IDE. Simson prefers the IDE-to-
IDE because they deal better with errors on the drive and make it easier to access special
information that is only accessible over the IDE interface.
The term first responder refers to a person who first arrives at a crime scene and accesses the
victim’s computer system once the incident has been reported. The first responder may be a
network administrator, law enforcement officer, or investigating officer. Generally, the first
responder is a person who comes from the forensic laboratory or from a particular agency for initial
investigation.
If a crime occurs that affects a company’s servers or individual workstations, the company first
contacts the forensic laboratory or agency for crime investigation. The laboratory or agency then
sends the first responder to the crime scene for initial investigation. The first responder is
responsible for protecting, integrating, and preserving the evidence obtained from the crime scene.
The first responder needs to have complete knowledge of computer forensic investigation
procedures. He or she preserves all evidence in a simple, protected, and forensically sound manner.
The first responder must investigate the crime scene in a lawful manner so that any obtained
evidence will be acceptable in a court of law.
Electronic Evidence
It can be broken, changed, damaged, or cracked by improper handling; therefore, particular
precautions must be taken to document, gather, safeguard, and examine these types of
evidence.
It can expire after a period of time.
Electronic information is usually stored on magnetic or optical storage devices, such as floppy disks,
flash drives, memory cards, backup tapes, CD-ROMs, and DVD-ROMs. Hard drives, including
removable drives and laptop drives, often contain significant information in hidden files. Computer
systems—in particular PCs and network servers in which electronic data are organized, stored,
deleted, and accessed—should not be ignored. All e-mail servers and their backup schedules are also
critical, and any Internet-related files should be obtained from Internet service providers or specific
network servers.
As the first person to arrive at the crime scene, the first responder plays an important role in
computer forensic investigation. After all the evidence is collected from the crime scene, the
investigation process starts. If the evidence collected by the first responder is forensically sound, it is
significantly easier for the investigation team to find the actual cause of the crime.
• Identifying the crime scene: After arriving at the crime scene, the first responder identifies the
scope of the crime scene and establishes a perimeter. The perimeter will include a particular area,
room, several rooms, or even an entire building, depending on whether the computers are
networked. The first responder should list the computer systems involved in the incident.
• Protecting the crime scene: Like any other case, a search warrant is required for the search and
seizure of digital and electronic evidence. Therefore, the first responder should protect all
computers and electronic devices while waiting for the officer in charge.
• Preserving temporary and fragile evidence: In the case of temporary and fragile evidence that
could change or disappear, such as screen information and running programs, the first responder
does not wait for the officer in charge. Rather, he or she takes immediate photographs of this
evidence.
• Collecting all information about the incident: The first responder conducts preliminary interviews
of all persons present at the crime scene and asks questions about the incident.
• Documenting all findings: The first responder starts documenting all information about the
collected evidence in the chain of custody document. The chain of custody document contains
information such as case number, name and title of the individual from whom the report is received,
address and telephone number, location where the evidence is obtained, date and time when the
evidence is obtained, and a complete description of each item.
• Packaging and transporting the electronic evidence: After collecting the evidence, the first
responder labels all the evidence and places it in evidence storage bags, which protect it from
sunlight and extreme temperatures. These bags also block wireless signals so that wireless devices
cannot acquire data from the evidence. The storage bags are then transported to the forensic
laboratory.
Potential Evidence
The following are some of the types of electronic devices relevant to a crime scene:
Computer systems: A computer system generally consists of the central processing unit (CPU),
motherboard, memory, case, data storage devices, monitor, keyboard, and mouse. Digital evidence
is found in files that are stored on memory cards, hard drives, USB drives, other removable storage
devices, and media such as floppy disks, CDs, DVDs, cartridges, and tapes.
Hard drives: A hard drive is an electronic storage device that stores data magnetically.
Thumb drives: A thumb drive is a removable data storage device with a USB connection.
Memory cards: A memory card is a removable electronic storage device that is used in many devices
such as digital cameras, computers, and PDAs.
Smart cards, dongles, and biometric scanners: Evidence is found in the data on the card or inside
the devices themselves.
Answering machines: These store voice messages, time and date information, and when messages
were left. To find the evidence, an investigator should check the voice recordings for deleted
messages, most recent numbers called, messages, recorded phone numbers, and tapes or digital
recording data.
Digital cameras: To find the evidence, an investigator should check the stored images, removable
media, and time and date stamps of the images.
MP3 players: To find the evidence, an investigator should check the information stored on the
device.
Pagers: To find the evidence, an investigator should check the stored addresses, text messages, e-
mails, voice messages, and phone numbers.
Personal digital assistants: PDAs are handheld devices that have computing, telephone or fax,
paging, and networking features. To find the evidence, an investigator should check the address
book, meeting calendar, documents, and e-mails.
Printers: To find the evidence, an investigator should check the usage logs, time and date
information, and network identity information.
Removable storage devices (tapes, CDs, DVDs, and floppies): Evidence is found on the devices
themselves.
Telephones: To find the evidence, an investigator should check stored names, stored phone
numbers, and caller identification information.
Scanners: Evidence is found in user usage logs and time and date stamps.
Copiers: Evidence is found in user texts, user usage logs, and time and date stamps.
Credit card skimmers: To find the evidence, an investigator should check the card expiration date,
user’s address, card numbers, and user’s name.
Fax machines: To find the evidence, an investigator should check the documents, phone numbers,
film cartridges, and sent and received logs.
The first responder has to create a toolkit before a cybercrime event happens and prior to any
potential evidence collection. Once a crime is reported, someone should immediately report to the
site and should not have to waste any time gathering materials.
The first responder toolkit is a set of tested tools designed to help in collecting genuine presentable
evidence. It helps the first responder understand the limitations and capabilities of electronic
evidence at the time of collection. The act of creating a toolkit makes the first responder familiar
with computer forensic tools and their functionalities.
The first responder has to select trusted computer forensic tools that provide output-specific
information and determine system dependencies. For example, any program running on the victim’s
computer generally uses common libraries for routine system commands. If the first responder
starts collecting evidence with the trusted tools, it will be easy to determine the system
dependencies.
1. Create a trusted forensic computer or test bed: This trusted forensic computer or test bed will be
used to test the functionality of the collected tools. Prior to testing any tool, the investigator should
make sure that this is a trusted resource.
• Choose the operating system type. Create two different test bed machines: one for Windows and
one for Linux.
• Completely sanitize the forensic computer. This includes formatting the hard disk completely to
remove any data, using software such as BCWipe for Windows or Wipe for Linux.
• Install the operating system and required software from trusted resources. If the operating system
is downloaded, verify the hashes prior to installation.
• Install a file integrity monitor to test the integrity of the file system.
2. Document the details of the forensic computer: Documenting the forensic computer or test bed is
the second step in creating a first responder toolkit. It helps the forensic expert easily understand
the situation and the tools used, and will help to reproduce results if they come into question for any
reason. The forensic computer or test bed documentation should include the following:
• Version name and type of the operating system
3. Document the summary of collected tools: The third step in creating a first responder toolkit is to
document the summary of the collected tools. This allows the first responder to become more
familiar with and understand the working of each tool. Information about the following should be
included while documenting the summary of tools:
4. Test the tools: After documenting the summary of the collected tools, the investigator should test
them on the forensic computer or test bed to examine the performance and output. He or she
should examine the effects of each tool on the forensic computer. He or she should also monitor any
changes in the forensic computer caused by the tools.
The investigator should have general crime scene processing tools, such as the following:
• Cameras
• Notepads
• Sketchpads
• Evidence forms
• Markers
The following are some of the tools and equipment used to collect the evidence:
• Documentation tools:
• Cable tags
• Stick-on labels
• Hex-nut drivers
• Needlenose pliers
• Secure-bit drivers
• Small tweezers
• Specialized screwdrivers
• Standard pliers
• Wire cutters
• Antistatic bags
• Cable ties
• Evidence bags
• Evidence tape
• Packing materials
• Other tools:
• Gloves
• Hand truck
• Magnifying glass
• Printer paper
• Seizure disk
• Notebook computers:
• Licensed software
• Bootable CDs
• External hard drives
• Network cables
• Software tools:
• Hardware tools:
• Paraben forensic hardware
• Under no circumstances should anyone except qualified forensic analysts make any attempts to
collect or recover data from any computer system or device that holds electronic information.
• Any information present inside the collected electronic devices is potential evidence and should be
treated accordingly.
• Any attempts to recover data by untrained persons could either compromise the integrity of the
files or result in the files being inadmissible in administrative or legal proceedings.
• The workplace or office must be secured and protected to maintain the integrity of the crime
scene and the electronic storage media.
The first response to an incident may involve one of three different groups of people, each of which
will have different tasks based on the circumstance of the incident. The three groups are as follows:
• System administrators
• Local managers or other non-forensic staff
• Laboratory forensic staff
The system administrator plays an important role in ensuring network protection and maintenance,
as well as playing a vital role in the investigation. Once a system administrator discovers an incident,
it must be reported according to the current organizational incident reporting procedures. The
system administrator should not touch the system unless directed to do so by either the
incident/duty manager or one of the forensic analysts assigned to the case.
Non-forensic staff members are responsible for securing the crime scene and making sure that it is
retained in a secure state until the forensic team advises otherwise. They should also make notes
about the scene and those present to hand over to the attending forensic team. The surrounding
area of the suspect computer should be secured, not just the computer itself.
The first response by laboratory forensic staff involves the following six stages:
1. Securing and evaluating the electronic crime scene: This ensures that all personnel are removed
from the crime scene area. At this point in the investigation, the states of any electronic devices are
not altered.
• Search warrant for search and seizure
• Plan the search and seizure
2. Conducting preliminary interviews: All personnel, subjects, or any others at the crime scene are
identified. Their position at the time of entry and their reasons for being at the crime scene are
recorded.
• Ask questions
• Check consent issues
• Witness signatures
• Initial interviews
3. Documenting the electronic crime scene: Documentation of the electronic crime scene is a
continuous process during the investigation, creating a permanent record of the scene.
4. Collecting and preserving the electronic evidence: Electronic evidence is volatile in nature and
easily broken, so particular precautions must be taken to prevent damage.
• Collect evidence
• Deal with powered-off or powered-on computers at the time of seizure
• Seize portable computers
• Preserve the electronic evidence
5. Packaging the electronic evidence: All evidence should be well documented, and all containers
should be properly labeled and numbered.
6. Transporting the electronic evidence: Special precautions must be taken while transporting
electronic evidence. Make sure that proper transportation procedures are followed to avoid physical
damage.
The following checklist should be followed when securing and evaluating an electronic crime scene:
• Follow the policies of the legal authority for securing the crime scene.
• Establish a security perimeter to see if the offenders are still present at the crime scene area.
• Make sure that the devices that contain perishable data are secured, documented, and
photographed.
• Find the telephone lines that are connected to devices such as modems and caller ID boxes.
• Protect physical evidence or hidden fingerprints that may be found on keyboards, mice, diskettes,
and CDs.
The investigating officer or first responder must perform the investigation process in a lawful
manner, which means a search warrant is required for search and seizure. The following are the two
types of relevant search warrants:
• Electronic storage device search warrant: This allows for search and seizure of computer
components such as the following:
• Hardware
• Software
• Storage devices
• Documentation
• Service provider search warrant: If the crime is committed through the Internet, the first
responder needs information about the victim’s computer from the service provider. A service
provider search warrant allows the first responder to get this information. The first responder can
get the following information from the service provider:
• Service records
• Billing records
• Subscriber information
• Incident manager
• Types
• Serial numbers
• Whether the computers were networked, and if so, what type of network, where data is stored on
the network, where the backups are held, if the system administrator is cooperative, if it is
necessary to take the server down, and the business impact of this action
• Other work to be performed at the scene (e.g., full search and evidence required)
Once the forensic team has arrived at the scene and unloaded their equipment, they will move to
the location of the incident and try to identify any evidence. A perpetrator may attempt to use a
self-destruct program or reformat the storage media upon the arrival of the team. If a suspected
perpetrator is using the system, an investigator should pull the power cord immediately.
In order to protect the staff and preserve evidence such as fingerprints, investigators should follow
these health and safety precautions:
• All elements of an agency’s health and safety plan should be clearly documented.
• Health and safety considerations should be followed at all stages of the investigation by
everyone involved.
• The health and safety program should be frequently monitored and documented by designated
agency representatives.
• All forensic teams should wear protective latex gloves for all search and seizure on-site operations.
When a client first calls the investigator, the investigator should ask the following questions:
• What happened?
• What is to be seized (make, model, location, and ID)?
• What other work will need to be performed at the scene (e.g., full search and evidence required)?
• Is the search and seizure to be overt or covert, and will local management be informed?
Consent
A properly worded banner displayed at login, together with an acceptable-use policy that informs users
of monitoring activities and how any collected information will be used, satisfies the consent burden
in the majority of cases. There are instances when the user is present and consent from that user is
required; in such cases the appropriate consent forms for the jurisdiction should be used, and blank
copies must be carried in the first responder toolkit. It should never be taken as generally acceptable
for system administrators to conduct unplanned and random monitoring; monitoring should be part of a
well-documented procedure that is clearly detailed in the consent obtained.
Witness Signatures
Depending on the legislation in the jurisdiction, one or two signatures may be required to
certify the collection of evidence. Typically, one witness signature is required when the forensic analyst
or a law enforcement officer performs the seizure. Where two are required, guidance should be
sought to determine who the second signatory should be.
The witness signature verifies that the information in the consent form and other written documents
was correctly explained to, and understood by, the signatory or the signatory's legally
authorized representative, and that informed consent was given freely. Whoever signs as a witness
must have a clear understanding of that role and may be called upon to provide a witness statement
or attend court proceedings.
When preparing a case, computer forensic professionals (CFPs) start their investigation by collecting
evidence and conducting preliminary interviews. As a part of their preliminary investigation, they
talk to everyone present at the site at the time of the offense. After identifying the persons present
at the time of the crime, the CFPs conduct individual interviews and note everyone’s physical
position and his or her reason for being there.
As part of the investigation process, the CFP first determines whether the suspect has committed a crime
or has violated any departmental policies. Usually, departments establish certain policies regarding
the usage of computers. Adhering to departmental policies and applicable laws, the CFP gathers
evidence and collects information from individuals, such as the following:
• Actual holders or users of any electronic devices present at the crime scene
• Any off-site data storage
If the evidence the CFP gathers suggests that the suspect has committed a crime, the evidence will
be presented in court. If the evidence suggests that the suspect has breached company policy, the
CFP will hand over the evidence at the corporate inquiry.
A CFP should keep the following points in mind during preliminary interviews:
• If the suspect is present at the time of the search and seizure, the incident manager or the
laboratory manager may consider asking some questions. However, they must comply with the
relevant human resources or legislative guidelines for their jurisdiction.
• During an initial interview suspects are often taken off guard, having been given little time to
create a false story. This means that they will often answer questions such as, “What are the
passwords for the account?” truthfully.
• If the system administrator is present at the time of the initial interview, he or she may help
provide important information such as how many systems are involved, who is associated with a
particular account, and what the relevant passwords are.
• A person having physical custody of evidence is responsible for the safety and security of that
evidence.
• Whenever possible, evidence must be secured in such a way that only a person with complete
authority is allowed access.
Typical interview questions could include the following:
• What e-mail addresses are in use? What are the users' IDs and passwords for them?
The CFP should also document the scene as follows:
• Properly note the physical location and state of computers, digital storage
media, and other electronic devices.
• Document the physical crime scene, noting the position of the mouse and the location of items
found near the system.
• Record the state of computer systems, digital storage media, and electronic devices, including the
power status of each computer.
• Photograph the computer monitor's screen and note what was on it.
• Document the crime scene in detail and comprehensively at the time of the
investigation.
On arrival, the first step taken by the forensic team should be to photograph the scene. It is very
important that this be done in a way that will not alter or damage the scene, and everything should
be clearly visible.
The best course of action is to take various photographs of the crime scene. For example, an
investigator should first take a photograph of the building and/or office number. This should be
followed by an entry photograph (what is seen as one enters the crime scene) and then by a series
of 360-degree photographs. These are overlapping photographs depicting the entire crime scene. It
is important to proceed all the way from the entire scene down to the smallest piece of evidence.
Crime scene photographs should be taken of the work area, including things such as computer disks,
handwritten documents, and other components of the system. Photos should also be taken of the
back of the computer system to accurately show how cables are linked. If this cannot be done on-
site, then all cables must be labeled so the computer system can be reconnected at the forensic
laboratory and photographed.
After securing the scene, the CFP has to prepare a sketch of the crime scene. This sketch should
include all details about the objects present and their locations within the office area. As with
photographs, forensic professionals prepare many sketches of the complete scene, all the way down
to the smallest piece of evidence.
When an incident is reported in which a computer is thought to have played a part, that computer
is often, incorrectly, the first and only item seized. The crime scene should be investigated in a way
that covers the entire area, with the computer at the center of the search.
All collected evidence should be marked clearly so that it can be easily identified later. Pieces of
evidence found at the crime scene should be first photographed, identified within documents, and
then properly gathered.
Markings on the evidence should, at the very least, include date and time of collection and the
initials of the collecting person. Evidence should be identified, recorded, seized, bagged, and tagged
on-site, with no attempts to determine contents or status.
Order of Volatility
Volatility is the measure of how perishable electronically stored data are. When collecting evidence,
the order of collection should proceed from the most volatile to the least volatile. The following list
is the order of volatility for a typical system, beginning with the most volatile:
5. Remote logging and monitoring data that is related or significant to the system in question
6. Physical configuration and network topology
7. Archival media
At this point in the investigation, an investigator should not change the state of any electronic
devices or equipment. If it is switched off, the investigator should leave it off and take it into
evidence.
When dealing with a powered-on computer, the investigator should stop and think before taking any
action. The contents of RAM may contain vital information. For example, data that is encrypted on
the hard disk may be unencrypted in RAM. Also, running process information is stored in RAM. All of
this vital information is lost when the computer is shut down or the power supply is
removed, so any volatile data that is needed must be captured while the system is still running.
If a computer is switched on and the screen is viewable, the investigator should photograph the
screen and document the running programs. If a computer is on and the monitor shows a
screensaver, the investigator should move the mouse slowly without pressing any mouse button,
and then photograph and document the programs.
If the victim’s computer is connected to the Internet, the first responder must follow this procedure
in order to protect the evidence:
• Unplug the network cable from the router and modem in order to prevent further attacks.
• Do not use the computer for the evidence search because it may alter or change the integrity of
existing evidence.
• Photograph all devices connected to the victim’s computer, particularly the router and modem,
from several angles. If any devices, such as a printer or scanner, are present near the computer, take
photographs of those devices as well.
• If the computer is on, take a photograph of the screen and document any running programs.
• Unplug all cords and devices connected to the computer and label them for later identification.
• Pack the collected electronic evidence properly and place it in a static-free bag.
• Keep the collected evidence away from magnets, high temperatures, radio transmitters, and other
elements that may damage the integrity of the evidence.
• Document all steps involved in searching and seizing the victim’s computer for later investigation.
Dealing with Open Files and Startup Files
When malware attacks a computer system, files are often created in the startup locations so that the
malware program runs at every boot. The first responder can get vital information from these files by
following this procedure:
• Identify any recently created files in the Startup folder or the system32 folder in Windows and in
the rc.local file (and the other boot scripts) in Linux. Inspect them from a forensic copy where
possible: opening a file on the live system updates its access time and destroys that part of the
evidence.
• Examine the open files for sensitive data such as passwords or images.
• Search for unusual MAC (modified, accessed, or changed) times on vital folders and startup files.
• Use the dir command (dir /T:A shows last-access times) for Windows or the ls command (ls -lu for
access times, ls -lc for change times) for Linux to list the timestamps of files and folders.
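The procedure above can be carried out without opening a single file. The following script is an added example written for this study material, not code taken from it: it builds a small constructed startup folder with assumed file names and an assumed incident time, reads only the stat() metadata, and flags entries modified or accessed within a window around the incident, plus entries whose modification time lies after the inode change time, which on Linux points to a forged timestamp.

```python
"""MAC-time triage of startup locations without opening any file.

Added example for this study material, not code from the original text. The sample
tree, file names and timestamps below are constructed; the "incident time" is an
assumed value a first responder would take from the incident report.
"""
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone

INCIDENT = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)  # assumed, from the report
WINDOW = timedelta(hours=24)


def is_posix() -> bool:
    return os.name == "posix"


def _utc(ts: float) -> datetime:
    return datetime.fromtimestamp(ts, timezone.utc)


def triage(roots, incident=INCIDENT, window=WINDOW):
    """Return {path: [flags]} for every file under the given directories.

    Only os.stat() is used, so access times are not disturbed the way opening
    each file would disturb them. Flags:
      modified_in_window / accessed_in_window - timestamp within +/- window of the incident
      mtime_after_ctime - modification time later than the inode change time, which
                          cannot arise naturally on POSIX and points to timestomping
    """
    lo, hi = incident - window, incident + window
    findings = {}
    for root in roots:
        for dirpath, _subdirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.stat(path, follow_symlinks=False)
                flags = []
                if lo <= _utc(st.st_mtime) <= hi:
                    flags.append("modified_in_window")
                if lo <= _utc(st.st_atime) <= hi:
                    flags.append("accessed_in_window")
                # On Windows st_ctime is the creation time, so this check only
                # makes sense on POSIX, where ctime is the inode change time.
                if is_posix() and st.st_mtime > st.st_ctime + 1:
                    flags.append("mtime_after_ctime")
                findings[path] = flags
    return findings


def build_sample_tree(root, incident=INCIDENT):
    """Constructed startup folder: one old benign file, one dropped shortly before
    the incident, and one whose mtime was forged into the future."""
    def put(name, content, when_ts):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (when_ts, when_ts))  # sets atime and mtime; ctime becomes "now"

    put("benign.txt", b"set by IT 30 days earlier\n",
        (incident - timedelta(days=30)).timestamp())
    put("dropper.exe", b"MZ...constructed...",
        (incident - timedelta(minutes=20)).timestamp())
    put("stomped.dll", b"constructed", time.time() + 10 * 365 * 86400)


def demo():
    """Build the sample tree in a temporary directory and return {file name: flags}."""
    root = tempfile.mkdtemp(prefix="startup_")
    build_sample_tree(root)
    return {os.path.basename(p): f for p, f in triage([root]).items()}


if __name__ == "__main__":
    for name, flags in sorted(demo().items()):
        print(f"{name:12s} {flags or 'clean'}")
```

Run it against a forensic copy of the startup locations rather than the live system; on Windows the st_ctime field is the creation time, so the timestomping check is skipped there and the window checks alone apply.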
It is important to shut down the system in a manner that will not damage the integrity of any files,
and only after any volatile data that is needed has been captured, since every form of shutdown
discards the contents of RAM. Different operating systems have different shutdown procedures. Some
operating systems can be shut down by simply unplugging the power cord from the wall socket, while
others have a more elaborate shutdown procedure that must be followed, as detailed below:
MS-DOS/Windows 3.x/Windows 9x, Windows NT, Windows XP, Windows Vista, Windows 7:
UNIX/Linux:
• If the root user is already logged in, type sync;sync;halt to shut down the system.
• If the root user is not logged in but the password is available, type su to switch to the root user,
enter the password, and type sync;sync;halt to shut down the system.
• If the password is not available, unplug the power cord from the wall socket.
Mac OS:
The following are the steps that should be taken to preserve electronic evidence:
• Document the actions and changes observed in the monitor, system, printer, and other
electronic devices.
• Remove the power cable if the device is off. Do not turn the device on.
• Remove any floppy disks that are available at the scene to safeguard the potential evidence.
• Photograph the connections between the computer system and related cables, and label them
individually.
• Photograph the connectors at the back of the computer and individually label them.
The panel on the front of evidence bags must, at the very least, contain the following details:
• Exhibit number
• Names of the suspected persons
Investigators should keep these items in mind when packaging electronic evidence:
• Make sure the gathered electronic evidence is correctly documented, labeled, and listed
before packaging.
• Pay special attention to hidden or trace evidence, and take the necessary actions to safeguard it.
• Do not use materials such as plastic bags for packaging because they may produce static electricity.
• Avoid folding and scratching storage devices such as diskettes, CD-ROMs, and tapes.
• Make sure that all containers that contain evidence are labeled in the appropriate way.
Chain of Custody
The CFP must follow the correct chain of custody when documenting a case. The chain of custody is
a written description created by individuals who are responsible for the evidence from the beginning
until the end of the case. The chain of custody form is easy to use. The individual who takes
ownership of a piece of evidence has the responsibility to safeguard and preserve it so that it can be
later used for legal inquiry.
A chain of custody document contains the following information about the obtained evidence:
• Case number
• Name, title, address, and telephone number of the person from whom the evidence was received
• Item number/quantity/description
• Color
• Marking information
• Packaging information
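One way to keep the chain of custody verifiable, as an added example that is not a form from this study material: each hand-over records the SHA-256 of the exhibit, a hand-over is refused if the exhibit no longer matches the previous digest, and each entry also carries the digest of the entry before it, so that a later edit to the written record is detectable. The case number, names and exhibit bytes are constructed.

```python
"""Chain-of-custody log with integrity checks.

Added example for this study material, not a form from the original text. Names,
case number and the exhibit bytes are constructed. Two things are checked: that the
exhibit's SHA-256 is unchanged at every hand-over, and that the log entries form a
hash chain so a later edit of an earlier entry is detectable.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # prev-entry hash used for the first entry
SAMPLE_IMAGE = b"constructed disk image bytes " * 64  # stands in for an acquired image


def sha256_hex(data: bytes) -> str:
    """Digest of the exhibit contents, taken at acquisition and at each hand-over."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    case_number: str
    exhibit: str
    released_by: str
    received_by: str
    purpose: str
    exhibit_sha256: str
    timestamp: str
    prev_entry_hash: str

    def digest(self) -> str:
        # Canonical JSON so the same fields always hash to the same value.
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class CustodyLog:
    def __init__(self, case_number: str):
        self.case_number = case_number
        self.entries: List[CustodyEntry] = []

    def record(self, exhibit: str, released_by: str, received_by: str, purpose: str,
               image: bytes, when: Optional[str] = None) -> CustodyEntry:
        """Record a hand-over; refuses if the exhibit no longer matches the last digest."""
        digest = sha256_hex(image)
        if self.entries and self.entries[-1].exhibit_sha256 != digest:
            raise ValueError(f"{exhibit}: contents changed while held by {released_by}")
        prev = self.entries[-1].digest() if self.entries else GENESIS
        entry = CustodyEntry(self.case_number, exhibit, released_by, received_by, purpose,
                             digest, when or datetime.now(timezone.utc).isoformat(), prev)
        self.entries.append(entry)
        return entry

    def exhibit_unchanged(self, image: bytes) -> bool:
        """True if the image still matches the digest recorded at the last hand-over."""
        return bool(self.entries) and self.entries[-1].exhibit_sha256 == sha256_hex(image)

    def log_intact(self) -> bool:
        """True if every entry still carries the digest of the entry before it."""
        prev = GENESIS
        for entry in self.entries:
            if entry.prev_entry_hash != prev:
                return False
            prev = entry.digest()
        return True


def demo() -> CustodyLog:
    """Constructed case: seizure at the scene, then hand-over to the laboratory."""
    log = CustodyLog("CASE-0001")
    log.record("EXH-01 laptop HDD", "first responder", "evidence clerk",
               "seized at scene", SAMPLE_IMAGE, "2024-03-10T14:05:00+00:00")
    log.record("EXH-01 laptop HDD", "evidence clerk", "forensic laboratory",
               "imaging and analysis", SAMPLE_IMAGE, "2024-03-11T09:30:00+00:00")
    return log


if __name__ == "__main__":
    for e in demo().entries:
        print(e.timestamp, e.released_by, "->", e.received_by, e.exhibit_sha256[:16])
```

The last entry is not protected by anything after it, so in practice the final digest is countersigned by the witness or lodged with an independent party; the hash chain only makes the earlier entries tamper-evident.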
Often, when a computer crime incident occurs, the system or network administrator assumes the
role of the first responder at the crime scene. The system or network administrator might not know
the standard first responder procedure or have a complete knowledge of forensic investigation, so
he or she might make the following common mistakes:
• Shutting down or rebooting the victim’s computer. In this case, all volatile data is lost. The
processes that are running on the victim’s computer are also lost.
• Trusting the victim's computer's own programs and commands. Running commands on the victim's
computer may activate Trojans, malware, or logic bombs that delete vital data, which is why first
responders work from their own known-good toolkit.
Chapter 7: Emerging Cyber Concept
Cloud Computing
Simply put, cloud computing is the delivery of computing services—servers, storage, databases,
networking, software, analytics and more—over the Internet (“the cloud”). Companies offering
these computing services are called cloud providers and typically charge for cloud computing
services based on usage, similar to how you are billed for water or electricity at home.
Advantages
Cloud computing is a big shift from the traditional way businesses think about IT resources. What is
it about cloud computing? Why is cloud computing so popular? Here are 6 common reasons
organizations are turning to cloud computing services:
1. Cost
Cloud computing eliminates the capital expense of buying hardware and software and setting up and
running on-site datacenters—the racks of servers, the round-the-clock electricity for power and
cooling, the IT experts for managing the infrastructure. It adds up fast.
2. Speed
Most cloud computing services are provided self service and on demand, so even vast amounts of
computing resources can be provisioned in minutes, typically with just a few mouse clicks, giving
businesses a lot of flexibility and taking the pressure off capacity planning.
3. Global scale
The benefits of cloud computing services include the ability to scale elastically. In cloud speak, that
means delivering the right amount of IT resources, for example more or less computing power,
storage or bandwidth, right when it is needed and from the right geographic location.
4. Productivity
On-site datacenters typically require a lot of “racking and stacking”—hardware set up, software
patching and other time-consuming IT management chores. Cloud computing removes the need for
many of these tasks, so IT teams can spend time on achieving more important business goals.
5. Performance
The biggest cloud computing services run on a worldwide network of secure datacenters, which are
regularly upgraded to the latest generation of fast and efficient computing hardware. This offers
several benefits over a single corporate datacenter, including reduced network latency for
applications and greater economies of scale.
6. Reliability
Cloud computing makes data backup, disaster recovery and business continuity easier and less
expensive, because data can be mirrored at multiple redundant sites on the cloud provider’s
network.
Most cloud computing services fall into three broad categories: infrastructure as a service (IaaS),
platform as a service (PaaS) and software as a service (SaaS). These are sometimes called the cloud
computing stack, because they build on top of one another. Knowing what they are and how they
are different makes it easier to accomplish your business goals.
Infrastructure-as-a-service (IaaS)
The most basic category of cloud computing services. With IaaS, you rent IT infrastructure—servers
and virtual machines (VMs), storage, networks, operating systems—from a cloud provider on a pay-
as-you-go basis.
Software-as-a-service (SaaS) is a method for delivering software applications over the Internet, on
demand and typically on a subscription basis. With SaaS, cloud providers host and manage the
software application and underlying infrastructure and handle any maintenance, like software
upgrades and security patching. Users connect to the application over the Internet, usually with a
web browser on their phone, tablet or PC.
Not all clouds are the same. There are three different ways to deploy cloud computing resources:
public cloud, private cloud and hybrid cloud.
Public cloud
Public clouds are owned and operated by a third-party cloud service provider, which delivers its
computing resources, such as servers and storage, over the Internet. Microsoft Azure is an example of a
public cloud. With a public cloud, all hardware, software and other supporting infrastructure is
owned and managed by the cloud provider. You access these services and manage your account
using a web browser.
Private cloud
A private cloud refers to cloud computing resources used exclusively by a single business or
organization. A private cloud can be physically located on the company’s on-site datacenter. Some
companies also pay third-party service providers to host their private cloud. A private cloud is one in
which the services and infrastructure are maintained on a private network.
Hybrid cloud
Hybrid clouds combine public and private clouds, bound together by technology that allows data and
applications to be shared between them. By allowing data and applications to move between private
and public clouds, hybrid cloud gives businesses greater flexibility and more deployment options.
Cloud computing services all work a little differently, depending on the provider. But many provide a
friendly, browser-based dashboard that makes it easier for IT professionals and developers to order
resources and manage their accounts. Some cloud computing services are also designed to work
with REST APIs and a command-line interface (CLI), giving developers multiple options.
Flash memory is a solid-state chip that maintains stored data without any external power
source. It is commonly used in portable electronics and removable storage devices, and to
replace computer hard drives.
In computer lingo, there's a difference between memory and storage. Random-access memory, or
RAM (or simply memory), holds the program a computer is executing, as well as any data. Like a
person's short-term memory, RAM is fleeting and requires power to do its job. Storage, on the other
hand, holds all the stuff of your digital life -- apps, files, photos and music. It retains that stuff even if
the power is switched off. Both RAM and storage boast their capacity based on the number of bytes
they can hold. For a modern computer, RAM typically comes in 4, 6 or 8 gigabytes. Storage can have
almost 100 times more capacity -- the hard drive of a typical laptop, for example, can hold 500
gigabytes.
Here's where it gets a little sticky. Some storage devices have what's referred to as flash memory, a
confusing term that blurs the line between RAM and storage. Devices with flash memory still hold
lots of info, and they do it whether the power's on or not. But unlike hard drives, which contain
spinning platters and turntable-like arms bearing read-write heads, flash-memory devices have no
mechanical parts. They're built from transistors and other components you'd find on a computer
chip. As a result, they enjoy a label -- solid state -- reserved for devices that take advantage of
semiconductor properties.
Flash memory is a type of EEPROM chip, which stands for Electrically Erasable Programmable
Read-Only Memory. It has a grid of columns and rows with a memory cell at each intersection. Each
cell is a single transistor with two gates, separated from each other by a thin oxide layer: one
gate is known as the floating gate, and the other is the control gate. The floating gate's only link to
the row, or word line, is through the control gate. As long as this link is in place, the cell has a
value of 1. To change the value to a 0 requires a process called Fowler-Nordheim
tunneling, which pushes electrons through the oxide layer onto the floating gate.
Raid Configurations
RAID
RAID is a technology that is used to increase the performance and/or reliability of data storage. The
abbreviation stands for Redundant Array of Inexpensive Disks. A RAID system consists of two or
more drives working in parallel. These disks can be hard disks, but there is a trend to also use the
technology for SSDs (solid state drives). There are different RAID levels, each optimized for a specific
situation. Beyond the basic levels, these are not strictly standardized by an industry group or
standardization committee, which explains why companies sometimes come up with their own unique
numbers and implementations.
This article covers the following RAID levels:
RAID 0 – striping
RAID 1 – mirroring
RAID 5 – striping with parity
RAID 6 – striping with double parity
RAID 10 – combining mirroring and striping
The software to perform the RAID-functionality and control the drives can either be located on a
separate controller card (a hardware RAID controller) or it can simply be a driver. Some versions of
Windows, such as Windows Server 2012 as well as Mac OS X, include software RAID functionality.
Hardware RAID controllers cost more than pure software, but they also offer better performance,
especially with RAID 5 and 6.
RAID-systems can be used with a number of interfaces, including SCSI, IDE, SATA or FC (fiber
channel.) There are systems that use SATA disks internally, but that have a FireWire or SCSI-interface
for the host system.
Sometimes disks in a storage system are defined as JBOD, which stands for ‘Just a Bunch Of Disks’.
This means that those disks do not use a specific RAID level and act as stand-alone disks. This is
often done for drives that contain swap files or spooling data.
In a RAID 0 system data are split up into blocks that get written across all the drives in the array. By
using multiple disks (at least 2) at the same time, this offers superior I/O performance. This
performance can be enhanced further by using multiple controllers, ideally one controller per disk.
Advantages
RAID 0 offers great performance, both in read and write operations. There is no overhead
caused by parity controls.
All storage capacity is used, there is no overhead.
The technology is easy to implement.
Disadvantages
RAID 0 is not fault-tolerant. If one drive fails, all data in the RAID 0 array are lost. It should
not be used for mission-critical systems.
Ideal use
RAID 0 is ideal for non-critical storage of data that have to be read/written at a high speed, such as
on an image retouching or video editing station.
If you want to use RAID 0 purely to combine the storage capacity of two drives in a single volume,
consider mounting one drive in the folder path of the other drive. This is supported in Linux, OS X as
well as Windows and has the advantage that a single drive failure has no impact on the data of the
second disk or SSD drive.
Data are stored twice by writing them to both the data drive (or set of data drives) and a mirror
drive (or set of drives). If a drive fails, the controller uses either the data drive or the mirror drive for
data recovery and continues operation. You need at least 2 drives for a RAID 1 array.
Advantages
RAID 1 offers excellent read speed and a write-speed that is comparable to that of a single
drive.
In case a drive fails, data do not have to be rebuilt; they just have to be copied to the
replacement drive.
RAID 1 is a very simple technology.
Disadvantages
The main disadvantage is that the effective storage capacity is only half of the total drive
capacity because all data get written twice.
Software RAID 1 solutions do not always allow a hot swap of a failed drive. That means the
failed drive can only be replaced after powering down the computer it is attached to. For
servers that are used simultaneously by many people, this may not be acceptable. Such
systems typically use hardware controllers that do support hot swapping.
Ideal use
RAID-1 is ideal for mission critical storage, for instance for accounting systems. It is also suitable for
small servers in which only two data drives will be used.
RAID level 5
RAID 5 is the most common redundant RAID level. It requires at least 3 drives; many controllers
support up to 16. Data blocks are striped across the drives and, for each stripe, one drive holds a
parity block computed (by XOR) from the data blocks of that stripe. The parity blocks are not written
to a fixed drive; they are rotated across all drives. Using the parity data, the controller can
recalculate the contents of one missing block from the other blocks of the stripe, should that block
no longer be available. That means a RAID 5 array can withstand a single drive failure without losing
data or access to data. Although RAID 5 can be achieved in software, a hardware controller is
recommended. Often extra cache memory is used on these controllers to improve the write performance.
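The parity mechanism just described, worked through in code as an added example that is not from the study material: data is striped across n drives with the parity block rotating across them, a failed drive is represented as None, a degraded read regenerates its blocks from the survivors, a rebuild regenerates the whole drive, and a second failure is reported as unrecoverable. Drive count, block size and the data written are assumed values.

```python
"""RAID 5: striping with rotating (distributed) parity, in pure Python.

Added example for this study material, not code from the original text. Drive count,
block size and the data are parameters or constructed values. A failed drive is
represented as None; reads reconstruct its blocks from the survivors, and a rebuild
regenerates the whole drive, as a controller does after a single failure.
"""
import math
from typing import List, Optional

Drive = Optional[List[bytes]]  # a drive is a list of blocks; None means it failed


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks: the parity function of RAID 5."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def parity_drive(stripe: int, ndrives: int) -> int:
    """Parity of stripe s lives on drive (n-1-s) mod n, so it rotates over all drives."""
    return (ndrives - 1 - stripe) % ndrives


def raid5_write(data: bytes, ndrives: int, block_size: int = 4096) -> List[Drive]:
    """Split data into stripes of (n-1) data blocks plus one parity block each."""
    if ndrives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    per_stripe = (ndrives - 1) * block_size  # user data per stripe
    nstripes = max(1, math.ceil(len(data) / per_stripe))
    drives: List[Drive] = [[] for _ in range(ndrives)]
    for s in range(nstripes):
        chunk = data[s * per_stripe:(s + 1) * per_stripe].ljust(per_stripe, b"\x00")
        data_blocks = [chunk[j * block_size:(j + 1) * block_size] for j in range(ndrives - 1)]
        p = parity_drive(s, ndrives)
        blocks = data_blocks[:p] + [xor_blocks(data_blocks)] + data_blocks[p:]
        for d, blk in enumerate(blocks):
            drives[d].append(blk)
    return drives


def _nstripes(drives: List[Drive]) -> int:
    return len(next(drv for drv in drives if drv is not None))


def _stripe_blocks(drives: List[Drive], stripe: int) -> List[bytes]:
    """All blocks of one stripe, regenerating the block of at most one failed drive.
    XOR of the surviving n-1 blocks gives the missing one whether it was data or parity."""
    missing = [d for d, drv in enumerate(drives) if drv is None]
    if len(missing) > 1:
        raise RuntimeError("two or more drives failed: RAID 5 cannot recover")
    blocks = [drv[stripe] if drv is not None else b"" for drv in drives]
    if missing:
        m = missing[0]
        blocks[m] = xor_blocks([b for d, b in enumerate(blocks) if d != m])
    return blocks


def raid5_read(drives: List[Drive], length: int) -> bytes:
    """Reassemble user data, skipping parity; works degraded with one drive missing."""
    n = len(drives)
    out = bytearray()
    for s in range(_nstripes(drives)):
        p = parity_drive(s, n)
        for d, blk in enumerate(_stripe_blocks(drives, s)):
            if d != p:
                out += blk
    return bytes(out[:length])


def raid5_rebuild(drives: List[Drive]) -> List[Drive]:
    """Regenerate the single failed drive and return a fully populated array."""
    missing = [d for d, drv in enumerate(drives) if drv is None]
    if len(missing) != 1:
        raise RuntimeError("rebuild needs exactly one failed drive")
    m = missing[0]
    rebuilt = [_stripe_blocks(drives, s)[m] for s in range(_nstripes(drives))]
    return [rebuilt if d == m else drv for d, drv in enumerate(drives)]


if __name__ == "__main__":
    payload = bytes(range(256)) * 5 + b"tail of file"  # constructed sample data
    array = raid5_write(payload, 4, 64)
    array[2] = None  # simulate one drive dying
    print("degraded read ok:", raid5_read(array, len(payload)) == payload)
    print("parity rotation:", [parity_drive(s, 4) for s in range(4)])
```

The rebuild loop is the window the RAID 6 text below refers to: every stripe must be read from all surviving drives, and a second failure during that time makes _stripe_blocks raise. RAID 6 closes that window with a second, independent parity (Reed-Solomon over GF(2^8)), which plain XOR cannot provide and is not shown here.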
Advantages
Read data transactions are very fast while write data transactions are somewhat slower (due
to the parity that has to be calculated).
If a drive fails, you still have access to all data, even while the failed drive is being replaced
and the storage controller rebuilds the data on the new drive.
Disadvantages
Ideal use
RAID 5 is a good all-round system that combines efficient storage with excellent security and decent
performance. It is ideal for file and application servers that have a limited number of data drives.
RAID 6 is like RAID 5, but the parity data are written to two drives. That means it requires at least 4
drives and can withstand 2 drives dying simultaneously. The chance that two drives break down at
exactly the same moment is of course very small. However, if a drive in a RAID 5 system dies and
is replaced by a new drive, it takes hours or even more than a day to rebuild the replacement drive. If
another drive dies during that time, you still lose all of your data. With RAID 6, the array will
even survive that second failure.
Advantages
Disadvantages
Write data transactions are slower than RAID 5 due to the additional parity data that have to
be calculated. One published benchmark reported write performance around 20% lower.
Drive failures have an effect on throughput, although this is still acceptable.
This is complex technology. Rebuilding an array in which one drive failed can take a long
time.
Ideal use
RAID 6 is a good all-round system that combines efficient storage with excellent security and decent
performance. It is preferable over RAID 5 in file and application servers that use many large drives
for data storage.
It is possible to combine the advantages (and disadvantages) of RAID 0 and RAID 1 in one single
system, known as RAID 10. This is a nested or hybrid RAID configuration. It provides redundancy by
mirroring all data on secondary drives while using striping across each set of drives to speed up
data transfers.
Advantages
If something goes wrong with one of the disks in a RAID 10 configuration, the rebuild time is
very fast since all that is needed is copying all the data from the surviving mirror to a new
drive. This can take as little as 30 minutes for drives of 1 TB.
Disadvantages
Half of the storage capacity goes to mirroring, so compared to large RAID 5 or RAID 6 arrays,
this is an expensive way to have redundancy.
RAID levels other than those above, such as RAID 3 and RAID 4, do exist but are not that common
(both are essentially like RAID 5 but with the parity data always written to the same dedicated
drive, using byte-level and block-level striping respectively). This is just a simple introduction to
RAID systems.
All RAID levels except RAID 0 offer protection from a single drive failure. A RAID 6 system even
survives 2 disks dying simultaneously. RAID is not a backup, however: you still need to back up the
data from a RAID system.
That back-up will come in handy if all drives fail simultaneously because of a power spike.
It is a safeguard when the storage system gets stolen.
Back-ups can be kept off-site at a different location. This can come in handy if a natural
disaster or fire destroys your workplace.
The most important reason to back-up multiple generations of data is user error. If someone
accidentally deletes some important data and this goes unnoticed for several hours, days or
weeks, a good set of back-ups ensure you can still retrieve those files.
Disclaimer: Different topics on this study material are referred from books and internet and credit
goes to author of those books/content. For any error/discrepancy, please contact me at
[email protected].
Paper- II
1) Role of Law in Cyber World - Regulation of Cyber Space in India, US, Australia, UK,
European Union etc.
2) Cyber Law Jurisprudence-an overview
3) General Principle of Contract Law with reference to online contract
4) Jurisdiction in Cyber World - Civil & Criminal
5) Cyber Space & Government Regulation
6) Freedom of Speech & Expression – Government Regulation
7) Cyber Space, Democracy & Sovereignty
8) E-Governance
9) Concept, Component, Rational and Legal Frame Work in India
10) Convergence of Communication, Spectrum, Internet Telephony
11) Privacy Policy, Usage Policy, Disclaimer, Digital Payment Mechanism, Payment and
Settlement Systems Act, 2007.
12) Adjudicating Officer and Their Powers & Duty with special reference to Information
Technology (Qualification & Experience of Adjudicating Officer and Manner of
Holding Enquiry Rules 2003)
13) Cyber Appellate Tribunal with reference to the Cyber Regulation Appellate Tribunal
(Procedures) Rules 2000
14) ISPs, their working in India with special reference to the Information Technology
(Intermediaries Guidelines) Rules 2011 & The Information Technology (Guidelines for
Cyber Cafe) Rules 2011 and Corresponding International Legislation in US, UK &
Europe
15) Controller of Certifying Authority with special reference to the Information
Technology (Certifying Authorities) Regulations, 2001
16) Social media and its role in Cyber World
Module 1
Role of Law in the Cyber World- Regulation of Cyber Space in India, US,
Australia, UK, European Union
Introduction
Cyberspace is today one of the great legal frontiers. The man-made cyberspace has been
generated by the use of information and communication technology (ICT) and is essentially
composed of interdependent distributed infrastructure of sensor, computer and network,
hardware and software and transmission media that collects, carries, stores, transforms and
uses information. Cyberspace Domain is embedded in traditional domains (land, maritime,
air and space domains), but is characterized by "virtual activity". It is, thus, virtual, borderless
and anonymous.
The most important rules for exchanging information across the Internet have been
collected together as TCP/IP (Transmission Control Protocol/Internet Protocol). While TCP/IP
provides the rules for connecting different machines across the Internet to a range of
servers, a much more specific protocol, the Hypertext Transfer Protocol (HTTP), was
developed alongside HTML to establish the basic rules for connecting documents via
hypertext. HTTP defines how a browser retrieves the document that a uniform resource locator (URL)
identifies, as well as operations to be performed by the browser, or
applications to be launched, when it downloads different types of files. The development
of web access technologies provided a single, uniform interface to different
types of information held on different servers.
Use of internet has evolved exponentially over the last ten years as individuals,
governments and companies began making available huge amounts of data in open and
immediately accessible forms. The growth of the Internet is an extreme example of an area
where technology is forcing national law to adapt to the realm of
cyberspace.
Cyberspace has brought into sharp focus some of the issues facing national law. Key areas of
law and policy development with regard to new media have been around electronic
commerce, intellectual property, privacy and freedom of expression, as well as the concern
of how best to deal with criminal activity such as fraud, exchanges of illegal material such as
images of child abuse, and even terrorism.
The borderless nature of the Internet makes some issues of regulation difficult to deal with.
For example, the Internet offers criminals a huge and easy-to-reach pool of potential
victims; so law enforcement agencies will increasingly need to respond to cybercrimes that
are perpetrated and located outside the boundaries of territorial jurisdiction. In addition to
presenting challenges to state law enforcement in the context of both civil and criminal
jurisdiction, the Internet also creates new investigative challenges for state authorities. For
example, the Internet can offer wrongdoers a veil of anonymity due to difficulties in tracing
the source of electronic connections. Moreover, the architecture of the Internet permits
Internet Service Providers (“ISPs”) to provide services and store electronic data for persons
located anywhere in the world. To conduct investigations in this environment, state
investigators need to gather electronic evidence located in other jurisdictions.
At the same time, countries have become increasingly concerned about the effect of
information and communication technologies on their social and cultural life. For example,
many nations fear that the availability of obscene, racist or blasphemous speech on the
Internet will have a corrupting influence on their societies.
The United Nations Commission on International Trade Law (UNCITRAL) adopted the
Model Law on e-commerce in 1996. The General Assembly of the United Nations passed a
resolution in January 1997 recommending, inter alia, that all member States give favourable
consideration to the Model Law, which provides for the recognition of electronic records
and accords them the same treatment as paper communications and records. India, being a
signatory, had to revise its laws in line with the Model Law.
Information Technology Act, 2000 is Indian legislation regulating the use of computers,
computer systems, computer networks, computer resources and communication devices as
also data and information in electronic format. This legislation has provided for the legality
of the electronic format and of electronic contracts. Many legal provisions recognized only
paper-based records and documents bearing signatures. Since electronic commerce
eliminates the need for paper-based transactions, certain legal changes were needed to
facilitate e-commerce. Thus Parliament enacted the Information Technology Act, 2000 to
facilitate e-commerce and with a view to facilitating electronic governance.
The object of The Information Technology Act, 2000 as defined therein is “to provide legal
recognition for transactions carried out by means of electronic data interchange and other
means of electronic communication, commonly referred to as electronic methods of
communication and storage of information, to facilitate electronic filing of documents with
the Government agencies and further to amend the Indian Penal Code, the Indian Evidence
Act, 1872, the Banker’s Book Evidence Act, 1891 and the Reserve Bank of India Act, 1934
and for matters connected therewith or incidental thereto.”
The Information Technology Act, 2000 addresses the following issues:
Legal Recognition of Electronic Records
Legal Recognition of Electronic Signatures
Offences and Contraventions
Justice Systems for Cybercrimes
In 1996 the CFAA was, again, broadened by an amendment that replaced the term “federal
interest computer” with the term “protected computer.” Since CFAA is primarily a criminal
law intended to reduce the instances of malicious interference with computer systems and
to address federal computer offences, an amendment was made in 1994 to allow civil
actions to be brought under the statute. The offences enumerated in the CFAA are obtaining
national security information, compromising confidentiality, trespassing in a government
computer, accessing to defraud and obtain value, espionage, damaging a computer or
information, trafficking in passwords, and threatening to damage a computer. Attempts to
commit these crimes are also criminally punishable.
Children’s Online Privacy Protection Act 1998: with the aim of protecting children in
cyberspace, the USA enacted a law prescribing regulations to protect the
privacy of personal information collected from and about children on the Internet, to
provide greater parental control over the collection and use of that information, and for
other purposes.
Uniform Electronic Transactions Act 1999: this act aims at legal recognition of the
electronic record, electronic signature and electronic contract; attribution and effect of
electronic records and electronic signatures; time and place of sending and receipt;
transferable records; creation and retention of electronic records; etc.
The main aim of the European Convention on Cybercrime, as highlighted in its Preamble, was to
achieve a greater unity between its members and, as a matter of priority, to pursue a
common criminal policy aimed at the protection of society against cybercrime by adopting
appropriate legislation and fostering international cooperation. The document attempts to
define various cybercrimes and to develop policies to prevent particular crimes committed
with the use of the internet. The treaty includes provisions geared toward fighting terrorism,
child sexual exploitation, organized crime, copyright infringement, hacking, and internet
fraud. The Convention also acts as a framework for international cooperation between
countries in investigating and prosecuting possible cybercrimes and in extradition procedures. The
Council of Europe has responded to threats of cybercrime with a comprehensive Convention
on Cybercrime. The Convention on Cybercrime was adopted in 2001 to address several
categories of crimes committed via the Internet and other information networks. It is the first
and only international treaty on Cybercrime, and its primary goal is to “pursue a common
criminal policy aimed at the protection of society against cybercrime, especially by adopting
appropriate legislation and fostering international co-operation.” To date, 47 countries are
signatories to the convention and 31 of these have ratified it. India has neither signed nor
ratified it.
A country party to the convention must define criminal offences and sanctions under their
domestic laws for four categories of computer-related crimes: (1) security breaches such as
hacking, illegal data interception, and system interferences that compromise network
integrity and availability; (2) fraud and forgery; (3) child pornography; and (4) copyright
infringements.
The convention also requires a country party to establish domestic procedures for detecting,
investigating, and prosecuting computer crimes, as well as collecting electronic evidence of
any criminal offence. It also facilitates international cooperation for fighting cybercrime.
Cyber Crimes are a new class of crimes rapidly increasing due to extensive use of Internet
and I.T. enabled services. This term covers all sorts of crimes committed with computers,
from viruses to worms to Trojan horses; from hacking into private email to undermining
defense and intelligence systems; from electronic thefts of bank accounts to disrupting web
sites.
Some activities relating to crime online, such as breaking into networks or exploiting
weaknesses in systems using applications designed to take advantage of such networks, did
not exist before the invention of computers. Others, however, such as fraud, spying or even
terrorism, are simply the extension of actions that existed long before information
technologies broke into the realms of cyberspace. These are offences against computer
systems and by means of computer systems.
Statistics from the Indian Computer Emergency Response Team (CERT-In) indicate a growing
trend, with reported incidents of cyber crime up from 23 to 22,060 from 2004 to 2012. At
the same time, these statistics probably underestimate the real extent of cybercrime, as
many companies that are affected by hackers or potential fraudsters do not always report
such incidents because they believe it will affect public perception of their sites.
Nonetheless, it is clear that cybercrime incidents are growing. Cybercrime covers the
following areas: hacking into a system, theft of information or espionage, fraud, sabotage of
data, denial of service, virus writing and spoofing (pretending to be at a different IP
address).
To prosecute cyber criminals and provide justice to the victims, Law Enforcement Agencies
(LEA) and the Judiciary need to be sensitized and trained in cybercrime investigation and
prosecution. This is because evidence related to any crime increasingly takes the form of
electronic evidence stored on a computer system or in cyberspace. Without well-trained
cybercrime investigators and prosecutors, we will not be able to curb the growing
menace of cybercrime and ensure effective implementation of the IT Act, 2000. Indian LEAs
must keep pace with technology and increase their cyber forensics capabilities. Some of the
cybercrimes are as follows:
E-theft may be understood as an extension of theft in the normal legal parlance to an online
atmosphere. Identity theft is the unauthorized collection and fraudulent use of key pieces of
information, such as bank account numbers and passwords, in order to impersonate
someone else. Identity theft is a truly modern crime, being crafted out of the sight of, and
often beyond the effective reach of, the victim. It is carried out by compromising electronic
data systems, obtaining false primary documents, directing mail to new addresses, obtaining
new credit accounts and improperly charging existing ones. It can be accomplished by a
neighbour next door or by criminals hunting from thousands of miles away. It relies on
internet connectivity. The information can be used to obtain credit, merchandise, and
services in the name of the victim, or to provide the thief with false credentials. Victims of
identity theft suffer financial loss, damage to their reputation, and emotional distress, and
are left with the complicated and sometimes arduous task of clearing their names.
(2) Phishing
A new form of identity theft is phishing, which occurs when scammers send mass e-mails
posing as banks, credit card companies, or popular commercial web-sites, asking recipients
to confirm or update personal and financial information in a hyperlink to a look-alike web-
site for the spoofed company, and usually threaten suspension or deactivation of accounts
for non-compliance.
(3) Fraud
E-fraud is the unlawful and intentional use or deployment of an electronic medium and/or
peripheral to make a misrepresentation which causes actual prejudice, or which is
potentially prejudicial, to another. An E-Fraud exists when the following ingredients are
present: (a) there is a material false statement; (b) the perpetrator knew that the statement
was false when it was made; (c) the victim relied on the false statement; (d) there was
damage or injury. It can also be said that an E-Fraud is an extension of real-space fraud to
cyberspace. Various examples of online fraud are fictitious merchants, identity theft, credit
card number and password theft, purchase scams, phishing, stock market manipulation
schemes, online casinos, etc.
(4) Espionage
(5) Obscene Publications: The Internet has given rise to a new industry for the online
publication and consumption of obscene materials. Millions of people around the world are
visiting web-sites catering to this product. These Internet sites represent the largest growth
sector of the digital economy. An obscene publication is generally understood to be any
publication whose dominant characteristic is the undue exploitation of sex, or of sex
together with crime, horror, cruelty or violence. Whether a publication’s dominant theme is
the undue exploitation of sex is determined by reference to a “social standards” test.
An obscene article contains an image or a description of sexual behaviour which, arguably,
carries the risk that viewers of the material may be encouraged or corrupted into such
practices. Obscene publication violates the law and leads to the general corruption of morals.
The exhibition of an obscene picture is an indictable offence in law, if it be averred that the
picture was exhibited to sundry persons for money. It is a crime against the modesty of
women and children. Section 292 of the Indian Penal Code provides the punishment for
such an offence. Even though the Indian Penal Code prohibits pornography, the implementation
of this prohibition becomes a problem when it comes to the internet. However, some argue
that for something to be obscene it must be shown that the average person, applying
contemporary community standards and viewing the material as a whole, would find it
depicts sexual conduct in a patently offensive way; and that it lacks serious literary, artistic,
political or scientific value.
Internet pornography detracts from the social and economic benefits of e-commerce, and
government is being driven to regulate the Internet to control these harmful practices.
However, there appears to be no single solution to the regulation of illegal and harmful
content on the Internet because the exact definition of offences related to obscene
publications and what is considered harmful varies from one country to another.
motivated cyber-attacks that lead to death or bodily injury, explosions, or severe economic
loss would be clear examples of cyber-terrorism.
Distributed Denial of Service (“DDOS”) attacks have been the most prevalent form of cyber-
attack in recent years. In these attacks, coordinated botnets—collections of thousands of
“zombie” computers hijacked by insidious viruses—overwhelm servers by systematically
visiting designated websites.
One of the most popular visions of hacking is of the individual hacker infiltrating military
systems, causing damage to critical information infrastructure in the targeted country. For
example, in 2007, Estonia was subjected to a mass cyber-attack in the wake of the removal
of a Russian World War II war memorial from downtown Tallinn. The attack was a
distributed denial-of-service attack in which selected sites were bombarded with traffic in
order to force them offline; nearly all Estonian government ministry networks as well as two
major Estonian bank networks were knocked offline. Recently, in December 2009, India
witnessed a similar attack from Chinese hackers in which most of the government websites
were attacked. Similarly, the Stuxnet attack on Iran’s nuclear facilities brought the programme to a
halt. This was an example of a sophisticated cyber attack that sent centrifuges spinning wildly
out of control.
Cyber attacks against critical infrastructures can have far-reaching effects on businesses,
governments and even on societies. For example, the use of malware or botnets for large-
scale attacks against information and communication technology (ICT) infrastructures can
disrupt the provision of vital goods or services. These kinds of attacks can also disrupt the
maintenance of other critical infrastructures, such as transport or energy networks.
While technologies are frequently used to perpetrate offences, they are also increasingly
employed to solve crime both online and off. Equally important is the legislative and regulatory
infrastructure to deal with crimes that, by taking place in cyberspace, fall outside the remit of
national legal jurisdictions. In 2002, the Council of Europe adopted a Convention on
Cybercrime, aimed at harmonisation of cybercrime laws and cross-border cooperation among
states for prosecuting cyber criminals. The Convention covered four main areas: fraud, viruses,
child pornography and copyright violation. Nonetheless, the Council of Europe Convention on
Cybercrime is not applicable globally because a large number of States have not ratified this
convention. In case of India, IT Act 2000 has incorporated many of the provisions of the
Convention on Cybercrime.
Other Legal Problems: Similar to the above problems there are many more issues. The issues
like ‘Online Defamation’, 'Problems in the enforcement of online contracts', 'online infringement
of Intellectual Property rights like copyright and trademarks' etc. cause challenges for law
and its institutions. The judiciary can play a role in fighting crime through judicial intervention in
appropriate cases.
Cybercrime consists of criminal acts that are committed online by using electronic
communications networks and information systems. It is a problem that knows no borders
and that can take on different forms. Yet, all these forms have two characteristics in
common: they can be committed across national boundaries and jurisdictions with
anonymity, and a great geographical distance can lie between the location of the criminal
and the effects of the crime. Some of the issues in fighting cybercrime are as follows:
Cybercriminals often target victims in one or more different countries. Further, given the nature
of the cyber world, crimes can be routed through servers in countries entirely separate from
those where the perpetrators and victims are located. The perpetrators take advantage of the
near anonymity that can sometimes be achieved through communication on the
internet, as well as the difficulty of following the path of communication links from one internet
server to another.
(ii) Problem of Anonymity: Anonymity is the state of not being identifiable within a specific set. When
referring to human beings, we say that a person is anonymous when the identity of that
person is not known. In the Internet, the sender of information cannot necessarily be
presumed to be who he or she is. It is also not always possible for the sender to know the
recipient’s true identity. Some of the most egregious abuse of cyber-space is attributable in
part to the ease of concealing identity, using no names or false names. Because cyber-space
enables truly anonymous communication to flourish, its existence promotes anonymous
criminal acts. As a result, cyber criminals can often escape almost all of the consequences of
their actions.
Today, cyber-stalking is easier than ever, considering the anonymity provided by electronic
communication. On the Web, it is not difficult to conceal one’s identity or to provide
incorrect personal information. Websites, e-mail, chat rooms, and discussion forums
provide stalkers with a variety of opportunities to harass others. They also offer stalkers
access to the private information of their victims.
In order to stop the boom in criminal cyber-conduct and to prevent the anonymity of cyber-
crimes, cyber law must criminalize the use of any kind of techniques which aim at
concealing a person’s true identity with the intentional scope of committing any kind of
cyber-crime. The perpetrators should be punished at a level corresponding to the
seriousness of the crime committed; the fact of concealing one’s identity should be
considered as an aggravating circumstance.
(iii) Absence of Geographical Boundaries: Cyberspace has no real connection with the
real space. It cannot be divided on the basis of physical boundaries. Beyond the cables,
telephone lines, satellites and computers that are known as backbones, the Internet has no
connection with the real world. Away from these backbones the Internet creates a separate
world, which is built of passwords and electronic data. The place of the residence of the
defendant or the cause of action of the suit, which are the traditional basis for fixing
jurisdiction, cannot be established with certainty in the Internet. Even a childish act can
create a confusing issue of jurisdiction in the cyberspace.
(iv) Jurisdictional Issues: As the community of Internet users grows exponentially and
becomes increasingly diverse, geographic boundaries become more and more porous. As
that happens, disputes of every kind will occur. Online contracts will be breached, online
torts will be committed, online crimes will be perpetrated. Although many of these disputes
will be settled informally, others may require formal mechanisms for dispute resolution.
Among the most serious questions raised by the need for Internet regulation are those
relating to jurisdiction, or a court’s ability to subject an individual to adjudication in a
particular forum.
Jurisdiction defines three kinds of power: the power to prescribe, the power to adjudicate,
and the power to enforce. The first of these relates principally to the power of a government
to establish and prescribe criminal and regulatory sanctions; the second, to the power of the
courts to hear disputes, especially civil disputes; and the third, to the power of a government
to compel compliance or to punish non-compliance with its laws, regulations, orders, and
judgments.
Since the Internet is borderless, a crime can be committed anywhere on it; as a result, an
Internet user may find himself subject to the jurisdiction of many countries for a single act.
Many Internet-related issues cannot be managed by the existing principles of jurisdiction.
Courts all over the world are finding it difficult to resolve Internet litigation.
The geographic transparency of the Internet may well place such adjudication of trans-
border disputes outside of any jurisdictional analysis as yet contemplated by territorially-
bound law. Although multi-jurisdictional problems are not unique to the
regulation of the Internet, the peculiar nature of the Internet may trigger legal limitations
which are designed to limit governmental jurisdiction within a state’s physical borders.
The challenge in determining if and when courts have jurisdiction over activities conducted
on the Internet would not be great if the Internet were confined to a single geographical
area, or if it were neatly divisible along territorial boundaries into distinct local networks.
Today, countries worldwide are learning that traditional domestic laws are inadequate when
dealing with trans-national cyber-crime, or in attempting to bring perpetrators on foreign soil
to justice. It is evident that laws would have to transcend physical boundaries to remedy this
ongoing problem.
(v) Problem of Evidence: Electronic records have begun to be admitted in litigation.
However, courts struggle to apply the traditional rules of evidence, with inconsistent results.
There are still uncertainties over the admissibility of electronic evidence in the courts.
Digital evidence differs from tangible evidence in various respects, some of which raise
important issues as to how digital evidence is to be authenticated, ascertained to be
reliable, or determined to be admissible in criminal or civil proceedings. Another instance
where the cyber crime prosecution becomes difficult is with regard to obtaining the digital
evidence. The current laws regarding the search and seizure of digital evidence are mostly
ambiguous. When evidence is to be proved in a court, two principal situations have to be
considered. One is where the offence consists mainly of the individual's use of the Internet. He
can commit a crime against other individuals, websites, or other entities. In this case the
individual is the culprit. The second situation is where a remote site holds the evidence of
the offence. Examples of such situations are the publication of obscenity on a website,
or any other situation in which the content of a website is illegal in some country. Such
offences can be proved from four sources: the individual's own computer, his
telephone bill, the Internet Service Provider and the remote sites.
Morality and Culture: The absence of physical boundaries in cyberspace may lead to a
situation where the basis of morality and culture in a society is shaken. The morals of one
society may differ from the morals of another. The Internet, being a global
communication medium, can encroach upon the morality of one society while it is in conformity
with another community's moral standards. An example is the publication of obscene
materials on the Internet.
The Indian law makes the sale of obscene materials punishable under section 292 of the
Indian Penal Code. With the advent of Internet, people can view and download obscene
materials irrespective of their age. Even if the true address of the host website is known, an
Indian court cannot punish the offenders who are in a foreign country. The publication of
obscene materials may not be an offence in the country where the server of the host web
site is situated. The criterion for punishment varies from country to country.
MODULE 2:
Introduction
Legal issues relating to human activities in the cyberspace are giving rise to the question as to
what extent can the present laws be transposed to the cyber domain. Applying pre-existing legal
rules, concepts and terminology to the cyber domain may entail certain difficulties in view of its
specific characteristics. It also poses significant challenges to traditional legal jurisprudence,
principles and philosophy.
It has been seen that prevailing laws and systems are not capable enough to address cross-
border issues arising out of human activities in cyberspace. A greater difficulty lies with respect
to diverse legal systems, differences in the laws governing cyberspace activities and the complexities of
law enforcement in cyberspace. This has necessitated a new kind of jurisprudence, specifically for
cyberspace. This branch of jurisprudence may be called cyber jurisprudence. It may be
generally stated that cyber jurisprudence is still in its evolutionary phase.
Cyberspace theories & Philosophies
Cyberspace has been defined as a global domain within the information environment consisting of
the interdependent network of information technology infrastructures, including the Internet,
telecommunications networks, computer systems, and embedded processors and controllers. It is
thus not a physical place – it defies measurement in any physical dimension or time space
continuum. It is a shorthand term that refers to the environment created by the confluence of
cooperative networks of computers, information systems, and telecommunication infrastructures
commonly referred to as the World Wide Web. Cyberspace is also characterized by anonymity
and ubiquity. Therefore, it seems logical to consider it a global commons, like the high seas,
international airspace and outer space, or legally as res communis omnium. In other words,
cyberspace in its entirety is not subject to the sovereignty of a single State or of a group of States.
In view of its characteristics it is immune from appropriation.
The Commons refers to resources that are collectively owned. This can include everything
from land to software. There are a number of important features that can be used to
describe true commons. The first is that true commons cannot be commodified - and if they
are - they cease to be commons. The second aspect is that while they are neither public nor
private they tend to be managed by local communities. While this may be true to a degree,
commons cannot be exclusionary. That is, they cannot have borders built around them
otherwise they become private property. The third aspect of the commons is that, unlike
resources, they are not scarce but abundant. In fact, if managed properly, they work to
overcome scarcity.
However, state practices suggest that cyberspace is not immune from sovereignty and from the
exercise of jurisdiction. States tend to exercise, and will continue to exercise, their criminal
jurisdiction vis-à-vis cyber crimes and attempt to regulate activities in cyberspace.
States have continuously emphasized their right to exercise control over the cyber
infrastructure located in their respective territory, to exercise their jurisdiction over cyber
activities on their territory, and to protect their cyber infrastructure against any trans-border
interference by other States or by individuals.
The basic applicability of the principle of territorial sovereignty to cyberspace entails that the
cyber infrastructure located in a state’s jurisdiction is covered by the respective State’s
territorial sovereignty. Hence, in principle, the State is entitled to exercise control over that
cyber infrastructure and over cyber activities in those areas.
(c) Jurisdiction in cyberspace
The concept of jurisdiction refers to a State’s lawful power to act and hence to its power to
decide whether and, if so, how to act, whether by legislative, executive or judicial means. In this
sense, jurisdiction denominates primarily, but not exclusively, the lawful power to make and
enforce rules. The exercise of jurisdiction is not limited to a State’s territory. For instance, a
State exercises exclusive jurisdiction onboard vessels flying its flag and onboard aircraft
registered in that State. Moreover, according to the principles of active and of passive
nationality, a State is entitled to exercise its jurisdiction over the conduct of individuals that
occurred outside its territory. Under the universality principle, the same holds true even if
neither the perpetrator nor the victim are nationals of the State in question. Also, the exercise
of jurisdiction can be based upon the protective principle.
It may be noted in this context that territorial jurisdiction does not necessarily presuppose
territorial sovereignty. For instance, the jurisdiction conferred on coastal States in their Exclusive
Economic Zone or on their continental shelf, although it may be conceived of as quasi-territorial
in character, is only analogous to territorial jurisdiction because it is limited to certain activities.
It seems to be undisputed that cyber infrastructure located within the territory of a State and
cyber activities occurring therein are susceptible to almost unlimited prescriptive and
enforcement measures by the respective State. Territorial jurisdiction includes the right of a
State to regulate, restrict or prohibit access to its cyber infrastructure either within its territory
or from outside that territory. It must be re-emphasized that integration of physical
components, i.e., of cyber infrastructure located within a State’s territory, into the ‘global
domain’ of cyberspace cannot be interpreted as a waiver of the exercise of territorial
sovereignty and jurisdiction.
The Internet has, in a relatively short time, become an essential instrument for today’s society.
The growing awareness of the social, economic, and political impact of the Internet on society has
brought the question of Internet Governance into sharper focus. In the case of the Internet,
governance is needed, among other things, to prevent the risk of the fragmentation of the
Internet; maintain compatibility and interoperability; safeguard the rights and define the
responsibilities of the various stakeholders; protect end users from misuses and abuse; and
encourage its further development. The issues in internet governance are as follows:
One of the fascinating aspects of the Internet during its development and early growth was its
unique multi-stakeholder governance. When it became necessary to find stable structures for the
administration of the internet Domain Name System (DNS), the task was neither conferred upon a
state authority nor an international organization such as the International Telecommunications
Union, but upon the private non-profit organization Internet Corporation for Assigned Names and
Numbers (ICANN). Since 1998 and the establishment of ICANN, debate on Internet Governance
has been characterised by the more intensive involvement of national governments, mainly
through the UN framework.
The World Summit on the Information Society (WSIS), held in Geneva in December 2003, officially
placed the question of Internet Governance at international level. The Declaration of Principles
and Action Plan adopted at WSIS proposed a number of actions in the field of Internet. This
included setting up a working group on Internet Governance, in an open and inclusive process
that ensures a mechanism for the full and active participation of governments, the private sector,
and civil society from both developing and developed countries.
Root servers play an important role in the function and robustness of Domain Name System
(DNS). There are concerns that the Internet would collapse if the root servers were ever
disabled. There are currently 13 root servers distributed around the world (10 in the USA, 3
elsewhere; of the 10 in the USA, several are operated by US government agencies). If one
server crashes, the remaining 12 would continue to function. Even if all 13 root servers went
down simultaneously, the resolving of domain names (the main function of root servers)
would continue on other domain name servers, distributed hierarchically throughout the
Internet. However, it is theoretically possible for the US government to introduce unilateral
changes to the entire DNS. This is a source of concern for many governments.
One view about Internet Governance is that the global nature of the Internet requires global
regulation. The need for a global approach is frequently confirmed by the lack of
effectiveness of national measures against spam or cyber crime and other undesirable
activities. At the same time, the importance of a global approach does not mean that some
issues cannot or should not be regulated at the national and regional levels. Global
regulation will require a universal consensus, achievable only through a long negotiation
process, if at all. Various international law mechanisms might be used in the development of
an Internet Governance regime.
Indian Cyber Law
The primary source of cyber law in India is the Information Technology Act, 2000 (IT Act). It
was amended in 2008 for addressing cyber security concerns. The main objective of IT Act is
to provide legal recognition to electronic commerce, to establish institutions and
mechanisms for cyber governance, to penalise cyber crimes and offences and enhance
cyber security.
It also provides for setting up adjudicatory and appellate bodies for settlement of disputes
and to adjudicate on cyber crime cases such as unauthorized access, unauthorized copying
of data, spread of viruses, denial of service attacks, disruption of computers, computer
manipulation etc.
The Indian Penal Code was amended by the IT Act for penalizing several cyber crimes which
have certain common elements as traditional crimes. These include forgery of electronic
records, cyber frauds, destroying electronic evidence etc. Digital evidence is to be collected
and proven in court as per the provisions of the Indian Evidence Act as amended by the IT
Act. In case of bank records, the provisions of the Bankers’ Book Evidence Act as amended
by the IT Act are relevant. Investigation and adjudication of cyber crimes is done in
accordance with the provisions of the Code of Criminal Procedure and the IT Act.
A complaint was filed by Sony India Private Ltd, which runs a website called sony-
sambandh.com, targeting Non-Resident Indians. The website was used by NRIs to send Sony
products to their friends and relatives in India after paying for it online. In May 2002, the
accused logged onto the website under the identity of Barbara Campa and ordered a Sony
Colour Television set and a cordless head phone. The accused made the payment through a
credit card number belonging to the victim and requested that the products be delivered to
Arif Azim in Noida. The payment was duly cleared by the credit card agency and the
transaction processed. After following the relevant procedures of due diligence and
checking, the company delivered the items to Arif Azim. At the time of delivery, the
company took digital photographs showing the delivery being accepted by Arif Azim.
The transaction closed at that, but after one and a half months the credit card agency
informed the company that this was an unauthorized transaction as the real owner had
denied having made the purchase. The company lodged a complaint for online cheating at
the Central Bureau of Investigation which registered a case under Section 418, 419 and 420
of the Indian Penal Code.
The matter was investigated into and Arif Azim was arrested. Investigations revealed that
Arif Azim, while working at a call centre in Noida gained access to the credit card number of
an American national which he misused on the company’s site. The CBI recovered the colour
television and the cordless head phone. The accused admitted his guilt and the Delhi Court
convicted Arif Azim under Section 418, 419 and 420 of the Indian Penal Code. This was the
first cyber crime case in India in which the accused was convicted.
In November 2012, two girls were arrested after they posted comments on the social
networking site Facebook opposing the shutdown in Mumbai. One of them allegedly said
that one should not observe a bandh in the wake of the death of a political leader. The other girl was
arrested for ‘liking’ the post. The duo was arrested following a police complaint lodged by a
local political leader. The girls were arrested under Section 295 (a) of the Indian Penal Code
for hurting religious sentiments and Section 64 (a) of the Information Technology Act, 2000.
Subsequently, the girl withdrew her comment from Facebook and also apologized for having
posted it.
(4) Syed Asifuddin & Ors. v State of Andhra Pradesh & another (2005)
A big mobile services company launched a famous scheme wherein this company was giving
an expensive hand-set at a very low cost but with a lock-in period of 3 years in which the
mobile subscriber has to pay a fixed monthly rental and a premium call charge to such
mobile services company.
A special computer program was used by this mobile services company wherein the hand-
set can only be used with these mobile services and not with other mobile services.
Employees of a competing mobile services company lured the customers of this company
to alter / tamper with the special computer locking program so that the hand-set could be
used with the competing mobile services. The court held that such tampering is an offence
under section 65 of the IT Act as well as copyright infringement under section 63 of the Copyright
Act.
A company’s employee started sending derogatory, defamatory and obscene emails about
company’s Managing Director. The emails were anonymous and frequent and were sent to
many company’s business associates to tarnish the image and goodwill of the company.
The accused was identified by the company with the help of a private computer expert. This was India’s
first case of cyber defamation. A Delhi Court assumed jurisdiction over a matter of
defamation involving the company’s reputation. Delhi High Court granted an injunction
and restrained the employee from sending, publishing and transmitting emails which are
defamatory or derogatory to the plaintiffs.
This order of Delhi High Court assumes tremendous significance as this is for the first time
that an Indian Court assumed jurisdiction in a matter concerning cyber defamation and
granted an ex-parte injunction restraining the defendant from defaming the plaintiffs by
sending derogatory, defamatory, abusive and obscene emails either to the plaintiffs or their
subsidiaries.
This case related to posting of obscene, defamatory and annoying message about a divorcee
woman in the yahoo message group. E-Mails were also forwarded to the victim for
information by the accused through a false e-mail account opened by him in the name of
the victim. The posting of the message resulted in annoying phone calls to the lady in the
belief that she was soliciting.
The accused was a known family friend of the victim and was reportedly interested in
marrying her. She however married another person. This marriage later ended in divorce
and the accused started contacting her once again. On her reluctance to marry him, the
accused took up the harassment through the Internet by creating an email ID using the
name of a lady and had used this email ID to post messages on five Web pages describing
her as a call girl along with her contact numbers.
On investigation, the IP address and log details were obtained from the ISP and were
traced to two cyber cafés in Mumbai. The complainant admitted that she had refused a former
college mate who had proposed to marry her. Police arrested this person and examined his
SIM card, which contained the complainant’s number, and the cyber café owner also identified the
culprit. The accused was charge-sheeted under section 67 of the IT Act 2000 and sections 469 and 509 of the IPC.
Subsequently, the accused was sentenced for the offence to undergo rigorous imprisonment (RI) for 2 years.
The case involved an employee of a Gurgaon based BPO Company in fraud activities. A
British newspaper had reported that one of its undercover reporters had purchased
personal information of 1,000 British customers from an Indian call-center employee.
However, the employee of Infinity eSearch, who was reportedly involved in the case denied
any wrongdoing. The company also said that it had nothing to do with the incident.
In the instant case the journalist used an intermediary, offered a job, requested a
presentation on a CD and later claimed that the CD contained some confidential data. It was
revealed that the journalist had used bribery to induce behaviour from the employee that was
outside the normal course of his work. Nevertheless, the case raised the issue of confidentiality of the data and breach of secrecy
by the BPO company.
A landmark judgment in the case of National Association of Software and Service Companies
vs Ajay Sood & Others was delivered by the Delhi High Court in March 2005 whereby it
declared 'phishing' on the internet to be an illegal act, entailing an injunction and recovery
of damages. The court laid precedent in this case by stating that ‘phishing’ is a form of
internet fraud where a person pretends to be a legitimate association, such as a bank or an
insurance company in order to extract personal data from a customer such as access codes,
passwords, etc. Personal data so collected by misrepresenting the identity of the legitimate
party is commonly used for the collecting party's advantage. The plaintiff in this case was
the National Association of Software and Service Companies (Nasscom), India's premier
software association. The defendants were operating a placement agency involved in head-
hunting and recruitment. In order to obtain personal data, which they could use for
purposes of headhunting, the defendants composed and sent e-mails to third parties in the
name of Nasscom.
The court also stated, by way of an example, that typical phishing scams involve persons
who pretend to represent online banks and siphon cash from e-banking accounts after
conning consumers into handing over confidential banking details.
The Delhi HC stated that even though there is no specific legislation in India to penalize
phishing, it held phishing to be an illegal act by defining it under Indian law as "a
misrepresentation made in the course of trade leading to confusion as to the source and
origin of the e-mail causing immense harm not only to the consumer but even to the person
whose name, identity or password is misused." The court held the act of phishing as passing
off and tarnishing the plaintiff's image.
Module 3:
Introduction
The rapid growth of computer-based commerce as well as transactions over the Internet has made
e-commerce a reality. The business community uses a system known as electronic data
interchange (EDI) to speed up commercial transactions. But EDI’s development has not been as quick
as initially expected due to numerous technical and legal obstacles standing in its way, such as the
law’s insistence on paper-based documentation. Nonetheless, traders and individuals are
becoming more and more reliant on information technology to smooth the progress of
international business transactions.
E-Commerce creates new issues, such as a new type of contract, the e-contract, but the essence of business
transactions remains the same. “Online” contracts are not different from “offline” contracts, and
conventional contract law has not become obsolete, as the medium of a transaction is generally
irrelevant for the law. Nevertheless, it requires some adaptation. In this respect, several significant
steps have been taken to promote the use of EDI and e-commerce in cyberspace. Adoption of
the UNCITRAL Model Law on E-Commerce in 1997 was the most fundamental step in this direction.
It has been adopted by many countries, including India, at the domestic level to promote and facilitate
e-commerce.
a) Easy access to global market- Through Internet, a seller can reach all the customers in the
world simultaneously cutting across the geographical and time barrier.
b) Reduction in distribution costs- It establishes a direct link between the customers and the
supplier. Commission paid to middlemen is done away with. Moreover, the cost of documentation,
transportation cost (in the case of digital products only) and the cost of collection from customers are
negligible.
c) Time saving- A transaction can be completed in a few seconds without physically reaching out
to the customer. Moreover, there are no office hours in the case of e-Commerce transactions. A
customer also need not visit the place of the supplier. He/she can make a transaction sitting in
his/her home/office.
d) Building customer relationship- For business success, building long term relation with the
customers is a must. Internet is a good medium to build this relationship. Regular feedback from
the customers can easily be obtained with the help of e-mail. After sales service seems to
become easy through internet.
e) Electronic Payment System - In e-commerce, customers are generally unknown and may be
from any part of the world. Naturally payments are to be ensured first before delivery of goods
and services. Payments are made through Electronic Fund Transfer (EFT). Electronic payment
may be made through Debit Card, Credit Card, Electronic Cash, and Electronic Cheques etc
While e-commerce is changing traditional way of doing business, fundamental ingredient for
doing e-commerce remains the same, i.e., a legally enforceable contract between the parties.
However, this development may be hindered by the lack of a globally accepted means of
using the Internet to create a contract and make payment. Businesses may run into legal
difficulty because they are completely unaware of some of the legal issues that are associated
by its nature with E-Commerce.
(1) Essential Requirement I: Formation of an Agreement
(a) Offer or Proposal: In order to have an Agreement, there must first be an Offer. The
‘Offer’ can be an offer for a good or a service or almost anything else for that matter. For
example, A offers to buy a car from B for Rs 1,00,000/-. In another example, X says to Z "If you
pay me Rs 50/- I will paint that room". Both of those statements are called 'Offers'. For
the most part, the Offer will be along the lines of someone promising to do something, buy
something or give up something (section 2 (a)). At the same time, an offer is to be
differentiated from an Invitation to Offer. The Invitation to Offer is a particular action or
statement which is intended to provoke an offer from another party.
(b) Acceptance: The next step in Agreement formation is called an Acceptance. The
Acceptance regarding the above scenarios would be B's reply "Yes, I will sell you my car for Rs
1,00,000" or Z's reply "Yes, I will pay you Rs 50/- to paint the room". Take note that a Counter-
Offer will not act as an Acceptance, but rather as a Rejection. Referring to the above
scenarios, if B says, "I will sell you my car for Rs 2,00,000/- instead of Rs 1,00,000/-", this is a
rejection of the initial offer, and becomes a Counter-Offer to A. A must now choose to
Accept or Reject B's Counter-Offer. If A rejects the Counter-Offer, the Original Offer is no
longer on the table. The process must begin again (section 2(b)).
Section 10 of the Indian Contract Act says, “All agreements are contracts if they are made by
the free consent of parties competent to contract, for a lawful consideration and with a
lawful object, and are not hereby expressly declared to be void.” The following are the
requirements for an Agreement to become a Contract:
(a) Parties Competent to contract
Section 11 of the Indian Contract Act says "Every person is competent to contract who is of
the age of majority according to the law to which he is subject, and who is of sound mind,
and is not disqualified from contracting by any law to which he is subject." So an agreement
made by minors, persons of unsound mind or persons disqualified by law is not a contract.
Section 14 of the Indian Contract Act says that consent is said to be free when it is not
caused by any of the following:
Section 23 of the Indian Contract Act says that the consideration or object of an
i. It is forbidden by law
ii. Is of such a nature that, if permitted, it would defeat the provision of any law; or
iii. is fraudulent; or
iv. Involves injury to the person or property of another;
v. the court regards it as immoral or opposed to public policy.
Once an agreement is made by duly following these requirements, that agreement becomes
a Contract, which is legally enforceable by a court of law. Similar ingredients are essential for
entering into e-contracts. However, satisfying the requirements for formation of an e-contract in
accordance with the Contract Act is a necessary but not a sufficient condition for the legal validity of
transactions relating to e-contracts.
In a broad sense Electronic Commerce (E-Commerce) includes not only Internet commerce but
also transactions through other electronic medium. In other words, it can be described as
follows:
(1) Transaction between a company and its customers i.e. buying and selling of goods, services
and information (including after-sale service and support);
(2) Exchange of structured business information between two or more companies, e.g.
Electronic Data Interchange (EDI); and
(3) Internal commerce involving work flow reengineering, product and service customization,
Supply Chain Management (SCM) etc., by using electronic devices.
Electronic commerce has the ability to reduce the time span between ordering, delivery,
invoicing and payment by using the Internet. However, electronic contracting brings new
challenges regarding the enforcement and validity of such contracts. Computer documentation
which is transmitted electronically will require an adjustment to legal practice which is mainly
geared towards dealing with paper-based documentation. The main problems regarding
electronic contracting will be to comply with the statutory or formal requirements of contracts.
These requirements, for example that the contract has to be in a written form, were devised
and developed mostly before electronic contracting became a reality.
In other words, trust and legal certainty are the most important issues regarding e-contracts.
Legal certainty in Internet transactions does not primarily mean well-balanced substantive rules
but rather legal recognition and enforcement of e-contract. Some of the contractual issues
raised by the electronic commerce are: can a contract be formed by the exchange of electronic
communications? How can communications over the Internet be “authenticated”? Is a digital
signature the legal equivalent of a handwritten signature?
The Information Technology Act, 2000 (amended in 2008) is a landmark Act in the direction of
boosting E-commerce in India. It is based on the UNCITRAL Model Law on Electronic
Commerce, which paved the way for countries to apply these new legal rules for electronic
commerce in a uniform or harmonized manner despite their different legal traditions. The
General Assembly of the United Nations adopted the Model Law on Electronic Commerce,
prepared by the United Nations Commission on International Trade Law (UNCITRAL), in its
General Assembly Resolution A/RES/51/162 dated January 30, 1997. The Indian Act is in keeping
with this resolution, which recommended that member nations of the UN enact and modify their
laws according to the Model Law.
The Preamble to the IT Act states that it aims at providing ‘legal recognition for transactions
carried out by means of electronic data interchange and other means of electronic
communication, commonly referred to as “electronic commerce”, which involve the use of
alternatives to paper-based methods of communication and storage of information and aims at
facilitating electronic filing of documents with the Government agencies. Thus with the
enactment of this Act, Internet transactions will now be recognised, on-line contracts will be
enforceable and e-mails will be legally acknowledged. It will tremendously augment domestic as
well as international trade and commerce.
Salient features of the IT Act include: legal recognition of any transaction relating to e-commerce
which is done by electronic means or use of the Internet; legal recognition of electronic records
(Section 4 of the Act); legal recognition of digital signatures (Section 5 of the Act); provision for
Certifying Authorities and Subscribers in connection with digital signatures (Sections 17 to 42 of
the Act); provision for penalties for cyber offences (Sections 43 to 47 of the Act); and a listing of cyber
offences (Sections 65 to 78 of the Act).
Role of digital signature in E-Commerce security system is highly important. For this reason the
Information Technology Act, 2000 has made detailed provision on digital signature. It refers to
authentication of any electronic record by a subscriber by means of an electronic method or
procedure in accordance with the provision of section 3. The use of a digital signature shall have
the same force and effect as the use of a manual signature if and only if it embodies all the
characteristics as required under the IT Act.
The Act has adopted the Public Key Infrastructure (PKI) for securing electronic transactions. As
per Section 2(1)(p) of the Act, a digital signature means an authentication of any electronic
record by a subscriber by means of an electronic method or procedure in accordance with the
other provisions of the Act.
Section 3(2) states, “The authentication of the electronic record shall be effected by the use of
asymmetric crypto system and hash function which envelop and transform the initial electronic
record into another electronic record”. Section 2(1)(f) defines ‘asymmetric crypto system’ as
“a system of a secure key pair consisting of a private key for
creating digital signature and a public key to verify the digital signature”. Section 2(1)(zc) and
Section 2(1)(zd) define ‘private key’ and ‘public key’ as “the key of a key
pair used to create digital signature” and “the key of a key pair used to verify a
digital signature and listed in the Digital Signature Certificate” respectively. It may be noted that a digital
signature is unlike a conventional signature. It is nothing but the transformation of an electronic
record into another electronic record with the help of the private key.
Thus a subscriber can authenticate an electronic record by affixing his digital signature. A private
key is used to create a digital signature whereas a public key is used to verify the digital
signature and electronic record. They both are unique for each subscriber and together form a
functioning key pair.
Section 5 provides that when any information or other matter needs to be authenticated by the
signature of a person, the same can be authenticated by means of the digital signature affixed in
a manner prescribed by the Central Government. Under Section 10, the Central Government
has powers to make rules prescribing the type of digital signature, the manner in which it shall
be affixed, the procedure to identify the person affixing the signature, the maintenance of
integrity, security and confidentiality of electronic records or payments and rules regarding any
other appropriate matters.
Once the subscriber has accepted the DSC, he shall generate the key pair by applying the
security procedure. Every subscriber is under an obligation to exercise reasonable care and
caution to retain control of the private key corresponding to the public key listed in his DSC. The
subscriber must take all precautions not to disclose the private key to any third party. If
however, the private key is compromised, he must communicate the same to the Certifying
Authority (CA) without any delay.
Section 4 of the Act states that when under any particular law, if any information is to be
provided in writing or typewritten or printed form, then notwithstanding that law, the same
information can be provided in electronic form which can also be accessed for any future
reference. This provision will make it possible to enter into legally binding contracts on-line.
Chapter IV of the Act explicates the manner in which electronic records are to be attributed,
acknowledged and dispatched. These provisions play a vital role while entering into agreements
electronically. Section 11 states that an electronic record shall be attributed to the originator
if it was sent by him, by a person authorized on his behalf, or by an information system
programmed to operate on behalf of the originator.
As per Section 12, the addressee may acknowledge the receipt of the electronic record either in
a particular manner or form as desired by the originator or, in the absence of such a
requirement, by communication of the acknowledgement to the originator or by any conduct
that would sufficiently constitute acknowledgement. Normally, if the originator has stated that
the electronic record will be binding only on receipt of the acknowledgement, then unless such
acknowledgement is received, the record is not binding. However, if the acknowledgement is
not received within the stipulated time period or, in the absence of a time period, within a
reasonable time, the originator may notify the addressee to send the acknowledgement, failing
which the electronic record will be treated as never having been sent.
Section 13 specifies that an electronic record is said to have been dispatched the moment it
leaves the computer resource of the originator and said to be received the moment it enters the
computer resource of the addressee.
A CA is a person who has been granted a license to issue digital signature certificates. These CAs
are to be supervised by the Controller of CAs appointed by the Central Government. Deputy or
Assistant Controllers may also assist the Controller. The Controller will normally regulate and
monitor the activities of the CAs and lay down the procedure of their conduct.
The Controller has the power to grant and renew licenses to applicants to issue DSCs and at the
same time has the power to even suspend such a license if the terms of the license or the
provisions of the Act are breached. The CAs have to follow certain prescribed rules and
procedures and must comply with the provisions of the Act.
As per Section 35, any interested person may make an application to the CA for a DSC. The
application shall be accompanied by filing fees not exceeding Rs. 25,000 and a certification
practice statement or, in the absence of such a statement, any other statement containing such
particulars as may be prescribed by the regulations. After scrutinizing the application, the CA
may either grant the DSC or reject the application, furnishing reasons in writing for the same.
While issuing the DSC, the CA must inter alia, ensure that the applicant holds a private key
which is capable of creating a digital signature and corresponds to the public key to be listed on
the DSC. Both of them together should form a functioning key pair.
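As an added illustration, not part of this study material or of the Act, the following Go program shows the mechanics described above for Section 3(2) (reduce the electronic record with a hash function, create the signature with the private key, verify it with the public key) and the Section 35 check that an applicant actually holds the private key corresponding to the public key to be listed in the DSC. The choice of ECDSA over P-256 with SHA-256, the challenge-response form of the possession check and the sample purchase-order record are assumptions; the Act does not prescribe them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair creates the subscriber's key pair: the private key creates
// digital signatures, the public key (to be listed in the DSC) verifies them.
// ECDSA over P-256 is an assumption; the Act does not fix an algorithm.
func GenerateKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignRecord "transforms" the electronic record: the hash function (SHA-256)
// first reduces it to a fixed-size digest, and the digest is then signed with
// the private key. The returned bytes are the digital signature to be affixed.
func SignRecord(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyRecord re-hashes the record the verifier received and checks the
// signature against the subscriber's public key. Any change to the record,
// or a signature made with a different private key, makes this return false.
func VerifyRecord(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// HoldsPrivateKey is a proof-of-possession check of the kind a CA needs before
// listing a public key in a DSC: the CA issues a fresh random challenge, the
// applicant signs it, and the CA verifies that signature with the public key
// to be listed. It returns true only if the two keys form a functioning pair.
func HoldsPrivateKey(applicant *ecdsa.PrivateKey, claimedPub *ecdsa.PublicKey) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	response, err := SignRecord(applicant, challenge)
	if err != nil {
		return false
	}
	return VerifyRecord(claimedPub, challenge, response)
}

func main() {
	subscriber, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample electronic record (a purchase order), not from the Act.
	record := []byte("Purchase order no. 42: 10 units at Rs 500 each")

	sig, err := SignRecord(subscriber, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("original record verifies:", VerifyRecord(&subscriber.PublicKey, record, sig))

	// Altering even one character of the record changes its digest, so the
	// signature no longer matches and the verifier detects the tampering.
	tampered := []byte("Purchase order no. 42: 10 units at Rs 50 each")
	fmt.Println("tampered record verifies:", VerifyRecord(&subscriber.PublicKey, tampered, sig))

	// The CA's Section 35 check: does the applicant hold the private key
	// matching the public key it wants listed in the DSC?
	impostor, _ := GenerateKeyPair()
	fmt.Println("subscriber holds key:", HoldsPrivateKey(subscriber, &subscriber.PublicKey))
	fmt.Println("impostor holds subscriber's key:", HoldsPrivateKey(impostor, &subscriber.PublicKey))
}
```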
The CA also has the power to suspend the DSC in public interest on the request of the
subscriber listed in the DSC or any person authorised on behalf of the subscriber. However, the
subscriber must be given an opportunity to be heard if the DSC is to be suspended for a period
exceeding fifteen days. The CA shall communicate the suspension to the subscriber.
There are two cases in which the DSC can be revoked. Firstly, as per Section 38 (1), it may be
revoked either on the request or death of the subscriber or when the subscriber is a firm or
company, on the dissolution of the firm or winding up of the company. Secondly, according to
Section 38(2), the CA may suo moto revoke it if some material fact in the DSC is false or has
been concealed by the subscriber or the requirements for issue of the DSC are not fulfilled or
the subscriber has been declared insolvent or dead. A notice of suspension or revocation of the
DSC must be published by the CA in a repository specified in the DSC.
The Controller has the power to issue directions for complying with the provisions of the Act.
Failure to comply with his directions is punishable. Moreover, the interference with ‘protected
systems’ or the reluctance to assist a Government Agency to intercept information in order to
protect state sovereignty and security is also made punishable. The adjudicating court also has
the powers to confiscate any computer, computer system, floppies, compact disks, tape drives
or any accessories in relation to which any provisions of the Act are being violated. No penalty
or confiscation made under this Act will affect the imposition of any other punishment under
any other law in force. If penalties that are imposed under the Act are not paid, they will be
recovered as arrears of land revenue and the licence or DSC shall be suspended till the penalty is
paid.
MODULE 4:
Jurisdiction in Cyber World - Civil & Criminal
An Introduction
Technology and the Internet have allowed new types of interaction and transactions
between individuals that are not always benign and may cause injuries giving rise to tort
claims in a way not previously contemplated. To address cyber torts, the courts may follow
the age-old tradition of developing and evolving legal concepts so as to incorporate new
situations and circumstances into established legal principles.
However, the development of the common law of torts related to cyberspace creates
problems when it involves a third party, such as an internet service provider. Legal protection
available to ISPs is typically driven by policy reasons that have diverse rationales and by concern
about a potential flood of tort claims that would overwhelm internet service providers. The general
practice is to follow the line of reasoning that gives absolute immunity to all internet
service providers who utilize materials or information provided by others, regardless of
knowledge. Litigation can, however, provide a new interpretation that may be persuasive to courts in
considering cyber tort cases and reclaim the common law of torts for cyberspace.
Torts
A tort is a civil, legal injury to a person or property caused by a breach of a legal duty. The duty
that is violated by the tortfeasor (the wrongdoer) must exist as a matter of law, not as a
consequence of any agreement between the tortfeasor and the injured party. Plaintiff (the
injured party) sues the Defendant (the Tortfeasor) for damages. Tort law is a body of law that
addresses and provides remedies for civil wrongs not arising out of contractual obligations.
A person who suffers legal damages may be able to use tort law to receive compensation
from someone who is legally responsible, or liable, for those injuries. Generally speaking,
tort law defines what constitutes a legal injury and establishes the circumstances under
which one person may be held liable for another's injury.
Salient Features of Tort Law
Tort law spans intentional and negligent acts. There are three types of torts: intentional;
unintentional (negligence, no fault) and strict liability (absolute liability). For instance, A
throws a ball and accidentally hits B in the eye. B may sue A for losses occasioned by the
accident (e.g., costs of medical treatment, lost income during time off work). Whether or not B
wins the case depends on whether she can prove A engaged in tortious conduct. Here, B would
attempt to prove that A had a duty and failed to exercise the standard of care which a
reasonable person would render in throwing the ball.
Intentional Tort
An intentional tort is a wrongful act committed knowingly and with the intent to commit the
act (not necessarily with the intent to do harm). Assault is an intentional, unexcused act
creating in another person a reasonable apprehension or fear of immediate harmful or
offensive contact (e.g., pointing a gun at someone). Battery is an intentional, unexcused and
harmful or offensive contact (e.g., firing the gun). False Imprisonment is the intentional
confinement of another person or restraint of another person’s activities without
justification. The confinement may occur through the use of physical barriers, physical
restraint, or threats of physical force. Infliction of Emotional Distress is an intentional act
that amounts to extreme and outrageous conduct resulting in severe emotional distress to
another.
There are certain defenses in the case of an intentional tort. When a plaintiff consents to the
act that damages him or her, the alleged tortfeasor generally is not liable for any damage
done. In the case of self-defense, an individual defending his or her life or physical well-being,
either from real or apparent danger, may use reasonably necessary force, or resort to
reasonably necessary action, to prevent harmful contact. For defense or assistance of others,
an individual can act in a reasonable manner to protect or assist others who are in real or
apparent danger. In the case of defense of property, an individual may use reasonable force to
remove an intruder from the individual’s home or to restrain the intruder for a reasonable
time. Force that is likely to cause death or serious bodily injury (i.e., deadly force) normally
may not be used solely to protect property. Necessity is also a good defence, wherein an
otherwise tortious act may be excused if the tortfeasor acted in accordance with law or the
public good.
Defamation
Defamation is a tort wherein anything published or publicly spoken results in causing injuries to
another’s character, reputation, or good name. Libel is defamation in written form, whereas
slander is defamation in oral form. Defamation as a tort has a publication requirement. The
speaker must have communicated the statement to persons other than the defamed party.
Certain defences are available in the case of defamation. Truth is normally an absolute
defense. In other words, if the allegedly defamatory words were objectively true, the
defendant cannot be held liable for publishing them. Statements made or actions taken in
judicial and certain legislative proceedings are privileged against any claim of wrongful
conduct. In other situations, statements or actions made in good faith and, in the case of
statements, made only to those who have a legitimate interest in the statement, enjoy a
qualified privilege. Generally speaking, otherwise false and defamatory statements made
about public figures are privileged unless they are made with actual malice – that is, with
either knowledge of falsity or reckless disregard of the truth or falsity.
Invasion of Privacy
Common law recognizes four acts that qualify as improperly infringing on another’s privacy:
appropriation, i.e. the use of a person’s name, picture, or other likeness for commercial
purposes without their permission; intrusion into an individual’s affairs or seclusion in an
area in which the person has a reasonable expectation of privacy; publication of information
that places a person in a false light; and public disclosure of private facts about an individual
that an ordinary person would find objectionable.
Salient Features
Duty of Care refers to the duty of all persons to exercise reasonable care in their dealings
with others, measured by the degree of care expected of a hypothetical “reasonable person”.
One of the main topics of the substance of tort law is determining the standard of care, a
legal phrase that means distinguishing between when conduct is or is not tortious. Put
another way, the big issue is whether a person bears the loss from his own injury, or whether
it gets transferred to someone else.
In the example above, if A threw the ball at B purposely, B could sue for the intentional tort
of battery (and the action might also, separately, be pursued as a criminal matter). If it was
an accident, B must prove negligence. To do this, B must show that her injury was reasonably
foreseeable, that A owed B a duty of care not to hit her with the ball, and that A failed to
meet the standard of care required.
In tort law, injury is defined broadly. Injury does not just mean a physical injury, such as
where B was struck by a ball. Injuries in tort law reflect any invasion of any number of
individual interests. This includes interests recognized in other areas of law, such as
property rights. Actions for nuisance and trespass to land can arise from interfering with
rights in real property. Conversion and trespass to chattels can protect interference with
movable property. Interests in prospective economic advantages from contracts can also be
injured and become the subject of tort actions. A number of situations caused by parties in
a contractual relationship may nevertheless be tort rather than contract claims, such as
breach of fiduciary duty.
Tort law may also be used to compensate for injuries to a number of other individual
interests that are not recognized in property or contract law, and are intangible. This includes
an interest in freedom from emotional distress, privacy interests, and reputation. These are
protected by a number of torts such as infliction, privacy torts, and defamation. Defamation
and privacy torts may, for example, allow a celebrity to sue a newspaper for publishing an
untrue and harmful statement about him. Other protected interests include freedom of
movement, protected by the intentional tort of false imprisonment.
Torts in Cyberspace
A cyber tort is a tort committed via the internet. While concepts embodied in traditional
tort cases address some of the possible transgressions that may give rise to criminal
penalties and, in some cases, civil liability, the applicability of common law tort concepts
may be obviated in the cyber domain. The extent to which tort law has evolved to continue
its traditional redress for individuals injured by the wrongful acts of others has been
severely restricted in the case of some torts, particularly when the act is one involving third
party content and service providers.
Tort law has yet to expand to defend the consuming public against a wide variety of
wrongdoing on the World Wide Web because of the overly broad immunity conferred on
ISPs. In the case of torts committed in cyberspace, the development of the common law of
torts related to cyberspace has been abruptly halted when it involves a third party computer
service provider. This situation is exacerbated by the anonymity the cyber domain offers to
the tortfeasor.
Electronic documents, intangible information and invisible systems deserve the same
protections as tangible personal property. The definition of “property” may also be expanded
to include these intangible and invisible aspects created by technological development.
Torts that protect property interests, such as conversion, misappropriation of trade secrets
and trespass to chattels, can then apply to the cyber domain as well. In the United States,
the state courts have followed the age-old tradition of developing and evolving legal
concepts in such a way as to incorporate new situations and circumstances into established
legal principles.
Online injury
In the Bazee.com case, the CEO of Bazee.com was arrested in December 2004 because a CD
with objectionable material was being sold on the website. The ISP was negligent in its
oversight of its service when it failed to recognize or take action against a subscriber who
was using the service to market and distribute objectionable material. This opened up the
question as to who was responsible for causing any emotional injury to the victim: the
Internet Service Provider or the Content Provider. In other words, can a person be liable for
a tort committed in cyberspace? Should an Internet Service Provider (ISP) be liable for the
actions of its subscriber?
Online Defamation
Perhaps the most prominent intentional cyber tort that has been alleged to have arisen
because of online conduct is defamation. It is an online message attacking another person or
entity in harsh, often personal, and possibly defamatory, terms. The ease of “publishing” to
the Internet makes it tantalizing for people with a grudge, malicious motives or, in some
cases, the purpose of a mere practical joke, to utter false statements about someone that
have the effect of subjecting them to the negative consequences of defamation. Issues that
are still being defined are those of “publication”, authorship or ownership, and disclosure of
authorship by Internet service providers. Who is the publisher of defamatory statements? Is
the right to freedom of expression involved?
Online defamation is difficult to combat because Internet service providers (ISPs) are
exempted from liability for disseminating defamatory material; and the Internet affords a
high degree of anonymity to the person who posted the defamatory message. The
development of IT regulation and case laws provide the opportunity for attempting to deal
with this issue.
In India's first case of cyber defamation, SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra,
the Delhi court assumed jurisdiction over a matter where a corporate’s reputation was being
defamed through emails and passed an important ex-parte injunction. In this case, the
defendant Jogesh Kwatra, being an employee of the plaintiff company, started sending
derogatory, defamatory, obscene, vulgar, filthy and abusive emails to his employers as also
to different subsidiaries of the said company all over the world with the aim to defame the
company and its Managing Director Mr. R K Malhotra. The plaintiff filed a suit for a
permanent injunction restraining the defendant from continuing his illegal acts of sending
derogatory emails to the plaintiff. Another case, State of Tamil Nadu Vs Suhas Katti,
related to the posting of obscene, defamatory and annoying messages about a divorcee
woman in a Yahoo message group. E-mails were also forwarded to the victim for information
by the accused through a false e-mail account opened by him in the name of the victim. The
posting of the message resulted in annoying phone calls to the lady in the belief that she
was soliciting.
Online spam
Spam is the use of electronic messaging systems to send unsolicited bulk messages,
especially advertising, indiscriminately. While the most widely recognized form of spam is
e-mail spam, the term is applied to similar abuses in other media. This raises the following
questions: Does the dissemination of spam constitute a “taking of property” from either the
ISP or the e-mail recipient? Who should be liable for “spam” and computer viruses that cause
injury?
Communications and personal information that are posted online are usually accessible to a
vast number of people. Yet when personal data exist online, they may be searched,
reproduced and mined by advertisers, merchants, service providers or even stalkers. Many
users know what may happen to their information, while at the same time they act as
though their data are private or intimate. They expect their privacy will not be infringed
while they willingly share personal information with the world via social network sites,
blogs, and in online communities.
It is somewhat paradoxical that, on the one hand, social network sites thrive on users’
willingness to disclose and consume personal information, and most of one’s Facebook
“friends” are known to the profile owner offline to at least some extent, but that, on the
other hand, users have concerns about privacy issues as Internet communication
technologies continue to evolve.
Invasions of privacy happen when internet users lose control of the type of personal
information revealed about them. Privacy provides people with some protection against harmful
or unpleasant experiences – against punishment and exploitation by others, against
embarrassment or lowered self-esteem, against threats to the integrity and autonomy of the
individual. Invasions of privacy can increase the likelihood of harm because they deprive the
individual of that protection.
The fundamental problem is not in the collection of user data, but rather that digital
services often gather highly sensitive personal information (political preferences, location,
religious affiliation etc.) despite users not actively consenting to share this data. Google's
recent privacy policy changes have put into focus just how much data they are actually
collecting, and a storm was raised globally when Google's reply was that users must accept
this data collection if they want to use Google's services. Two major factors that may be the
major influencers of online privacy concerns are: 1) the consumers’ perceived vulnerability
to the unauthorized gathering and misuse of personal information; and 2) the consumers’
perceived ability to control the manner in which personal information is collected and used.
Perceived vulnerability describes the perceived potential risk when personal information is
revealed. The revelation of private information could be caused by many factors, such as
accidental disclosure, unauthorized access, hacking into networks, etc.
The possible negative consequences for consumers include identity theft, undesirable
consumer profiling, and being targeted by unwanted advertising messages on the Internet,
i.e. spam emails. These factors contribute to consumers feeling increasingly vulnerable to
the risk of misuse of their private information on the Internet and, therefore, experiencing
increased online privacy concerns.
The perceived ability to control is the extent to which consumers think they can prevent
personal information from being disclosed online. Consumers tend to think that information
disclosure is less invasive to their privacy, and less likely to lead to negative consequences
when they believe that they can control when and how such information is disclosed and
used in the future. Hence, consumers’ online privacy concerns are likely to be reduced by
their perceived ability to control information collection and dissemination. There is also a
likely relationship between the perceived ability to control personal information collection
and usage, and the perceived vulnerability to information misuse. If consumers feel that
they can actually control how their private information is collected and used by Websites,
they will also feel less vulnerable to the potential negative outcomes of information misuse.
Therefore, perceived ability to control private information flow on the part of consumers
will reduce their perceived vulnerability and, in turn, will reduce their online privacy
concerns.
Article 12 of the UDHR states that "No one should be subjected to arbitrary interference with
his privacy, family, home or correspondence, nor to attack on his honour or reputation.
Every one has the right to the protection of the law against such interferences or attacks."
Similar provisions exist in other instruments as well, such as Article 17 of the ICCPR, Article
14 of the UN Convention on Migrant Workers and Article 16 of the Convention on the Rights
of the Child.
The IT Act provides for both civil liability and criminal penalty for a number of specifically
proscribed activities involving the use of a computer, many of which impinge on privacy
directly or indirectly.
Section 43 of the IT Act forbids the following actions when performed on, or in relation to a
‘computer resource’ without obtaining the permission of the owner or person in charge of
it:
The Act provides for the civil remedy of “damages by way of compensation” for damage
caused by any of these actions. In addition, anyone who “dishonestly” and “fraudulently”
does any of these specified acts is liable to be punished with imprisonment and/or with a
fine.
As computers and the internet become ubiquitous children have increasingly become
exposed to crimes such as pornography and stalking that make use of their private
information. The newly inserted Section 67B of the IT Act (2008) attempts to safeguard the
privacy of children below 18 years by creating a new enhanced penalty for criminals who
target children.
The section firstly penalizes anyone engaged in child pornography. Thus, any person who
“publishes or transmits” any material which depicts children engaged in sexually explicit
conduct, or anyone who creates, seeks, collects, stores, downloads, advertises or exchanges
this material may be punished with imprisonment and with a fine.
Secondly, this section punishes the online enticement of children into sexually explicitly
acts, and the facilitation of child abuse, which are also punishable as above. Viewed
together, these provisions seek to carve out a limited domain of privacy for children from
would-be sexual predators.
Although the advent of email has greatly enhanced our communications capacities, most
email networks today remain susceptible to attacks from spammers who bulk-email
unsolicited promotional or even offensive messages to the nuisance of users.
Section 66A of the IT Act attempts to address this situation by penalizing the sending of:
a) any message which is grossly offensive or has a menacing character; b) false information
for the purpose of causing annoyance, inconvenience, danger, insult, criminal intimidation,
enmity, hatred or ill-will; c) any electronic mail for the purpose of causing annoyance or
inconvenience, or to deceive the addressee about the origin of such messages. This offence
is punishable with imprisonment and with a fine.
Section 66 (B) of the Information Technology Act provides the penalty for hacking. Any person
who intentionally causes wrongful loss, or damages, destroys, deletes or alters information
in a computer, or commits a hacking offence, is held criminally liable with imprisonment
and/or a fine. This provision works to protect the privacy and integrity of entire computer
systems belonging to the individual.
The Information Technology Act provides for lawful online surveillance, monitoring, and
identification of data by government agencies, thus reducing Internet privacy. At the same
time, there are no robust provisions for protecting the privacy rights of Internet users from
potentially unauthorized gathering and use of information by private parties.
Section 69 empowers the “Central Government or a State Government or any of its officers
specially authorised by the Central Government or the State Government, as the case may
be” to exercise powers of interception under this section. The Interception Rules, 2009
provide the safeguards against its potential misuse. The Secretary in the Ministry of
Home Affairs has been designated as the “competent authority”, with respect to the Central
Government, to issue directions pertaining to interception, monitoring and decryption. In
such cases it would be permissible to carry out interception after obtaining the orders of the
Head or second senior-most officer of security and law enforcement at the Central level.
The order must be communicated to the competent authority within three days of its issue,
and approval must be obtained from the authority within seven working days, failing which
the order would lapse.
In addition to Section 69, the Government has been empowered under the newly inserted
Section 69B to “monitor and collect traffic data or information generated, transmitted,
received or stored in any computer resource”. “Traffic data” has been defined in the section
to mean “any data identifying or purporting to identify any person, computer system or
computer network or any location to or from which communication is or may be
transmitted.” The safeguards are similar to the rules issued under Section 69.
Introduction
The rapid growth of cyberspace has created new opportunities for criminals to perpetrate
crimes by exploiting the vulnerabilities of computers, systems and networks. These
criminals can easily leverage the Internet to carry out traditional crimes such as fraud and
theft. In addition, they exploit cyberspace to facilitate crimes that are often technology
driven, including identity theft, payment card fraud, and intellectual property theft.
This new class of crimes, commonly known as cyber crimes, is rapidly increasing due to
extensive use of computers, Internet and related services. Any criminal activity that uses a
computer either as an instrumentality, target or a means for perpetuating further crimes
comes within the ambit of cyber crime. Cases of spam, hacking, cyber stalking and email
fraud are rampant.
Cyber crime issues have become high-profile, particularly those surrounding hacking,
copyright infringement, child pornography, and inappropriate and sensitive on-line contents
or data. There are also problems of privacy when confidential information is posted on-line
or intercepted, lawfully or otherwise. Malicious activities in the cyberspace relating to
cybercrimes constitute a threat to individuals, industry, data, and to safety and confidence
in the information society.
Cybercrime is currently one of the fastest-growing areas of crime. Many businesses depend
on “electronic-commerce” to become more efficient and competitive, and cybercrime would
seriously inhibit the growth of “electronic-commerce”, which in turn would deprive us all of
its benefits. Cybercrimes have economic, social, and national security implications, among
others.
Cyber crime
Cyber crime is a term used to broadly describe criminal activity in which computers or
computer networks are a tool, a target, or a place of criminal activity, and it includes
everything from electronic cracking to denial of service attacks. Technology-enabled cyber
crime encompasses the following:
Cyber crimes, involving a computer as the target of the crime, include hacking (trespass),
cracking (burglary), malicious code (viruses, worms, Trojan horses), vandalism (web site
defacement) and denial of service (DOS) attacks. Cyber crimes, using computer as a tool,
include fraud, theft, extortion, stalking, forgery, child pornography. Cyber crimes, where a
computer is incidental to the commission of the crime, include using computer to write
blackmail letters, stealing records stored on computer.
There are a good number of cyber crime variants. Some of the cyber crimes are as under:
(a) Hacking: The term “hacking” is used to describe the unlawful access of a computer
system. It is a crime which entails cracking systems and gaining unauthorized access to the
data stored in computers. It is one of the oldest computer-related crimes, and in recent
years has become a mass phenomenon.
By targeting computer systems that host large databases, offenders can obtain identity-
related data and this is an increasingly popular approach. Another highly dangerous
computer crime is the hacking of IP addresses in order to transact with a false identity, thus
remaining anonymous while carrying out the criminal activities.
(b) Spam: Spam, or the unsolicited sending of bulk email for commercial purposes, is
unlawful to varying degrees. As applied to email, specific anti-spam laws are relatively new;
however, limits on unsolicited electronic communications have existed in some form for
some time.
(c) Fraud: Computer fraud is any dishonest misrepresentation of fact intended to induce
another to do or refrain from doing something which causes loss. In this context, the fraud
results in obtaining a benefit by altering computer input in an unauthorized way. This
requires little technical expertise. Other forms of fraud may be facilitated using computer
systems, including bank fraud, identity theft, extortion, and theft of classified information.
(e) Phishing: Phishing is just one of the many frauds on the Internet that try to fool
people into parting with their money. Phishing refers to the receipt of unsolicited emails by
customers of financial institutions, requesting them to enter their username, password or
other personal information to access their account for some reason. Customers are directed
to a fraudulent replica of the original website when they click on the links in the email to
enter their information, and so they remain unaware that the phishing has occurred. The
fraudster then has access to the customer’s online bank account and to the funds contained
in that account.
(f) Identity Theft: Identity theft is one of the most serious frauds as it involves stealing
money and obtaining other benefits through the use of a false identity. It is the act of
pretending to be someone else by using someone else’s identity as one’s own. Financial
identity theft involves the use of a false identity to obtain goods and services, and
commercial identity theft is the use of someone else’s business name or credit card details
for commercial purposes. Identity cloning is the use of another user's information to pose as
a false user.
(g) Computer Viruses: Computer viruses are computer programs that can replicate
themselves and harm the computer systems on a network without the knowledge of the
system users. Viruses spread to other computers through network file systems, through the
network or the Internet, or by means of removable devices like USB drives and CDs. Computer
viruses are malicious code written with the aim of harming a computer system and
destroying information. Writing computer viruses is a criminal activity, as virus infections can
crash computer systems, thereby destroying great amounts of critical data.
(h) Cyber stalking: Cyber stalking is the use of the Internet or other electronic means to
stalk someone. This term is used interchangeably with online harassment and online abuse.
Stalking generally involves harassing or threatening behavior that an individual engages in
repeatedly, such as following a person, appearing at a person’s home or place of business,
making harassing phone calls, leaving written messages or objects, or vandalizing a person's
property.
The content of websites and other electronic communications may be distasteful, obscene
or offensive for a variety of reasons. In some instances these communications may be
illegal. Many jurisdictions place limits on certain speech and ban racist, blasphemous,
politically subversive, libelous or slanderous, seditious, or inflammatory material that tends
to incite hate crimes. The extent to which these communications are unlawful varies greatly
between countries, and even within nations. One area of Internet pornography that has
been the target of the strongest efforts at curtailment is child pornography.
Given the capabilities and characteristics of digital network technologies, e-commerce has
had a tremendous impact on the system of copyright and related rights, and the scope of
copyright and related rights in turn is affecting how e-commerce evolves. It is essential that
legal rules are set and applied appropriately, to ensure that digital technology does not
undermine the basic tenets of copyright and related rights.
To address legal issues recently created by the development of the Internet and other new
digital delivery services, the international legal framework for updating copyright laws for
the digital era was laid down in two World Intellectual Property Organization (WIPO)
Treaties concluded in Geneva in December 1996. These are the WIPO Copyright Treaty
(WCT) and the WIPO Performances and Phonograms Treaty (WPPT).
Although the WCT and the WPPT now provide basic norms clarifying and safeguarding the
protection of copyright and related rights in relation to the digital environment, and serve
both as a guide and a model for national legislation, certain unresolved questions remain.
One such unresolved issue is the issue of penalizing the infringement of IPRs. The threat
from invasion and unauthorized usage of digital content over the Internet is very real.
Real-world crime and cybercrime differ in several respects. Real-world crimes are
characterised by proximity, limited scale, physical constraints and particular patterns. Cyber
crimes differ from most traditional crimes in four ways, as under:
Cyber crimes are characterised by anonymity, the ease of avoiding leaving trace evidence,
speed in committing the crime, and ease of concealment. Cyber crimes may be trans-border
and transnational in nature. Cybercrime is a 24/7 international problem. Round-the-clock
support is a must-have if law enforcement agencies decide to exchange operational
cybercrime data. If only tactical information is being exchanged then there is not really a
need for 24/7 support. Considering how cybercrime is evolving and how incident response
requires multiple organisations in different time zones to collaborate, 24/7 support could be
seen as a strong requirement to cover the needs of cooperation between law enforcement
agencies.
These differences between the basic elements constituting real-world crime and cybercrime
make it difficult to apply traditional principles of criminal law and law enforcement to
cybercrime. However, Cybercrime is real and it does form a realistic threat. Individuals,
industry and governments are increasingly falling victim to all forms of cybercrime, including
phishing, botnets, etc. It is essential that these challenges be addressed.
Combating cyber crime requires a different approach and methodology, which includes
prevention and mitigation measures, sharing of information, cooperation between law
enforcement agencies and internet service providers (ISPs), and international cooperation.
The emphasis should be on prevention and mitigation measures because of the difficulties
involved in attribution and prosecution of cyber criminals.
The existing Information Technology Act, 2000 provides for legal framework to prevent cyber
crimes. Further, the Act has been amended in 2008 to include provisions to address computer
crimes like phishing, spamming, online frauds and identity theft as also for data protection.
The Indian Computer Emergency Response Team (CERT-In) has been set up as the national
nodal agency under Section 70B for the prevention and mitigation of cyber incidents. It issues
alerts, advisories and vulnerability reports regularly.
As per the IT Act, a cyber-crime has to be a voluntary and wilful act or omission that
adversely affects a person or property. The Information Technology Act covers various types
of cyber crimes and the penalties provided for such crimes. Some of the important provisions
of the Act in respect of cyber crimes are as under:
(a) Cyber Stalking: When a victim is repeatedly and persistently followed and pursued
online by e-mail or other electronic communication. In such crimes Sections 66A, 66C and 66E
of the Information Technology Act, along with Sections 506 and 509 IPC, can be invoked
depending upon the nature and facts of the case.
(c) Child Pornography: This has been defined in Section 67B of IT Act. Section 67 and 67A
and Section 292, 293 IPC can also be invoked as per the facts of the case.
(d) Hacking of E-mails or social networking accounts: Section 43 and 66C of IT Act can be
invoked to deal with unauthorized use or access to the e-mail or social networking accounts
such as Facebook, Orkut, Gmail, Hotmail etc.
(e) Unwanted exposure to sexually explicit material etc: Section 67 deals with publishing
or transmitting obscene material in electronic form. Whoever publishes or transmits any
material which is lascivious or appeals to the prurient interest, or whose effect is such as to
tend to deprave and corrupt persons who are likely to read the matter contained in it, shall be
punished on first conviction with imprisonment for a term up to three years and a fine of five
lakh rupees, and on second conviction with imprisonment for a term of five years and a fine of
ten lakh rupees, or both. Section 67A deals with publishing or transmitting material containing
sexually explicit acts in electronic form. Material covered by Section 67 which also contains
sexually explicit acts attracts the penalty under this Section.
(f) Child Pornography: Child Pornography has been exclusively dealt with under Section
67B. Depicting children engaged in sexually explicit act, creating text or digital images or
advertising or promoting such material depicting children in obscene or indecent manner etc
or facilitating abusing children online or inducing children to online relationship with one or
more children etc come under this Section. ‘Children’ mean persons who have not completed
18 years of age, for the purpose of this Section. Punishment for the first conviction is
imprisonment for a maximum of five years and fine of ten lakh rupees and in the event of
subsequent conviction with imprisonment of seven years and fine of ten lakh rupees.
Screening videos and photographs of illegal activities through the Internet, making
pornographic video or MMS clippings, or distributing such clippings through mobile or other
forms of communication over the Internet all fall under this category. Section 67C places a
responsibility on intermediaries to preserve and retain such information as may be specified,
for such duration and in such manner as the Central Government may prescribe.
Non-compliance is an offence punishable with imprisonment up to three years or a fine.
(g) Cyber terrorism: Section 66F deals with intent to threaten the unity, integrity, security or
sovereignty of the nation and denying access to any person authorized to access the
computer resource or attempting to penetrate or access a computer resource without
authorization. Acts of causing a computer contaminant (like virus or Trojan Horse or other
spyware or malware) likely to cause death or injuries to persons or damage to or destruction
of property etc. come under this Section. Punishment is life imprisonment.
(h) Tampering with computer source code: Section 65 refers to computer source code,
including the listing of programmes, computer commands, design and layout etc. in any form.
Concealing, destroying or altering any computer source code, when the same is required to be
kept or maintained by law, is an offence punishable with three years' imprisonment or a fine of
two lakh rupees or both. Fabrication of an electronic record, or committing forgery by way of
interpolations in a CD produced as evidence in a court, attracts punishment under this Section.
(i) Identity Theft: Section 66C of IT Act can be invoked to deal with identity theft.
(j) Data theft: Computer related offences such as data theft are dealt with under section
66. Such offences attract imprisonment up to three years or a fine of five lakh rupees or both.
(k) IP or email spoofing: Sending offensive messages through a communication service, causing
annoyance etc. through an electronic communication, or sending an email to mislead or
deceive the recipient about the origin of such messages, commonly known as IP or email
spoofing, are all covered under section 66A. Punishment for these acts is imprisonment up to
three years or a fine.
(m) Electronic signature: Section 66C refers to offence relating to electronic signature or
other identity theft like using others’ password or electronic signature etc. Punishment is
three years imprisonment or fine of one lakh rupees or both.
(n) Cheating by impersonation: Section 66D provides that cheating by impersonation using a
computer resource or a communication device shall be punished with imprisonment of either
description for a term which may extend to three years, and the offender shall also be liable to
a fine which may extend to one lakh rupees.
(o) Privacy violation: Section 66E deals with violation of privacy, which is publishing or
transmitting images of the private area of any person without his or her consent etc. Punishment
is three years' imprisonment or a fine of two lakh rupees or both.
(p) Blocking undesirable contents: Where any material covered under Sections 67, 67A and
67B of the Information Technology Act, 2000 is seen on the Web, and it falls under Section 69A
of the IT Act on the grounds of 'public order' or 'preventing incitement to the commission of
any cognizable offence', law enforcement agencies may request social networking sites to
remove the undesirable content by invoking the IT Act and rules.
Evidence in Cyber Crimes prosecution
The nature of evidence in the real world and the virtual world is different. This discrepancy is
evident in all the stages of evidence detection, gathering, storage and exhibition before the
court. The critical part is that the law enforcement agencies that are responsible right from
the stage of collection of the evidence to the presentation of the evidence before the court
must understand the distinguishing attributes of the evidence so that they can preserve the
evidence collected by them.
Contrary to the real world crimes where any tangible evidence in the form of finger prints,
weapon of crime, blood stain marks etc can be traced, in the cyberspace such evidences
become very difficult to collect. Cyberspace poses challenges in the process of cyber evidence
detection, gathering, storage and exhibition before the court. There is thus a need for capacity
building in cyber forensics. The role of the judiciary also becomes vital as the judiciary must
also be in the position to appreciate the computer evidence presented before them.
A country party to the convention must define criminal offences and sanctions under their
domestic laws for four categories of computer-related crimes: (1) security breaches such as
hacking, illegal data interception, and system interferences that compromise network
integrity and availability; (2) fraud and forgery; (3) child pornography; and (4) copyright
infringements.
The convention also requires a country party to establish domestic procedures for detecting,
investigating, and prosecuting computer crimes, as well as collecting electronic evidence of
any criminal offence. It also facilitates international cooperation for fighting cybercrime.
MODULE 5:
Cyber Space & Government Regulation
Cyberspace is today one of the great legal frontiers. The man-made cyberspace has been
generated by the use of information and communication technology (ICT) and is essentially
composed of interdependent distributed infrastructure of sensor, computer and network,
hardware and software and transmission media that collects, carries, stores, transforms and
uses information. Cyberspace Domain is embedded in traditional domains (land, maritime,
air and space domains), but is characterized by “virtual activity”. It is, thus, virtual, borderless
and anonymous. Fundamental to cyberspace is the internet, which is typically described as
a ‘network of networks’, a system of hardware (computers, routers, cables or wireless
transmitters and receivers) and software (the protocols that provide rules for connecting
between different machines). The Internet serves as a giant computer nervous system
connecting millions of devices around the world. As such, it is the most important
development ever in the transformation of cyberspace from an idea into a practical reality.
In order to use cyberspace, one must have an Internet connection and understand how to
collect and transmit information via email, browsers, and so on.
The most important rules for exchanging information across the Internet have been
collected together as TCP/IP (Transmission Control Protocol/Internet Protocol). While TCP/IP
offers a series of rules for connecting different machines across the Internet to a range of
servers, a much more specific protocol, the hypertext transfer protocol (HTTP) was
developed alongside HTML to establish the basic rules for connecting documents via
hypertext. As such, HTTP defines such things as how a uniform resource locator (URL) works
to locate a specific document, as well as operations to be performed by a browser, or
applications to be launched, when it downloads different types of files. The developments
of internet access technologies or web facilitated a single, uniform interface for different
types of information contained on different servers.
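As an added example, not part of the study material, the following Python code shows the division of labour the paragraph describes: the URL names the server and the document, TCP/IP reaches the server by host and port, and HTTP carries the request and the typed answer the browser acts on. The hostname example.org, the sample server response and the Content-Type-to-action mapping are constructed for this illustration and are not drawn from the text.

```python
"""Added illustration (not from the study material): how a browser takes a
URL apart, what it sends to the server under HTTP/1.1, and how it reads the
server's answer. Uses only the Python standard library; the sample response
below is constructed for the example."""
from typing import Dict, Tuple
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def locate(url: str) -> Dict[str, object]:
    """Split an absolute http(s) URL into the parts needed to find a document.

    scheme -> which protocol to speak; host/port -> which server (TCP/IP);
    target -> what to ask that server for (sent in the HTTP request line);
    fragment -> handled by the browser only, never sent to the server.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    path = parts.path or "/"
    target = path + ("?" + parts.query if parts.query else "")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "target": target,
        "path_decoded": unquote(path),  # %20 etc. turned back into characters
        "fragment": parts.fragment,
    }


def build_get_request(url: str) -> str:
    """Render the HTTP/1.1 GET request a client would send for `url`.

    The Host header is mandatory in HTTP/1.1: one server (one IP address)
    may host many sites, and Host tells it which one the request is for.
    """
    loc = locate(url)
    return (
        f"GET {loc['target']} HTTP/1.1\r\n"
        f"Host: {loc['host']}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP response into status code, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0].split(" ", 2)  # e.g. ["HTTP/1.1", "200", "OK"]
    if len(status_line) < 2 or not status_line[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().lower()] = value.strip()
    return int(status_line[1]), headers, body


def browser_action(headers: Dict[str, str]) -> str:
    """Decide what to do with a downloaded file from its Content-Type header.

    The mapping is a simplified assumption for this example; the point is that
    the server-declared type, not the URL's file extension, drives the choice.
    """
    media_type = headers.get("content-type", "application/octet-stream")
    media_type = media_type.split(";", 1)[0].strip().lower()
    if media_type in ("text/html", "text/plain"):
        return "render"
    if media_type.startswith("image/"):
        return "display-image"
    if media_type == "application/pdf":
        return "open-with-viewer"
    return "download"  # unknown type: save it rather than run or render it


# Constructed sample of what a server might answer (not captured traffic).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"<html><body>hi</body></html>"
)

if __name__ == "__main__":
    print(build_get_request("https://example.org/docs/my%20file.html?q=a#top"))
    status, hdrs, body = parse_response(SAMPLE_RESPONSE)
    print(status, browser_action(hdrs), body)
```

Two details matter for the legal discussion that follows: the fragment after `#` never leaves the browser, so a server (or an intermediary logging requests) cannot see it, and the decision about what to do with a downloaded file is driven by the type the server declares, which is why a prudent client saves an unknown type rather than executing it.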
Use of internet has evolved exponentially over the last ten years as individuals,
governments and companies began making available huge amounts of data in open and
immediately accessible forms. The growth of the Internet is but an extreme example of one
of the key areas where technology is changing the national law for adapting to the realm of
cyberspace.
Cyberspace has brought into sharp focus some of the issues facing national law. Key areas of
law and policy development with regard to new media have been around electronic
commerce, intellectual property, privacy and freedom of expression, as well as the concern
of how best to deal with criminal activity such as fraud, exchanges of illegal material such as
images of child abuse, and even terrorism.
The borderless nature of the Internet makes some issues of regulation difficult to deal with.
For example, the Internet offers criminals a huge and easy-to-reach pool of potential
victims; so law enforcement agencies will increasingly need to respond to cyber crimes that
are perpetrated and located outside the boundaries of territorial jurisdiction. In addition to
presenting challenges to state law enforcement in the context of both civil and criminal
jurisdiction, the Internet also creates new investigative challenges for state authorities. For
example, the Internet can offer wrongdoers a veil of anonymity due to difficulties in tracing
the source of electronic connections. Moreover, the architecture of the Internet permits
Internet Service Providers (“ISPs”) to provide services and store electronic data for persons
located anywhere in the world. To conduct investigations in this environment, state
investigators need to gather electronic evidence located in other jurisdictions.
At the same time, countries have become increasingly concerned about the effect of
information and communication technologies on their social and cultural life. For example,
many nations fear that the availability of obscene, racist or blasphemous speech on the
Internet will have a corrupting influence on their societies.
The Internet and related e-commerce activities are not lawless; there is a requirement for
law to regulate, protect and enforce. E-commerce has the potential to change traditional
business models; there is a need for a coherent yet flexible legal network to facilitate the
e-entrepreneurial spirit and the confidence of consumers. The question is how to respond to
the novel requirements of such activity. There are three options, first, ‘do nothing’, that is to
recognize that traditional legal principles can be utilized in these novel contexts and as such
there is no need to create new or adapted code. The law can evolve, as and where
necessary. The second approach is to accept that the challenges that will arise are so novel
and unique that the existing legal principles have no application, and that new principles
and approaches need to be adopted, in other words the creation of an Internet law. Finally
an approach somewhere in between the previous two, to allow the law to evolve with the
technology but where the law is seen to be failing to provide adaptations of the existing law
The internet is known to have no physical boundaries or territorial boundaries and thus
framing of uniform laws to govern the cyberspace is difficult. There is no control of any
single state over the internet as a whole. The fact that there are no physical boundaries has
far reaching consequences. The dispute often arises as to which state has prescriptive
jurisdiction and which state will adjudicate the cross border dispute. Because the effect of
such a dispute is seen across multiple jurisdictions, the question arises as to how to
enforce a law and which state's law would be applied. It has been observed by
Johnson and Post that the “cyberspace radically undermines the relationship between
legally significant (online) phenomenon and physical location.
The rise of the global computer network is destroying the link between geographical
locations and (1) the power of the local government to assert control over online
behaviour; (2) the effects of online behaviour on individuals or things; (3) the legitimacy of
the effort of a local sovereign to enforce rules applicable to global phenomenon;(4) the
ability of physical location to give notice of which sets of rules apply”.
There are different schools of thought on the issue of whether the cyberspace needs to be
regulated through the government intervention or the self-regulation by the digital world
can regulate our actions. A few scholars, such as John Perry Barlow in the Declaration
of Independence for the internet in 1996 and Alfred C. Yen, advocate that the internet is a free
space which needs no regulation. Subsequently, around 1997 the then President of the USA issued a
declaration titled “A Framework for Global Electronic Commerce”. He emphasized the notions
that the “private sector should lead”, “facilitation of e-commerce by government” and
“encouraging industry self-regulation”. According to Professor Lessig, as architecture in real
space can constrain our actions the architecture in the digital world can regulate our
actions. In 1996 WIPO Copyright Treaty came into force wherein Article 11 provided that
states should enact laws to prevent circumvention of technological protection measures
that protect copyright information. Likewise USA adopted the Digital Millennium Copyright
Act,1998 and European Union adopted the same principles in its Directive on harmonisation
of Copyright and other related rights in Information Society,2001.
The United Nations Commission on International Trade Law (UNCITRAL) adopted the
Model Law on e-commerce in 1996. The General Assembly of United Nations passed a
resolution in January 1997 inter alia, recommending that all States in the UN give favourable
consideration to the said Model Law, which provides for recognition of electronic records
and according it the same treatment like a paper communication and record. India being a
signatory to it had to revise its laws as per the said model law.
Information Technology Act, 2000 is Indian legislation regulating the use of computers,
computer systems, computer networks, computer resources and communication devices as
also data and information in the electronic format. This legislation has provided for legality
of the electronic format and electronic contracts. Many legal provisions recognized paper
based records and documents which should bear signatures. Since electronic commerce
eliminates the need for paper based transactions, therefore to facilitate e-commerce there
was a need felt for certain legal changes. Thus Parliament enacted the Information
Technology Act, 2000 to facilitate e-commerce and with a view to facilitate Electronic
Governance.
The object of The Information Technology Act, 2000 as defined therein is “to provide legal
recognition for transactions carried out by means of electronic data interchange and other
means of electronic communication, commonly referred to as “electronic methods of
communication and storage of information”, to facilitate electronic filing of documents with
the Government agencies and further to amend the Indian Penal Code, the Indian Evidence
Act, 1872, the Banker’s Book Evidence Act, 1891 and the Reserve Bank of India Act, 1934
and for matters connected therewith or incidental thereto.”
The Information Technology Act, 2000 addresses the following issues-
Legal Recognition of Electronic Records
Legal Recognition of Electronic Signatures
Offences and Contraventions
Justice Systems for Cybercrimes
India's Information Technology Act (ITA) recognizes the legal validity of E-documents, E-
signatures and E-contracts, and also promotes E-government. E-documents are not allowed
in wills, trusts, sales of real property, negotiable instruments and powers-of-attorney. An E-
document may be used to satisfy a statutory requirement of: writing; authentication;
retention; publication; and governmental filing, issuance or payment. A digital signature
complies with a statutory requirement for a handwritten signature to be affixed on paper.
The ITA includes E-contract rules relating to: attribution, acknowledgement of receipt, and
time and place of transmission and reception of an electronic message. Rules are provided
for the regulation of Certification Authorities (CA) and third parties whose duty is to vouch
for the authenticity and integrity of an electronic message that has been signed with a
digital signature. Those rules are implemented by the Controller. India has adopted a
compulsory system of CA licensing; no party may offer certification services without a
license. A CA is mandated to: publicly display its license; issue certificates to successful
applicants; and manage outstanding certificates by keeping the information in them current,
and suspending or revoking them if they contain inaccuracies. A CA's license may be
suspended or revoked for good cause shown. Subscribers are responsible for ensuring that
all information given to the CA is accurate and that all information contained in the
certificate is correct. Ordinarily, network service providers have limited liability. The ITA
includes civil and criminal offenses and related penalties. The Controller appoints
adjudicating officers to hear both civil and criminal cases relating to the ITA and to render
decisions accordingly. Appeal may be taken to the Cyber Regulations Appellate Tribunal and
eventually to the High Court. The government of India and the Controller are empowered to
issue regulations necessary for implementation of the ITA.
The ITA's purposes are to: recognize the legal validity of electronic transactions that are
used in E-commerce; promote the growth of E-government, i.e., the acceptance and
utilization of documents in electronic form by government departments; and accordingly, to
amend the criminal law, evidence law and banking law insofar as they are affected by the
legal recognition of electronic transactions. Ostensibly, deference was shown by the drafters
of the ITA to the United Nations' Model Law on Electronic Commerce. The following items
are excluded from coverage of the ITA: (1) negotiable instruments; (2) powers-of-attorney;
(3) trusts; (4) wills and other testamentary dispositions; (5) contracts for the sale or transfer
of real property; and (6) other documents or transactions which may be specified by the
government in the Official.
MODULE 6:
Freedom of Speech & Expression – Government Regulation
Introduction
The development of cyberspace has fundamentally changed the way in which people
communicate with each other. While facilitating a vast range of interpersonal
communications, internet is fast becoming a key instrument for the exercise of the right to
freedom of expression. It combines within one medium both the right to receive as well as
the right to express and disseminate information, ideas and opinions, be it in the form of
writing, or through audio or video.
Millions of users are providing and accessing content on a daily basis in rapidly expanding
on-line environment. For this reason, the Internet offers an unprecedented variety and
quantity of content that is continually changing as new content is created, and existing
content is updated, deleted and/or moved around computers located all over the world.
One of the reasons for the growth in internet usage flows from the relatively low costs of
participation relative to other media. The necessary equipment comprises a computer, a
modem and access to a telephone line, the cost of which, while not insignificant, is within
the reach of many individuals.
An important feature of the Internet is that it enables any person with access to the Internet
to create their own material and make it available to others, wherever they may be located.
This means that the internet has enormous potential as a means to increase the diversity of
information and views that are expressed by and accessible to users around the world.
Although content can be accessed from any computer connected to the network, the
content may be actually stored on a number of different computers or servers, which may
be located in a different country and jurisdiction. The situation becomes much more complex
when countries have different social, cultural and political values in respect of the contents
of the materials uploaded on the internet websites. In other words, cyberspace poses
significant challenges in preserving freedom of expression.
The growth in use of the Internet in the 1990s led to growing concerns about the
problematic content contained on the Internet. Some of the inappropriate contents posted
online have adverse political, religious, social and cultural implications. In response, states
are trying to control the online contents, which they consider to be objectionable,
inflammatory, inappropriate and sensitive and have potential to disturb social and cultural
harmony. Material that is perfectly legal in the country where it is ‘uploaded’ may be illegal
in the country where it is ‘downloaded’, wherein it is considered to be obscene or politically
subversive.
Information technologies do not change what freedom of speech is. But they change
the social conditions in which people speak, and by changing the social conditions of speech,
they bring to light features of freedom of speech that have always existed in the
background but now come to the forefront. The digital revolution makes possible
widespread cultural participation and interaction that previously could not have existed on
the same scale. The digital revolution offers unprecedented opportunities for creating a
vibrant platform of free expression on social, cultural or political issues.
Use of social media is also playing an important role in mass political movements.
2011 was a turbulent year as it saw mass movements, facilitated by social media
sites like Facebook, playing an important role in toppling dictatorships all around the Arab
World. Former president Hosni Mubarak’s fall in Egypt was ably aided by social media that
helped citizens rally together for a cause. Similarly, 2011 also saw a huge anti-corruption
movement in India under the leadership of Anna Hazare. This movement saw a huge
participation by the Indian middle class, which also has a presence on the Internet. The
movement that called itself ‘India Against Corruption’ (IAC) had a very active presence on
social media including sites like YouTube, Facebook, Twitter etc. Coincidentally, it was in 2011
that the Government increased its curbs on the internet. In practice, the right to freedom of
speech is not absolute in any country and the right is commonly subject to limitations.
Therefore, some people advocate for stronger Internet regulation. This raises important
issues with regard to the right to freedom of expression. In 2012 a 21-year-old girl was
arrested from Palghar for posting a message on Facebook and criticising the shutdown in
Mumbai for the funeral of Bal Thackeray. Another 20-year-old girl was arrested for "liking"
the post. They were initially charged under Section 295A of the Indian Penal Code (hurting
religious sentiments) and Section 66A of the IT Act. In 2015, a teenaged boy was arrested
from Bareilly, Uttar Pradesh, for making a post on Facebook insulting politician Azam Khan.
The post allegedly contained hate speech against a community and was falsely attributed to
Azam Khan by the boy. He was charged under Section 66A of the IT Act, and Sections 153A
(promoting enmity between different religions), 504 (intentional insult with intent to
provoke breach of peace) and 505 (public mischief) of Indian Penal Code.
When it comes to content control, the other side of the coin is very often restriction of
freedom of expression. This is especially important when freedom of speech and expression
is recognised as one of the human rights at international level and guaranteed under Indian
constitution. Achieving a proper balance between content control and freedom of
expression is a considerable challenge. Most of the recent debates on freedom of speech and
expression in cyberspace as well as the court cases have been related to finding this
balance. The Supreme Court has declined to permit stricter content control and sought to
protect the freedom of speech and expression.
On the other hand, some groups of individual users, such as parents, are keen to introduce a
more efficient content policy to protect children. Content control is also performed by
private companies and universities to restrict access to some materials.
Human Rights
The Internet has enabled new forms of communication and interaction between people and
in due course has influenced traditional concepts of human rights. A basic set of
Internet-related human rights includes privacy, freedom of expression, the right to receive
information, and various rights relating to protection of social, cultural, linguistic, and
religious diversity. For example, internet has opened new opportunities for those engaging
in exploitation and abuse of women and children. Nowadays, exploitation is more open than
ever before as cyberspace offers a platform for practicing this kind of anti-social behavior in
secrecy.
Therefore, there remain some open questions related to the scope of international human
rights law, the extent of protection on private sphere and individual responsibility in
accordance to both national and international human rights law. The issue of individual
responsibility is very interesting because actions taken in cyberspace, for instance, may be
difficult to control by states due to its borderless nature.
Censorship
Freedom of speech is the freedom to speak without censorship and/or limitation. The
internet has become a vital communications tool which individuals can use to exercise their
right to freedom of expression and exchange information and ideas. States must ensure that
everyone enjoys his or her right to freedom of opinion and expression by maintaining free
flow of information on the Internet, and ensuring that the Internet is available, accessible
and affordable to all. The synonymous term freedom of expression is sometimes used to
indicate not only freedom of verbal speech but any act of seeking, receiving and imparting
information or ideas, regardless of the medium used.
Internet censorship is a rising trend, with approximately 40 countries filtering the internet in
varying degrees, including democratic and non-democratic governments. Freedom of
expression is gradually being compromised in cyberspace with social networking sites and
Internet companies buckling under pressure from governments to monitor and block
“objectionable” content. YouTube and Gmail, WikiLeaks, Twitter and Facebook have all
been censored, at different times, in China, Iran, Egypt, India and other countries.
The freedom of expression may be restricted in very exceptional cases in line with
international human rights instruments and the domestic laws. However, there cannot be
absolute ban or censorship over the access to the internet websites. Nevertheless,
sometimes state governments tend to block certain websites and social media platforms in
the name of cyber security and national security threats. Allegations of government
overreach tend to provoke an intense debate over the censorship in cyberspace. In order to
avoid such situations, the controls on internet access and social media platforms must be
balanced with the need for free speech and expression.
International Dimension of freedom of Speech
The right to freedom of speech is recognized as a human right under Article 19 of the
Universal Declaration of Human Rights and the International Covenant on Civil and Political
Rights (ICCPR). Article 19 of the Universal Declaration of Human Rights provides that
everyone has the right to freedom of opinion and expression; this right includes freedom to
hold opinions without interference and to seek, receive and impart information and ideas
through any media and regardless of frontiers. States parties are required to ensure that the
rights contained in article 19 of the ICCPR are given effect to in the domestic law of the State.
States parties are required to guarantee the right to freedom of expression, including the right
to seek, receive and impart information and ideas of all kinds regardless of frontiers. This right
includes the expression and receipt of communications of every form of idea and opinion
capable of transmission to others, subject to the provisions in article 19(3) and article 20 of the
ICCPR. It includes political discourse, commentary on one’s own and on public affairs, discussion
of human rights, journalism, cultural and artistic expression, teaching, and religious discourse.
However, Article 19(3) of the ICCPR expressly states that the exercise of the right to freedom of
expression carries with it special duties and responsibilities. For this reason two limitative areas
of restrictions on the right are permitted, which may relate either to respect of the rights or
reputations of others or to the protection of national security or of public order or of public
health or morals. Nevertheless, when a State party imposes restrictions on the exercise of
freedom of expression, these may not put in jeopardy the right itself. Restrictions must be
“necessary” for a legitimate purpose.
The World Summit on the Information Society (WSIS) Declaration of Principles adopted in
2003 makes specific reference to the importance of the right to freedom of expression for
the Information Society in stating the following:
In India, Article 19(1) (a) of the Indian Constitution recognises it as a fundamental right and
protects free speech and expression in India. Any restriction on speech in India has to comply
with both the test of reasonableness under Article 19(2) of the Constitution, as well as ensuring
that the grounds of censorship are located within 19(2). As per Article 19(2), grounds of
curtailing freedom of speech and expression include Security of the State, Public Order,
Decency and morality, Contempt of Court, Defamation, Incitement of an offence,
Sovereignty and integrity of India.
In Maneka Gandhi v. Union of India (AIR 1978 SC 597), it was mentioned that “Democracy
is based essentially on free debate and open discussion, for that is the only corrective of
government action in democratic set up. If Democracy means government of the people, by
the people, it is obvious that every citizen must be entitled to participate in the democratic
process and in order to enable him to intelligently exercise his right of making choice, free
and general discussion of public matters is absolutely essential.”
Facebook case
The 2012 arrest of two girls in Mumbai over a Facebook comment criticising the bandh called
after the death of a political leader created a furore across the country. It also raised
the question of whether the Information Technology Act, 2000, should be amended. Some
people have expressed the view that the Act needs to be amended to be in sync with the
changing times and developments in social media.
Other incidents
In October 2012, a small-scale industrialist in Puducherry, Ravi Srinivasan, was arrested for
posting "offensive" messages against a political leader’s son. The person had tweeted that
this political leader’s son had amassed wealth greater than that of a relative of another political
leader.
Similarly, cartoonist Aseem Trivedi was arrested in September 2012 by the cyber
crime branch of the Mumbai Police for sedition, as his cartoons poked fun at corrupt
politicians and Parliament. The police had to drop all charges against Trivedi after the
Bombay High Court criticised the police for its high-handedness.
It was contended that section 66A of the IT Act is in direct conflict with Article 19
of the Constitution, which guarantees freedom of speech and expression. It has been argued
that section 66A can be misused and therefore this section should be completely removed
or narrowed down in its scope, otherwise the IT Act, 2000, can act as a tool for oppressing
freedom of speech. The landmark judgement in Shreya Singhal v. Union of India resolved
the controversy associated with Section 66A of the IT Act, 2000.
A division bench of the Supreme Court consisting of Justices J. Chelameswar and R.F.
Nariman decided on 24th March, 2015 in Shreya Singhal v. Union of India to strike down
section 66A of the Information Technology Act, 2000 as unconstitutional, as it was violative of Article
19(1)(a), which relates to freedom of speech and expression. The effect of this judgment is that
now comments on social networking sites are not offensive unless they come under the
provisions of the Indian Penal Code, 1860. It was an enlightening judgement that pushed the
frontiers of laws envisaged for the regulation of the Internet. The Supreme Court quashed
the controversial Section 66A of the IT Act (amended in 2009) and Section 118(d) of the
Kerala Police Act. The scope of these provisions clearly violated constitutional guarantees of
freedom of speech. Section 66A penalised anyone using the internet to send messages that
were “grossly offensive” and “menacing” or which caused “annoyance,” “inconvenience,”
or “obstruction.” This judgement upheld the constitutionality of Section 69A, which
defines the rules and procedure for the government to block websites on a set of
legislatively provided grounds. Section 66A was not only declared vague and arbitrary but
it was also held that it “disproportionately invades the right of free speech.”
“66A. Punishment for sending offensive messages through communication service, etc.-
Any person who sends, by means of a computer resource or a communication device,-
(b) any information which he knows to be false, but for the purpose of causing
annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation,
enmity, hatred, or ill will, persistently makes by making use of such computer resource or
a communication device,
(c) any electronic mail or electronic mail message for the purpose of causing annoyance
or inconvenience or to deceive or to mislead the addressee or recipient about the origin
of such messages shall be punishable with imprisonment for a term which may extend to
three years and with fine.
Explanation: For the purposes of this section, terms “Electronic mail” and “Electronic
Mail Message” means a message or information created or transmitted or received on a
computer, computer system, computer resource or communication device including
attachments in text, image, audio, video and any other electronic record, which may be
transmitted with the message.” [Inserted vide Information Technology Amendment Act,
2008]
MODULE 7:
Cyber Space, Democracy & Sovereignty
Today we are collectively entering a new era of enormous potential, that of the Information
Society and expanded human communication. In this emerging society, information and
knowledge can be produced, exchanged, shared and communicated through all the
networks of the world. All individuals can soon, if we take the necessary actions, together
build a new Information Society based on shared knowledge and founded on global
solidarity and a better mutual understanding between peoples and nations. It is believed
that these measures will open the way to the future development of a true knowledge
society.
The Internet inspires grand visions of a more democratic future, both for existing nations
and for a more harmonious global community. These visions express the hope - or, more
properly, the desire - that information technology will either join the historical march
toward greater universal enlightenment or, in another version of the story, cure
democracy's current ills. Grand narratives like these are of course mainly rhetorical,
projecting an idealized image against or toward which the actual work of producing such a
future can be measured.
The delegates to the United Nations' World Summit on the Information Society can be
counted among the champions of the Internet's democratic potential, for whom computer
networking provides solutions to many of the problems of space, population density, access,
and participation that confront large societies - including, of course, global ones. Such
statements imagine a function for the Internet in assisting and strengthening offline
national and international democratic institutions. They rely on the general assumption that
greater capacity to communicate improves democratic process and that greater capacity to
disseminate information naturally leads to a democratically empowered populace.
The union of democracy and the Internet has been a prominent object of discussion in legal
scholarship, generally falling into six categories:
the possibilities enabled by direct democratic self-governance of the Internet;
the Internet's threat to national sovereignty;
the Internet's capacity to augment, alter, or suppress current democratic political
practices;
the capacity of particular Internet policies to enhance or suppress democratic values,
such as freedom of expression and privacy;
criticism of Internet policies implemented by non-democratic nations;
and the dangers or promise of particular Internet technologies to democratic
practices or values.
A subset of these studies considers the spatial dimensions of the Internet: that is, whether
cyberspace is a 'place' for jurisdictional purposes or, alternatively, whether it is a social
space within which actors engage in activities that are either novel or roughly parallel to
offline life. The former approach mainly took root in early debates about the sovereignty of
a cyberspace distinct from the offline world, and by the early 2000s had been roundly
criticized and made moot by the proliferation of case law and legislation that firmly
established that territorial governments could and would take jurisdiction over online
phenomena.
The latter approach, viewing cyberspace as a social space, appears less self-consciously and
so has not been scrutinized with the same sharp critical eye that met arguments promoting
cyberspace as a place unconnected to the offline world. Space, both physical and social,
shapes online as well as offline democracy, for instance in the ways that democratic
societies must adjust their practices to deal with issues of scale and population density.
Political philosophers since Aristotle have tended to assume that direct democracy is
possible only in small-scale societies, leaving larger-scale societies the task of working out
how best to represent a large populace. Density is a problem for democracy, in that widely
dispersed populations generally lack the resources to assemble as a coherent group. Scale
and density consequently bear upon the manner and quality of political participation by
individual citizens. If cyberspace is a social space suitable for democratic practices, what
actual (as opposed to rhetorically hopeful) effect does the Internet have on these spatial
problems?
Public Space and the Internet provides a useful starting point for this project, in that it
develops a theory of democracy in cyberspace that unpacks both 'democracy' and
'cyberspace' as fundamentally spatial concepts. According to Saco, there are four major
areas of inquiry into cyberspace: how cyberspace can be theorized as a social and political
space; how the fact of the bodylessness of actors (in other words, one exists only as data in
cyberspace) confounds established notions of citizenship and governability; how cyberspace
operates as a public sphere; and how cyberspace can be characterized as a postmodern
arena fraught with contradictions that complicate modern notions of governance and
democratic practice.
Peer-to-peer (P2P) file-sharing networks are another active focus of legal debate
wherein issues of democratic practice are either foregrounded or implied. Champions of
P2P networks characterize their practices as democratic because of their non-hierarchical,
decentralized information dissemination capacities. These arguments rely on assumptions,
similar to those relied upon by proponents of widely available Internet access, that any
practice that encourages the broad dissemination of information is inherently more
democratic than practices that limit dissemination. Further, some P2P programs encourage
posting material (rather than merely downloading it) by rewarding people who contribute to
the network's library with expanded search capabilities, thereby encouraging active rather
than passive participation in the dissemination of information. The relative anonymity of
participants in file-sharing networks has led to a crisis of accountability, however, making
such networks particularly attractive to illegal or unethical information trading rather than
to developing broad political uses for these applications. According to Saco, physical
proximity heightens accountability for the effects of speech, with consequences for online
democratic practice.
Freenet requires users to contribute bandwidth and part of their hard drive for
storing other users' encrypted files. The network is not searchable, given the high premium
placed on making content untraceable, and so access to content depends on a user's
knowing the 'key' that locates and decrypts what he or she is looking for. People who post
content can make keys known through a variety of means (including posting on a Freenet
site, which is similarly anonymized, or through newsgroups). This design makes the network
very attractive to people who share illegal content, since the people who share need not be
traceable to one another at all. Freenet further encourages users to be indifferent to the
possibility that their hard drives will be used to house illegal content and that there will be
no way for them to object.
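To make the design described above concrete, the following toy model shows the two properties the passage relies on: the 'key' a reader must know both locates the item and decrypts it, and the peer donating disk space holds only opaque ciphertext it cannot read or inspect. This is an added illustration written for this study material, not Freenet's code or its real key format; the routing hash / secret pair, the Node class and the SHA-256 keystream cipher are all constructed placeholders that stand in for the real protocol's mechanisms.

```python
"""Toy model of a key-addressed encrypted store in the style described for Freenet.

Added example, not Freenet's code. Assumptions (constructed for this illustration):
- the 'key' a reader needs is the pair (routing_hash, secret);
- the cipher is a SHA-256 keystream XOR, a stand-in for a real symmetric cipher.
"""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, bytes]  # (routing_hash, secret): both halves are needed to read


def _keystream(secret: bytes, length: int) -> bytes:
    """Deterministic keystream derived from the secret (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(secret + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_cipher(secret: bytes, data: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, _keystream(secret, len(data))))


class Node:
    """One peer's donated storage: routing hash -> opaque ciphertext blob."""

    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}

    def put(self, routing_hash: str, blob: bytes) -> None:
        self.store[routing_hash] = blob

    def get(self, routing_hash: str) -> Optional[bytes]:
        return self.store.get(routing_hash)


def insert(nodes: List[Node], plaintext: bytes, secret: Optional[bytes] = None) -> Key:
    """Encrypt, derive the routing hash from the ciphertext, replicate to peers.

    Returns the key the publisher must pass around out of band; without it the
    content is neither findable nor readable.
    """
    secret = secret if secret is not None else os.urandom(32)
    blob = toy_cipher(secret, plaintext)
    routing_hash = hashlib.sha256(blob).hexdigest()
    for node in nodes:
        node.put(routing_hash, blob)
    return routing_hash, secret


def fetch(nodes: List[Node], key: Key) -> Optional[bytes]:
    """Locate by routing hash, verify integrity, then decrypt with the secret.

    A blob whose hash does not match its routing hash (a corrupted or tampered
    copy on one peer) is skipped rather than decrypted.
    """
    routing_hash, secret = key
    for node in nodes:
        blob = node.get(routing_hash)
        if blob is None:
            continue
        if hashlib.sha256(blob).hexdigest() != routing_hash:
            continue
        return toy_cipher(secret, blob)
    return None


def host_view(node: Node, routing_hash: str) -> Optional[bytes]:
    """What the peer storing the item can see: the ciphertext only."""
    return node.get(routing_hash)


if __name__ == "__main__":
    peers = [Node(), Node()]
    key = insert(peers, b"constructed sample document")
    print(fetch(peers, key))
```

The integrity check in `fetch` is what lets a reader reject a peer's corrupted copy and fall through to another peer, while `host_view` shows why the hosting peer cannot tell what it stores, which is the accountability problem the passage raises.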
Efforts to apply offline laws to cyberspace serve as an opportunity to test the
fundamentality of a new tension between the virtual and the physical brought on by the
Internet. The fundamental tension of the modern era (between freedom and control)
centrally characterizes liberal democracy as we have so far known it. If indeed a new tension
is rising to central importance, it has the potential to affect how we think about democracy.
The potential tension between physical and virtual also finds expression in cases involving
the applicability of local zoning by-laws to Internet-based businesses, the physical aspects of
which are located within a particular municipality.
The legal confrontation of online and offline spaces has taken at least three forms: in
efforts to apply disability rights and other human rights legislation to online 'public
facilities'; in efforts to apply residential zoning ordinances to Internet businesses run from
residential homes; and in the slippery application of offline trespass law to computer
servers.
Information controls are, broadly, actions conducted in and through cyberspace
that seek to deny, disrupt, manipulate, and shape information and communications for
strategic and political ends. Information controls include an array of technologies,
regulatory measures, laws, policies, and tactics. These can include media regulation,
licensing regimes, content removal, libel and slander laws, and content filtering. Countries
vary widely in terms of their transparency and accountability around such practices and in
terms of the methods by which they carry out information controls. Invariably, the private
sector actors who own and operate the vast majority of cyberspace infrastructure are being
compelled or coerced to implement controls on behalf of states.
Perhaps the most basic form of state control in cyberspace is Internet filtering or
censorship, which is the prevention of access to information online within territorial
boundaries. Rationales for national filtering regimes vary. Some states justify Internet
filtering to control access to content that violates copyright, concerns the sexual
exploitation of children, or promotes hatred and violence. Other countries filter access to
content related to minority rights, religious movements, political opposition, and human
rights groups.
Some states provide "block pages" for banned content that explain the rationale and legal
basis for the blocking; others provide only error pages, some of which are misleading and
meant to misdirect users from the states' intentions. It is now fair to say that there is a
growing norm worldwide for national Internet filtering, although the rationale for
implementing filtering varies widely from country to country.
The trajectory of greater government intervention into cyberspace has developed beyond
Internet filtering. Governments have shown a greater willingness to employ a broader range
of regulatory, legal, covert, and offensive means to shape cyberspace in their strategic
interests. For example, there have been a growing number of incidents where states have
disrupted or tampered with communication networks for political purposes, including
around elections and public demonstrations. The OpenNet Initiative calls these actions just-in-
time blocking—a phenomenon in which access to information is denied during important
political moments when the content may have the greatest potential impact, such as
elections, protests, or anniversaries of social unrest.
One important element of growing cyberspace controls is the downloading of
responsibilities to the private sector, a phenomenon known as intermediary liability. For
example, both industrialized and developing governments have begun to legislate greater
responsibilities on ISPs, telecommunications companies, and mobile operators to "police the
Internet." These companies are being required by law to retain and archive user data, and
share that data with law enforcement and intelligence agencies, in some cases without
judicial oversight. What is perhaps most interesting is that the international institutions
whose missions are primarily focused around technical coordination of the Internet—the
Internet Assigned Numbers Authority (IANA), ICANN, the IETF, and RIRs—have become
increasingly politicized and subject to securitization pressures. As Brenden Kuerbis and
Milton Mueller note, while Internet authority is highly distributed, "elements of hierarchy
do exist, especially around critical resource allocation, and it is likely that security and other
concerns will lead to continuing efforts to leverage those hierarchies into more powerful
governance arrangements."
argument that followed shortly on its heels. John Perry Barlow's famous 'Declaration of
Independence for Cyberspace,' for instance, boldly (if somewhat whimsically) told the
'governments of the Industrial world' at the World Economic Forum in Davos, Switzerland,
in 1996 that they had no legitimate authority over cyberspace, since the inhabitants of
cyberspace did not consent to be governed by them.
David Johnson and David Post, arguing less bombastically for a self-regulated cyberspace in
their 1996 article 'Law and Borders: The Rise of Law in Cyberspace,' similarly invoke the
image of cyberspace as a place distinct from offline places and so entitled to unique self-
generated forms of government. They suggest that territorial boundaries have no meaning
in cyberspace and offer that a more meaningful border arises between online and offline
worlds. Because of the way in which we gain access to cyberspace (especially at that time,
when passwords were generally required), no one goes online accidentally, and so people
using the Internet will always have notice that they are entering a new legal jurisdiction.
The 'borders' within cyberspace - for instance, those between different communities
constructed via different Internet service providers (ISPs) - similarly feature some sort of
gateway, and so rules that emerge by consensus within these communities could be applied
to anyone who chose to enter, again assuming that by so choosing a user assents to the
rules of that community. Johnson and Post also argue the quite radical concept that online
identities should be treated as discrete individuals for the purposes of online legal
personhood, without any necessary reference back to an offline physical person (who might
have several personas online).
Online personas (i.e., e-mail addresses or nicknames) would be liable to other online
personas for wrongs committed in cyberspace. Since liabilities would be determined by the
particular online community affected, each online persona would choose to inhabit
communities whose rule systems most closely suited the values that persona ascribed to.
This approach, of course, naively ignores the ease with which an offline person can abandon
an online persona that has incurred liability and the fact that the same offline person might
return, under a new name, to the online community in which he offended and repeat the
offence. Johnson and Post (and others who espoused similar positions) were roundly
criticized for assuming that consensus-based rule making and choice-based rule avoidance
are superior to the authority of offline representative democracy. Neil Netanel, for instance,
argues that these majoritarian, choice-oriented practices could easily lead to the
suppression of minority interests.
Indeed, claims for the independence of cyberspace sound quaint and idealistic now, largely
because they are based on a false dichotomy between virtual and physical phenomena.
Physical and virtual are not opposed; rather, the virtual complicates the physical, and vice
versa.
Territorial law gains authority over online activities, and hence its legitimacy, from the fact
that virtual actions are rarely only virtual but instead have consequences in the physical
world. The connection of online personas with offline physical people is justified by these
physical effects - the collection of physical money through fraud, the luring of physical
children to physical meetings with unsavoury physical people, the damage online
defamatory statements cause to offline business reputations - and so the tension between
physical and virtual that Saco names is not a tension grounded in opposition so much as a
friction inspired by the ways in which the virtual is a new arena with some novel
characteristics wherein the long-standing tension between freedom and control must be
played out. The persistent link between the physical and the virtual, the offline and the
online, is precisely where most of the social problems lie - and, hence, where law
intervenes, largely as a response to complaints lodged by offline citizens through
established offline democratic means.
MODULE 8:
E-Governance
According to the World Bank “E-Government refers to the use by government agencies of
information technologies (such as Wide Area Networks, the Internet, and mobile
computing) that have the ability to transform relations with citizens, businesses, and other
arms of government. These technologies can serve a variety of different ends: better
delivery of government services to citizens, improved interactions with business and
industry, citizen empowerment through access to information, or more efficient
government management. The resulting benefits can be less corruption, increased
transparency, greater convenience, revenue growth, and/or cost reductions.”
The United Nations (the Working Group on E-government in the Developing World) describes e-
government as the use of information and communication technologies (ICTs) to promote
more efficient and effective government, facilitate more accessible government services,
allow greater public access to information, and make government more accountable to
citizens. E-government might involve delivering services via the Internet, telephone,
community centers (self-service or facilitated by others), wireless devices or other
communications systems. While definitions of e-government by various sources may vary
widely, there is a common theme: e-government involves using information technology, and
especially the Internet, to improve the delivery of government services to citizens,
businesses, and other government agencies, relying on the Internet and the World Wide Web for
delivering government information and services to citizens.
According to Keohane and Nye, “Governance implies the processes and institutions, both
formal and informal, that guide and restrain the collective activities of a group. Government
is the subset that acts with authority and creates formal obligations. Governance need not
necessarily be conducted exclusively by governments. Private firms, associations of firms,
nongovernmental organizations, and associations of NGOs all engage in it, often in
association with governmental bodies, to create governance; sometimes without
governmental authority.” Clearly, this definition suggests that e-governance need not be
limited to the public sector. It implies managing and administering policies and procedures
in the private sector as well.
Backus defined e-governance as the application of electronic means in (1) the interaction
between government and citizens and between government and businesses, as well as (2) internal
government operations, to simplify and improve the democratic, government and business
aspects of governance.
application of electronic links means the interaction between government and citizens and
government and businesses, as well as in internal government operations to simplify and
improve democratic, government and business aspects of governance.
Traditionally, the concept of governance relates to protecting and safeguarding the legal rights of
all citizens; with the changing concept of governance, ensuring equitable access to public
services and the benefits of economic growth for all citizens is an equally important aspect.
Effective governance also requires the government to be transparent in its dealings, accountable
for its activities and faster in its responses, as part of good governance. However, this would
require the government to change itself – its processes, its outlook, laws, rules and
regulations and also its way of interacting with the citizens. It would also require capacity
building within the government and the creation of general awareness about e-Governance
among the citizens. In e-government, the government uses information technology and
particularly the Internet to support government operations, engage citizens, and provide
government services.
E-Governance refers to how governments utilize IT and the Internet to execute their
functions of supervising, planning, organizing, coordinating, and staffing effectively. E-
government is a generic term for web-based services from agencies of local, state and
federal governments.
According to Backus, “the three main target groups that can be distinguished in e-
governance (we call it e-Government) concepts are government, citizens and
businesses/interest groups. The external strategic objectives focus on citizens and
businesses and interest groups, the internal objectives focus on government itself.” Thus, as
per the OECD, e-governance focuses on the following:
E-government co-ordination by bringing a whole of government perspective to e-
government initiatives and their management, while taking into account existing structures
and cultures of government institutions.
Advantages of e-governance
Today countries all over the world have been promoting the use of information and
communication technology for better and more efficient governance. Technology makes
communication speedier: the Internet, phones and cell phones have reduced the time taken in
normal communication. Most of the Government's expenditure is appropriated towards the
cost of stationery; paper-based communication needs a great deal of stationery, printers,
computers, etc., which calls for continuous heavy expenditure, whereas the Internet and phones make
communication cheaper, saving valuable money for the Government. Use of ICT makes the
governing process transparent: all the information of the Government would be made
available on the internet, and ICT helps make that information available online, eliminating the
possibilities of concealing information. Once the governing process is made transparent,
the Government is automatically made accountable. Accountability is the answerability of the
Government to the people for its actions, policies, etc. An accountable Government is a
responsible Government. E-Government brings public services to citizens on their schedule and
at their venue. E-Government allows resources to be redeployed from back-end processing to
the front line of customer service. E-Government improves the accessibility of government
information to citizens, allowing it to become an important resource in making the decisions
that affect daily life, and so it helps in the empowerment of citizens.
The OECD in its report “The E-Government Initiative” has outlined the reasons for the
advantages provided by e- government-
Chapter III of the Information Technology Act, 2000 has laid down certain provisions for e-
governance. These may be classified into two categories: (a) provisions facilitating and
creating functional equivalence between electronic and paper-based documents, and (b)
provisions establishing a framework for an e-governance system.
Provisions facilitating and creating Functional equivalence between electronic and paper
based documents
Sections 4, 5, 7, 7A and 10A deal with the creation of functional equivalence between
electronic and paper-based documents.
“4. Legal recognition of electronic records.–Where any law provides that information or any
other matter shall be in writing or in the typewritten or printed form, then, notwithstanding
anything contained in such law, such requirement shall be deemed to have been satisfied if
such information or matter is– (a) rendered or made available in an electronic form; and (b)
accessible so as to be usable for a subsequent reference.”
“5. Legal recognition of [electronic signatures].–Where any law provides that information
or any other matter shall be authenticated by affixing the signature or any document shall
be signed or bear the signature of any person, then, notwithstanding anything contained in
such law, such requirement shall be deemed to have been satisfied, if such information or
matter is authenticated by means of [electronic signature] affixed in such manner as may
be prescribed by the Central Government. Explanation.–For the purposes of this section,
“signed”, with its grammatical variations and cognate expressions, shall, with reference to a
person, mean affixing of his hand written signature or any mark on any document and the
expression “signature” shall be construed accordingly.”
“7. Retention of electronic records.–(1) Where any law provides that documents, records or
information shall be retained for any specific period, then, that requirement shall be deemed
to have been satisfied if such documents, records or information are retained in the
electronic form, if– (a) the information contained therein remains accessible so as to be
usable for a subsequent reference; (b) the electronic record is retained in the format in which
it was originally generated, sent or received or in a format which can be demonstrated to
represent accurately the information originally generated, sent or received; (c) the details
which will facilitate the identification of the origin, destination, date and time of dispatch or
receipt of such electronic record are available in the electronic record:
Provided that this clause does not apply to any information which is automatically generated
solely for the purpose of enabling an electronic record to be dispatched or received. (2)
Nothing in this section shall apply to any law that expressly provides for the retention of
documents, records or information in the form of electronic records.”
“7A. Audit of documents, etc., maintained in electronic form.–Where in any law for the time
being in force, there is a provision for audit of documents, records or information, that
provision shall also be applicable for audit of documents, records or information processed
and maintained in the electronic form.”
This section ensures that the level of security and transparency prescribed by law for a
paper-based record will also apply to an electronic record.
proposals and acceptances, as the case may be, are expressed in electronic form or by
means of an electronic records, such contract shall not be deemed to be unenforceable
solely on the ground that such electronic form or means was used for that purpose.”
Section 10A provides for the validity of a contract which has been formed using electronic
means.
Section 6 enables government agencies to accept forms and payments for various
services and to issue permits or licences in electronic form. Sub-clause (2) provides the
government with the authority to make rules with respect to the manner and format of e-
filing and e-payment, in pursuance of which the government has issued the IT (Use of
Electronic Records and Digital Signatures) Rules, 2004. Section 6A provides that the
appropriate Government may, for the purposes of this Chapter and for efficient delivery of
services to the public through electronic means, authorize, by order, any service provider to
set up, maintain and upgrade the computerized facilities and perform such other services as
it may specify, by notification in the Official Gazette. Section 8 lays down the law with respect to the
‘Publication of rule, regulation, etc., in Electronic Gazette’: where any law provides that
any rule, regulation, order, bye-law, notification or any other matter shall be published in
the Official Gazette, such requirement shall be deemed to have been satisfied if such
rule, regulation, order, bye-law, notification or any other matter is published in the Official
Gazette or Electronic Gazette. As per section 9, nothing contained in sections 6, 7 and 8 shall
confer a right upon any person to insist that any Ministry or Department of the Central
Government or the State Government, or any authority or body established by or under any
law or controlled or funded by the Central or State Government, should accept, issue, create,
retain and preserve any document in the form of electronic records or effect any monetary
transaction in the electronic form. Section 10 gives rule-making power to the Central
Government in respect of electronic signatures.
In India, the main thrust for e-Governance was provided by the launching of NICNET in 1987
– the national satellite-based computer network. This was followed by the launch of the
District Information System of the National Informatics Centre (DISNIC) programme to
computerize all district offices in the country for which free hardware and software was
offered to the State Governments. NICNET was extended via the State capitals to all district
headquarters by 1990. In the ensuing years, ongoing computerization, tele-connectivity
and internet connectivity led to a large number of e-Governance initiatives, both at
the Union and State levels.
activities are aimed at improving the efficiency and effectiveness of overall government
operations. Government to Citizen (G2C) Initiatives: G2C initiatives are those activities in
which the government provides one-stop, on-line access to information and services to
citizens. A few examples of G2C e-governance initiatives in India are given below.
Immigration, Visa and Foreigner’s Registration & Tracking (IVFRT) - India has emerged
as a key tourist destination, besides being a major business and service hub. Immigration
Check Post is the first point of contact that generates public and popular perception about
the country, thus necessitating a state of the art system for prompt and user-friendly
services.
UID - The unique identification project was conceived as an initiative that would
provide identification for each resident across the country and would be used primarily as
the basis for efficient delivery of welfare services. It would also act as a tool for effective
monitoring of various programs and schemes of the government.
Disadvantages of e-governance
being collected as part of the UID project. Concerns about the security of cyberspace and the
misuse of data are still holding citizens back from full adoption of the Aadhaar card.
Some shortcomings highlighted in a report of the UNDP are: (a) the legislations have ignored
providing for delivery standards and quality marks; the focus is on timely delivery of
services, but there are no provisions that enforce quality standards yet; (b) there is a shortage
of manpower and financial resources; (c) there is a lack of effective implementation. There are
a large number of potential barriers to the implementation of e-Governance. Among the
hindrances in the path of implementation are security, unequal access to computer
technology by citizens, the high initial cost of setting up e-government solutions and
resistance to change. The challenges identified are trust, resistance to change, the digital divide,
cost, and privacy and security concerns. We have seen how the concept of e-governance and m-
governance has evolved in the Indian scenario and how much it is required for transparency and
accountability on the part of government; at the same time it is also a tool to increase
the participation of people in policy making by empowering them with the right information
at the right time. The penetration of internet and telecommunication services in India has increased
in the last decade, and this gives a ray of hope to the citizens of India in fighting the long
persisting problems of poverty, corruption, regional disparity and unemployment. But at the
same time, the slow pace of project completion, red tape and resistance on the part of
government employees and citizens alike have prevented the desired results.
MODULE 9:
Concept, Component, Rationale and Legal Framework in India
The growth of Electronic Commerce has propelled the need for vibrant and effective
regulatory mechanisms which would further strengthen the legal infrastructure, so crucial to
the success of Electronic Commerce. All these regulatory mechanisms and legal
infrastructures come within the domain of Cyber law. Cyber law is important because it
touches almost all aspects of transactions and activities on and involving the internet, World
Wide Web and cyberspace. Every action and reaction in cyberspace has some legal and
cyber legal perspectives. There has been significant activity by several nations, conscious of
the need to become beneficiaries of the e-commerce explosion.
In today’s techno-savvy environment, the world is becoming more and more digitally
sophisticated and so are the crimes. The Internet was initially developed as a research and
information sharing tool and operated in an unregulated manner. As time passed, it
became more transactional, with e-business, e-commerce, e-governance, e-procurement
etc. All legal issues related to internet crime are dealt with through cyber laws. As the
number of internet users is on the rise, the need for cyber laws and their application has
also gathered great momentum. Technology per se is never a disputed issue but for whom
and at what cost has been the issue in the ambit of governance. The cyber revolution holds
the promise of quickly reaching the masses as opposed to the earlier technologies, which
had a trickledown effect. Such a promise and potential can only be realized with an
appropriate legal regime based on a given socio-economic matrix.
Cyber law is important because it touches almost all aspects of transactions and activities on
and concerning the internet, the World Wide Web and Cyberspace. Initially it may seem that
Cyber law is a very technical field and that it has no bearing on most activities in
Cyberspace. But nothing could be further from the truth. Whether we
realize it or not, every action and every reaction in Cyberspace has some legal and Cyber
legal perspectives. It is imperative to recognize the negative impacts of the internet and to
keep Cyber crime in check. As the nature of the Internet is changing and this new medium is
being seen as the ultimate medium ever evolved in human history, every activity of yours in
Cyberspace can and will have a Cyber legal perspective. From the time you register your
Domain, to the time you set up your website, to the time you conduct electronic commerce
transactions on the said site, at every point of time there are various cyber law issues
involved. You may not be bothered about these issues today because you may feel that they
have no impact on your Cyber activities. But sooner or later, you will have to tighten your
belts and take note of Cyber law for your benefit.
Cyber law is constantly evolving. As ever new opportunities and challenges are
surfacing, Cyber law, being a constantly evolving process, is suitably modifying itself to fit
the call of the time. As the internet grows, numerous legal issues arise. These issues vary from
domain names, to intellectual property rights, to Electronic Commerce, to Privacy, to
Encryption, to Electronic contracts, to Cybercrime, to Online Banking, to Spamming and
so on. The list is very long. Whenever Cybercrime evolves and cyber criminals devise new
ways of committing cyber related crimes, Cyber law also evolves to address them.
Today, the awareness about Cyber law is beginning to grow. Many technical experts in the
beginning felt that legal regulation is not necessary. But with the rapid growth of
technologies and internet, it is crystal clear that no activity in the internet can remain free
from the influence of Cyber law. Publishing a Web page is an excellent way for any
commercial business or entity to vastly increase its exposure to millions of persons,
organizations and governments worldwide. It is that feature of the internet which is causing
much controversy in the legal community.
Objectives - As the internet has grown in our country, the need has been felt to enact the
relevant Cyber laws which are necessary to regulate internet in India. This need for Cyber
laws was propelled by numerous factors.
Firstly, India has an extremely detailed and well defined legal system in place. Numerous
laws have been enacted and implemented and the foremost amongst them is The
Constitution of India. We have inter alia, amongst others, the Indian Penal Code, the Indian
Evidence Act 1872, the Banker’s Book Evidence Act, 1891 and the Reserve Bank of India Act,
1934, the Companies Act, and so on. However the arrival of the internet signalled the
beginning of the rise of new and complex legal issues. It may be pertinent to mention that
all the existing laws in place in India were enacted way back keeping in mind the relevant
political, social, economic and cultural scenario of that relevant time. Nobody then could
really visualize the internet. Despite the brilliant acumen of our master draftsmen,
the requirements of cyberspace could hardly have been anticipated. As such, the coming of the
internet led to the emergence of numerous ticklish legal issues and problems which
necessitated the enactment of Cyber laws.
Secondly, the existing laws of India, even with the most benevolent and liberal
interpretation, could not be interpreted in the light of the emerging cyberspace, to include
all aspects relating to different activities in Cyber space. In fact, practical experience and
judicial wisdom showed that interpreting the existing laws in the scenario of the emerging
Cyberspace, without enacting new Cyber law, would not be without major perils and
pitfalls. Hence the need for the enactment of relevant Cyber laws.
Thirdly, none of the existing laws gave any validity or sanctions to the activities in
Cyberspace.
Fourthly, the internet requires an enabling and supportive legal infrastructure in tune with the
times. This legal infrastructure can only be given by the enactment of the relevant Cyber
laws, as the traditional laws have failed to grant the same. E-commerce, the biggest future of the
internet, can only be possible if the necessary legal infrastructure complements the same to
enable its vibrant growth.
In India, the Information Technology Bill was drafted in 1998 but had to wait some 18
months before being introduced into the House by the newly created Information
Technology Ministry. The bill was then referred to the 42-member Parliamentary Standing
Committee where several amendments were suggested. Only those suggestions that were
approved by the Ministry of Information Technology were incorporated.
The Union Cabinet approved the bill on 13 May 2000 and both the Houses of Parliament
passed it by 17 May 2000. The Presidential Assent was received in the third week of June
2000. The Information Technology Act 2000 is based on the Model Law on E-Commerce
adopted by the United Nations Commission on International Trade Law (UNCITRAL), and no
doubt was prompted by the passing of such legislation by neighbouring countries such as
Singapore’s Electronic Transactions Act 1998 and the Malaysian Electronic Signatures Act, as
well as the significant growth of e-commerce activity in India due to the expanding IT sector.
The essence of the Act is captured in its long title: ‘An act to provide for the legal
recognition of transactions carried out by ... alternatives to paper-based methods of
communication and storage of information ... ’ Information Technology Act, 2000 is India’s
mother legislation regulating the use of computers, computer systems and computer
networks as also data and information in the electronic format. This legislation has touched
varied aspects pertaining to electronic authentication, digital (electronic) signatures,
cybercrimes and liability of network service providers.
The Act comprises the following main aspects:
Legal recognition of electronic records and communications: contractual framework,
evidentiary aspects, digital signatures as the method of authentication, rules for
determining time and place of dispatch and receipt of electronic records.
Regulation of Certification Authorities (CAs): appointment of a Controller of CAs,
grant of licences to CAs, duties vis-à-vis subscribers of digital signature certificates,
recognition of foreign CAs.
Cyber contraventions: civil and criminal violations, penalties, establishment of the
Adjudicating Authority and the Cyber Regulations Appellate Tribunal, etc.
The Information Technology Act was enacted with a view to give a fillip to the growth of
electronic based transactions, to provide legal recognition for ecommerce and e-
transactions, to facilitate e-governance, to prevent computer based crimes and ensure
security practices and procedures in the context of widest possible use of information
technology worldwide.
Applicability of the Act
The Act will apply to the whole of India unless otherwise mentioned. It applies also to any
offence or contravention thereunder committed outside India by any person.
The Act shall not apply to the following documents or transactions –
(a) a negotiable instrument as defined in Sec.13 of the Negotiable Instruments Act, 1881;
(b) a power of attorney as defined in Sec.1A of the Powers of Attorney Act, 1882;
(c) a trust as defined in Section 3 of the Indian Trusts Act, 1882;
(d) a Will as defined in Sec.2(h) of the Indian Succession Act, 1925, including any other
testamentary disposition by whatever name called;
(e) any contract for the sale or conveyance of immovable property or any interest in such
property.
Digital Signatures provide a viable solution for creating legally enforceable electronic
records, closing the gap in going fully paperless by completely eliminating the need to print
documents for signing. Digital signatures enable the replacement of slow and expensive
paper-based approval processes with fast, low-cost, and fully digital ones. The purpose of a
digital signature is the same as that of a handwritten signature. Instead of using pen and
paper, a digital signature uses digital keys (public-key cryptography). Like the pen and paper
method, a digital signature attaches the identity of the signer to the document and records
a binding commitment to the document. However, unlike a handwritten signature, it is
considered impossible to forge a digital signature the way a written signature might be. In
addition, the digital signature assures that any changes made to the data that has been
signed cannot go undetected.
Digital signatures are easily transportable, cannot be imitated by someone else and can be
automatically time-stamped. A digital signature can be used with any kind of message,
whether it is encrypted or plaintext. Thus Digital Signatures provide the following three
features:
Authentication - Digital signatures are used to authenticate the source of messages. The
ownership of a digital signature key is bound to a specific user and thus a valid signature
shows that the message was sent by that user.
Integrity - In many scenarios, the sender and receiver of a message need assurance that the
message has not been altered during transmission. Digital Signatures provide this feature by
using cryptographic message digest functions.
Non Repudiation – Digital signatures ensure that the sender who has signed the information
cannot at a later time deny having signed it.
A handwritten signature scanned and digitally attached with a document does not qualify as
a Digital Signature. An ink signature can be easily replicated from one document to another
by copying the image manually or electronically. Digital Signatures cryptographically bind an
electronic identity to an electronic document and the digital signature cannot be copied to
another document.
that the keys be secure the parties must have a high degree of confidence in the public and
private keys issued.
Digital Signature is not like our handwritten signature. It is a jumble of letters and digits. It
looks something like this.
Electronic Signature
Electronic signature has also been dealt with under Section 3A of the IT Act, 2000. A
subscriber can authenticate any electronic record by such electronic signature or electronic
authentication technique which is considered reliable and may be specified in the Second
Schedule. Any electronic signature or electronic authentication technique will be considered
reliable if-
(a) the signature creation data or the authentication data are, within the context in which
they are used, linked to the signatory or , as the case may be, the authenticator and of no
other person;
(b) the signature creation data or the authentication data were, at the time of signing, under
the control of the signatory or, as the case may be, the authenticator and of no other
person;
(c) any alteration to the electronic signature made after affixing such signature is
detectable;
(d) any alteration to the information made after its authentication by electronic signature is
detectable; and
(e) it fulfils such other conditions as may be prescribed.
An electronic signature will be deemed to be a secure electronic signature if- (i) the
signature creation data, at the time of affixing signature, was under the exclusive control of
signatory and no other person; and (ii) the signature creation data was stored and affixed in
such exclusive manner as may be prescribed. (Sec.15)
An Amendment to the IT Act in 2008 introduced the term electronic signatures. The
implication of this Amendment is that it has helped to broaden the scope of the IT Act to
include new techniques as and when technology becomes available for signing electronic
records apart from Digital Signatures.
E-Governance
E-governance or Electronic Governance is dealt with under Sections 4 to 10A of the IT Act,
2000.
It provides for legal recognition of electronic records and Electronic signature and also
provides for legal recognition of contracts formed through electronic means.
Filing of any form, application or other documents, creation, retention or preservation of
records, issue or grant of any license or permit or receipt or payment in Government offices
and its agencies may be done through the means of electronic form.
The Government may authorise any service provider to set up, maintain and upgrade
the computerized facilities and perform such other services as it may specify, by notification
in the Official Gazette for efficient delivery of services to the public through electronic
means. Service provider so authorized includes any individual, private agency, private
company, partnership firm, sole proprietorship or any such other body or agency which
has been granted permission by the appropriate Government to offer services through
electronic means in accordance with the policy governing such service sector.
Where any law provides that documents, records or information should be retained for any
specific period, then such documents, records or information retained in the electronic form
will also be covered, if:
(a) the information contained therein remains accessible;
(b) the electronic record is retained in the format in which it was originally generated, sent or
received, or in a format which can be demonstrated to represent accurately the information
originally generated, sent or received; and
(c) the details which will facilitate the identification of the origin, destination, date and time of
dispatch or receipt of such electronic record are available in the electronic record.
Where any law provides for audit of documents, records or information, then that provision
will also be applicable for audit of documents, records or information processed and
maintained in electronic form.
Where any law provides that any rule, regulation, order, bye-law, notification or any other
matter should be published in the Official Gazette, then, such requirement shall be deemed
to have been satisfied if such rule, regulation, order, bye-law, notification or any other
matter is published in the Official Gazette or Electronic Gazette. However, the above
mentioned provisions do not give a right to anybody to compel any Ministry or Department
of the Government to use electronic means to accept, issue, create, retain and preserve any
document or execute any monetary transaction. The following are some of the
eGovernance applications already using Digital Signatures:
• MCA21 – a Mission Mode project under NeGP (National e-Governance Plan), which is one of
the first few e-Governance projects under NeGP to successfully implement Digital Signatures
• Income Tax e-filing
• Indian Railway Catering and Tourism Corporation (IRCTC)
• Director General of Foreign Trade (DGFT)
• RBI Applications (SFMS: Structured Financial Messaging System)
• National e-Governance Services Delivery Gateway (NSDG)
• eProcurement
• eOffice
• eDistrict applications of UP, Assam etc.
Attribution of electronic records is dealt with under Sec.11 of the IT Act, 2000. An electronic
record will be attributed to the originator - if it was sent by the originator himself; by a
person who had the authority to act on behalf of the originator in respect of that electronic
record; or by an information system programmed by or on behalf of the originator to
operate automatically.
According to Section 12, the addressee may acknowledge the receipt of the electronic
record either in a particular manner or form as desired by the originator and, in the absence
of such requirement, by communication of the acknowledgement to the addressee or by
any conduct that would sufficiently constitute acknowledgement. Normally, if the originator
has stated that the electronic record will be binding only on receipt of the
acknowledgement, then unless such acknowledgement is received, the record is not
binding. However, if the acknowledgement is not received within the stipulated time period
or, in the absence of a time period, within a reasonable time, the originator may notify the
addressee to send the acknowledgement, failing which the electronic record will be treated
as never having been sent.
Time and place of dispatch and receipt of electronic record is covered under Sec.13 of the IT
Act, 2000. The dispatch of an electronic record occurs when it enters a computer resource
outside the control of the originator. Unless otherwise agreed between the originator and
the addressee, the time of receipt of an electronic record will be determined as follows,
namely –
a) if the addressee has designated a computer resource for the purpose of receiving
electronic records –
i. receipt occurs at the time when the electronic record enters the designated computer
resource; or
ii. if the electronic record is sent to a computer resource of the addressee that is not the
designated computer resource, receipt occurs at the time when the electronic record is
retrieved by the addressee;
b) if the addressee has not designated a computer resource along with specified timings, if
any, receipt occurs when the electronic record enters the computer resource of the addressee.
An electronic record is generally deemed to be dispatched at the place where the originator has
his place of business, and is deemed to be received at the place where the addressee has his
place of business.
If the originator or the addressee has more than one place of business, the principal place of
business will be the place of business. If the originator or the addressee does not have a
place of business, his usual place of residence will be deemed to be the place of business.
"Usual Place of Residence", in relation to a body corporate, means the place where it is
registered.
Certifying Authorities
The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate
the working of Certifying Authorities. The Certifying Authorities (CAs) issue digital signature
certificates for electronic authentication of users. The CCA certifies the public keys of CAs
using its own private key, which enables users in the cyberspace to verify that a given
certificate is issued by a licensed CA. For this purpose it operates the Root Certifying
Authority of India (RCAI). The CCA also maintains the National Repository of Digital
Certificates (NRDC), which contains all the certificates issued by all the CAs in the country.
The Controller of Certifying Authorities (CCA) has established the RCAI under Section 18(b)
of the IT Act to digitally sign the public keys of Certifying Authorities (CAs) in the country.
The RCAI is operated as per the standards laid down under the Act.
Certifying Authorities (CAs) are responsible for issuing Digital
Signature Certificates to the end users. In order to facilitate greater flexibility to Certifying
Authorities, the CCA has allowed the creation of sub-CAs. As per this model, a Certifying
Authority can create a sub-CA to meet its business branding requirement. However the sub-
CA will be part of the same legal entity as the CA. The sub-CA model will be based on the
following principles: The CAs must not have more than one level of sub-CA. A sub-CA
certificate issued by the CA is used for issuing end entity certificates. A CA with sub-CA must
necessarily issue end entity certificates only through its sub-CA. The only exception will be
for code signing and time stamping certificates, which may directly be issued by the CA.
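The sub-CA principles set out above, as an added example that is not part of the study material nor any tooling of the CCA: a path checker in Python that applies them to constructed certificate records. All names are placeholders, and real X.509 parsing and signature verification are deliberately not modelled; only the hierarchy rules are.

```python
"""Added example: check a certificate path against the CCA sub-CA principles.

Certificates are plain records (no X.509, no signature checks). Hierarchy:
RCAI root -> licensed CA -> (at most one) sub-CA -> end entity.
Every subject name below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Set

ROOT, CA, SUB_CA, END_ENTITY = "root", "ca", "sub-ca", "end-entity"

# End-entity purposes a CA that operates a sub-CA may still issue directly
DIRECT_ISSUE_EXCEPTIONS = {"code-signing", "time-stamping"}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    role: str
    purpose: str = "signing"  # only meaningful for end-entity certificates


def chain_violations(chain: List[Cert], cas_with_sub_ca: Set[str]) -> List[str]:
    """Return the policy violations of a root-first chain (empty list means OK).

    cas_with_sub_ca names the CAs that have created a sub-CA: such a CA must
    issue end-entity certificates only through its sub-CA, except code signing
    and time stamping certificates.
    """
    problems: List[str] = []
    if not chain:
        return ["empty chain"]
    first, last = chain[0], chain[-1]
    if first.role != ROOT or first.issuer != first.subject:
        problems.append("chain must start at the self-signed RCAI root")
    if last.role != END_ENTITY:
        problems.append("chain must end at an end-entity certificate")

    sub_ca_levels = 0
    for prev, cur in zip(chain, chain[1:]):
        # Issuer linkage: each certificate is issued by the one before it
        if cur.issuer != prev.subject:
            problems.append(f"{cur.subject}: issuer {cur.issuer!r} is not {prev.subject!r}")
        # CA public keys are signed only by the RCAI
        if cur.role == CA and prev.role != ROOT:
            problems.append(f"{cur.subject}: CA certificates are signed only by the RCAI")
        # A sub-CA is created by a licensed CA, never by another sub-CA
        if cur.role == SUB_CA:
            sub_ca_levels += 1
            if prev.role != CA:
                problems.append(f"{cur.subject}: a sub-CA must be issued by a licensed CA")
        # A sub-CA certificate is used only to issue end-entity certificates
        if prev.role == SUB_CA and cur.role != END_ENTITY:
            problems.append(f"{cur.subject}: a sub-CA may issue only end-entity certificates")
        # A CA that has a sub-CA issues end entities through it (with exceptions)
        if (cur.role == END_ENTITY and prev.role == CA
                and prev.subject in cas_with_sub_ca
                and cur.purpose not in DIRECT_ISSUE_EXCEPTIONS):
            problems.append(f"{cur.subject}: {prev.subject} has a sub-CA and must issue "
                            f"{cur.purpose} certificates through it")
    if sub_ca_levels > 1:
        problems.append("more than one level of sub-CA")
    return problems


# Constructed sample hierarchy (placeholder names, not real licensed CAs)
RCAI = Cert("RCAI-root", "RCAI-root", ROOT)
LICENSED_CA = Cert("ExampleCA", "RCAI-root", CA)
SUB = Cert("ExampleCA-Sub", "ExampleCA", SUB_CA)


def demo() -> dict:
    """Run four constructed chains through the checker and return the findings."""
    cas_with_sub = {"ExampleCA"}
    ok = [RCAI, LICENSED_CA, SUB, Cert("subscriber-1", "ExampleCA-Sub", END_ENTITY)]
    direct_ts = [RCAI, LICENSED_CA, Cert("tsa-1", "ExampleCA", END_ENTITY, "time-stamping")]
    bypass = [RCAI, LICENSED_CA, Cert("subscriber-2", "ExampleCA", END_ENTITY)]
    two_levels = [RCAI, LICENSED_CA, SUB,
                  Cert("ExampleCA-Sub2", "ExampleCA-Sub", SUB_CA),
                  Cert("subscriber-3", "ExampleCA-Sub2", END_ENTITY)]
    cases = [("ok", ok), ("direct_ts", direct_ts), ("bypass", bypass), ("two_levels", two_levels)]
    return {name: chain_violations(chain, cas_with_sub) for name, chain in cases}


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, "OK" if not found else found)
```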
Duties of Subscribers
"Subscriber" means a person in whose name the Electronic Signature Certificate is issued.
Chapter VIII i.e. Secs.40 to 42 of the IT Act, 2000 deals with the duties of subscribers.
Intermediaries
Sec.79 deals with the immunity available to intermediaries. The Information Technology
(Intermediaries guidelines) Rules, 2011 governs the duties of intermediaries.
"Intermediary" with respect to any particular electronic records, means any person who on
behalf of another person receives, stores or transmits that record or provides any service
with respect to that record and includes telecom service providers, network service
providers, internet service providers, web hosting service providers, search engines, online
payment sites, online-auction sites, online market places and cyber cafes.
i. The term 'digital signature' has been replaced with 'electronic signature' to make the Act
more technology neutral.
ii. A new section has been inserted to define 'communication device' to mean cell phones,
personal digital assistants or a combination of both or any other device used to
communicate, send or transmit any text, video, audio or image.
iii. A new section has been added to define cyber cafe as any facility from where the access
to the internet is offered by any person in the ordinary course of business to the members
of the public.
iv. A new definition has been inserted for intermediary.
v. A new section 10A has been inserted to the effect that contracts concluded electronically
shall not be deemed to be unenforceable solely on the ground that electronic form or
means was used.
vi. The damages of Rs. One Crore prescribed under section 43 of the earlier Act of 2000 for
damage to computer, computer system etc. has been deleted and the relevant parts of the
section have been substituted by the words, 'he shall be liable to pay damages by way of
compensation to the person so affected'.
vii. A new section 43A has been inserted to protect sensitive personal data or information
possessed, dealt or handled by a body corporate in a computer resource which such body
corporate owns, controls or operates. If such body corporate is negligent in implementing
and maintaining reasonable security practices and procedures and thereby causes wrongful
loss or wrongful gain to any person, it shall be liable to pay damages by way of
compensation to the person so affected.
viii. Sections 66A to 66F have been added to Section 66 prescribing punishment for offences
such as obscene electronic message transmissions, identity theft, cheating by impersonation
using computer resource, violation of privacy and cyber terrorism.
ix. Section 67 of the IT Act, 2000 has been amended to reduce the term of imprisonment for
publishing or transmitting obscene material in electronic form to three years from five years
and increase the fine thereof from Rs.100,000 to Rs. 500,000. Sections 67A to 67C have also
been inserted. While Sections 67A and 67B deal with penal provisions in respect of offences
of publishing or transmitting of material containing sexually explicit act and child
pornography in electronic form, Section 67C deals with the obligation of an intermediary to
preserve and retain such information as may be specified for such duration and in such
manner and format as the central government may prescribe.
x. In view of the increasing threat of terrorism in the country, the new amendments include
an amended section 69 giving power to the state to issue directions for interception or
monitoring or decryption of any information through any computer resource. Further,
sections 69A and B, two new sections, grant power to the state to issue directions for
blocking for public access of any information through any computer resource and to
authorize to monitor and collect traffic data or information through any computer resource
for cyber security.
xi. Section 79 of the Act which exempted intermediaries has been modified to the effect
that an intermediary shall not be liable for any third party information data or
communication link made available or hosted by him if:
(a) The function of the intermediary is limited to providing access to a communication
system over which information made available by third parties is transmitted or temporarily
stored or hosted;
(b) The intermediary does not initiate the transmission or select the receiver of the
transmission and select or modify the information contained in the transmission;
(c) The intermediary observes due diligence while discharging his duties. However, section
79 will not apply to an intermediary if the intermediary has conspired or abetted or aided or
induced, whether by threats or promises or otherwise, in the commission of the unlawful act
or upon receiving actual knowledge or on being notified that any information, data or
communication link residing in or connected to a computer resource controlled by it is being
used to commit an unlawful act, the intermediary fails to expeditiously remove or disable
access to that material on that resource without vitiating the evidence in any manner.
xii. A proviso has been added to Section 81 which states that the provisions of the Act shall
have overriding effect. The proviso states that nothing contained in the Act shall restrict any
person from exercising any right conferred under the Copyright Act, 1957.
The Indian Penal Code of 1860 and the Indian Evidence Act of 1872 were amended by the IT
Act of 2000 to keep in tune with the technological changes that were arising rapidly.
h) The Information Technology (Procedure and Safeguards for interception, monitoring and
decryption of information) Rules, 2009
These rules explain the procedure and safeguards subject to which such interception or
monitoring or decryption may be carried out.
i) The Information Technology (Procedure and Safeguard for Monitoring and Collecting
Traffic Data or Information) Rules, 2009
It contains the procedure for aggregate monitoring of communications and the procedural
safeguards to be observed in them.
j) The Information Technology (Use of electronic records and digital signatures) Rules, 2004
These rules deal with the manner and format in which the electronic records should be filed,
created or issued. It also states the manner or method of payment of any fees or charges for
filing or creating any electronic record.
k) The Information Technology (Security Procedure) Rules, 2004
These rules prescribe the provisions relating to secure digital signatures and secure
electronic records.
l) The Information Technology (Other Standards) Rules, 2003
The rules deal with the standards to be observed by the Controller to ensure that the
secrecy and security of the digital signatures are assured.
m) The Information Technology (Certifying Authority) Regulations, 2001
The regulation details the technical standards and procedures to be used by a Certifying
Authority.
n) Information Technology (Certifying Authorities) Rules, 2000
These rules deal with the licensing of Certifying Authorities and the procedures that need to be
complied with by them. They also prescribe the eligibility, appointment and working of Certifying
Authorities.
MODULE 10:
Convergence of Communication, Spectrum, Internet Telephony
Introduction
Convergence, in its usual sense, means coming together. In the world of communications
technology, it is the major communications platforms (broadcasting, telecommunications
and online) that are coming together so that their once separate functions now overlap.
Video content, for example, that used to be available only on television can be viewed easily
over the internet.
Perspectives on Convergence
Convergence can be defined from many perspectives such as technological, economic, and
regulatory dimensions. In terms of the technological dimension, broadband can be provided
not only by DSL, but also by cable modem. In addition to TV, cable operators can also
provide cable telephony. A person can now watch exactly the same TV program on a TV set,
laptop, or mobile phone. However, the underlying networks that are used to transmit the
program are very different—broadcast spectrum or cable networks, the internet or mobile
networks.
From an economic dimension, a single business such as cable TV or a fixed network can
provide triple-play or quadruple-play bundled services on the same platform. From a
regulatory perspective, there are discussions regarding the convergence laws and unified
regulator. The trend toward convergence poses challenges to the currently separate laws
for telecommunications, broadcasting, cable TV, and satellite TV, not only in India, but also
everywhere else. “The convergence of the telecommunications, media and information
technology sectors means that all transmission networks and services should be covered by
a single regulatory framework.”
Convergence Communications & Broadband technologies have been recognized world over
as the key technologies for economic growth and development. Moreover, the Next
generation Communication, Network and Broadband technologies are making tremendous
impact towards increased business productivity, social transformation and in bridging the
digital divide.
Broadband enabled internet applications have huge potential in all sectors of the economy
and particularly in e-governance, e-health, e-learning, e-commerce and e-entertainment
sectors. The components of the numerous services and applications would evolve around
the following: Broadband Access Network, Mobile and Wireless Network, Broadband
Transport Network, CPE & Terminals, Management of Services and Network, Multimedia &
Content and Security.
The rapid convergence of ICT has significant meaning for consumers, industries, and
governments. Consumers and industries are benefiting from this transformation, and
governments are in a position to facilitate this transformation.
The mobile Internet is one of the most important sectors of the ICT industry. In many places
around the world, mobile Internet users (e.g., 3G, or third-generation, mobile phone
subscribers) outnumber fixed Internet users and there are far more users who access the
Internet with their mobile phones than those who access the Internet with their PCs.
Moreover, the increasing popularity of mobile phones and widespread network
deployments has given rise to new businesses, such as mobile phone–based shopping and
payment.
As ICT convergence gains momentum, multiple networks will continue to converge, using a
combination of IP and optical technology to drive down costs and improve the user
experience.
Users will also be able to access the network with their smart devices while on weekend or
extended road trips to get recommendations from online friends about scenic spots and
nearby restaurants, or easily reserve hotel rooms. In addition, users will be able to play
content, such as music, stored in their smart devices on their automobile’s sound system to
make driving more enjoyable. Giving full play to the power of this integration will impact
users in all aspects of their lives.
Combining smart devices and peripheral devices leads to a smarter lifestyle. Linking a smart
phone to a conventional television set through an interface device allows users to
effortlessly transfer songs, photos, and videos stored in their smart phones to their
television sets. This capability not only revolutionizes the functionality of a conventional
television set, it gives users a fresh new experience.
One huge advantage that ICT convergence introduces is cloud computing for businesses,
which allows employees to work anywhere that has network coverage rather than merely in
their offices. By connecting devices, such as mobile phones and PCs, to the cloud,
employees can handle urgent tasks at home or on the go during business trips. The access to
resources and the manageability of the deliverables are similar to being physically present in
the office.
Another advantage of ICT convergence for enterprises is that employees can boost their
production efficiency by leveraging collaborative tools that deliver, in real time, functions
such as instant messaging, audio and video communications, data sharing,
whiteboard sharing, and interactive polling. This applicability allows multinational enterprise
teams to cooperate across geographic regions while slashing communications costs. Having
virtual teams across the world that work as “one world, one team” is no longer just a dream.
Regulations
With ICT industries already subject to volatile technological and market changes, it is
important for regulators of the telecommunications, IT, and broadcasting network
industries to respond to changing conditions. By effectively enabling ICT convergence,
government regulations can act as catalysts for network and economic development. For
example, to build a national broadband network, government agencies need to provide
adequate spectrum so the ICT industry can deploy mobile broadband networks that enable
rural area residents to benefit from national initiatives. However, the spectrum in many
countries is a scarce resource mainly used by the military, broadcasting,
telecommunications, and IT industries. This lack of broadband spectrum availability restricts
services, ICT convergence, and opportunities for economic development. One way to
maximize this scarce resource is to allocate spectrum resources based on industry
efficiency.
Policymakers today have the opportunity to promote competition as they undertake policy
reform. Creating a competitive market for a variety of different service providers has been
recognized as the most effective means to drive growth and encourage efficiency in ICT
while reducing prices and improving quality.
from service providers’ adopting new technologies and business practices. The fundamental
technology drivers are the digitalization of communication and the falling costs of
computing. Both, coupled to rapidly growing demand, led to a proliferation of digital
devices. Further, digital data processing and increases in computing power allowed data
compression, increasing a network’s carrying capacity even if its bandwidth remains fixed.
And cable and wireless network capacities have been growing steadily.
More recently, the growing and widespread use of Internet Protocol (IP) based and packet
switched data transmission has made it possible for different devices and applications to
use the same networks. This has sharply reduced costs and significantly eased the design
and deployment of access devices. Improved device capability is a significant contributor to
convergence.
With these technical and market factors evolving, convergence has now found significant
traction with service providers seeking to increase revenues and cut costs of service
provision. Service providers in both the telecommunications and broadcasting sectors have
seen convergence as a powerful means to leverage existing infrastructure to provide a wider
range of services at lower costs, generating higher revenues and reaching new subscribers.
Convergence allows service providers to enter new markets, making it possible for them to
compete in a larger market for more subscribers, and grow their businesses beyond their
traditional sector or technology domains.
Internet Telephony
The traditional services performed over the telephone have been replaced by the broad
range of services over the internet referred to as Internet Telephony. These services include
transmitting voice, video, fax etc. Internet telephony is also used interchangeably with VoIP
(Voice over Internet Protocol), IP Telephony, broadband telephony, and VoBB (Voice over
Broadband). However, there is a distinction between Internet telephony and VoIP
depending on the source of the information. Internet telephony is thought of as the entire
range of services available with digital phone systems, while VoIP simply refers to digital
phone calls. In other words, VoIP is a subset of Internet telephony.
Internet telephony can be utilized in a variety of ways. It may be (a) PC-to-PC,
(b) PC-to-Phone, (c) PC-to-Fax, (d) Phone-to-Phone, or (e) Mobile Phone-to-PC or Phone.
Transmitting voice and video via the Internet works much the same way as every other
transfer over the Internet: in packets. Speech and video are sampled by the computer and are
typically compressed to save space. There are a number of different ways to compress audio
using technology called “CODECs,” or compressor/de-compressor. For example, a speech
CODEC selectively subtracts sounds that are outside the frequency of human speech,
making the sample size smaller without sacrificing too much quality. The compressed
samples are then broken into small packets. Generally, an IP packet contains around 20 to
30 milliseconds of audio. These smaller packets are then sent via the Internet to their
destination, where they must be re-assembled. As a result of this technological process,
there is a delay from end-to-end of anywhere between 100 and 400 milliseconds, perfectly
acceptable to carry on a conversation. Occasionally packets are lost or delayed. CODECs use
packet-loss concealment (PLC) to fill in the missing packet with audio that is acceptable to
the human ear. One technique of PLC is to repeat the last good packet. A newer method is
to reconstruct the missing packet by analyzing the neighboring packets.
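To make the packetisation and packet-loss concealment described above concrete, here is an added Python example (not part of the study material) that slices a constructed 8 kHz signal into 20 ms packets, drops some of them in a simulated network, and fills the gaps with the two PLC techniques the text names: replaying the last good packet, and reconstructing the gap from the neighbouring packets (implemented here as a sample-wise average of the nearest good frames, a simplification of what a real codec does in its own parameter domain). The signal, the sampling rate, the packet size and the loss pattern are all constructed for the demonstration.

```python
"""Packetisation and packet-loss concealment (PLC) for an Internet telephony
stream. Added example on a constructed signal; not the study material's code."""
import math
from typing import List, Optional, Set

SAMPLE_RATE = 8000                            # narrowband telephony rate (assumed)
FRAME_MS = 20                                 # the text: a packet carries ~20-30 ms of audio
FRAME_LEN = SAMPLE_RATE * FRAME_MS // 1000    # 160 samples per packet

Frame = List[float]


def make_tone(freq_hz: float, seconds: float) -> List[float]:
    """Constructed stand-in for sampled speech: a pure sine tone."""
    n = int(SAMPLE_RATE * seconds)
    return [math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE) for i in range(n)]


def packetize(samples: List[float]) -> List[Frame]:
    """Split sampled audio into fixed-size frames, one per IP packet (trailing remainder dropped)."""
    return [samples[i:i + FRAME_LEN]
            for i in range(0, len(samples) - FRAME_LEN + 1, FRAME_LEN)]


def simulate_loss(packets: List[Frame], lost: Set[int]) -> List[Optional[Frame]]:
    """Model the network: packets whose sequence number is in `lost` never arrive."""
    return [None if seq in lost else pkt for seq, pkt in enumerate(packets)]


def plc_repeat_last(received: List[Optional[Frame]]) -> List[Frame]:
    """PLC technique 1 from the text: play the last good packet again in place of a lost one."""
    out: List[Frame] = []
    last: Frame = [0.0] * FRAME_LEN           # silence if the very first packet is lost
    for pkt in received:
        if pkt is not None:
            last = pkt
        out.append(list(last))
    return out


def plc_interpolate(received: List[Optional[Frame]]) -> List[Frame]:
    """PLC technique 2 from the text: rebuild a lost packet from its neighbours.
    Simplification: the gap is the sample-wise average of the nearest good frame
    before and after it; if only one neighbour exists, that neighbour is repeated."""
    out: List[Frame] = []
    for seq, pkt in enumerate(received):
        if pkt is not None:
            out.append(list(pkt))
            continue
        prev = next((f for f in reversed(received[:seq]) if f is not None), None)
        nxt = next((f for f in received[seq + 1:] if f is not None), None)
        if prev is None and nxt is None:
            out.append([0.0] * FRAME_LEN)
        elif prev is None or nxt is None:
            out.append(list(prev if prev is not None else nxt))
        else:
            out.append([(a + b) / 2.0 for a, b in zip(prev, nxt)])
    return out


def concealment_error(original: List[Frame], concealed: List[Frame], lost: Set[int]) -> float:
    """RMS error over the concealed frames only: how far the gap-filling is from the truth."""
    sq, n = 0.0, 0
    for seq in lost:
        for a, b in zip(original[seq], concealed[seq]):
            sq += (a - b) ** 2
            n += 1
    return math.sqrt(sq / n) if n else 0.0


def compare_plc(samples: List[float], lost: Set[int]) -> dict:
    """Run both techniques on one loss pattern and report their errors."""
    packets = packetize(samples)
    received = simulate_loss(packets, lost)
    return {
        "packets": len(packets),
        "lost": len(lost),
        "repeat_last_rms": concealment_error(packets, plc_repeat_last(received), lost),
        "interpolate_rms": concealment_error(packets, plc_interpolate(received), lost),
    }


if __name__ == "__main__":
    # 100 ms of a 440 Hz tone = 5 packets; packet #2 is dropped (constructed loss pattern)
    print(compare_plc(make_tone(440.0, 0.1), {2}))
```

Which technique sounds better depends on the signal: on a slowly varying waveform the neighbour-based reconstruction is close to exact, while repeating the previous packet leaves a step that is audible as a click; on a rapidly changing waveform neither is perfect, which is why receivers also keep a jitter buffer so that merely delayed packets are not treated as lost.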
Internet telephony provides multiple advantages to its users, such as low cost; video
transmission; portability of devices like laptops and mobile phones; special features like call
waiting, caller ID and call forwarding; and the possibility of changing area codes.
MODULE 11:
Privacy Policy, Usage Policy, Disclaimer, Digital Payment Mechanism,
Payment & Settlement Act, 2007.
The payment and settlement system comprises the various arrangements that are used to
systematically, efficiently and securely transfer money/currency, cheques, demand drafts,
and funds through various electronic channels. In most countries the Central Bank is
generally the regulatory authority and is responsible for development of the National
Payment System. The present legal framework governing payment systems in India is set
forth in the Payment and Settlement Systems Act, 2007 and the Regulations and
Notifications made thereunder. Pursuant to the provisions of the Board for Regulation and
Supervision of Payment and Settlement System Regulations, the BPSS, a sub-committee of
the Central Board of the RBI is in charge of discharging the regulatory functions vested in
the RBI by the Payment and Settlement Systems Act, 2007. The BPSS is empowered for
authorising, prescribing policies and setting standards for regulating and supervising all the
payment and settlement systems in the country. In addition, the RBI has issued several
Master Circulars (MCs), Guidelines and Notifications under the Payment and Settlement
Systems Act, 2007, relating to operation of payment systems, access to payment systems,
operation of PPIs and other PSPs.
The Reserve Bank of India continually strives towards providing more secure, convenient
and efficient payment systems in the country. RBI continuously works towards upgradation
of the existing systems and pushes for innovation and the development of new ones, thus slowly
and steadily revamping the payment and settlement facilities in India. The central bank of
any country is usually the driving force in the development of national payment systems.
The Reserve Bank of India as the central bank of India has been playing this developmental
role and has taken several initiatives for Safe, Secure, Sound, Efficient, Accessible and
Authorized payment systems in the country.
The Board for Regulation and Supervision of Payment and Settlement Systems (BPSS), a sub-
committee of the Central Board of the Reserve Bank of India is the highest policy making
body on payment systems in the country. The BPSS is empowered for authorising,
prescribing policies and setting standards for regulating and supervising all the payment and
settlement systems in the country. The Department of Payment and Settlement Systems of
the Reserve Bank of India serves as the Secretariat to the Board and executes its directions.
In India, the payment and settlement systems are regulated by the Payment and Settlement
Systems Act, 2007 (PSS Act) which was legislated in December 2007. The PSS Act as well as
the Payment and Settlement System Regulations, 2008 framed thereunder came into effect
from August 12, 2008. In terms of Section 4 of the PSS Act, no person other than the
Reserve Bank of India (RBI) can commence or operate a payment system in India unless
authorised by RBI. Reserve Bank has since authorised payment system operators of pre-paid
payment instruments, card schemes, cross-border in-bound money transfers, Automated
Teller Machine (ATM) networks and centralised clearing arrangements.
Payment Systems
The Reserve Bank has taken many initiatives towards introducing and upgrading safe and
efficient modes of payment systems in the country to meet the requirements of the public
at large. The large geographic spread of the country and the vast branch network of the
Indian banking system make the logistics of collecting and delivering paper instruments a
dominant consideration. These aspects of the banking structure in the country have
always been kept in mind while developing the payment systems.
Paper-based Payments
Use of paper-based instruments (like cheques, drafts, and the like) accounts for nearly 60%
of the volume of total non-cash transactions in the country. In value terms, the share is
presently around 11%. This share has been steadily decreasing over a period of time, and the
electronic mode has gained popularity due to the concerted efforts of the Reserve Bank of India
to popularize electronic payment products in preference to cash and cheques.
Since paper based payments occupy an important place in the country, Reserve Bank had
introduced Magnetic Ink Character Recognition (MICR) technology for speeding up and
bringing in efficiency in processing of cheques.
Later, a separate High Value Clearing was introduced for clearing cheques of value Rupees
one lakh and above. This clearing was available at select large centres in the country (since
discontinued). Recent developments in paper-based instruments include launch of Speed
Clearing (for local clearance of outstation cheques drawn on core-banking enabled branches
of banks), introduction of cheque truncation system (to restrict physical movement of
cheques and enable use of images for payment processing), framing CTS-2010 Standards
(for enhancing the security features on cheque forms) and the like.
While the overall thrust is to reduce the use of paper for transactions, given the fact that it
would take some time to completely move to the electronic mode, the intention is to
reduce the movement of paper – both for local and outstation clearance of cheques.
Electronic Payments
The initiatives taken by RBI in the mid-eighties and early-nineties focused on technology-
based solutions for the improvement of the payment and settlement system infrastructure,
coupled with the introduction of new payment products by taking advantage of the
technological advancements in banks. The continued increase in the volume of cheques
added pressure on the existing set-up, thus necessitating a cost-effective alternative system.
The Bank introduced the ECS (Credit) scheme during the 1990s to handle bulk and repetitive
payment requirements (like salary, interest, dividend payments) of corporates and other
institutions. ECS (Credit) facilitates customer accounts to be credited on the specified value
date and is presently available at all major cities in the country.
During September 2008, the Bank launched a new service known as National Electronic
Clearing Service (NECS), at National Clearing Cell (NCC), Mumbai. NECS (Credit) facilitates
multiple credits to beneficiary accounts with destination branches across the country
against a single debit of the account of the sponsor bank. The system has a pan-India
characteristic and leverages on Core Banking Solutions (CBS) of member banks, facilitating
all CBS bank branches to participate in the system, irrespective of their location across the
country.
Next to NECS, RECS was launched during the year 2009. RECS, a smaller-scale version of NECS,
is confined to the bank branches within the jurisdiction of a Regional office of RBI. Under the
system, the sponsor bank will upload the validated data through the Secured Web Server of
RBI containing credit/debit instructions to the customers of CBS enabled bank branches
spread across the Jurisdiction of the Regional office of RBI. The RECS centre will process the
data, arrive at the settlement, generate destination bank wise data/reports and make
available the data/reports through secured web-server to facilitate the destination bank
branches to afford credit/debit to the accounts of beneficiaries by leveraging the CBS
technology put in place by the bank. Presently RECS is available in Ahmedabad, Bengaluru,
Chennai and Kolkata.
The ECS (Debit) Scheme was introduced by RBI to provide a faster method of effecting
periodic and repetitive collections of utility companies. ECS (Debit) facilitates consumers /
subscribers of utility companies to make routine and repetitive payments by ‘mandating’
bank branches to debit their accounts and pass on the money to the companies. This
tremendously minimises use of paper instruments apart from improving process efficiency
and customer satisfaction. There is no limit as to the minimum or maximum amount of
payment. This is also available across major cities in the country.
This retail funds transfer system introduced in the late 1990s enabled an account holder of a
bank to electronically transfer funds to another account holder with any other participating
bank. Available across 15 major centers in the country, this system is no longer available for
use by the general public, for whose benefit a feature-rich and more efficient system is now
in place, which is the National Electronic Funds Transfer (NEFT) system.
In November 2005, a more secure system was introduced for facilitating one-to-one funds
transfer requirements of individuals / corporates. Available across a longer time window,
the NEFT system provides for batch settlements at hourly intervals, thus enabling near real-
time transfer of funds. Certain other unique features viz. accepting cash for originating
transactions, initiating transfer requests without any minimum or maximum amount
limitations, facilitating one-way transfers to Nepal, receiving confirmation of the date / time
of credit to the account of the beneficiaries, etc., are available in the system.
RTGS is a funds transfer system in which the transfer of money takes place from one bank to
another on a "real time" and on a "gross" basis. Settlement in "real time" means the payment
transaction is not subjected to any waiting period. "Gross settlement" means the
transaction is settled on one to one basis without bunching or netting with any other
transaction. Once processed, payments are final and irrevocable.
CCIL was set up in April 2001 by banks, financial institutions and primary dealers, to function
as an industry service organisation for clearing and settlement of trades in money market,
government securities and foreign exchange markets.
The Clearing Corporation plays the crucial role of a Central Counter Party (CCP) in the
government securities, USD-INR foreign exchange (both spot and forward segments) and
Collateralised Borrowing and Lending Obligation (CBLO) markets. CCIL plays the role of a
central counterparty whereby, the contract between buyer and seller gets replaced by two
new contracts - between CCIL and each of the two parties. This process is known as
‘Novation’. Through novation, the counterparty credit risk between the buyer and seller is
eliminated, with CCIL subsuming all counterparty and credit risks. In order to minimise the
risks that it thereby exposes itself to, CCIL follows specific risk management practices which
are as per international best practices. In addition to the guaranteed settlement, CCIL also
provides non-guaranteed settlement services for National Financial Switch (inter-bank ATM
transactions) and for rupee derivatives such as Interest Rate Swaps. CCIL also provides a
reporting platform and acts as a repository for Over the Counter (OTC) products.
Pre-paid instruments are payment instruments that facilitate purchase of goods and
services against the value stored on these instruments. The value stored on such
instruments represents the value paid for by the holders by cash, by debit to a bank
account, or by credit card. The pre-paid payment instruments can be issued in the form of
smart cards, magnetic stripe cards, internet accounts, internet wallets, mobile accounts,
mobile wallets, paper vouchers, etc.
Subsequent to the notification of the PSS Act, policy guidelines for issuance and operation of
prepaid instruments in India were issued in the public interest to regulate the issue of
prepaid payment instruments in the country. The use of pre-paid payment instruments for
cross border transactions has not been permitted, except for the payment instruments
approved under the Foreign Exchange Management Act, 1999 (FEMA).
Mobile phones as a medium for providing banking services have been attaining increased
importance. Reserve Bank brought out a set of operating guidelines on mobile banking for
banks, according to which only banks which are licensed and supervised in India and have a
physical presence in India are permitted to offer mobile banking after obtaining necessary
permission from Reserve Bank. The guidelines focus on systems for security and inter-bank
transfer arrangements through Reserve Bank's authorized systems. On the technology front
the objective is to enable the development of inter-operable standards so as to facilitate
funds transfer from one account to any other account in the same or any other bank on a
real time basis irrespective of the mobile network a customer has subscribed to.
To address the customer service issues arising out of failed ATM transactions where the
customer's account gets debited without actual disbursal of cash, the Reserve Bank has
mandated re-crediting of such failed transactions and mandated compensation for delays
beyond the stipulated period. Furthermore, a standardized template has been prescribed
for displaying at all ATM locations to facilitate lodging of complaints by customers.
There are over five lakh POS terminals in the country, which enable customers to make
payments for purchases of goods and services by means of credit/debit cards. To facilitate
customer convenience the Bank has also permitted cash withdrawal using debit cards issued
by the banks at PoS terminals. The PoS for accepting card payments also include online
payment gateways. This facility is used for enabling online payments for goods and services.
Online payments are enabled through own payment gateways or third party service
providers called intermediaries. In payment transactions involving intermediaries, these
intermediaries act as the initial recipient of payments and distribute the payment to
merchants. In such transactions, the customers are exposed to the uncertainty of payment
as most merchants treat the payments as final on receipt from the intermediaries. In this
regard, to safeguard the interests of customers and to ensure that the payments made by them
using electronic/online payment modes are duly accounted for by the intermediaries receiving
such payments, directions require that the funds received from customers for such
transactions be maintained in an internal account of a bank to which the intermediary
does not have access.
Further, to reduce the risks arising out of the use of credit/debit cards over internet/IVR
(technically referred to as card not present (CNP) transactions), Reserve Bank mandated
that all CNP transactions should be additionally authenticated based on information not
available on the card and an online alert should be sent to the cardholders for such
transactions.
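The CNP mandate above is a control that can be checked after the fact from a bank's authorisation records. The following added Python example (not the study material's, nor any bank's, code) runs that check over a constructed log: it parses key=value authorisation lines, treats internet, IVR and mail/telephone-order channels as card-not-present, and flags approved CNP transactions whose only authentication factor is data printed on the card (PAN, expiry, CVV, name) or for which no online alert was sent. The log format, field names, channel codes and sample lines are all assumptions made for the demonstration.

```python
"""Compliance check over card-authorisation log lines for the card-not-present (CNP)
mandate described in the text. Added example with a constructed log format; not the
study material's or any bank's code."""
import re
from typing import Dict, List

# Assumed log format (constructed): ISO timestamp followed by key=value tokens.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")

# Channels where the physical card is not presented to the merchant (assumed codes).
CNP_CHANNELS = {"ECOM", "IVR", "MOTO"}
# Factors printed on or readable from the card itself, which therefore do not satisfy
# "authentication based on information not available on the card".
ON_CARD_FACTORS = {"none", "pan", "expiry", "cvv", "name"}


def parse_line(line: str) -> Dict[str, str]:
    """Turn one log line into a field dictionary; raises on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"token without '=': {token!r}")
        rec[key] = value
    return rec


def check_record(rec: Dict[str, str]) -> List[str]:
    """Return the mandate violations for one record (empty list if compliant or not in scope)."""
    if rec.get("channel") not in CNP_CHANNELS or rec.get("result") != "APPROVED":
        return []                       # card-present, or not approved: mandate does not apply
    issues = []
    if rec.get("auth_factor", "none").lower() in ON_CARD_FACTORS:
        issues.append("approved without a factor beyond data available on the card")
    if rec.get("alert") != "sent":
        issues.append("no online alert sent to the cardholder")
    return issues


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Map transaction id -> violations for every non-compliant line in the log."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        issues = check_record(rec)
        if issues:
            findings[rec.get("txn", "<no txn id>")] = issues
    return findings


# Constructed sample log: card numbers are masked, amounts and ids are made up.
SAMPLE_LOG = [
    "2024-01-15T10:02:11Z txn=TX1001 channel=ECOM card=****4242 amount=1999.00 auth_factor=otp alert=sent result=APPROVED",
    "2024-01-15T10:03:45Z txn=TX1002 channel=ECOM card=****1881 amount=540.00 auth_factor=cvv alert=sent result=APPROVED",
    "2024-01-15T10:05:02Z txn=TX1003 channel=POS card=****0005 amount=120.00 auth_factor=pin alert=none result=APPROVED",
    "2024-01-15T10:06:30Z txn=TX1004 channel=IVR card=****7733 amount=2500.00 auth_factor=otp alert=none result=APPROVED",
    "2024-01-15T10:07:12Z txn=TX1005 channel=ECOM card=****9090 amount=75.00 auth_factor=none alert=none result=DECLINED",
]

if __name__ == "__main__":
    for txn, issues in audit(SAMPLE_LOG).items():
        print(txn, "->", "; ".join(issues))
```

Note that the check deliberately ignores declined transactions and card-present channels, so it reports only the cases the mandate actually covers; in a real deployment the channel codes and factor names would come from the authorisation host's own schema.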
The Reserve Bank encouraged the setting up of National Payments Corporation of India
(NPCI) to act as an umbrella organisation for operating various Retail Payment Systems
(RPS) in India. NPCI became functional in early 2009. NPCI has taken over National Financial
Switch (NFS) from Institute for Development and Research in Banking Technology (IDRBT).
NPCI is expected to bring greater efficiency by way of uniformity and standardization in
retail payments and expanding and extending the reach of both existing and innovative
payment products for greater customer convenience.
Oversight of the payment and settlement systems is a central bank function whereby the
objectives of safety and efficiency are promoted by monitoring existing and planned
systems, assessing them against these objectives and, where necessary, inducing change. By
overseeing payment and settlement systems, central banks help to maintain systemic
stability and reduce systemic risk, and to maintain public confidence in payment and
settlement systems.
The Payment and Settlement Systems Act, 2007 and the Payment and Settlement Systems
Regulations, 2008 framed thereunder, provide the necessary statutory backing to the
Reserve Bank of India for undertaking the Oversight function over the payment and
settlement systems in the country.
The PSS Act, 2007 provides for the regulation and supervision of payment systems in India
and designates the Reserve Bank of India (Reserve Bank) as the authority for that purpose
and all related matters. The Reserve Bank is authorized under the Act to constitute a
Committee of its Central Board known as the Board for Regulation and Supervision of
Payment and Settlement Systems (BPSS), to exercise its powers and perform its functions
and discharge its duties under this statute. The Act also provides the legal basis for “netting”
and “settlement finality”. This is of great importance, as in India, other than the Real Time
Gross Settlement (RTGS) system all other payment systems function on a net settlement
basis.
The Board for Regulation and Supervision of Payment and Settlement Systems Regulation,
2008 deals with the constitution of the Board for Regulation and Supervision of Payment
and Settlement System (BPSS), a Committee of the Central Board of Directors of the Reserve
Bank of India. It also deals with the composition of the BPSS, its powers and functions,
exercising of powers on behalf of BPSS, meetings of the BPSS and quorum, the constitution
of Sub-Committees/Advisory Committees by BPSS, etc. The BPSS exercises the powers on
behalf of the Reserve Bank, for regulation and supervision of the payment and settlement
systems under the PSS Act, 2007.
The Payment and Settlement Systems Regulations, 2008 covers matters like form of
application for authorization for commencing/ carrying on a payment system and grant of
authorization, payment instructions and determination of standards of payment systems,
furnishing of returns/documents/other information, furnishing of accounts and balance
sheets by system provider etc.
“Payment Instruction” is defined as any instrument, authorization or order in any form,
including by electronic means, to effect a payment by a person to a participant in a payment
system or from one participant in such a system to another participant in that system. The
payment instruction can be communicated either manually, i.e. through an instrument like a
cheque, draft, payment order etc., or through electronic means, so that a payment can be
made by either a person to the participant in such a system or between two participants.
“Settlement” means the settlement of payment instructions received, and these include
settlement of securities, foreign exchange or derivatives or other transactions. Settlement
can take place either on a net basis or on a gross basis. Both netting and gross settlement
systems are defined under the Act.
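The difference between gross settlement (described in the RTGS paragraph above: each transaction settled one-to-one, in real time, final once processed) and net settlement (the basis on which the text says all other Indian payment systems operate) is easiest to see on a small batch of instructions. The following added Python example (not the study material's code, with constructed participants and amounts) settles the same batch both ways, computes each participant's multilateral net position, and compares the liquidity each mode demands. It also shows why the Act's settlement-finality and loss-allocation provisions matter for netting: a deferred net batch settles all-or-nothing, so one participant's shortfall can hold up everyone.

```python
"""Gross versus net settlement of a batch of payment instructions.
Added example with constructed participants and amounts; not the study material's code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PaymentInstruction:
    payer: str
    beneficiary: str
    amount: int          # whole units; integers avoid rounding surprises in settlement


def gross_settlement(instructions: List[PaymentInstruction],
                     opening: Dict[str, int]
                     ) -> Tuple[Dict[str, int], List[PaymentInstruction], List[PaymentInstruction]]:
    """RTGS-style processing: each instruction is settled individually, in arrival order,
    and is final once processed. An instruction the payer cannot fund is queued, not netted."""
    balances = dict(opening)
    settled: List[PaymentInstruction] = []
    queued: List[PaymentInstruction] = []
    for ins in instructions:
        if balances.get(ins.payer, 0) >= ins.amount:
            balances[ins.payer] = balances.get(ins.payer, 0) - ins.amount
            balances[ins.beneficiary] = balances.get(ins.beneficiary, 0) + ins.amount
            settled.append(ins)
        else:
            queued.append(ins)
    return balances, settled, queued


def net_positions(instructions: List[PaymentInstruction]) -> Dict[str, int]:
    """Multilateral netting: collapse all instructions into one net obligation per participant.
    Positive = net receiver, negative = net payer; the positions always sum to zero."""
    net: Dict[str, int] = defaultdict(int)
    for ins in instructions:
        net[ins.payer] -= ins.amount
        net[ins.beneficiary] += ins.amount
    return dict(net)


def net_settlement(instructions: List[PaymentInstruction],
                   opening: Dict[str, int]) -> Optional[Dict[str, int]]:
    """Deferred net settlement: the whole batch settles at once, one net debit or credit
    per participant. If any net payer cannot cover its position the batch does not settle
    (returns None), which is the all-or-nothing dependency that settlement-finality and
    loss-allocation rules exist to manage."""
    net = net_positions(instructions)
    for participant, position in net.items():
        if position < 0 and opening.get(participant, 0) < -position:
            return None
    balances = dict(opening)
    for participant, position in net.items():
        balances[participant] = balances.get(participant, 0) + position
    return balances


def liquidity_needed(instructions: List[PaymentInstruction], mode: str) -> Dict[str, int]:
    """Funds each payer must hold: its gross outflows under RTGS, only its net debit under netting."""
    if mode == "gross":
        out: Dict[str, int] = defaultdict(int)
        for ins in instructions:
            out[ins.payer] += ins.amount
        return dict(out)
    if mode == "net":
        return {p: -pos for p, pos in net_positions(instructions).items() if pos < 0}
    raise ValueError("mode must be 'gross' or 'net'")


# Constructed batch: four instructions among three participants.
BATCH = [
    PaymentInstruction("BankA", "BankB", 100),
    PaymentInstruction("BankB", "BankC", 80),
    PaymentInstruction("BankC", "BankA", 50),
    PaymentInstruction("BankA", "BankC", 30),
]

if __name__ == "__main__":
    print("gross liquidity:", liquidity_needed(BATCH, "gross"))      # BankA 130, BankB 80, BankC 50
    print("net liquidity:  ", liquidity_needed(BATCH, "net"))        # BankA 80 only
    print("RTGS from A=100:", gross_settlement(BATCH, {"BankA": 100}))
    print("net from A=50:  ", net_settlement(BATCH, {"BankA": 50}))  # None: batch does not settle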
Section 2(1) (i) of the PSS Act 2007 defines a payment system to mean a system that enables
payment to be effected between a payer and a beneficiary, involving clearing, payment or
settlement service or all of them, but does not include a stock exchange (Section 34 of the
PSS Act 2007 states that its provisions will not apply to stock exchanges or clearing
corporations set up under stock exchanges). It is further stated by way of an explanation
that a “payment system” includes the systems enabling credit card operations, debit card
operations, smart card operations, money transfer operations or similar operations.
All systems (except stock exchanges and clearing corporations set up under stock
exchanges) carrying out either clearing or settlement or payment operations or all of them
are regarded as payment systems. All entities operating such systems will be known as
system providers. Also all entities operating money transfer systems or card payment
systems or similar systems fall within the definition of a system provider. To decide whether
a particular entity operates the payment system, it must perform either the clearing or
settlement or payment function or all of them.
In terms of Section 4 of the PSS Act, 2007 no person other than the Reserve Bank can
operate or commence a payment system unless authorized by the Reserve Bank. Any
person desirous of commencing or operating a payment system needs to apply for
authorization under the PSS Act, 2007 (Section 5).
The application for authorization has to be made as per Form A under Regulation 3(2) of the
Payment and Settlement Systems Regulations, 2008. The application is required to be duly
filled up and submitted with the stipulated documents to the Reserve Bank.
All entities operating payment systems or desirous of setting up such systems are required
to apply for authorization under the Act. Any unauthorized operation of a payment system
would be an offence under the PSS Act, 2007 and accordingly liable for penal action under
that Act.
The Reserve Bank will consider factors like the need for the proposed payment system, the
technical standards and design of proposed system, the security procedures and terms and
conditions of operation of the proposed system, the procedure for netting of payment
instructions, risk management processes, financial status of the applicant, experience of
management and integrity of applicant, consumer interests, monetary and credit policies
and other relevant factors while deciding on an application for authorization for
commencing or operating a payment system (Section 7 of PSS Act, 2007). The Reserve Bank
will endeavor to dispose of all applications received for authorization within six months
from the date of their receipt. The Reserve Bank is empowered to prescribe the format of
payment instructions, size and shape of instructions, timings to be maintained by payment
systems, manner of funds transfer, criteria for membership including continuation,
termination and rejection of membership, terms and conditions for participation in the
payment system etc. (Section 10 of PSS Act, 2007).
The Reserve Bank is empowered to call for from the system provider returns, documents
and other information relating to the operation of the payment system. The system
provider and all system participants are required to provide the Reserve Bank access to any
information relating to the operation of the payment system (Sections 12 and 13 of PSS Act,
2007). The Reserve Bank, in order to ensure compliance with the provisions of the PSS Act,
2007 and the Regulations made thereunder, can depute an officer authorized by it to enter
any premises where a payment system is being operated, inspect any equipment, including
any computer system or document, and call upon any employee of the system provider or
participant to provide any document or information as required by it (Section 14 of PSS Act,
2007). The Reserve Bank is authorized to issue directions to a payment system or system
participant to cease or desist from engaging in any act, omission or course of conduct or
direct it to perform any acts, as well as issue general directions in the interests of the smooth
operation of the payment system (Sections 17 and 18 of the PSS Act, 2007).
The PSS Act 2007 defines “netting” and legally recognizes settlement finality. It states that a
settlement, whether gross or net, will be final and irrevocable as soon as the money,
securities, foreign exchange or derivatives or other transactions payable as a result of such
settlement is determined, whether or not such money, securities or foreign exchange or
other transactions is actually paid. In case a system participant is declared insolvent, or is
dissolved or is wound up, no other law can affect any settlement which has become final
and irrevocable and the right of the system provider to appropriate the collaterals
contributed by the system participants towards settlement or other obligations. This Act
also legally recognizes the loss allocation among system participants and the payment system,
where the rules provide for this mechanism.
The PSS Act, 2007 lays down the duties of the system provider. The system provider is
required to operate the payment system in accordance with the provisions of the Act and
the Regulations, the terms and conditions of authorization and the directions given by the
Reserve Bank from time to time. The system provider is also required to act in accordance
with the contract governing the relationship among the system participants and the rules
and regulations which deal with the operation of the payment system. The Act requires the
system provider to disclose the terms and conditions including the charges, limitations of
liability etc., under the payment system to the system participants. The Act also requires the
system provider to provide copies of all the rules and regulations governing the operation of
the payment system and other relevant documents to the system participants. The system
provider is required to keep the documents and their contents, provided to it by the system
participants, confidential and is prohibited from disclosing the same, except in
accordance with the provisions of law (Sections 20 to 22 of the Act).
The Act lays down an elaborate mechanism for settlement of disputes between system
participants in a payment system, between system participant and system provider and
between system providers. The Act requires the system provider to make provision in its
rules or regulations for creation of a panel to decide disputes between system participants.
Where any system participant is dissatisfied with the decision of the panel, or where
disputes arise between system participant and system provider or between system
providers, such disputes are required to be referred to the Reserve Bank for adjudication,
whose decision shall be final and binding on the parties. In cases where the Reserve Bank, in
its capacity either as a system participant or system provider, is itself a party to the dispute,
there is a provision for referring such cases to the Central Government for
adjudication (Section 24 of the Act).
Under the PSS Act, 2007, dishonor of an electronic fund transfer instruction due to
insufficiency of funds in the account etc., is an offence punishable with imprisonment or
with fine or both, similar to the dishonor of a cheque under the Negotiable Instruments Act
1881. Subject to complying with the procedures laid down under the PSS Act, 2007, criminal
prosecution of defaulter can be initiated in such cases. This provision was introduced to
discourage dishonor of electronic payment instructions (Section 25 of the Act). Under the
PSS Act, 2007, operating a payment system without authorization, failure to comply with
the terms of authorization, failure to produce statements, returns, information or
documents or providing false statements or information, disclosing prohibited information,
non-compliance with directions of the Reserve Bank, and violations of any of the provisions of the Act,
Regulations, orders, directions etc., are offences for which the Reserve Bank can
initiate criminal prosecution. The Reserve Bank is also empowered to impose fines for certain
contraventions under the Act (Sections 26 and 30 of the PSS Act, 2007).
hardware (such as smartphones) nor do they require an active data connection. Therefore,
USSD communications can be utilised to provide reliable payment services on basic feature
phones. Even applications with rich user-interfaces, typically developed for smartphones,
can communicate over the USSD channel. The NPCI has developed a platform in
collaboration with most major mobile operators in India, which enables users to carry out
basic banking activities, such as money transfer and balance queries. High tariff ceilings for
USSD transactions had so far hindered wider adoption of the platform.
DCB is a form of mobile payment, facilitated entirely by mobile operators. Every mobile
operator creates a unique account associated with each of its subscribers. In a pre-paid
subscription, this account contains a certain value, which is utilised towards talk-time. In a
post-paid subscription, this account functions as a credit facility, where charges towards
communications services are paid by a subscriber at the end of a billing cycle. A DCB facility
utilises the stored value in these accounts, and enables subscribers to use their mobile
phones as payment instruments. The Committee notes that at present, DCB is already
offered in a limited manner by mobile operators for the purchase of various mobile Value
Added Services (VASs), which have evolved globally to include mobile apps and content.16
However, there remains ambiguity over whether offering wider DCB facilities could
potentially contravene the provisions of RBI's PPI Guidelines and the Department of
Telecommunications (DoT)'s license conditions. While TRAI has in the past indicated that DCB and
other mobile commerce platforms would fall under the category of VASs, there is no
regulatory clarity on this issue from the DoT.
The Committee feels that DCB has the potential of providing increased access to digital
payments to large sections of the population. Globally, DCB is a recognized form of VAS
provided by telecom operators. Accordingly, DCB should be expressly allowed by the RBI,
TRAI and the DoT under the applicable regulatory framework. The Committee further notes
that mobile accounts need to be KYC compliant in terms of the directions of the DoT, and
that the DoT has allowed "Aadhaar" based e-KYC for subscriber verification.
Mobile Money and Social Network Payments
Mobile money has witnessed some growth in India with the
introduction of the PPI license by RBI. However, there are several other platforms for
transacting in mobile money that have not been made possible in India. Some of the newer
innovations in this context relate to social network-based payments such as those offered
by WeChat in China, and by Facebook in certain other jurisdictions. The lack of
interoperability, and significant entry barriers in the market, have prevented the roll-out of
social network based payments in India.
Blockchain Technology
Blockchain can be used to develop smart self-monitoring systems that can authenticate and
monitor payments at lower costs.
Digital currencies are currency issued in a digital form. This could include crypto-currencies
such as Bitcoins (which are an independent form of money separate from any country’s
central bank issued legal tender) or digitally issued central bank currencies. In the course of
consultations, the Committee was presented with a case for digitally issued Indian currency,
as a means to substitute physical currency. Central bank issued digital currency seeks to
retain the characteristics of central bank issued M0 currency, but merely change the form
factor from paper to digital. Such a digital currency would have to be issued by the RBI, and
used by way of hardware modules. The security of the currency is ensured by cryptographic
technology, inspired by existing security features on physical currency. The Committee
notes several benefits of digital currency, including the instantaneous settlement of
transactions, reduction of the costs of cash, ability to provide a more comprehensive and
unified source of credit history and reduction in instances of tax avoidance. The most
significant benefit, however, is that the technology makes it extremely difficult to
counterfeit, and more importantly enables the central bank to detect the existence of
counterfeit currency on a real-time basis.
MODULE 12:
Adjudicating Officer and Their Powers & Duty with special reference to
Information Technology (Qualification & Experience of Adjudicating Officer
and Manner of Holding Enquiry Rules 2003)
Power to Adjudicate
According to Section 46 of the Information Technology Act, 2000, for the purpose of
adjudging under this Chapter whether any person has committed a
contravention of any of the provisions of this Act or of any rule, regulation, direction or
order made thereunder which renders him liable to pay penalty or compensation, the
Central Government shall appoint any officer not below the rank of a Director to the
Government of India or an equivalent officer of a State Government to be an adjudicating
officer for holding an inquiry in the manner prescribed by the Central Government.
The adjudicating officer appointed shall exercise jurisdiction to adjudicate matters in which
the claim for injury or damage does not exceed rupees five crore: Provided that the
jurisdiction in respect of the claim for injury or damage exceeding rupees five crore shall
vest with the competent court.
After giving the person referred to a reasonable opportunity for making representation in
the matter and if, on such inquiry, he is satisfied that the person has committed the
contravention, he may impose such penalty or award such compensation as he thinks fit in
accordance with the provisions of that section.
No person shall be appointed as an adjudicating officer unless he possesses such experience
in the field of Information Technology and legal or judicial experience as may be prescribed
by the Central Government.
Where more than one adjudicating officer is appointed, the Central Government shall
specify by order the matters and places with respect to which such officers shall exercise
their jurisdiction.
Every adjudicating officer shall have the powers of a civil court which are conferred on the
Cyber Appellate Tribunal under sub-section (2) of section 58, and
(a) all proceedings before it shall be deemed to be judicial proceedings within the meaning
of sections 193 and 228 of the Indian Penal Code (45 of 1860);
(b) it shall be deemed to be a civil court for the purposes of sections 345 and 346 of the
Code of Criminal Procedure, 1973 (2 of 1974);
(c) it shall be deemed to be a civil court for the purposes of Order XXI of the Civil Procedure
Code, 1908 (5 of 1908).
The aforesaid provision under Chapter IX (Penalties and Adjudication) specifies that, for the
purpose of adjudging under this section whether any person has committed a contravention
of any of the provisions of this Act or any rule, regulation, direction or order made thereunder,
there shall be an adjudicating officer for holding an inquiry in the manner prescribed by the
Central Government.
The Rules provide that, as per Rule 2(a), "Act" means the Information Technology Act,
2000 (21 of 2000); as per Rule 2(b), "Adjudicating Officer" means an adjudicating officer
appointed under sub-section (1) of section 46 of the Act. Rule 2(d) clarifies that the
words and expressions used herein and not defined, but defined in the Act, shall have the
meanings respectively assigned to them in the Act.
The Rules delineate the scope and manner of holding an enquiry for contraventions
under the IT Act, 2000 and set a time frame of six months to decide the matters. They
prescribe criteria for adjudging the quantum of compensation or penalty, including the
amount of gain of unfair advantage as a result of the default, the amount of loss caused to
any person as a result of the default, and the repetitive nature of the default. The Rules provide
the procedure to serve notices and orders and provisions for compounding of contraventions.
of section 75 of I T Act on a plain paper on the proforma attached to these rules together
with the fee payable calculated on the basis of damages claimed by way of compensation.
(c) The Adjudicating Officer, shall issue a notice together with all the documents to all the
necessary parties to the proceedings, fixing a date and time for further proceedings. The
notice shall contain such particulars as far as may be as to the time and place of the alleged
contravention, and the person (if any) against whom, or the thing (if any) in respect of
which, it was committed.
(d) On the date so fixed, the Adjudicating Officer shall explain to such person or persons to
whom notice is issued about the contravention alleged to have been committed in relation
to any of the provisions of the Act or of any rule, regulation, direction or order made
thereunder.
(e) If the person in respect of whom notice is issued pleads guilty, the Adjudicating Officer
shall record the plea, and may impose penalty or award such compensation as he thinks fit
in accordance with the provisions of the Act, rules, regulations, order or directions made
thereunder.
(f) Alternatively on the date fixed the person or persons against whom a matter is filed may
show cause why an enquiry should not be held in the alleged contravention or that why the
report alleging the contravention should be dismissed.
(g) The Adjudicating Officer on the basis of the report of the matter, investigation report (if
any), other documents and on the basis of submissions shall form an opinion that there is
sufficient cause for holding an enquiry or that the report into the matter should be
dismissed and on that basis shall either by order dismiss the report of the matter, or shall
determine to hear the matter.
(h) If any person or persons fails, neglects or refuses to appear, or present himself as
required by sub-rule (d), before the Adjudicating Officer, the Adjudicating Officer shall
proceed with the inquiry in the absence of such person or persons after recording the
reasons for doing so.
(i) At any time, or on receipt of a report of contravention from an aggrieved person or by a
Government agency, or suo motu, the Adjudicating Officer may get the matter or the report
investigated by an officer in the Office of the Controller or CERT-IND or by the concerned
Deputy Superintendent of Police, to ascertain more facts and whether prima facie there is a
case for adjudicating on the matter or not.
(j) The Adjudicating Officer, shall fix a date and time for production of documents or
evidence and for this purpose may also rely on electronic records or communications and as
far as may be, shall use or make available the infrastructure for promoting on-line
settlement of enquiry or disputes or for taking evidence including the services of an
adjudicating officer and infrastructure in another State.
(k) As far as possible, every application shall be heard and decided in four months and the
whole matter in six months.
(l) Adjudicating Officer, when convinced that the scope of the case extends to the Offence(s)
(under Chapter XI of I T Act) instead of contravention, needing appropriate punishment
instead of mere financial penalty, should transfer the case to the Magistrate having
jurisdiction to try the case, through Presiding Officer.
If, upon consideration of the evidence produced before the Adjudicating Officer and other
records and submissions, the Adjudicating Officer is satisfied that the person has become
liable to pay damages by way of compensation or to pay penalty under any of the provisions
of the Act or rules, regulations, directions or orders, the Adjudicating Officer may, by order
in writing, order payment of damages by way of compensation or impose such penalty, as
deemed fit.
Certain guidelines have been laid down by the Rules for the Adjudicating Officer while adjudging the
quantum of compensation or penalty, and the Adjudicating Officer shall have due regard to
the following factors, namely:—
(a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of
the default;
(b) the amount of loss caused to any person as a result of the default;
(c) the repetitive nature of the default.
The Adjudicating Officer shall deliver a certified copy of the order to the complainant and
the respondent. The manner of service of notices and orders has been laid down under Rule 7.
The notice or the order shall be served in the following manner:
(a) by delivering or tendering it to that person or the person's authorized agent in an
electronic form;
(b) by sending it to the person by registered post with acknowledgement;
(c) if it cannot be served under clause (a) or (b) above then by affixing it, in the presence of
two witnesses, on the outer door or some other conspicuous part of the premises in which
that person resides or is known to have last resided, or carried on business or personally
works or last worked for gain.
Further, a fee is prescribed for every complaint of a matter to the Adjudicating Officer. The
Rules provide for avoiding duplication of proceedings before the Adjudicating Officer and any
other Court, Tribunal or authority. The same matter shall not be pursued before any court,
Tribunal or authority in any proceeding whatsoever, and if a report has already been filed in
relation to the same matter, the proceedings before such other court, Tribunal or authority
shall be deemed to be withdrawn.
In case of any frivolous complaint, damages not exceeding rupees twenty-five thousand
and a fine not exceeding rupees ten thousand may be imposed upon
the complainant by the Adjudicating Officer.
Under Rule 11, a person, against whom a report of contravention of the Act, Rules or
Regulations, directions or orders or conditions has been filed before an Adjudicating Officer,
may make an application for compounding the contravention during the adjudicating
proceedings to the concerned adjudicating officer. The applicant desirous of compounding
the contravention shall deposit the sum determined by the officer compounding the
contravention into the office of Adjudicating Officer provided that sum determined as
compounding fee shall not exceed the maximum amount of penalty, which may be imposed
under this Act for the contraventions so compounded.
iv. TCS – private certifying authority to issue certificates to individuals, company and
government users
v. MTNL
vi. Customs and Central Excise
vii. Code Solutions CA (GNFC)
viii. e-Mudhra
MODULE 13:
Cyber Appellate Tribunal with reference to the Cyber Regulation Appellate Tribunal
(Procedures) Rules 2000
The Information Technology Act, 2000 has led to the establishment of the Cyber Appellate
Tribunal, which has appellate jurisdiction. The Cyber Appellate Tribunal has been
established by the Central Government in accordance with the provisions contained under
section 48(1) of the Information Technology Act, 2000. This appellate body initially started in
October 2006 as The Cyber Regulations Appellate Tribunal (CRAT).
Chapter X of the IT Act, 2000 deals with the Cyber Appellate Tribunal (sections 48-64).
Being an appellate authority, the tribunal exercises jurisdiction both of fact and law over a
decision or order passed by the Controller of Certifying Authorities or the Adjudicating
Officer. Its power to examine the correctness, legality or propriety of the decision or order
passed by the Controller of Certifying Authorities or Adjudicating Officer is absolute.
Along with the Information Technology Act, 2000 (sections 48-64) there are corresponding
Rules prescribed under The Cyber Regulation Appellate Tribunal (Procedures) Rules 2000,
which need to be read together for a better understanding of this chapter.
Section 48 stipulates the establishment of a statutory authority called the Cyber Appellate
Tribunal. At present there is one Cyber Appellate Tribunal in India, located at New Delhi.
Section 49 (as amended in 2009): earlier the Tribunal consisted of a single person known as the
Presiding Officer of the Tribunal, who was appointed by the Central Government by
notification. After the amendment, the composition of the appellate tribunal is a
Chairperson and such number of other Members (including Judicial Members) as the Central
Government may decide. Further, Benches may be constituted by the Chairperson of the
Cyber Appellate Tribunal. A Bench may be a Single Bench, a Double Bench or a Full Bench.
The Central Government may specify the areas in relation to which each Bench of the Cyber
Appellate Tribunal may exercise its power.The Chairperson of the Cyber Appellate Tribunal
may transfer a Member of such Tribunal from one Bench to another Bench. If at any stage of
the hearing of any case or matter it appears to the Chairperson or a Member of the Cyber
Appellate Tribunal that the case or matter is of such a nature that it ought to be heard by a
Bench consisting of more Members, the case or matter may be transferred by the
Chairperson to such Bench as the Chairperson may deem fit.
A person shall not be qualified for appointment as Chairperson of the Cyber Appellate
Tribunal unless he is, or has been, or is qualified to be, a Judge of a High Court (Section 50
(1)). The Members of the Cyber Appellate Tribunal have been categorised in two categories:
Ordinary Members and Judicial Members. The Members of the Cyber Appellate Tribunal,
except the Judicial Members, shall be appointed by the Central Government from amongst
persons having special knowledge of, and professional experience in, information
technology, telecommunication, industry, management or consumer affairs. There is a
proviso which says that a person shall not be appointed as a Member unless he is, or has
been, in the service of the Central Government or a State Government, and has held the post
of Additional Secretary to the Government of India or any equivalent post in the Central
Government or State Government for a period of not less than one year, or Joint Secretary
to the Government of India or any equivalent post in the Central Government or State
Government for a period of not less than seven years.
The Judicial Members of the Cyber Appellate Tribunal shall be appointed by the Central
Government from amongst persons who are or have been members of the Indian Legal
Service and have held the post of Additional Secretary for a period of not less than one year
or a Grade I post of that Service for a period of not less than five years (Section 50(3)).
(1) The Chairperson or Member of the Cyber Appellate Tribunal shall hold office for a term
of five years from the date on which he enters upon his office or until he attains the age of
sixty-five years, whichever is earlier.
(2) Before appointing any person as the Chairperson or Member of the Cyber Appellate
Tribunal, the Central Government shall satisfy itself that the person does not have any such
financial or other interest as is likely to affect prejudicially his functions as such Chairperson
or Member.
(3) An officer of the Central Government or State Government on his selection as the
Chairperson or Member of the Cyber Appellate Tribunal, as the case may be, shall have to
retire from service before joining as such Chairperson or Member.
The Chairperson of the Cyber Appellate Tribunal shall have certain powers as under-
Power of general superintendence and directions in the conduct of the affairs of that
Tribunal.
Distribution of business among Benches—Where Benches are constituted, the
Chairperson of the Cyber Appellate Tribunal may, by order, distribute the business of that
Tribunal amongst the Benches and also specify the matters to be dealt with by each Bench.
Power of Chairperson to transfer cases—On the application of any of the parties and
after notice to the parties, and after hearing such of them as he may deem proper to be
heard, or suo motu without such notice, the Chairperson of the Cyber Appellate Tribunal
may transfer any case pending before one Bench, for disposal, to any other Bench.
Decision by majority—If the Members of a Bench consisting of two Members differ
in opinion on any point, they shall state the point or points on which they differ, and make a
reference to the Chairperson of the Cyber Appellate Tribunal, who shall hear the point or
points himself, and such point or points shall be decided according to the opinion of the
majority of the Members who have heard the case, including those who first heard it.
Filling up of vacancies—If, for a reason other than temporary absence, any vacancy
occurs, then the Central Government shall appoint another person in accordance with the
provisions of this Act.
Orders constituting Appellate Tribunal to be final and not to invalidate its proceedings-
Section 55 of this Act has given finality to two following points-
(i) An order of the Central Government appointing any person as the Chairperson or the
member of a Cyber Appellate Tribunal shall be final and
(ii) an act or proceeding before a Cyber Appellate Tribunal shall not be called in
question in any manner on the ground merely of any defect in the constitution of a Cyber
Appellate Tribunal.
Salary, allowances and other terms and conditions of service of Chairperson and Members
The salary and allowances payable to, and the other terms and conditions of service
including pension, gratuity and other retirement benefits of, the Chairperson or a Member
of the Cyber Appellate Tribunal shall be such as may be prescribed. The Central Government
has framed Cyber Appellate Tribunal (Salary allowances and other terms and condition of
Service of Chairperson and Members) Rules 2009.
The Central Government shall provide the Cyber Appellate Tribunal with such officers and
employees as that Government may think fit. The officers and employees of the Cyber
Appellate Tribunal shall discharge their functions under general superintendence of the
Chairperson.
The salaries and allowances and other conditions of service of the officers and employees
of the Cyber Appellate Tribunal shall be such as may be prescribed by the Central
Government. In compliance with this section, the Cyber Appellate Tribunal (Salary allowances and
other terms and condition of Service of Chairperson and Members) Rules 2009 have been
framed.
Any person aggrieved by an order made by an Adjudicating Officer or the Controller under this
Act may prefer an appeal to the Cyber Appellate Tribunal having jurisdiction in the matter.
If an adjudicating officer has passed an order with the consent of the parties, no appeal shall
lie to the Cyber Appellate Tribunal. A limitation period of 45 days has been provided, and the
Tribunal has power to condone delay. An opportunity of being heard is provided under
Section 57(4). The Cyber Appellate Tribunal shall send a copy of every order made by it to
the parties to the appeal and to the concerned Controller or adjudicating officer. The appeal
filed before the Cyber Appellate Tribunal under sub-section (1) shall be dealt with by it as
expeditiously as possible, and endeavour shall be made by it to dispose of the appeal finally
within six months from the date of receipt of the appeal.
As regards the procedure to be adopted by the Tribunal, section 58 lays down three basic
principles:
(a) The Cyber Appellate Tribunal shall not be bound by the procedure laid down by the
Code of Civil Procedure.
(b) The Tribunal shall be guided by the principles of natural justice.
(c) The Tribunal shall have power to regulate its own procedure.
As per section 58 (2) The Cyber Appellate Tribunal shall have, for the purposes of
discharging its functions under this Act, the same powers as are vested in a civil court under
the Code of Civil Procedure, 1908 (5 of 1908), while trying a suit, in respect of the following
matters, namely:—
(a) summoning and enforcing the attendance of any person and examining him on oath;
(b) requiring the discovery and production of documents or other electronic records;
(c) receiving evidence on affidavits;
(d) issuing commissions for the examination of witnesses or documents;
(e) reviewing its decisions;
(f) dismissing an application for default or deciding it ex parte;
(g) any other matter which may be prescribed.
Every proceeding before the Cyber Appellate Tribunal shall be deemed to be a judicial
proceeding within the meaning of sections 193 and 228, and for the purposes of section 196,
of the Indian Penal Code, and the Cyber Appellate Tribunal shall be deemed to be a civil
court for the purposes of section 195 and Chapter XXVI of the Code of Criminal Procedure,
1973 (2 of 1974).
The appellant may either appear in person or authorise one or more legal practitioners or
any of its officers to present his or its case before the Cyber Appellate Tribunal. The
provisions of the Limitation Act, 1963 (36 of 1963), shall, as far as may be, apply to an
appeal made to the Cyber Appellate Tribunal.
No civil court shall have jurisdiction to entertain any suit or proceeding in respect of
any matter which an adjudicating officer appointed under this Act or the Cyber Appellate
Tribunal constituted under this Act is empowered by or under this Act to determine, and no
injunction shall be granted by any court or other authority in respect of any action taken or
to be taken in pursuance of any power conferred by or under this Act.
Any person aggrieved by any decision or order of the Cyber Appellate Tribunal may file an
appeal to the High Court within sixty days from the date of communication of the decision
or order of the Cyber Appellate Tribunal to him on any question of fact or law arising out of
such order.
Compounding of contraventions
Any contravention under this Act may, either before or after the institution of adjudication
proceedings, be compounded by the Controller or such other officer as may be specially
authorised by him in this behalf, or by the adjudicating officer. Where any contravention has
been compounded, no proceeding or further proceeding, as the case may be, shall be taken
against the person guilty of such contravention in respect of the contravention so
compounded.
A penalty or compensation awarded shall be recovered as an arrear of land
revenue, and the licence or the Electronic Signature Certificate, as the case may be, shall be
suspended till the penalty is paid.
In exercise of the powers conferred by section 87 of the Information Technology Act, 2000
(21 of 2000), the Central Government framed the Cyber Regulations Appellate
Tribunal (Procedure) Rules, 2000. Rule 2 of these Rules defines the terms "Act", "agent",
"application", "legal practitioner", "Registrar", "Registry", "section", "transferred" and "Tribunal".
Procedure for filing applications
The applicant may send the application either himself, or through an agent or a duly
authorized legal practitioner, in the prescribed format. The application is presented in six
complete sets in paper-book form along with one empty file-size envelope bearing the full
address of the respondent. Where the number of respondents is more than one, a sufficient
number of extra paper-books together with the required number of empty file-size envelopes
bearing the full address of each respondent shall be furnished by the applicant.
The Tribunal may permit:
(a) more than one person to join together and file a single application if it is satisfied, having
regard to the cause of action and the nature of relief prayed for, that they have the same
interest in the service matter; or
(b) an Association representing the persons desirous of joining in a single application
provided.
On receipt of the application, the Registrar or the officer authorised by the Registrar shall
scrutinise the application and, if any defect is found, the Registrar may allow the party to
rectify it in his presence. If the defects are not removed, the Registrar has the right to
decline the application. Once the application is declined, an appeal lies against the order of
the Registrar within 15 days of the making of that order.
The Rules also set out the contents of an application, the presentation of the application and
paper-book, service of notice of the application on the respondents, the procedure for filing
a reply within one month, action on the application in case of the applicant's default,
hearing of the application ex parte, and adjournment of the application.
The Registrar shall have the custody of the records of the Tribunal and shall exercise such
other functions as may be assigned to him under these rules or by the Presiding Officer.
The Registrar may (with the approval of the Presiding Officer) delegate to another officer of
the Tribunal any functions required by these rules to be exercised by the Registrar.
In the absence of the Registrar, an officer of the Tribunal authorised in writing by the
Presiding Officer in this behalf may perform or exercise all or any of the functions and
powers of the Registrar.
The Registrar shall keep in his custody the official seal of the Tribunal.
The Registrar shall, subject to any general or special direction by the Presiding
Officer, affix the official seal of the Tribunal on any order, notice or other process.
The Registrar has the power to authorise in writing the affixing of the seal of the
Tribunal on a certified copy of any order of the Tribunal.
In addition to the powers conferred elsewhere in these rules, the Registrar has the following
powers and duties, subject to any general or special order of the Presiding Officer, namely:
(i) to receive all applications and other documents including transferred applications;
(ii) to decide all questions arising out of the scrutiny of the applications before they are
registered;
(iii) to require any application presented to the Tribunal to be amended in accordance with
the Act and the rules;
(iv) subject to the directions of the Tribunal, to fix dates of hearing of the applications or
other proceedings and issue notices thereof;
(v) to direct any formal amendment of records;
(vi) to order grant of copies of documents to parties to the proceedings;
(vii) to dispose of all matters relating to the service of notices or other processes,
applications for the issue of fresh notices or for extending the time therefor;
(viii) to requisition records from the custody of any court or other authority;
(ix) to receive applications for the substitution of legal representatives of deceased
parties during the pendency of the application;
(x) to receive and dispose of applications for substitution, except where the substitution
would involve setting aside an order or abatement; and
(xi) to receive and dispose of applications by parties for return of documents.
MODULE 14:
ISPs, their working in India with special reference to the Information Technology
(Intermediaries Guidelines) Rules 2011 & The Information Technology (Guidelines for
Cyber Cafe) Rules 2011 and Corresponding International Legislation in US, UK & Europe
An ISP is a company that provides internet connectivity to a user. An ISP may provide
internet access via dial-up, Asymmetric Digital Subscriber Line, Ethernet, leased line, cable
connection, wireless or fibre optics, and may also provide other services such as web hosting,
registration of domain names and cloud computing, wherein customers can operate their
specialised software or store and process information in a virtual environment. An
intermediary is a network service provider or telecom service provider or any party that
receives, stores, sends or transmits messages or any data over the internet on behalf of
another without selecting or modifying the content being transmitted. For example, Twitter
and Facebook are intermediaries. Web-hosting companies, online payment sites, cyber cafes and
search engines are all covered by the definition of Intermediary under the IT Act, 2000.
According to Section 2(w) of the Information Technology Act, 2000, an "intermediary", with
respect to any particular electronic records, means any person who on behalf of another
person receives, stores or transmits that record or provides any service with respect to that
record, and includes telecom service providers, network service providers, internet service
providers, web-hosting service providers, search engines, online payment sites, online-auction
sites, online-market places and cyber cafes.
Section 79 of the IT Act covers the aspect of liability of the intermediaries including internet
service providers. The amended section 79 lays down that an intermediary is not liable for
any third party information, data or communication link made available or hosted by him
except as specified in Section 79 (2) and (3). The third party information is described in
Explanation to Section 79 as any information dealt with by an intermediary in his position as
an Intermediary. Section 79 (2) provides that an intermediary is not liable if it only provides
access to a communication system over which information is posted by third parties and
‘transmitted or temporarily stored or hosted’. An intermediary cannot be made liable in
case where it does not initiate the transaction, select the recipient and select or change the
information contained in the message (section 79 (2)(b)).
Position before the Amendment
Before the 2008 amendment of the IT Act, section 79 was not so clear in its meaning and effect.
Earlier, section 79 provided that an internet service provider was not liable under the Act
for any third party information or data made available by him if he could prove that the
offence or contravention was committed without his knowledge or that he had exercised 'due
diligence' to prevent the commission of such offence or contravention. There was a lot of
ambiguity in the scope and application of section 79. The onus to prove lack of knowledge was
placed on the provider without any indication of whether actual or constructive knowledge
was meant, and the 'due diligence' to be exercised was left without any defined standard.
Before the amendment the intermediary was liable for any civil wrong as well as for any
offence under this section. After 2008, a new section 67C was inserted which fixes the
criminal liability of an intermediary that fails to preserve and retain such information as
may be specified, for such duration and in such manner and format as the Central Government
may prescribe. If any intermediary intentionally or knowingly contravenes the provisions of
section 67C(1), he shall be criminally liable and shall be punished under that section. In
accordance with section 79(2), there shall be civil liability for the intermediary if he does
not observe due diligence while discharging his duties under this Act and observe such other
guidelines as the Central Government may prescribe in this behalf.
69A. Power to issue directions for blocking for public access of any information through any
computer resource.–
(1) Where the Central Government or any of its officers specially authorised by it in this
behalf is satisfied that it is necessary or expedient so to do, in the interest of sovereignty and
integrity of India, defence of India, security of the State, friendly relations with foreign States
or public order or for preventing incitement to the commission of any cognizable offence
relating to above, it may subject to the provisions of sub-section (2), for reasons to be
recorded in writing, by order, direct any agency of the Government or intermediary to block
for access by the public or cause to be blocked for access by the public any information
generated, transmitted, received, stored or hosted in any computer resource.
(2) The procedure and safeguards subject to which such blocking for access by the public
may be carried out, shall be such as may be prescribed.
(3) The intermediary who fails to comply with the direction issued under sub-section (1) shall
be punished with an imprisonment for a term which may extend to seven years and also be
liable to fine.
Bazee.com case
This case was tried under the earlier section 79 of the IT Act, 2000. The court observed that
the Director and CEO of Bazee.com could not prove lack of knowledge, nor that he had exercised
due diligence in performing his duties, when an MMS clip was placed on its auction site
Bazee.com. The court held that the internet service provider was liable under section 75 of
the IT Act, 2000 and also explained the vicarious liability of service providers. The court
clarified that when a third party places some obscene material on a website, under section
292 of the Indian Penal Code, 1860 the element of 'mens rea' needs to be proved and there is
no 'automatic liability' of the director in such cases. An FIR under section 67 read with
section 85 of the IT Act, 2000 cannot be quashed. In the Avanish Bajaj case, vicarious
liability was held to exist as enterprise liability. This decision was overruled in Aneeta
Hada v M/s. Godfather Travels & Tours (P) Ltd., where the Hon'ble Supreme Court considered the
case of Avanish Bajaj v State along with other criminal appeals involving the same question of
law: whether a director can be held liable even where the company is not arraigned as an
accused. The Court took the view that under section 85 of the Information Technology Act,
2000, which provides for deemed liability of directors in cases of offences committed by
companies, a director cannot be held liable without impleading the company as an accused.
The court quashed the proceedings against the appellant director as the company was not even
arraigned as an accused. The court applied the doctrine of and took the view that commission
of the offence by the company is an express condition precedent to attract the vicarious
liability of others. After the amendment of section 79 of the IT Act, 2000 the law has become
clearer, as an intermediary is not liable unless it has actual knowledge.
The Supreme Court of India in Shreya Singhal v. Union of India examined the validity of
various provisions of the Information Technology Act, 2000. It was held that Section 79(3)(b)
has to be read down to mean that the intermediary, upon receiving actual knowledge that a
court order has been passed asking it to expeditiously remove or disable access to certain
material, must then fail to expeditiously remove or disable access to that material. This is
for the reason that otherwise it would be very difficult for intermediaries like Google,
Facebook etc. to act when millions of requests are made and the intermediary is then to judge
which of such requests are legitimate and which are not. Section 66A of the Information
Technology Act, 2000 was struck down in its entirety as being violative of Article 19(1)(a)
and not saved under Article 19(2). Section 69A and the Information Technology (Procedure &
Safeguards for Blocking for Access of Information by Public) Rules, 2009 are constitutionally
valid. Section 79 is valid subject to Section 79(3)(b) being read down to mean that an
intermediary, upon receiving actual knowledge from a court order or on being notified by the
appropriate government or its agency that unlawful acts relatable to Article 19(2) are going
to be committed, then fails to expeditiously remove or disable access to such material.
Similarly, the Information Technology "Intermediary Guidelines" Rules, 2011 are valid subject
to Rule 3 sub-rule (4) being read down in the same manner as indicated in the judgment.
The Information Technology (Intermediaries Guidelines) Rules, 2011 were laid down by the
Ministry of Communication and Information Technology. These rules lay down the due diligence
requirements that intermediaries must meet, as prescribed by the Central Government, to avail
of the exclusion from liability under Section 79(1) and 79(2) of the IT Act, 2000.
According to Section 79(1), "Notwithstanding anything contained in any law for the time being
in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not
be liable for any third party information, data, or communication link made available or
hosted by him". As per Section 79(2)(c), the intermediary must observe due diligence while
discharging his duties under this Act and also observe such other guidelines as the Central
Government may prescribe in this behalf.
order or causes incitement to the commission of any cognizable offence or prevents
investigation of any offence or is insulting any other nation.
Rule 3(2) states that the intermediary shall not ‘knowingly host or publish’ any
information or shall not initiate the transmission, select the receiver of transmission, and
select or modify the information contained in the transmitted information. The ambiguous
words used in Rule 3(2) on the nature of content that should not be posted by users make it
difficult for the users as well as for the intermediaries to determine the type of content that
will be classified as objectionable. Words and phrases like grossly harmful, harassing,
blasphemous, disparaging and 'harm minors in any way' are not defined in these Rules or in
the Act or in any other legislation. These ambiguous words make the Rules susceptible to
misuse.
The proviso to Rule 3(2) states that the following actions by an intermediary shall not
amount to hosting, publishing, editing or storing of any such information as specified:
(a) temporary or transient or intermediate storage of information automatically within the
computer resource as an intrinsic feature of such computer resource, involving no exercise of
any human editorial control, for onward transmission or communication to another computer
resource; (b) removal of access to any information, data or communication link by an
intermediary after such information, data or communication link comes to the actual knowledge
of a person authorised by the intermediary pursuant to any order or direction as per the
provisions of the Act.
As per Rule 3(4), the intermediary on whose computer system the information is stored, hosted
or published, upon obtaining knowledge by itself or being brought to actual knowledge by an
affected person in writing or through email signed with electronic signature about any such
information, shall act within thirty-six hours and work with the user or owner of such
information to disable such information that is in contravention of sub-rule (2). Further,
the intermediary shall preserve such information and associated records for at least ninety
days for investigation purposes.
The intermediary's duties also include informing its users that, in case of non-compliance
with the rules and regulations, the intermediary has the right to immediately terminate the
access or usage rights of the users to the computer resource of the intermediary and remove
non-compliant information. Rule 3(7) states that when required by lawful order, the
intermediary shall provide information or any such assistance to Government Agencies who are
lawfully authorised for investigative, protective or cyber security activity. The information
or any such assistance shall be provided for the purpose of verification of identity, or for
prevention, detection, investigation, prosecution, cyber security incidents and punishment of
offences under any law for the time being in force, on a request in writing stating clearly
the purpose of seeking such information or assistance.
Rule 3(8): The intermediary shall take all reasonable measures to secure its computer resource
and the information contained therein, following the reasonable security practices and
procedures prescribed in the Information Technology (Reasonable security practices and
procedures and sensitive personal Information) Rules, 2011. The intermediary shall report
cyber security incidents and also share information relating to cyber security incidents with
the Indian Computer Emergency Response Team (Rule 3(9)). Rule 3(10) prohibits intermediaries
from circumventing any law by employing technical means that affect the normal functioning of
computer resources. The Rules also require intermediaries to publish the name of a grievance
officer and to establish a redressal mechanism for complaints by users against other persons
who act in violation of Rule 3.
The Information Technology (Guidelines for Cyber Cafe) Rules, 2011 were issued by the
Ministry of Communications and Information Technology in 2011. The Central Government has the
power under clause (zg) of sub-section (2) of section 87, read with sub-section (2) of section
79, of the Information Technology Act, 2000 (21 of 2000) to make these rules, which prescribe
the regulations for registration and the operational guidelines required to be followed by
cyber cafes. With a view to regulating the activities of cyber cafes, 'cyber café' has been
defined under section 2(1)(na) as any facility from where access to the internet is offered by
any person in the ordinary course of business to the members of the public. In other words,
access to the internet implies use of the internet by members of the public by accessing a
computer, computer system, computer network or communication device facilitated by the cyber
café.
Rule 3 provides that there shall be an agency for registration of cyber cafes. Registered
cyber cafes shall be given a unique registration number by the registration agency as
notified by the Appropriate Government. The broad terms of registration shall include:
(i) name of establishment;
(ii) address with contact details including email address;
(iii) whether individual or partnership or sole proprietorship or society or company;
(iv) date of incorporation;
(v) name of owner/partner/proprietor/director;
(vi) whether registered or not (if yes, copy of registration with Registrar of Firms or
Registrar of Companies or Societies); and
(vii) type of service to be provided from the cyber cafe.
Registration of a cyber cafe may be followed up with a physical visit by an officer from the
registration agency.
As per Rule 3(2), the details of registration of a cyber cafe shall be published on the
website of the registration agency. The Appropriate Government is required to set up an
on-line registration facility to enable cyber cafes to register on-line, and the detailed
process of registration is to be mandatorily followed by each Registration Agency.
Cyber cafes are required to verify the identity of a user before allowing such user to avail
of their services. The user may be identified by: identity card of school or college; photo
credit card or debit card issued by a bank or post office; passport; voter identity card;
Permanent Account Number (PAN) card issued by the Income-Tax Authority; photo identity card
issued by the employer or any Government agency; driving licence issued by the Appropriate
Government; or Unique Identification (UID) number issued by the Unique Identification
Authority of India (UIDAI).
Cyber cafes are required to keep a record of the user identification document, by storing
either a photocopy or a scanned copy of the document duly authenticated by the user and the
authorised representative of the cyber café, and such record shall be securely maintained for
a period of at least one year.
For the purpose of establishing identity the cyber café owners have an authority to take the
photograph of the user by using a web camera installed on one of the computers in the
Cyber Café. Such web camera photographs need to be duly authenticated by the user and
authorised representative of cyber café and this shall be a part of the log register which may
be maintained in physical or electronic form. In case of a minor without photo Identity card,
the adult may accompany and provide the abovementioned documents to establish the
identity of the minor user.
The Cyber cafe is required to immediately report to the concerned police, if they have
reasonable doubt or suspicion regarding any user.
Log Register
The Cyber Cafe shall record and maintain the required information of each user, as well as of
any accompanying person, in the log register for a minimum period of one year. The Cyber Cafe
may maintain an online version of the log register. Such online version of the log register
shall be authenticated by using digital or electronic signature. The log register shall
contain at least the following details of the user, namely:
(i) Name
(ii) Address
(iii) Gender
(iv) Contact Number
(v) Type and detail of identification document
(vi) Date
(vii) Computer terminal identification
(viii) Log in Time
(ix) Log out Time
The cyber café owner is required to prepare a monthly report of the log register showing
date-wise details on the usage of the computer resource and submit a hard and soft copy of the
same to the person or agency directed by the registration agency by the 5th day of the next
month. The cyber cafe owner shall be responsible for storing and maintaining backups of the
log records (as listed in the Rules) for each access or login by any user of its computer
resource for at least one year. The cyber cafe shall ensure that the log register is not
altered and is maintained in a secure manner for a period of at least one year.
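The following Python sketch is an added illustration, not part of this study material and not any format prescribed by the Rules. It shows how a cyber cafe could keep the log register described above so that any later alteration is detectable: every entry carries the fields the Rules list, each entry is chained to the previous one and authenticated with an HMAC (used here in place of the digital or electronic signature the Rules require), a one-year retention check is applied, and the date-wise monthly report is produced from the register. The field names, the key and the sample entries are all constructed for the demonstration.

```python
"""Tamper-evident cyber cafe log register.

Added example, not part of the study material and not any format
prescribed by the Rules. It models the Cyber Cafe Rules, 2011 log
register: the mandated per-user fields, authentication of every entry,
a one-year retention floor and the date-wise monthly report.
HMAC-SHA256 under a secret key stands in here for the digital or
electronic signature the Rules require; a production register would
use a digital signature certificate. Field names, key and sample
entries are constructed for the demonstration.
"""
import hashlib
import hmac
import json
from datetime import date

# Fields the Rules list for each user entry (order follows the Rules).
REQUIRED_FIELDS = (
    "name", "address", "gender", "contact_number",
    "id_document_type", "id_document_detail", "date",
    "terminal_id", "login_time", "logout_time",
)
RETENTION_DAYS = 365          # "at least one year"
GENESIS = "0" * 64            # chain anchor for the first entry


class LogRegister:
    """Append-only register: each entry is HMAC-chained to the previous one."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []     # {"record": {...}, "prev": str, "mac": str}

    def _mac(self, record: dict, prev: str) -> str:
        # Canonical JSON so the same record always authenticates the same way.
        payload = json.dumps(record, sort_keys=True).encode() + prev.encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def add(self, record: dict) -> None:
        missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
        if missing:
            raise ValueError(f"incomplete register entry, missing: {missing}")
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        self.entries.append(
            {"record": dict(record), "prev": prev, "mac": self._mac(record, prev)}
        )

    def verify(self) -> int:
        """Index of the first altered or re-ordered entry, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = self._mac(e["record"], prev)
            if e["prev"] != prev or not hmac.compare_digest(e["mac"], expected):
                return i
            prev = e["mac"]
        return -1

    def monthly_report(self, year: int, month: int) -> dict:
        """Date-wise usage counts for the month (the report due by the 5th)."""
        prefix = f"{year:04d}-{month:02d}-"
        counts = {}
        for e in self.entries:
            d = e["record"]["date"]
            if d.startswith(prefix):
                counts[d] = counts.get(d, 0) + 1
        return dict(sorted(counts.items()))


def must_retain(entry_date: str, today: str) -> bool:
    """True while the entry is inside the mandatory one-year retention window."""
    age = (date.fromisoformat(today) - date.fromisoformat(entry_date)).days
    return age <= RETENTION_DAYS


SAMPLE_KEY = b"constructed-demo-key-not-for-production"


def build_sample_register() -> LogRegister:
    """Three constructed entries over two days in March 2024."""
    reg = LogRegister(SAMPLE_KEY)
    common = {
        "address": "12 Sample Street, Demo City", "gender": "F",
        "contact_number": "9000000000", "id_document_type": "Passport",
        "id_document_detail": "X0000000 (constructed)", "terminal_id": "T-03",
    }
    reg.add({**common, "name": "A. Sample", "date": "2024-03-04",
             "login_time": "10:05", "logout_time": "11:10"})
    reg.add({**common, "name": "B. Sample", "date": "2024-03-04",
             "login_time": "11:30", "logout_time": "12:00", "terminal_id": "T-01"})
    reg.add({**common, "name": "C. Sample", "date": "2024-03-06",
             "login_time": "15:00", "logout_time": "15:45"})
    return reg


def tamper_and_detect() -> int:
    """Edit a logout time after the fact and show the chain catches it."""
    reg = build_sample_register()
    reg.entries[1]["record"]["logout_time"] = "18:00"   # unauthorised alteration
    return reg.verify()


if __name__ == "__main__":
    reg = build_sample_register()
    print("intact:", reg.verify() == -1)
    print("March 2024 report:", reg.monthly_report(2024, 3))
    print("first altered entry:", tamper_and_detect())
```

The chaining means an inspecting officer holding the key can detect not only an edited entry but also a deleted or reordered one, since every later MAC depends on the one before it; the key itself must be held by the authorised representative, not on the public terminals, or the check proves nothing.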
Rule 6 lays down details of the management of the physical layout and computer resource. Rule
7 lays down that an officer authorised by the registration agency shall check or inspect the
cyber cafe and the computer resource or network established therein, at any time, for
compliance with these rules. It is mandatory for the cyber cafe owner to provide every related
document, register and any necessary information to the inspecting officer on demand.
MODULE 15:
Controller of Certifying Authority with special reference to the Information
Technology (Certifying Authorities) Regulations, 2001
The IT Act, 2000 provides for the Controller of Certifying Authorities (CCA) to license and
regulate the working of Certifying Authorities. It aims at promoting the growth of E-commerce
and E-Governance through the wide use of digital signatures.
The Certifying Authorities (CAs) issue digital signature certificates for electronic
authentication of users. Section 17 of the IT Act, 2000 deals with the appointment of the
Controller of Certifying Authorities (CCA). The term ‘Controller’ as defined in clause (m) of
section 2, means the Controller of Certifying Authorities appointed under sub-section (1) of
section 17 to perform functions of the Controller under this Act. The Central Government
may, by notification in the Official Gazette, appoint any person as the Controller of
Certifying Authorities. Being an appointing authority, the Central Government may also
remove him and may take such action as it may deem proper. The Deputy Controllers and
Assistant Controllers shall perform the functions assigned to them by the controller under
the general superintendence and control of the Controller.
The Controller of Certifying Authorities (CCA) has established the Root Certifying Authority
of India (RCAI) under section 18(b) of the IT Act, 2000 to digitally sign the public keys of
Certifying Authorities (CAs) in the country. The RCAI is operated as per the standards
provided in the Act and Rule 3 of the Information Technology (Certifying Authority)
Regulations, 2001.
Functions of Controller
containing the disclosure record of every Certifying Authority. The Controller may perform
the following functions:
(a) Exercising supervision over the activities of the Certifying Authorities;
(b) Certifying public keys of the Certifying Authorities;
(c) Laying down the standards to be maintained by the Certifying Authorities;
(d) Specifying the qualifications and experience which employees of the Certifying Authority
should possess;
(e) Specifying the conditions subject to which the Certifying Authorities shall conduct their
business;
(f) Specifying the contents of written, printed or visual materials and advertisements that
may be distributed or used in respect of electronic signature Certificate and the public key;
(g) Specifying the form and content of an electronic signature Certificate and the key;
(h) Specifying the form and manner in which accounts shall be maintained by the Certifying
Authorities;
(i) Specifying the terms and conditions subject to which auditors may be appointed and the
remuneration to be paid to them;
(j) Facilitating the establishment of any electronic system by a Certifying Authority either
solely or jointly with other Certifying Authorities and regulation of such systems;
(k) Specifying the manner in which the Certifying Authorities shall conduct their dealings
with the subscribers;
(l) resolving any conflict of interests between the Certifying Authorities and the subscribers;
(m) laying down the duties of the Certifying Authorities;
(n) Maintaining a data base containing the disclosure record of every Certifying Authority
containing such particulars as may be specified by regulations, which shall be accessible to
public.
Since the computer network is transnational, i.e., it links the whole world, and offences may
be committed by persons residing outside the country, it was essential to recognise foreign
certifying authorities; therefore section 19 deals with the recognition of foreign Certifying
Authorities.
Section 21 of the Information Technology Act, 2000 is to be read with the IT (Certifying
Authorities) Rules, 2000 (Rule 8 and Rule 10). Section 21 of the IT Act, 2000 deals with the
licence required to become a Certifying Authority for issuing Electronic Signatures. As per
Rule 8 of the IT Certifying Authorities Rules, 2000, an individual, being a citizen of India,
can apply to become a Certifying Authority, provided he has a capital of five crores of rupees
or more in his business. A partnership firm under the Indian Partnership Act, 1956 can also
apply to become a Certifying Authority, provided it has a paid-up capital of not less than
five crores of rupees and a net worth of not less than fifty crores of rupees.
No licence shall be issued under section 21(1) unless the applicant fulfils such requirements
with respect to qualification, expertise, manpower, financial resources and other
infrastructure facilities, which are necessary to issue electronic signature certificates, as
may be prescribed by the Central Government. A licence granted under this section shall be
valid for such period as may be prescribed by the Central Government; the licence granted is
not transferable or heritable and is subject to such terms and conditions as the regulations
specify. Under Rule 10 of the IT Certifying Authorities Rules, 2000, the applicant has to
submit a detailed application (Section 22) along with the Certification Practice Statement
and statements regarding procedures with respect to identification of the applicant. The
applicant has to satisfy the Controller about the purpose and the scope of the anticipated
Electronic Signature Certificate technology, management or operations to be outsourced. These
requirements under the IT Certifying Authorities Rules, 2000 must be met to the satisfaction
of the Controller of Certifying Authorities before a licence is issued to the applicant.
Suspension of licence
The Controller may, if he is satisfied after making such inquiry, as he may think fit, that a
Certifying Authority has–
(a) made a statement in, or in relation to, the application for the issue or renewal of the
licence, which is incorrect or false in material particulars;
(b) failed to comply with the terms and conditions subject to which the licence was granted;
(c) failed to maintain the procedures and standards specified in section 30;
(d) contravened any provisions of this Act, rule, regulation or order made thereunder,
revoke the licence: Provided that no licence shall be revoked unless the Certifying Authority
has been given a reasonable opportunity of showing cause against the proposed revocation.
The Controller has power to suspend the licence, pending the completion of any enquiry
ordered by him, if he has reasonable cause to believe that there is any ground for revoking a
licence.
Section 26 lays down certain mandatory requirements which need to be fulfilled. The Controller
has to maintain a comprehensive database. The database has to contain the disclosure record of
every Certifying Authority, containing such particulars as may be specified. The database
shall be accessible to the public.
Under section 26(1), where the licence of a Certifying Authority is suspended or revoked, the
Controller shall publish notice of such suspension or revocation in the database maintained
by him. There are two provisos under section 26(2), providing that the database containing
the notice of such suspension or revocation shall be made available through a website which
shall be accessible round the clock, and that the Controller may publicise the contents of the
database in such electronic or other media as to inform the public.
The Controller may, in writing, authorise the Deputy Controller, Assistant Controller or any
officer to exercise any of the powers of the Controller. Section 28 empowers the Controller to
investigate any contravention of the provisions of the Information Technology Act, 2000, or
of the rules or regulations made thereunder. This power to investigate a contravention may be
exercised by the Controller or by any officer duly authorised by the Controller in this
behalf.
The Controller or any officer authorised by him in this behalf shall exercise the like powers
which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act,
1961 (43 of 1961), and shall exercise such powers, subject to such limitations laid down
under that Act. The Controller shall be deemed to be a civil court for the purposes of section
195, but not for purposes of chapter XXVI of the Code of Criminal Procedure,1973.
Section 29 confers a wide power on the Controller of Certifying Authorities with respect to
access to computers and data. The section opens with the words 'without prejudice to the
provisions of sub-section (1) of section 69', which suggests that action under this section
shall be in addition to the action which may be taken under section 69(1). The Controller or
any person authorised by him shall, if he has reasonable cause to suspect that any
contravention of the provisions of this Chapter has been committed, have access to any
computer system, any apparatus, data or any other material connected with such system, for
the purpose of searching or causing a search to be made for obtaining any information or data
contained in or available to such computer system.
Rule 34 of the IT (Certifying Authorities) Rules, 2000 deals with access to confidential
information. It permits access to confidential information by the Certifying Authority's
operational staff on a need-to-know and need-to-use basis.
The Controller may authorise the Certifying Authority's operational staff to conduct a search
of the confidential information. Rule 34(3) provides that the confidential information shall
not be taken out of the country except with the permission of the Controller. Section 29(2)
provides that, for the purposes of sub-section (1), the Controller or any person authorised by
him may, by order, direct any person in charge of, or otherwise concerned with the operation
of, the computer system, data apparatus or material, to provide him with such reasonable
technical and other assistance as he may consider necessary.
Under section 30, every Certifying Authority shall:
make use of hardware, software and procedures that are secure from intrusion and
misuse;
provide a reasonable level of reliability in its services which are reasonably suited to
the performance of intended functions;
adhere to security procedures to ensure that the secrecy and privacy of the
electronic signatures are assured;
be the repository of all electronic signature Certificates issued under this Act;
publish information regarding its practices, electronic signature Certificates and
current status of such certificates; and
observe such other standards as may be specified by regulations.
Every Certifying Authority shall ensure that every person employed or otherwise
engaged by it complies, in the course of his employment or engagement, with the
provisions of this Act, rules, regulations and orders made thereunder.
Every Certifying Authority shall display its licence at a conspicuous place of the
premises in which it carries on its business.
Every Certifying Authority whose licence is suspended or revoked shall immediately
after such suspension or revocation, surrender the licence to the Controller.
Where any Certifying Authority fails to surrender a licence, the person in whose
favour a licence is issued, shall be guilty of an offence and shall be punished with
imprisonment which may extend up to six months or a fine which may extend up to
ten thousand rupees or with both.
Under section 34, every Certifying Authority shall disclose in the manner specified by
regulations– (a) its electronic signature Certificate (b) any certification practice
statement relevant thereto; (c) notice of the revocation or suspension of its
Certifying Authority certificate, if any; and (d) any other fact that materially and
adversely affects either the reliability of an electronic signature Certificate, which
that Authority has issued, or the Authority's ability to perform its services. (2) Where
in the opinion of the Certifying Authority any event has occurred or any situation has
arisen which may materially and adversely affect the integrity of its computer system
or the conditions subject to which an electronic signature Certificate was granted,
then, the Certifying Authority shall– (a) use reasonable efforts to notify any person
who is likely to be affected by that occurrence; or (b) act in accordance with the
procedure specified in its certification practice statement to deal with such event or
situation.
The Terms and conditions of licence to issue Digital Signature Certificate are
provided under Rule 3 . Rule 3 provides that every licence to issue Digital Signature
Certificates shall be granted under the Act subject to the following terms and
conditions, namely: -
(i) General-
(a) The licence shall be valid for a period of five years from the date of issue.
(b) The licence shall not be transferable or heritable;
(c) The Controller can revoke or suspend the licence in accordance with the
provisions of the Act.
(d) The Certifying Authority shall be bound to comply with all the parameters
against which it was audited prior to issue of licence and shall consistently and
continuously comply with those parameters during the period for which the licence
shall remain valid.
(e) The Certifying Authority shall subject itself to periodic audits to ensure that all
conditions of the licence are consistently complied with by it. As the cryptographic
components of the Certifying Authority systems are highly sensitive and critical, the
components must be subjected to periodic expert review to ensure their integrity
and assurance.
(f) The Certifying Authority must maintain secure and reliable records and logs for
activities that are core to its operations.
(g) Public Key Certificates and Certificate Revocation Lists must be archived for a
minimum period of seven years to enable verification of past transactions.
(h) The Certifying Authority shall provide Time Stamping Service for its subscribers.
Error of the Time Stamping clock shall not be more than 1 in 10.
(i) The Certifying Authority shall use methods, which are approved by the
Controller, to verify the identity of a subscriber before issuing or renewing any Public
Key Certificate.
(j) The Certifying Authority shall publish a notice of suspension or revocation of
any certificate in the Certificate Revocation List in its repository immediately after
receiving an authorised request of such suspension or revocation.
(k) The Certifying Authority shall always assure the confidentiality of subscriber
information.
(l) All changes in Certificate Policy and certification practice statement shall be
published on the web site of the Certifying Authority and brought to the notice of
the Controller well in advance of such publication. However any change shall not
contravene any provision of the Act, rule or regulation or made there under.
(m) The Certifying Authority shall comply with every order or direction issued by the
Controller within the stipulated period.
(a) The Certifying Authority shall manage its functions in accordance with the levels
of integrity and security approved by the Controller from time to time.
(b) The Certifying Authority shall disclose information on the assurance levels of the
certificates that it issues and the limitations of its liabilities to each of its subscribers
and relying parties.
(c) The Certifying Authority shall as approved, in respect of security and risk
management controls continuously ensure that security policies and safeguards are
in place. Such controls include personnel security and incident handling measures to
prevent fraud and security breaches.
(a) To ensure the integrity of its digital certificates, the Certifying Authority shall
ensure the use of approved security controls in the certificate management
processes, i.e. certificate registration, generation, issuance, publication, renewal,
suspension, revocation and archival.
(b) The method of verification of the identity of the applicant of a Public Key
Certificates shall be commensurate with the level of assurance accorded to the
certificate.
(c) The Certifying Authority shall ensure the continued accessibility and availability
of its Public Key Certificates and Certificate Revocation Lists in its repository to its
subscribers and relying parties.
(d) In the event of a compromise of the private key the Certifying Authority shall
follow the established procedures for immediate revocation of the affected
subscribers’ certificates.
(e) The Certifying Authority shall make available the information relating to
certificates issued and/or revoked by it to the Controller for inclusion in the National
Repository.
(f) The private key of the Certifying Authority shall be adequately secured at each
phase of its life cycle, i.e. key generation, distribution, storage, usage, backup,
archival and destruction.
(g) The private key of the Certifying Authority shall be stored in high security
module in accordance with FIPS 140-1 level 3 recommendations for Cryptographic
Modules Validation List.
(h) Continued availability of the private key be ensured through approved backup
measures in the event of loss or corruption of its private key.
(i) All submissions of Public Key Certificates and Certificate Revocation Lists to the
National Repository of the Controller must ensure that subscribers and relying
parties are able to access the National Repository using LDAP ver 3 for X.500
Directories.
(j) The Certifying Authority shall ensure that the subscriber can verify the
Certifying Authority’s Public Key Certificate, if he chooses to do so, by having access
to the Public Key Certificate of the Controller.
(a) The Certifying Authority shall prepare detailed manuals for performing all its
activities and shall scrupulously adhere to them.
(b) Approved access and integrity controls such as intrusion detection, virus
scanning, prevention of denial-of-service attacks and physical security measures shall
be followed by the Certifying Authority for all its systems that store and process the
subscribers' information and certificates.
(c) The Certifying Authority shall maintain records of all activities and review
them regularly to detect any anomaly in the system.
(a) Every Certifying Authority shall get an independent periodic audit done through
an approved auditor. Such periodic audits shall focus on the following issues among
others: -
(b) The Certifying Authority shall follow approved procedures to ensure that all the
activities referred to in (i) to (iv) in sub-regulation (a) are recorded properly and
made available during audits.
(vi) Financial-
(a) Every Certifying Authority shall comply with all the financial parameters during
the period of validity of the licence, issued under the Act.
(b) Any loss to the subscriber, which is attributable to the Certifying Authority, shall
be made good by the Certifying Authority.
(a) The Certifying Authority shall subject itself to Compliance Audits that shall be
carried out by one of the empanelled Auditors duly authorized by the Controller for
the purpose. Such audits shall be based on the Internet Engineering Task Force
document RFC 2527 – Internet X.509 PKI Certificate Policy and Certification Practices
Framework.
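The certificate-management requirements above, in particular immediate revocation of a subscriber's certificate on key compromise, publication of the revocation in a Certificate Revocation List, and a relying party's ability to verify the Certifying Authority's own certificate, reduce to a short exchange between the CA and a relying party. The following Go program is an added example and not code from the Rules, the Controller or any licensed Certifying Authority; it uses only the standard library's crypto/x509 package. A constructed, in-memory CA with a hypothetical name issues subscriber certificates, and signs a CRL listing the ones that have been revoked; RelyingPartyCheck then chains a certificate to the CA, verifies the CRL's signature and freshness, and refuses a listed certificate. The CA key is held in process memory only so that the example runs anywhere; the Rules require it to be kept in a validated hardware security module.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// ErrRevoked means the certificate's serial number is on the CA's current CRL.
var ErrRevoked = errors.New("certificate is revoked")

// signCert signs tmpl under parent with priv and returns the parsed certificate.
func signCert(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDemoCA builds a constructed, in-memory Certifying Authority (demonstration only; a licensed
// CA keeps this key in a hardware security module) with a self-signed certificate that may sign CRLs.
func NewDemoCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Certifying Authority (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour), // five-year term, like a licence
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueSubscriber signs a one-year certificate; the subscriber's key pair is generated here and dropped.
func IssueSubscriber(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, commonName string) (*x509.Certificate, error) {
	subKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return signCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, caCert, &subKey.PublicKey, caKey)
}

// PublishCRL signs a CRL with the given CRL number listing the revoked serials; NextUpdate marks when it goes stale.
func PublishCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, revoked ...*x509.Certificate) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(number),
		ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour),
	}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey)
}

// RelyingPartyCheck chains cert to the CA, verifies the CRL's signature and freshness, and refuses a listed serial.
func RelyingPartyCheck(cert, caCert *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // not issued by this CA, expired, or not yet valid
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return err // a CRL this CA did not sign proves nothing
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is stale; fetch a newer one before deciding")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
```

With NewDemoCA, two subscriber certificates with serials 2 and 3, and PublishCRL(caCert, caKey, 1, bob), RelyingPartyCheck returns nil for the unrevoked certificate and ErrRevoked for the revoked one. A CRL signed by a different CA fails at CheckSignatureFrom, and a CRL whose NextUpdate has passed is refused rather than treated as proof of non-revocation: "no revocation known" and "no current information" are different answers, and only the first justifies trusting the certificate.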
The Standards
Every Certifying Authority shall observe the standards (under Rule 4) for carrying out
the different activities associated with its functions. According to Rule 5, every Certifying Authority shall
disclose:
(a) its Digital Signature Certificate which contains the public key corresponding to
the private key used by that Certifying Authority to digitally sign another Digital Signature
Certificate;
(b) any Certification Practice Statement relevant thereto;
(c) notice of the revocation or suspension of its Certifying Authority Certificate, if any; and
(d) any other fact that materially or adversely affects either the reliability of a Digital
Signature Certificate which that Authority has issued, or the Authority's ability to perform
its services.
The above disclosure shall be made available to the Controller by filling in online
forms on the web site of the Controller on the date and time the information is made public,
and the Certifying Authority shall digitally sign the information. Rule 6 provides that in case
of a compromise of the Private Key, it shall be communicated to the Certifying Authority
without any delay.
MODULE 16:
Social media and its role in Cyber World
Andreas Kaplan and Michael Haenlein define social media as “a group of internet-based
applications that build on the ideological and technological foundations of Web 2.0, and
that allow the creation and exchange of user-generated content”.
The Organization for Economic Cooperation and Development (OECD) specifies three
criteria for content to be classified as “user generated:” (1) it should be available on a
publicly accessible website or on a social networking site that is available to a select group,
(2) it entails a minimum amount of creative effort, and (3) it is “created outside of
professional routines and practices.” Social media includes web- based and mobile
technologies used to turn communication into interactive dialogue. Social media comprises
primarily internet and mobile phone based tools for sharing and discussing information. It
blends technology, telecommunications, and social interaction and provides a platform to
communicate through words, pictures, films, and music. Today users spend most of their
time on smart phones and smart devices for accessing social networking sites, in comparison
to traditional web access. All social media websites are seeing a dramatic increase in their
adoption across the world. Some websites like Facebook have become predominant. There
is an important observation to be made with respect to the absence of a definition of social
media under the law of India. However, the amendments made to the IT Act, 2000 have
introduced the concept of Intermediary, and the term intermediary has been defined to
mean any person with respect to any particular electronic record who on behalf of another
person receives, stores, or transmits that record and specifically includes telecom service
providers, online auction portals, online market places, online payment sites, search engines
and cyber cafes. The social media has enabled everyone to become a creator, publisher,
transmitter as also a repository for information including third party data or information as
also sensitive personal data or information.
Section 2(w) of the Information Technology Act, 2000 defines “intermediary”, with
respect to any particular electronic record, as any person who on behalf of another person
receives, stores or transmits that record or provides any
service with respect to that record, and includes telecom service, network service, internet
service, web-hosting service providers, search engines, online payment sites, online auction
sites, online market places and cyber cafes.
Smart devices are the future of technology. New models are emerging with each
passing month, bringing far more computing capacity and capability into the hands of users.
While smart devices are intended to make users smarter, more productive and more
efficient, the fact remains that misuse of these devices is already beginning to
happen. In India, the IT Act, 2009 deals with the various rules and regulations governing
all the activities done using iPads, tablets, smart phones, smart devices etc.
Social Media-Types
In 2010, Kaplan and Haenlein classified social media into six different types: a) collaborative
projects (e.g., Wikipedia), b) blogs and micro blogs (e.g., Twitter), c) content communities
(e.g., YouTube), d) social networking sites (e.g., Facebook), e) virtual game worlds, and f)
virtual social worlds. Social media can be broadly divided into the following categories:
1. Social networking
Social networking is an online service that enables its users to create virtual networks with
likeminded people. It offers facilities such as chat, instant messaging, photo sharing, video
sharing, updates etc. The most popular are Facebook and LinkedIn.
2. Blogs
Blogs are descriptive content created and maintained by individual users and may contain
text, photos and links to other websites. The interactive feature of blogs is the ability of
readers to leave comments and the comment trail can be followed.
3. Micro blogs
Micro blogs are similar to blogs with a typical restriction of 140 characters or less, which
allows users to write and share content. Twitter is a micro blogging site that enables its
users to send and read ‘tweets’.
5. Wikis
Wiki is a collaborative website that allows multiple users to create and update pages on
particular or interlinked subjects. While a single page is referred to as ‘wiki page’, the entire
related content on that topic is called a ‘Wiki’. These multiple pages are linked through
hyperlinks and allow users to interact in a complex and non- linear manner.
6. Social Bookmarking
These services allow one to save, organize and manage links to various websites and
resources around the internet. Interaction is by tagging websites and searching through
websites bookmarked by other people. The most popular are Delicious and Stumble Upon.
7. Social News
These services allow one to post various news items or links to outside articles. Interaction
takes place by voting for the items and commenting on them. Voting is the core aspect as
the items that get the most votes are prominently displayed. The most popular are Digg,
Reddit and Propeller.
8. Media Sharing
These services allow one to upload and share photos or videos. Interaction is by sharing and
commenting on user submissions. The most popular are YouTube and Flickr.
It is pertinent to note that whatever is written by a user on the social media websites is legal
evidence and can be used against the concerned person in legal proceedings and for legal
purposes.
Internet is open to misuse as well, which gives the State a justification to regulate online
content in the interests of the public at large. Several cyber-crimes, defamation, invasion of
privacy, incitement of offences, racist remarks, stalking, abuse, hacking, harassment and
many more can be easily committed through social media and once such objectionable
content is uploaded, it becomes viral and consequently, very difficult to contain. Hence, the
importance of the State regulating social media also cannot be denied.
The Internet and Social Media has become a vital communications tool through which
individuals can exercise their right of freedom of expression and exchange information and
ideas. In the past year or so, a growing movement of people around the world has been
witnessed who are advocating for change, justice, equality, accountability of the powerful
and respect for human rights.
Emphasising the importance of internet, the UN Special Rapporteur on the promotion and
protection of the right to freedom of opinion and expression in his Report, which was
submitted to the Human Rights Council, stated that the internet has become a key means by
which individuals can exercise their right to freedom and expression and hence, internet
access is a human right. The States have a positive obligation to promote and facilitate the
enjoyment of the right of freedom of expression. In most of the nations the right to freedom
of speech and expression comes along with certain reasonable restrictions and are not
absolute in nature. The freedom of speech and expression does not confer on the citizens
the right to speak or publish without responsibility. Article 19(3) of the ICCPR imposes
restrictions on the following grounds: (a) For respect of the rights of reputations of others
;(b) For protection of national security, or public order, or public health or morals. As per
Article 19(2) of the Constitution of India, the legislature may enact laws to impose
restrictions on the right to speech and expression on the following grounds: (a) Sovereignty
and integrity of India (b) Security of the State (c) Friendly relations with foreign States (d)
Public order (e) Decency or morality (f) Contempt of court (g) Defamation (h) Incitement to
an offence
Sections 65, 66, 66A, 66C, 66D, 66E, 66F, 67, 67A and 67B contain punishments for computer
related offences which can also be committed through social media viz. tampering with
computer source code, committing computer related offences given under Section 43,
sending offensive messages through communication services, identity theft, cheating by
personation using computer resource, violation of privacy, cyber terrorism, publishing or
transmitting obscene material in electronic form, material containing sexually explicit act in
electronic form, material depicting children in sexually explicit act in electronic form,
respectively. Section 69 of the Act grants power to the Central or a State Government to
issue directions for interception or monitoring or decryption of any information through any
computer resource in the interest of the sovereignty or integrity of India, defence of India,
security of the State, friendly relations with foreign States, public order, for preventing
incitement to commission of any cognizable offence, for investigation of any offence.
Section 69A grants power to the Central Government to issue directions to block public
access to any information through any computer resource on similar grounds. Section 69B
grants power to the Central Government to issue directions to authorize any agency to
monitor and collect traffic data or information through any computer resource for cyber
security.
Section 79 provides for the liability of intermediaries. An intermediary shall not be liable for any
third party information, data or communication link made available or hosted by him in the
following cases: his function is limited to providing access to a communication system over
which such information is transmitted, stored or hosted; he does not initiate the transmission, select the
receiver of the transmission, or select or modify the information contained in the transmission; and the intermediary
observes due diligence and other guidelines prescribed by the Central Government while
discharging his duties.
Again, an intermediary shall be liable in the following cases: if he has conspired, abetted,
aided or induced, by threats, promise or otherwise, the commission of the unlawful act; if he
fails to expeditiously remove or disable access to the material which is being used to commit
the unlawful act upon receiving actual knowledge or on being notified; and if he fails to assist or comply
with directions, or intentionally contravenes the provisions, under Sections 69, 69A and 69B
respectively, he shall be liable to punishment.
Section 43A provides that where a body corporate possessing, dealing or handling any
sensitive personal data or information in a computer resource owned, controlled or
operated by it, is negligent in implementing and maintaining reasonable security practices
and procedures thereby causing wrongful loss or wrongful gain to any person, it shall be
liable to pay damages by way of compensation to the affected person. Section 70B provides
for an agency of the Government to be appointed by the Central Government called the
Indian Computer Emergency Response Team, which shall serve as the national agency for
performing functions relating to cyber security.
It is imperative for social media websites to ensure that while they deal with sensitive
personal information in their capacity as an intermediary, they are duty bound to observe
reasonable security practices and procedures in order to safeguard and protect the said
information from unauthorised access or exposure. The law has now specifically talked
about content which is offensive or which has a menacing character. Under section 66A
of the Information Technology Act, 2000, if any information is sent from iPads, tablets,
smart phones and smart devices that is of an offensive or menacing character, then it will
amount to an offence. Also, any information which is sent and which the sender knows to be
false, but has sent for the purpose of causing insult, hatred, ill will or annoyance, is also an
offence as per section 66A.
(c) harm minors in any way;
(d) infringes any patent, trademark, copyright or other proprietary rights;
(e) violates any law for the time being in force;
(f) deceives or misleads the addressee about the origin of such messages or communicates
any information which is grossly offensive or menacing in nature;
(g) impersonate another person;
(h) contains software viruses or any other computer code, files or programs designed to
interrupt, destroy or limit the functionality of any computer resource;
(i) threatens the unity, integrity, defence , security or sovereignty of India, friendly relations
with foreign states, or public order or causes incitement to the commission of any
cognizable offence or prevents investigation of any offence or is insulting any other nation.
Rule 3(2) states that the intermediary shall not ‘knowingly host or publish’ any
information or shall not initiate the transmission, select the receiver of transmission, and
select or modify the information contained in the transmitted information. The ambiguous
words used in Rule 3(2) on the nature of content that should not be posted by users make it
difficult for the users as well as for the intermediaries to determine the type of content that
will be classified as objectionable. Words and phrases like grossly harmful, harassing,
blasphemous, disparaging and 'harm minors in any way' are not defined in these Rules or in
the Act or in any other legislation. These ambiguous words make the Rules susceptible to
misuse.
The proviso to Rule 3(2) states that the following actions by an intermediary shall not
amount to hosting, publishing, editing or storing of any such information as specified:
(a) temporary or transient or intermediate storage of information automatically within the
computer resource as an intrinsic feature of such computer resource, involving no exercise
of any human editorial control, for onward transmission or communication to another
computer resource;
(b) removal of access to any information, data or communication link by an intermediary
after such information, data or communication link comes to the actual knowledge of a
person authorized by the intermediary pursuant to any order or direction as per the
provisions of the Act.
As per Rule 3(4), the intermediary, on whose computer system the information is stored
or hosted or published, upon obtaining knowledge by itself or on being brought to actual
knowledge by an affected person in writing or through email signed with electronic
signature about any such information, shall act within thirty six hours and work with the user or
owner of such information to disable such information that is in contravention of sub-rule
(2). Further, the intermediary shall preserve such information and associated records for at
least ninety days for investigation purposes.
The intermediary's duties also include informing its users that, in case of non-compliance with
rules and regulations, the intermediary has the right to immediately terminate the access or
usage rights of the users to the computer resource of the intermediary and remove non-
compliant information. Rule 3(7) states that
When required by lawful order, the intermediary shall provide information or any such
assistance to Government Agencies who are lawfully authorized for investigative,
protective, cyber security activity. The information or any such assistance shall be provided
for the purpose of verification of identity, or for prevention, detection, investigation,
prosecution, cyber security incidents and punishment of offences under any law for the time
being in force, on a request in writing stating clearly the purpose of seeking such
information or any such assistance.
Rule 3(8) provides that the intermediary shall take all reasonable measures to secure its computer
resource and the information contained therein, following the reasonable security practices and
procedures prescribed in the Information Technology (Reasonable security practices and
procedures and sensitive personal Information) Rules, 2011. The intermediary shall report
cyber security incidents and also share information relating to cyber security incidents with the
Indian Computer Emergency Response Team (Rule 3(9)).
Rule 3(10) prohibits intermediaries from circumventing any law by employing technical
means to affect the normal functioning of computer resources. It also requires intermediaries to
publish the name of a grievance officer and to establish a redressal mechanism for
complaints by users against other persons who act in violation of Rule 3.
The Information Technology (Procedure and Safeguards for Blocking for Access of
Information by Public) Rules, 2009
These rules are made by the Central Government in exercise of its powers under Section
87(2) (z) with regard to the procedure and safeguards for blocking for access by the public
under Section 69A (2). Rules 3, 4, 5, 6, 7 and 8 contain the regular method of sending
request for blocking to the Nodal officer of concerned organization who shall examine it and
forward it to the Designated Officer of the Central Government who shall further examine it
along with a Committee and then, their recommendation shall be sent to the Secretary,
Department of IT for his approval, upon which the Designated Officer shall direct such
blocking. Rule 9 grants power to the Designated Officer to take a decision regarding blocking
in cases of emergency where delay is unacceptable. Rule 13 provides that every
intermediary shall designate a person to receive and handle directions for blocking of
information, who shall acknowledge receipt of the directions to the Designated Officer
within two hours of receipt through acknowledgment letter or fax or e- mail. Rule 10
provides that the Designated Officer, on receipt of a court order directing blocking of any
information, shall submit it to the Secretary, Department of Information and Technology
and initiate action immediately.
CYBER LAW (Paper- III)
CHAPTER-I
Introduction
In over forty years of its existence, the Internet has evolved from being a United States
Government project into the most prominent mode of communication mankind has ever
witnessed. In its initial phase, the Internet was merely a technical curiosity. However, with
the passage of time, it has become an important and pervasive aspect of human existence.
The Internet has redefined our methods of communication, work, study, education,
interaction, leisure, entertainment, health, trade and commerce. The growth of the Internet
has been phenomenal. In the past decade, the Internet has made a huge impact on the daily
activities of our lives. It has made shopping while sitting in the comforts of our houses and
offices a reality. It has brought malls, grocery stores and other places that sell articles of daily
requirements, right into the centre of our houses and offices. Using the Internet any person can
purchase essentially anything that one could ever need, from online services like eBay,
Amazon, Simon Delivers and a whole host of other web sites that sell various types of
merchandise and services. The Internet has also changed the ways through which we obtain
and disseminate information and communicate with each other. The Internet is like a huge
storehouse of information that can be accessed and downloaded by any user sitting in any
part of the globe. Before the advent of the Internet, communication and exchange of
information between people sitting in remote corners of the globe used to be possible but at
very expensive costs. But today, the Internet with its services like e-mail, messenger and
virtual chat rooms has made such communication and exchange of information a lot cheaper
and easier. Apart from affecting our daily activities and the way we communicate and deal
with information, the Internet has also created large-scale changes in the market economy and
affected the way we do business. The growth of the Internet has brought into existence an
entire new industry of dot.com corporations like AOL, Google, and Yahoo which have led to
the rise of the global e-commerce industry. In a very short span of time, the Internet has
emerged as a powerful tool capable of creating new jobs, advancing technology, shortening
product life cycles, and circumventing international communication barriers.
The ARPANET marks the birth point of the Internet. It came into existence in 1969. It
comprised four computers placed at the University of California at Los Angeles
(“UCLA”), the University of California at Santa Barbara (“UCSB”), Stanford Research
Institute (“SRI”), and the University of Utah. These four computers were connected via
IMPs. Software called the Network Control Protocol (“NCP”) provided communication
between the computers.
In 1972, two engineers, Vint Cerf and Bob Kahn, both of whom were part of the ARPANET
group, came up with the idea of ‘Internetting’ i.e. connecting one computer network with
another. The idea resulted in the advent of ‘Gateway’, a hardware device that allowed free
flow of information between two different networks. It also resulted in the invention of the
TCP/IP Protocol, a successor to the NCP. IP handled datagram routing while TCP managed
higher level functions such as segmentation, reassembly, and error detection. In 1981, TCP/IP
was included in UNIX, the most popular operating system of that time.
Every computer on the Internet has a unique identification number, known as the Internet
Protocol Address (“IP Address”). The IP Address of a computer consists of four numbers
from 0 to 255, each separated by a period. An example of an IP Address is 198.41.0.108. By
using the system of IP Addresses, computers contact, communicate and share data with
each other on the Internet. The early users of the Internet found it difficult and
cumbersome to remember the IP Addresses of various computers, and thus the need for a
more user-friendly system arose. Consequently, in 1984, the DNS was adopted.
A domain name is a user-friendly substitute for the unique IP Address of a computer hosting a
website. For example, the alphabetical string ‘www.google.com’ is a substitute for
64.233.161.19, the IP address of the computer hosting the ‘Google’ website. The advent and
use of the DNS assisted internet users in locating computers on the internet with a lot more
ease.
The Internet, as we know it today, is based on the World Wide Web (WWW), a concept
introduced in 1993. The introduction of the World Wide Web made the Internet graphical,
interactive and extremely user-friendly. The World Wide Web is a network of websites that
can be searched and retrieved by a special protocol known as Hyper Text Transfer Protocol
(HTTP). This protocol simplified the writing of addresses; automatically searched the
Internet for the address indicated and ‘called up’ the document for viewing. HTTP was
written by Tim Berners-Lee in 1989, but came online only in 1993.
The term ‘Intellectual Property Rights’ refers to rights associated with property that is a
product of human intellect. Intellectual Property includes the following:
a) Copyright
b) Trademarks
c) Patents
d) Industrial Designs
e) Trade Secrets
f) Geographical Indications
g) Plant Varieties
h) Semiconductor Integrated Circuit Layout Design
There exist three principal theories regarding the need to protect Intellectual Property Rights
(“IPRs”).
1. Labor Theory: This theory originates from the writings of John Locke. According to this
theory, a person who labors on facts and concepts that are either not owned by anybody or
held in common by the society, has a natural property right to the fruits of his or her labor and
the State has a duty to respect and enforce such natural right. Thus, intellectual property
generated by an individual from the common pool of knowledge should be protected as his/her
natural right.
2. Personality Theory: This theory originates from the writings of Kant and Hegel. According
to this theory, intellectual property rights require protection because they protect products
through which individuals express themselves and attain their personhood. This theory is
based on the premise that a work created by an individual is an extension of his/her
personality and by creating more works a person is able to attain his/her best human abilities.
3. Utilitarian Theory: This theory is best explained in the works of William Landes and
Richard Posner. According to this theory, intellectual property rights require protection in
order to create incentive for individuals to create more and more socially valuable intellectual
products. Such a scenario would ultimately result in an economically efficient and intelligent
society.
The origin of trademarks can be traced back to India. Over 3000 years ago, Indian craftsmen
used to etch their signatures on their creations before sending them to the middle-east
countries. Later, the Romans started using trademarks. However, under Roman law, the
onus was on the cheated buyer to take action against infringer of trademark. It was during the
Middle Ages that the use of trademarks gained currency. In the modern day world,
trademarks are granted significant protection and they play a pivotal role in fostering
economic growth of competing national economies.
1. Identification Function: A trademark assists consumers in identifying the goods and
services originating from a particular manufacturer or service provider, as distinct from the goods and
services of other manufacturers and service providers. For example, the trademark TATA
printed on a particular product informs the consumer that the product originated from the
TATA Group and not from any other enterprise.
purchases a product and uses it, he/she makes a judgment regarding the product and
remembers its identity/trademark. If the consumer finds the product to be satisfactory, he/she
prefers to purchase it ahead of any other unknown product. As a consequence of this habit
amongst consumers, owners of trademarks invest heavily in the quality of the goods and
services a trademark identifies.
A trademark is a sign that individualizes the goods of a given enterprise and distinguishes them
from the goods of its competitors.
Section 2(1)(zb) of the Trademarks Act, 1999, defines a trademark as a mark capable of
being represented graphically and which is capable of distinguishing the goods or services of
one person from those of others and may include shape of goods, their packaging and
combination of colors.
Section 2(1)(m) of the Trade Marks Act, 1999 provides an inclusive definition of mark and
states that ‘Mark’ includes a device, brand, heading, label, ticket, name, signature, word, letter,
numeral, shape of goods, packaging or combination of colours or any combination thereof.
Device: The Star on the hood of Mercedes-Benz; the Flying Lady on the Rolls-Royce.
Letters: GM (General Motors), VW (Volkswagen), KLM (Dutch Airlines).
Numeral: 555 (Cigarettes), 4711 (Cologne).
Words: Adidas, Nike, Reebok, Kodak.
Picture: Crocodile (Lacoste).
Combination of Colors:
Smell (Olfactory): Floral fragrance applied to tires by a UK company, Sumitomo Tyres.
Sound: Nokia’s default ringtone; Roar of the MGM lion.
Taste: Stamp or Envelope where the glue has a particular flavor.
Hologram:
Having satisfied these conditions, a trademark has to pass the muster of Sections 9 and 11 of
the Trademarks Act, 1999. Section 9 provides ‘Absolute Grounds for Refusal of Registration
of a Trademark’ and Section 11 provides ‘Relative Grounds for Refusal of Registration of a
Trademark’.
[1] This requirement is not mandated by the TRIPS Agreement, 1994.
[2] Imperial Tobacco v Registrar of Trademarks, AIR 1977 Cal 413.
A mark acquires distinctiveness by virtue of its continuous usage and popularity amongst
consumers. Surnames and other generic marks
usually acquire distinctiveness over a period of time. Examples of marks having acquired
distinctiveness are TATA, FORD etc.
According to Section 9(1)(b) of the Act, trademarks which consist exclusively of marks or
indications which may serve in trade to designate the kind, quality, quantity, intended
purpose, values, geographical origin or the time of production of the goods or rendering of
the service or other characteristics of the goods or service shall not be registered.
This provision prohibits registration of descriptive marks. Such marks are denied registration
because they lack the capability to distinguish the goods or services of one person from those
of others. It is commonly believed that the more apt a mark is to describe the goods or
services of a person the less apt it is to distinguish them.
According to Section 9(1)(c) of the Act, trademarks which consist exclusively of marks or
indications which have become customary in the current language or in the bona fide and
established practices of the trade are not registrable.
This provision prevents the registration of generic words as trademarks. For example ‘Apple’
cannot be registered by a wholesale dealer of apples or ‘Vehicles’ cannot be registered by a
car dealer.
4. According to section 9(2) and 9(3) of the Act, the following trademarks cannot be
registered:
(a) A trademark which by its very nature will deceive the public or cause confusion.
(b) A trademark that contains matter likely to hurt the religious susceptibilities of persons;
(c) A trademark that contains or consists of any matter the use of which is prohibited by the
Emblems and Names (Prevention of Improper Use) Act, 1950;
(d) A trademark comprising the shape of goods shall not be registered if:
(i) The shape of the goods results from the nature of the goods themselves, that is to say,
it is the natural shape of the goods;
(ii) The shape of the goods is necessary to obtain a technical result; or
(iii) The shape gives substantial value to the goods.
[3] Hindustan Lever v Kilts (1982) PTC 38.
[4] (1979) RPC 143.
The prohibitions contained in Section 9 are generally applicable to all kinds of marks. The
marks prohibited under Section 9(2) are not registered under any circumstances.
The procedure for registration of a trademark is provided under Sections 18-23 of the
Trademarks Act, 1999:
The application for registration of a trademark can be made by any person claiming to be the
proprietor of a trademark. The application is to be made to the Registrar of Trademarks on
Form TM-1. At the time of registration, it is not necessary for the applicant to establish use of
the trademark. It is open for the applicant to register the trademark for future use.
The power under this section can be exercised by the Registrar subject to certain conditions.
The Registrar has to issue a notice to the applicant specifying the objections which have led him to think that
the application has been accepted in error or why the mark should not be registered, and
give him an opportunity of being heard by requiring him to show cause why
acceptance should not be withdrawn.[5]
After acceptance of the Application, the Registrar has to get the application advertised in the
prescribed manner in the Official Gazette. The objective behind advertisement is to inform
the public at large about the application and to give an opportunity to any interested party to
oppose the registration of the trademark.
Subject to Section 19 and any order of the Central Government that directs otherwise, the
Registrar is bound to register a trademark in the following circumstances:
a) When the application has not been opposed and the time for notice of opposition has
expired; or
b) The application has been opposed and the opposition has been decided in favor of the
applicant.
Once the Registrar enters the trademark in the Register of Trademarks, it is deemed to be
registered from the date on which the application for registration was filed, and that date is
also treated as the date of registration of the trademark.
[5] Relevant Case: Tikam Chand and Another v Dy. Registrar of Trade Marks 1998 PTC 542 (Del).
Trademark Infringement
Upon registration of a trademark, the owner gets the exclusive right to use the trademark in
relation to the goods and services in respect of which it has been registered. When any
person, other than the owner of the registered trademark or a permitted user, uses a mark that
is identical or deceptively similar to the registered trademark, in relation to goods and
services for which the trademark is registered, infringement of trademark takes place.
a) The infringing trademark must be either identical with or deceptively similar to the
registered trademark.
b) The goods or services in respect of which the infringing trademark is used should be
covered by the class of goods or services qua which the earlier trademark is
registered.
In Durga Dutt Sharma v Navratna Pharmacy Laboratories, AIR 1965 SC 980, the Supreme
Court of India has laid down the following guidelines regarding trademark infringement
cases:
a) The onus of establishing infringement of trademark is on the plaintiff.
b) In a case where the infringing trademark is identical to the registered trademark, no
further inquiry is required by a Court.
c) In a case where the infringing trademark is not identical to the registered trademark,
the plaintiff would have to establish that the use of the defendant’s trademark is likely
to deceive or cause confusion amongst the relevant section of public.
d) While comparing the two trademarks, a Court has to look into their degree of
resemblance. The degree of resemblance is determined by noting the essential feature
of the two trademarks.[6]
Passing Off
Passing Off is a common law remedy against an action of deceit i.e. passing off by a person
of his own goods as that of another. It is based on the principle that “no man is entitled to
represent his goods as being the goods of another man; and no man is required to use any
mark, sign or symbol, device or means, whereby without making a direct representation
himself to a purchaser who purchases from him, he enables such purchaser to tell a lie or to
make a false representation to somebody else who is the ultimate purchaser.”[7]
The main objective behind the existence of passing off remedy is to protect the consumers
from being confused at the time of purchasing goods or services. The objective is achieved by
prohibiting acts that tend to create false impressions or result in misleading of the public
regarding the origin of the product. As an offshoot of the aforesaid objective, the passing off
remedy also assists in protecting the interests of the owners of unregistered trademarks and
promotes fair competition in the market.
[6] S.M. Dyechem v Cadbury’s (India) Pvt. Ltd., AIR 2000 SC 2114.
[7] Singer Manufacturing Co. v Loog (1880) 18 Ch. D. 395, p. 412.
In an action of passing off, a plaintiff has to establish the ‘classical trinity’:[8]
a) Reputation
The plaintiff has to establish that its trademark has an established goodwill and reputation
regarding certain products and the public identifies and associates the plaintiff and
nobody else with those products.
b) Deception
The plaintiff has to establish that there is a likelihood of confusion amongst the public or
damage to the reputation of the plaintiff and such likelihood originates from the acts of
the defendant.
c) Damage
The plaintiff has to establish that the act of the defendant is likely to cause damage or
injury to its reputation and goodwill. The plaintiff is not required to prove that it suffered
actual loss or damage.
The probability of deception is a question of fact, which depends upon a number of factors, as
held by the Supreme Court in the Cadila Healthcare case:[9]
(i) Nature of the mark
(ii) Degree of resemblance between the marks.
(iii) Nature of goods in respect of which they are used
(iv) Similarity in the nature, character and performance of the goods of the rival
traders.
(v) Class of purchasers who are likely to buy the goods bearing the marks, their
education and intelligence and the degree of care they are likely to exercise.
(vi) Mode of purchasing
(vii) Any other surrounding circumstances which may be relevant.
[8] Harrods v Harrodian School (1996) RPC 698.
[9] Cadila Healthcare Ltd. v Cadila Pharmaceutical Ltd. (2001) 5 SCC 73. Another important case is Mahendra and Mahendra Paper Mills Ltd. v Mahindra and Mahindra Ltd., AIR 2002 SC 117.
2.2 Domain Names
From the perspective of an ordinary man, a “Domain Name” is the string of characters
(words)[10] that a user of the Internet types in a web browser in order to open a website. In
technical terms, a domain name[11] is the user-friendly substitute for the address of a
computer/server hosting a website on the Internet.[12] Every computer on the Internet has a
unique IP address, which is a set of four numbers from 0 to 255 separated by periods, for
example 198.41.0.108. Using these addresses, one computer is able to contact, communicate
and share data with any other computer on the Internet. Internet users find it difficult and
cumbersome to remember these number strings; therefore a more user-friendly system of
domain names was adopted in 1984. The purpose of domain names is to enable users to
locate sites on the Internet in an easy manner.
Anatomy of a Domain Name
Domain names are read from right to left, and are divided into “levels”. The “top level
domain” (“TLD”) corresponds to either the generic type of organization or the geographic
origin of the organization. The “second level domain” (“SLD”) portion of the domain name
appears directly before the TLD and is the key feature of the domain name. The SLD[13]
portion of the domain name establishes the unique identity of an entity on the Internet. The
prefix ‘www’ is a standard for all World Wide Web addresses. The following depiction gives
a better understanding of the anatomy of a domain name:
http://www.hotmail.com
[10] As described by most vendors offering to sell Domain Names, at http://www.acelogic.co.uk/help/mainhelp.php?page=sitename.htm&hp=host and http://www.1stdomain.net/
[11] For a brief background on domain names, see J. Thomas McCarthy, McCarthy On Trademarks And Unfair Competition, 4th Ed. 1998. (Last visited on Sept. 28, 2009)
[12] For example, www.google.com is the user-friendly substitute for the computer/server no. 64.233.161.99 which hosts the popular search engine ‘Google’. Instead of typing www.google.com, an Internet user can access the Google website by typing 64.233.161.99.
[13] A corporation can establish additional levels (possibly representing separate divisions of the corporation) to a second level domain name by separating the new level from the second level domain name by a period (.). For example, WIPO could establish multiple domain levels such as “publications.wipo.com” or “reports.wipo.com”. The creation of multiple levels is constrained by the twenty-two character limit.
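As an added example (not code from the study material), the following Python parses the two address formats described above: the dotted-quad IP Address, and the domain name read right to left into TLD, SLD and any further levels, as footnote 13 illustrates with publications.wipo.com. The label rules (letters, digits and hyphens, at most 63 characters per label), the two-letter test for a ccTLD, and the small lookup table standing in for the DNS are assumptions not stated in the text.

```python
"""
Added illustration of the text above (not part of the original study material):
the dotted-quad IP Address format, and a domain name read right to left into
levels (TLD, SLD, further levels). Label rules and the 63-character limit are
standard DNS conventions assumed here, not taken from the text.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed standard hostname label rule: letters, digits and hyphens, with no
# leading or trailing hyphen. Names are lower-cased before matching.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")
MAX_LABEL_LEN = 63  # per-label DNS limit (assumption, not from the text)


def is_valid_ipv4(address: str) -> bool:
    """Check the format the text gives: four numbers from 0 to 255 joined by periods.

    Deliberately stricter than int(): an empty field, a sign, whitespace, a
    non-ASCII digit or a leading zero ('08' is read as octal by some resolvers)
    is rejected, because an address that two systems parse differently is a
    classic way past an address-based filter.
    """
    fields = address.split(".")
    if len(fields) != 4:
        return False
    for field in fields:
        if not (field.isascii() and field.isdigit()):
            return False
        if len(field) > 1 and field[0] == "0":
            return False
        if int(field) > 255:
            return False
    return True


@dataclass(frozen=True)
class DomainAnatomy:
    """A domain name broken into the levels the text describes."""
    tld: str             # top level domain, e.g. 'com' or 'fr'
    sld: str             # second level domain: the unique identity, e.g. 'hotmail'
    lower_levels: tuple  # levels left of the SLD, e.g. ('www',) or ('publications',)
    tld_kind: str        # 'ccTLD' for two-letter TLDs, 'gTLD' otherwise

    @property
    def registrable_name(self) -> str:
        """SLD plus TLD: the part a registrant actually registers."""
        return f"{self.sld}.{self.tld}"


def parse_domain(name: str) -> DomainAnatomy:
    """Read a domain name right to left into TLD, SLD and any further levels.

    Tolerates an 'http://' or 'https://' prefix, a path and a trailing root
    dot, since users type all of these; any other malformed label raises.
    """
    host = name.strip().lower()
    for scheme in ("https://", "http://"):
        if host.startswith(scheme):
            host = host[len(scheme):]
    host = host.split("/", 1)[0].rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        raise ValueError(f"{name!r}: a domain name needs at least a TLD and an SLD")
    for label in labels:
        if len(label) > MAX_LABEL_LEN or not LABEL_RE.match(label):
            raise ValueError(f"{name!r}: invalid label {label!r}")
    tld, sld = labels[-1], labels[-2]
    kind = "ccTLD" if len(tld) == 2 else "gTLD"
    return DomainAnatomy(tld=tld, sld=sld, lower_levels=tuple(labels[:-2]), tld_kind=kind)


# Constructed table standing in for the DNS. The google.com pair is the one the
# text gives; the hotmail.com pairing is constructed for illustration only.
SAMPLE_DNS = {
    "www.google.com": "64.233.161.19",
    "www.hotmail.com": "198.41.0.108",
}


def resolve(name: str, table: dict = SAMPLE_DNS) -> str | None:
    """Substitute a domain name with its IP Address, as the DNS does for users.

    The name is normalised through parse_domain first, so 'WWW.Google.COM.' and
    'www.google.com' hit the same entry, and the answer is checked to be a
    well-formed dotted quad before it is handed back.
    """
    anatomy = parse_domain(name)
    key = ".".join(anatomy.lower_levels + (anatomy.sld, anatomy.tld))
    address = table.get(key)
    if address is None or not is_valid_ipv4(address):
        return None
    return address


if __name__ == "__main__":
    for example in ("http://www.hotmail.com", "publications.wipo.com",
                    "www.paris.fr", "John.Smith.NAME", "smith.law.pro"):
        a = parse_domain(example)
        print(f"{example:26} TLD={a.tld:5} ({a.tld_kind}) SLD={a.sld:8} lower={a.lower_levels}")
    print(resolve("WWW.Google.COM."))
```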
There are two kinds of Domain Names:
1. Generic Top Level Domains (“gTLDs”): These are domain names which are not country
specific, e.g. www.hotmail.com, www.wipo.org etc.
2. Country Code Top Level Domains (“ccTLDs”): These are domain names specific to a
country, e.g. www.pokey.ch (Switzerland), www.paris.fr (France), www.vodafone.uk
(United Kingdom) etc.
For a long time, there were only 7 gTLDs (Generic Top Level Domains),
consisting of:[14]
.com generally used by commercial organisations
.net generally used by Internet service companies
.org generally used by non-profit organisations
.mil reserved for use by US military organisations
.gov reserved for use by US government organisations
.edu reserved for use by established colleges and universities
.int reserved for use by international organisations and databases arising out of
international treaties.
On November 16, 2000, ICANN[15] selected seven new gTLDs in addition to those
mentioned above:
1) .aero: It is intended only for use by members of the aviation community. Registration of
a .aero domain name is done in 2 steps: (a) Identification: before a registrant can submit an
application for a .aero domain name, the registrant must be recognized as a member of the
aviation community and obtain an Aviation Membership ID from the Registry; (b)
Registration: once the registrant has obtained an Aviation Membership ID, the registrant can
obtain a .aero domain name from an accredited Registrar.[16]
2) .biz: It is intended only for domain names that are or will be used primarily for a ‘bona fide
business or commercial purpose’.
3) .coop: It is a sponsored gTLD for cooperatives. One has to abide by the .coop Charter.[17]
4) .info: It is an open gTLD without restrictions (anyone can register any domain name).
5) .museum: It is a sponsored TLD for museums. One has to abide by the .museum charter.[18]
[14] Refer to http://www.iana.org/domain-names.
[15] ICANN controls all IP address space allocation, protocol parameter assignment, DNS management, and root server system management functions. About ICANN, ICANN, at http://www.icann.org/general/abouticann.htm (Last visited on Sept. 28, 2009). ICANN wants to be perceived not as a United States entity, but as fully international in its functional scope. See ICANN Articles of Incorporation, ICANN, at http://www.icann.org/general/articles.htm (Last visited on Sept. 28, 2009) (describing how ICANN is organized). The bylaws describe ICANN’s place within the international Internet community by stating that “[t]he Corporation shall operate for the benefit of the Internet community as a whole, carrying out its activities in conformity with relevant principles of international law and applicable international conventions and local law . . . . To this effect, the Corporation shall cooperate as appropriate with relevant international organizations.” ICANN is run by a board of nineteen directors, including its president, nine at-large directors, and nine directors selected by ICANN’s three supporting organizations. Five of the current at-large directors were selected according to a vote of Internet users worldwide. Within the ICANN framework, the three supporting organizations are specific to addresses, domain names, and protocol, and are charged with assisting, reviewing, and developing recommendations on Internet policy and structure within their specialized areas. Supporting Organizations, ICANN, at http://www.icann.org/support-orgs.htm (Last visited on Sept. 28, 2009)
[16] The details of the .aero Domain Management Policy are given at www.information.aero/policy/aerodmp.htm
[17] The .coop Charter is available at www.icann.org/tlds/agreements/coop/sponsorship-agmt-att1-05nov01.htm
6) .name: It is an open gTLD for registration of personal names or names of fictitious
characters on the second level or on the second and third level (e.g. <Smith.NAME> or
<John.Smith.NAME> or <Smith.John.NAME> or <J.Smith.NAME>). However, it permits
only personal names (described as the legal name or the name by which the person is
commonly known) of an individual, or of a fictional character provided the applicant has a
trademark in that name. Further, additional distinguishing elements (e.g. numbers) are permitted.
7) .pro: It is an unsponsored TLD open to qualified professionals meeting the registration
restrictions. The details are given in the Appendix of the .PRO Registry Agreement.[19]
Registration is permitted on the third level only. The second level indicates individual
professions (<smith.law.pro>, <smith.cpa.pro>, <smith.med.pro>). In an initial phase,
domain names can only be registered by lawyers (.law.pro), medical doctors (.med.pro) and
chartered accountants (.cpa.pro).
Two-letter domains, such as .uk, .fr or .au, are called country code top-level
domains (ccTLDs) and correspond to a country, territory, or other geographic location. The
rules and policies for registering ccTLDs vary significantly and a number of ccTLDs are
reserved for use by citizens of the corresponding country. A few of these ccTLDs were
established in the 1980s, but most of them were created in the mid to late 1990s.[21]
The administration of a ccTLD is left to the specific country concerned. For example, the
administration of domain names[22] within the .in (Indian) ccTLD is looked after by the NCST.
With the gTLDs being over-used and short in supply, people are now turning to ccTLDs.
There are many instances where a ccTLD proves more apt to indicate
one’s business or profession. Take for example .tv (of Tuvalu), which has
been in high demand by television companies around the world. Another instance is .md (of the
Republic of Moldova), a hot favourite for medical professionals. Other ccTLDs with higher
appeal could be .mr (of Mauritania), .ms (of Montserrat), .my (of Maldives), .tm (of
Turkmenistan), .ac (of Ascension Island), .id (of Indonesia), .im (of Isle of Man), etc.
Domain names are registered on a first-come, first-served basis and offer a unique, global
presence on the Internet.[23] In 1996, the US government had signed a contract with Network
Solutions Inc. (“NSI”), a private organization, giving it complete authority to operate the
domain name system (“DNS”). NSI’s contract with the US government was due to expire in
September 1998. However, under an October 1998 agreement with the United States
government, NSI was granted a two-year extension. Till April 1999, the registration of
domain names continued to be in the hands of Network Solutions Inc. In April 1999, five
additional corporations were allowed to register domain names on a trial basis. Subsequent to
24th June 1999, when the trial phase concluded, a new competitive registration procedure was
opened to all interested companies, whereby any company which satisfied the standards set
forth in ICANN’s Statement of Registrar Accreditation Policy was permitted to be an
accredited registrar.[24] ICANN became the overall governing body with respect to
management of the Domain Name System (DNS). It was made responsible for
[18] The .museum charter is available at www.icann.org/tlds/agreements/coop/sponsorship-agmt-att1-20aug01.htm
[19] The appendix of the .PRO Registry Agreement is available at www.icann.org/tlds/agrements/pro/registry-agmt-appl-03mar02.htm
[20] See a report published by ICANN at www.icann.org/announcements/announcement-31aug04.htm
[21] The policies governing establishment, delegation and operation of ccTLDs are given at www.icann.org/icp/icp-1.htm
[22] For details refer to www.domain.ncst.ernet.in.html
[23] P.S. Sangal, “Trademarks and Domain Names: Some Recent Developments”, Journal of Indian Law Institute, 1999, Vol. 41, pp. 30-43.
ICANN accredits domain name registrars for the gTLDs throughout the world, who in turn
register the domain names.
Two such accredited registrars in India are:
Polar Software Ltd. (signdomains.com);
Direct Information Pvt. Ltd. (directi.com).
Registrations are done by these accredited registrars and the domain name system (DNS) is
managed by ICANN. Any person interested in registering a domain name can approach
any of the ICANN-accredited registrars. The domain name registrant would be required to
furnish his address and other necessary details. Then an agreement would be signed whereby
the domain name registration would be subject to the Uniform Dispute Resolution Policy
(only in the case of the gTLDs .com, .net and .org) and, after the payment of a nominal fee, the registrant
would be entitled to use the registered domain name.
The National Centre for Software Technology (“NCST”),[25] a scientific research and
development institution under the Ministry of Information Technology (“MoIT”),
Government of India, was made the domain name registration authority for India's ".in"
country code top-level domain (“ccTLD”) and thus is the ccTLD manager. NCST had been
registering domain names in the ".in" ccTLD since 1995. The primary duty of the ccTLD
Manager is one of public service: to manage and operate the ccTLD Registry in the
interest of and in consultation with the Local Internet Community, mindful of the interests of
the Global Internet Community.
[24] Registrar Accreditation: Overview, ICANN, at http://www.icann.org/registrars/accreditation-overview.htm
[25] The NCST is now known as the Centre for Development of Advanced Computing (“C-DAC”).
The Internet Management Group (“IMG”), a committee formed by the Government of India,
oversees the Internet domain name registration related activities for the ".in" ccTLD. This
committee consists of members representing:
The NCST is the designated manager of the ".in" ccTLD. As such it is in charge of the
operations of the DNS services for the ".in" domain name space.
The “.in” ccTLD is separated into sub-categories, called second-level domains (SLDs).
All over the world business enterprises have recognized the significant potential of websites
as a primary source of facilitating electronic commerce. By using trademarks as their domain
names, business enterprises around the world hope to attract potential customers to their
websites and thus increase their global market visibility, and ultimately their sales and profits.
Domain names are now used routinely for advertising and as a means of indicating the
presence of an enterprise or business on the Internet. With the increase in the use of domain
names by business enterprises for publicizing their goods and services, domain names have
gained immense commercial significance. In order to give consumers easy access,
most business enterprises have one or more domain names by which the consumer can
access information relating to them. Business enterprises all over the world prefer to have
their domain names similar to their trademarks so that they are able to maintain an identity on
the Internet similar to their identity in the real world.[26] Thus, domain names share many of
the attributes of traditional trademarks or trade names and, as commerce has moved online,
they serve to identify a particular entity on the Internet.
The Courts in India and abroad have recognized the fact that domain names are similar to
trademarks and are thus entitled to similar protection.
The Supreme Court of India in Satyam Infoway Ltd. v Sifynet Solutions (P) Ltd.[27] observed:
“The original role of a domain name was no doubt to provide an address for
computers on the Internet. But the Internet has developed from a mere means
of communication to a mode of carrying on commercial activity. With the
increase of commercial activity on the Internet, a domain name is also used
as a business identifier. Therefore, the domain name not only serves as an
address for Internet communication but also identifies the specific Internet
site. In the commercial field, each domain-name owner provides
information/services which are associated with such domain name.”
The Court further observed that “a domain name as an address must, of necessity, be peculiar
and unique and where a domain name is used in connection with a business, the value of
maintaining an exclusive identity becomes critical”.
In Tata Sons Limited v Manu Kosuri & Others,[28] the Court observed, “with the
advancement and progress in technology the services rendered by an Internet site have also to
be recognized and accepted and are being given protection from passing off.
With the advent of modern technology particularly that relating to cyber space, domain
names or internet sites are entitled to protection as a trademark because they are more than a
mere address. The rendering of Internet services is also entitled to protection in the same way
as goods and services are, and trademark law applies to activities on Internet.”
In Acqua Minerals Limited v Pramod Borse & Another,[29] the Court observed, “With the
advancement of Internet communication the domain name has attained as much legal sanctity
as a trade name. Since the services rendered in the Internet are crucial for any business the
domain name needs to be preserved so as to protect such provider of services against anyone
else trying to traffic or usurp the domain name.”
In Rediff Communications Limited v Cyberbooth,[30] it has been observed, “the Internet domain
names are of importance and can be a valuable corporate asset and such domain name is more
than an Internet address and is entitled to protection equal to a trademark.”
[26] Shamnad Basheer, “Trademark Issues on the Internet: Domain Name Dispute Resolution”, Legal Dimensions of Cyberspace, Indian Law Institute, 2004, p. 156.
[27] AIR 2004 SC 3540.
[28] 2001 PTC 432 (Del).
[29] 2001 PTC 619 (Del).
[30] AIR 2000 Bombay 27.
In Cardservice International Inc. v McGee,[31] it has been observed, “the domain name service
functions as the trademark and is not a mere address or like finding number on the internet
and, therefore, is entitled to equal protection as trademark for it also identifies the internet site
to those who reach it, much like a person’s name identifies a specific company, the
defendants have to be injuncted upon by way of permanent injunction.”
Hence, the importance of a domain name is no less than the trademark itself. If a particular
trade name has come to be known in the market to represent a particular commodity or a
particular company, the general guess of people online would be that the domain name
equivalent to such trade name would be used by such company. The domain name in the
online world, just like the trade name in the offline world, serves to identify the
goods/services provided by the company.
However, there is one big problem. The process of registration of a domain name is not as
stringent as that of registration of a trademark. The system is based primarily on first-come-
first-serve basis. Anyone can approach a Domain Name Registrar and register any available
domain name. The Delhi High Court in Acqua Minerals Limited v Pramod Borse32 has
observed:
So, a person just might approach the Registrar and register www.mahindra.com though he
does not have the remotest connection with the famous Mahindra & Mahindra in Mumbai.
Naturally, from Mahindra & Mahindra’s point of view, it might be wrong for anyone else to register
www.mahindra.com. After all, ‘Mahindra’ is quite a popular trade mark for its products. It
was soon realized that such domain names were being registered by unauthorized persons, not
only for the purpose of taking advantage of the goodwill created by the trade mark owners
but also, and most of the time, for receiving a certain financial gain in exchange for the domain
name.33
It is also important to realize that in the online world, there can be only one domain name, as
opposed to the possibility of two or more trademarks co-existing in different working
spheres. For example, a person might be selling garments under the mark ‘Roughins’ in India
and somebody else might be selling the same product under the same mark in, say, New
Zealand. One can even have ‘Roughins’ registered as a trade mark in different countries
without affecting the other registrations. Leaving aside legal objections, this arrangement is
perfectly possible in the physical world. However, the online world does not permit such an
arrangement. If one person owns www.roughins.com, registration of the same
domain name by another person is not possible. One might register www.roughins.net or
www.roughins.org or www.roughins.biz but cannot register www.roughins.com. In such a
situation, one might conclude that the domain names have a higher degree of importance than
the trade mark. Even though someone else might be using the trade mark ‘Roughins’ elsewhere
in the world, as long as that use does not affect one’s business in India, not much damage is done. But
a domain name is single: if one person registers it, another cannot. This predicament has led trade
mark owners to protect their marks online by registering them as domain names. Adding to this
problem is the tendency of net surfers to hunt for a particular company’s website by its
trademark itself.
31 42 USPQ 2nd 1850
32 2001 PTC 619 (Del)
33 Check http://www.greatdomains.com for an interesting value-analysis of various domain names.
2.3.1 Cybersquatting
In popular terms ‘Cybersquatting’ is the term most frequently used to describe the deliberate,
bad faith abusive registration of a domain name in violation of rights in trademarks and
service marks35. Cybersquatting is proved when all of the following conditions are met:
For the purposes of the third point, the following shall be evidence of the registration and use
of a domain name in bad faith:
(a) an offer to sell, rent or otherwise transfer the domain name to the owner of the trade
or service mark, or to a competitor of the owner of the trade or service mark, for
valuable consideration; or
(b) an attempt to attract, for financial gain, Internet users to the domain name holder’s
website or other online location, by creating confusion with the trade or service mark
of the complainant; or
(c) the registration of the domain name in order to prevent the owner of the trade or
service mark from reflecting the mark in a corresponding domain name, provided that
a pattern of such conduct has been established on the part of the domain name holder;
or
(d) the registration of the domain name in order to disrupt the business of a competitor.
Thus, Cybersquatting is the act of registering a popular Internet address, such as a company
name or the name of a famous individual, with the intent of selling it to the real owner or with
a view to prevent the real owner from registering his/her trademark as a domain name.
34 See http://www.david-carter.com/bid-for.htm, http://www.100domains.com/, http://www.fastdomainsales.com.
35 Pravin Anand, Shamnad Basheer and Keshav S. Dhakad, “Prevention is Better Than Cure: An oft repeated aphorism that is oft forgotten (Internet and Intellectual Property Rights)”, Chartered Secretary, August 2000, pp. 959-963.
With the growth of the Internet, domain names have increasingly come into conflict with
trademarks. The possibility of such conflict arises from the lack of connection between the
system for registering trademarks, on one hand, and the system for registering domain names,
on the other hand. The system of registering trademarks is administered by a public authority
on a territorial basis and gives rights to the trademark holder that may be exercised within the
territory. The system of registering domain names is governed by a non-governmental
organization without any functional limitation. Domain names are registered on a first-come,
first-serve basis and offer a unique, global presence on the Internet.
This difference in the system for registering trade marks and domain names has led to the
emergence of Cybersquatting which is the practice of registering domain names in bad faith.
Recognizing Cybersquatting
How does one identify that the domain name he/she wants is being used by a cybersquatter?
If, on approaching the domain name, the following results appear, then a person has reason to
believe that the domain name he/she wants is being used by a cybersquatter.
In this case, the plaintiff Panavision owned registered trademarks for ‘Panavision’ and
‘Panaflex’. The defendant, Dennis Toeppen, registered the domain name <panavision.com>.
Posted on Toeppen’s site were photographs of the City of Pana, Illinois. When plaintiff
demanded that Toeppen cease and desist his use of the domain name, defendant offered to ‘settle
the matter’ for $13,000 in exchange for the domain name registration. When plaintiff rejected
the offer, Toeppen registered plaintiff’s other trademark, ‘Panaflex’, as a domain name and
posted the word ‘hello’ on the website. In a suit for trademark infringement, trademark
dilution and unfair competition, the district court found the defendant liable for dilution and
enjoined him from using plaintiff’s marks or marks similar to them in connection with any
commercial activity.
In this case, the Court after finding the respondent to be guilty of ‘cybersquatting’ observed,
“any person who deliberately registers a domain name on account of its similarity to the
name, brand name or trade mark of an unconnected commercial organization, must expect to
find himself on the receiving end of an injunction to restrain the threat of passing off, and the
injunction will be in terms which will make the name commercially useless to the dealer.”
In this case, the WIPO Arbitration Center held that there is no doubt that the name
“indya.com” of the complainant and the impugned domain names “indyanews.com”,
“indyanews.net” and “indyanews.org” registered by the respondent are identical and confusingly
similar.
4. In Sony Corporation v Setec39, the WIPO Arbitration Center has held that the domain name
registered by the respondent, namely, “newsony.com” is virtually identical and confusingly
similar to the domain name of the complainant “sony.com”.
5. In Essel Packaging Limited v Sridhar Narra Ltd. & Another40, the Court observed “merely
because a party gets a registration of a domain name does not mean that it also acquires
proprietary rights over the same. Registration of domain names does not involve any process
of enquiry. Its registration in bad faith itself is a ground for injunction.”
2.3.2 Typo-Squatting
Typosquatting is basically purchasing a domain name that is a variation of a popular domain
name, with the expectation that the site will get traffic from the original site because of a user's
misspelling of the name. For example, registering the domain names webapedia.com or
yahooo.com in the hope that someone making a typing mistake will land on that site
unexpectedly.
Typosquatting is indulged in by people who want to divert traffic to their websites. They do this
by slightly changing the spelling of famous websites in the hope that netizens (Internet Citizens)
will misspell and come to their site.42 It is a lot like purchasing a domain name that is a variation
of a popular domain name with the expectation that some of the traffic for the original site will
stray to theirs. This is a dangerous trend because it is indulged in mostly by pornographers.
Unsuspecting netizens are tricked into visiting their websites because that’s how they earn their
money — by attracting traffic. Such methods can also be detrimental to a company — if
prospective customers are diverted to porn sites they could form an unfavorable opinion about
the company.
In India, there are two important cases where Typosquatting occurred: Yahoo! Inc. v Victor
Majevski a/k/a Marec Polanski & Ors.43 and Info Edge (India) (P) Ltd. v Shailesh Gupta44.
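As an added example (not code from the study material), the following Python check shows how a trade mark owner can monitor newly observed registrations for the kind of variation described above: it flags domains whose label is within one edit, or one adjacent-letter transposition, of a protected brand domain. PROTECTED and OBSERVED are constructed sample data, and the label/TLD split is a naive two-part split.

```python
"""Flag observed domain registrations that look like typo-variants of protected brands.

Added example, not from the study material: a brand-monitoring check a
trademark owner could run over newly seen registrations. PROTECTED and
OBSERVED are constructed sample data.
"""
from typing import Dict, Iterable, Optional, Tuple

# Constructed: the brand domains being monitored.
PROTECTED = {"yahoo.com", "webopedia.com"}

# Constructed: a feed of newly observed registrations.
OBSERVED = [
    "yahooo.com",     # extra letter (example used in the text)
    "webapedia.com",  # substituted letter (example used in the text)
    "yaho.com",       # dropped letter
    "yahoo.net",      # same label, different TLD: not a typo of the label
    "yhaoo.com",      # two adjacent letters transposed
    "example.org",    # unrelated
    "yahoo.com",      # the brand's own registration
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit-cost insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_transposition(a: str, b: str) -> bool:
    """True when b is a with exactly one pair of adjacent characters swapped."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def split_domain(domain: str) -> Tuple[str, str]:
    """Naive 'label.tld' split; enough for the two-part sample domains."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def classify(domain: str, protected: Iterable[str] = PROTECTED,
             max_distance: int = 1) -> Optional[str]:
    """Return why `domain` looks like a typo of a protected domain, or None."""
    label, _ = split_domain(domain)
    for brand in protected:
        b_label, _ = split_domain(brand)
        if label == b_label:
            continue  # identical label: the brand itself or a TLD variant
        if is_transposition(label, b_label):
            return f"transposition of {brand}"
        d = levenshtein(label, b_label)
        if 0 < d <= max_distance:
            return f"edit distance {d} from {brand}"
    return None


def find_typosquats(observed: Iterable[str],
                    protected: Iterable[str] = PROTECTED) -> Dict[str, str]:
    """Map each flagged domain to the reason it was flagged."""
    hits = {}
    for dom in observed:
        reason = classify(dom, protected)
        if reason:
            hits[dom] = reason
    return hits


if __name__ == "__main__":
    for dom, why in find_typosquats(OBSERVED).items():
        print(f"{dom}: {why}")
```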
39 WIPO Case No. D2001-0167
40 2002 (25) PTC 233 (Del)
41 1999 PTC (19) 201 (Del)
42 Refer to http://www.trafficsquatting.com/02-definitions1.html
43 WIPO Case No. D2000-0694 decided on 20 Sep 2002.
44 (2001) 24 PTC 355 (Del). Also see Electronics Boutique Holding Corporation v Zuccarini 56 U.S.P.Q 2D. (BNA) (E.D. Pa.2000)
Web pages are created using Hypertext Markup Language (“HTML”), which is a set of
special instructions called “tags” or “markups” that lay out how the page is developed and
specify links to other documents. HTML allows web page developers to incorporate in the
web page graphics, animation, audio, video, databases, and plug-in or helper applications.
HTML also allows for hidden annotations known as ‘meta tags’. Meta tags contain
keywords placed in the HTML when creating a website. Meta tags are hidden and are not
visible to the viewer when a website is accessed normally. During a website’s creation, the
website’s designer inserts keywords that describe the contents of the site. These keywords are
used by search engines, such as Yahoo or Google, to identify websites45.
One of the keys to navigating the web is the use of “search engines” and “web portals”.
Search Engines and portals provide services to web surfers in an attempt to attract masses to
their web sites. The concept of a search engine or portal is that individuals use these sites as a
starting point to navigate the vast information online. Some of the common search engines
are www.google.com, www.altavista.com, www.msn.com, www.excite.com,
www.yahoo.com. Web surfers often surf the Internet by keywords, using a search engine.
These engines search through a self-created index of websites and generate a list of websites
relating to the keyword searched for. Search engines look for the keywords in:
1. Domain names.
2. The actual text of the web page.
3. Meta tags.
The more often a term appears in a Meta tag, the more likely the web page associated with
those Meta tags will appear as a search result for a search of that keyword, and the more
likely it will appear higher on the list of websites.
In order to increase traffic to a particular website, a web designer will normally insert a broad
range of keywords and phrases as Meta tags. These words and phrases should logically be
descriptive or somehow relevant to the website itself. For example, a company such as Pepsi
may include such words or phrases as “Pepsi”, “cola”, “beverages”, “carbonated beverages”
and “drink” in their Meta tags in order to attract users to their website.
There are websites which contain Meta tags that have nothing to do with their websites or are
words or phrases related to their competitors in order to increase traffic to their website and
divert it from their competitors. This is where trademark infringement occurs.
Traditional trademark infringement occurs when a person uses another person’s trademark
without authorization and such use results in a likelihood of confusion among consumers.
When a user types the owner’s trademark into a search engine, the person’s website appears
as a match and more often it appears at the top of the page of matches, thus, possibly
preceding the listing for the owner’s website. This results in web traffic being diverted from
the website of the trademark owner, as well as, misleading consumers into believing that the
website they have been diverted to is somehow related to the trademark or the trademark
owner.
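As an added example (not code from the study material), this Python audit applies the three places named above, domain name, visible page text and meta tags, from the defender’s side: it parses a page, extracts the meta keywords, and reports which of them are backed by nothing a visitor can see and which are repeated in the manner of the Seawind case below. SAMPLE_HTML and the domain harbourboats.com are constructed.

```python
"""Audit a page's meta keywords against what a visitor can actually see.

Added example, not from the study material. It checks the three places the
text names (domain name, visible page text, meta tags): a meta keyword backed by
neither the domain nor the visible text is 'unsupported', and one repeated
several times is 'stuffed'. SAMPLE_HTML and the domain are constructed.
"""
from collections import Counter
from html.parser import HTMLParser
import re

# Constructed page: a boat dealer whose meta tags repeat a third party's mark
# ("seawind") that never appears in the visible copy or the domain name.
SAMPLE_HTML = """<html><head>
<title>Harbour Boats</title>
<meta name="keywords" content="boats, yachts, seawind, SEAWIND, Seawind, seawind">
<meta name="description" content="Harbour Boats sells new and used yachts.">
</head><body>
<h1>Harbour Boats</h1>
<p>We sell new and used yachts and boats at the marina.</p>
<!-- seawind seawind seawind -->
</body></html>"""


class MetaAudit(HTMLParser):
    """Collect meta keywords and description plus the visible text."""

    def __init__(self):
        super().__init__()
        self.keywords = []
        self.description = ""
        self.visible = []
        self._hidden = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta":
            name = (a.get("name") or "").lower()
            content = a.get("content") or ""
            if name == "keywords":
                self.keywords += [k.strip() for k in content.split(",") if k.strip()]
            elif name == "description":
                self.description = content
        elif tag in ("script", "style"):
            self._hidden += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        # Text inside <script>/<style> is not shown; HTML comments never reach
        # handle_data at all, so hidden comment text is excluded as well.
        if not self._hidden:
            self.visible.append(data)


def tokens(text):
    """Lower-cased alphanumeric tokens of a string."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def audit(html, domain, stuffing_threshold=3):
    """Return the meta keywords, those backed by neither visible text nor the
    domain, and those repeated at least `stuffing_threshold` times."""
    p = MetaAudit()
    p.feed(html)
    p.close()
    seen = tokens(" ".join(p.visible)) | tokens(domain.replace(".", " "))
    counts = Counter(k.lower() for k in p.keywords)
    unsupported = sorted(k for k in counts if not tokens(k) <= seen)
    stuffed = sorted(k for k, n in counts.items() if n >= stuffing_threshold)
    return {"keywords": p.keywords, "description": p.description,
            "unsupported": unsupported, "stuffed": stuffed}


if __name__ == "__main__":
    print(audit(SAMPLE_HTML, "harbourboats.com"))
```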
45 Nandan Kamath, “Domain Names in the Indian Context”, Chartered Secretary, August 2000, pp. 963-967.
The law regarding infringement of trademark by their unauthorized use in Meta tags is
decided in the following cases:
In an action against the defendant for trademark infringement, the Court found that the
defendants had purposefully embedded Playboy’s trademarks ‘playboy’ and ‘playmate’
within its computer source code ‘which is visible to search engines that look for web sites
containing specific words or phrases specified by the computer user’. Therefore, once a
query for ‘playmate’ is made, the search engine returns a number of websites including that
of Asiafocus. The Court concluded that consumers would be misled into believing that the
website of the defendant is in some way connected to or sponsored by Playboy. The Court
found against the defendant.
In this case, Global Site Designs registered two domain names that incorporated Playboy’s
trademarks, www.playmatesearch.net and www.playboyonline.net. The word
‘playboyonline’ was also used in the meta-tags of the website. The Court found infringement
of trade mark and restrained the defendant from using the plaintiff’s trademarks, Playboy and
Playmate, as meta-tags or as part of a domain name.
The defendants were using the plaintiff’s trademark as meta-tags. A block of text repeating
the words “seawind,” “SEAWIND,” “Seawind” was inserted. It was observed that it does not
matter what the domain name is. The fact that the trademark was used as meta-tags was
enough to confuse Internet users and hence, the defendants were restrained from using the
plaintiff’s trademarks as meta-tags.
46 [985 F. Supp. 1218 (N.D. Cal. 1997) (temporary restraining order issued), 985 F. Supp. 1220 (N.D. Cal. 1997) (preliminary injunction granted), 1999 WL 329058 (N.D. Cal. 1999) (summary judgment entered for plaintiff)]
47 [1998 WL 724000 at *2. (E.D. Va. 1998)]
48 [1999 WL 311707 at *1 (S.D. Fla. 1999)]
49 [51 F. Supp. 2d 554 (E.D. Pa. 1999)]
50 27 F. Supp. 2d. 102 (D. Mass. 1998)
consumer to believe that the defendant is in some way either connected to or sponsored by the
plaintiff. Injunction was granted.
In this case, the defendant used the word, MOVIEBUFF, as meta-tags which the plaintiff
claimed to be its trademark. The Court held that consumers on the lookout of plaintiff’s
goods might be diverted to the website of the defendant due to use of MOVIEBUFF as meta-
tag which would influence the search engine results.
The Court held that using a competitor's trademarks in meta-tags causes initial interest
confusion which is a form of trademark infringement. The plaintiff owned the trademark
MOVIEBUFF whereas the defendant used it as a meta-tag. Searching the said word returned
links to both parties’ websites. The court explained that when a user clicked on the link to
West Coast's web site, there is no confusion regarding the source of the products (because
consumers know they are patronizing West Coast's web site and not Brookfield's web site),
but there is initial interest confusion because West Coast used the trademark MovieBuff to
capture initial consumer attention and divert people to its web site and West Coast
‘improperly benefit[ed] from the goodwill that Brookfield developed in its mark’.
2.4.1 Introduction
The Internet is a multipurpose medium, and particular domain names are chosen and
registered for a wide variety of reasons, commercial and non-commercial. A domain name
may be registered to reflect a trade mark, or to reflect a name by which the registrant is
known. The domain name could also be a geographic name with which the registrant has an
association or in which he has an interest. It could be a generic term. It may be that the
interest in the name is an interest in using the trade mark to identify the subject of genuine
comment or criticism. It is in disputes involving these types of registration that the concept of
Reverse Domain Name Hijacking (RDNH) comes into play.
Reverse Domain Name Hijacking is an attempt by a trade mark holder, in bad faith, to take
control of a domain name from another, who is not in breach of trade mark laws, and who has
a legitimate interest in the name. According to UDRP Rule 1, the term "Reverse Domain
Name Hijacking" means "using the Policy [the UDRP] in bad faith to attempt to deprive a
registered domain-name holder of a domain name."
The issue of preventing RDNH can be divided into two elements. The first is protecting the
‘right’ to a domain name registered by someone with legitimate interests in that domain name
(‘protecting legitimate registrants’). Where the registrant is not in breach of trade mark laws,
and is not a cybersquatter, there is no rule, and indeed no reason, why the registration of the
domain name should be set aside.
51 174 F.3d 1036 (9th Cir. 1999)
The second element is the deterrence of bad faith attempts by trade mark holders to have
domain names transferred to them. Clearly a trade mark holder has a right to take action to
gain control of a domain name consisting of their trade mark from an infringing registrant or
a cybersquatter. Attempts to do this in good faith, in which it transpires that the registrant is
not in fact a cybersquatter but instead has legitimate rights in the name, are not deserving of
censure; what does deserve censure are deliberate attempts to take domain names from
registrants who are neither cybersquatters nor in breach of trade mark laws.
A victim of reverse domain name hijacking can feasibly seek court review of the panel’s
ruling. But this remedy is somewhat illusory because of the following reasons. 52
1. The losing respondent is at a significant disadvantage in the court review process. The
difficulty of obtaining review of a panel decision is due primarily to the fact that the losing
registrant has only ten days to file a complaint in court before the domain name is
transferred.53
2. The ten day period is constraining for registrants who have not yet retained an attorney and
for foreign domain name registrants who must either file a complaint in the United States and
thus lose their home forum or file under the procedures of their home country (which may not
be amenable to a ten-day filing requirement). On the other hand, a losing complainant can
wait indefinitely before seeking court review.
2.4.5 The Uniform Dispute Resolution Policy and Reverse Domain Name Hijacking
The NSI Dispute Policy used to facilitate Reverse Domain Name Hijacking, since a
trademark owner could easily put a hold on a registrant’s domain name without any showing
of trademark infringement. Even if the alleged infringer had a right to use the domain name,
the prospect of going to trial (where fines may be levied) was enough to persuade many
domain name holders to settle with the complainant. This flaw was recognized by ICANN,
and the Rules of UDRP explicitly forbid reverse domain name hijacking. The substantive
prevention of reverse domain name hijacking is located in paragraph 4(c) of the Uniform
Policy, which provides that the domain name holder may escape liability by demonstrating
his right to and legitimate interest in the domain name.
The UDRP remains deficient in at least two respects. Firstly, there exists virtually no
punishment for reverse domain name hijackers in the UDRP. The only penalty provided by
the Rules (other than denying the transfer) is that the decision reporting a bad faith complaint
must be published. Although this punishment may be inadequate, it is difficult to envision a
more harsh sanction without giving arbitrators more power than simply that of transferring or
canceling domain names. The more dangerous problem with the UDRP is that its substantive
portions do not serve to effectively block reverse domain name hijackers. In fact, the Policy,
by and large, is used as a means to facilitate this activity. Under the NSI Policy, a reverse
domain name hijacker would be forced to bear the expense of going to court, a prospect that
would presumably filter out some bad faith claims. However, under the cheap and easy
UDRP, a trademark owner can grab any domain names that are similar to its trademark while
bearing only the expense of the panel, which could range from $950 to $2,000 for a single-member
panel, exclusive of attorney’s fees.
52 See Brenda Sandburg, “ICANN Needs Fine Tuning, Lawyers Mull Pros and Cons of Adding an Appeals Process”, NAT’L L.J., Nov. 6, 2000, at B10.
53 See UDRP Rule 4(k).
Even if the provisions of the Uniform Policy were written to prevent reverse domain name
hijacking more explicitly, it remains up to the panel to properly enforce these terms.
However, since the beginning of the dispute resolution process, some panels have shown
frighteningly little regard for the requirements of the dispute resolution policy, both in terms
of the “no rights or legitimate interests” requirement and the “bad faith” requirement. In
several cases, instances of arguable reverse domain name hijacking have been ignored and the
domain name transferred without much argument.
In this case, the complainant, the registered trademark owner of “FIBER-SHIELD,” brought
a complaint against a Canadian corporation, seeking the transfer of the domain name
“fibershield.net.” Under the UDRP, the respondent had a legitimate interest in the domain
name since there was evidence that it had been commonly known by the domain name.55 In
addition, there did not seem to be any evidence of bad faith on the part of the respondent. 56
However, the panel transferred the domain to the complainant because the “respondent does
not claim any rights superior to the trademark registration of complainant of the name ‘fiber-shield.’ . . . .”57
The UDRP explicitly stipulates that the registrant can show a legitimate interest in a domain
name “even if [the holder has] acquired no trademark or service mark rights.” Thus, a
trademark owner, merely by owning a mark, is not automatically entitled to domain names
encompassing all permutations of the mark; some malfeasance on the part of the domain
name holder is required. Therefore, even though the panel found that the respondent
registered “fibershield.net” with “actual awareness” of a confusingly similar prior registration
(the complainant had already registered “fibershield.com”), this finding alone was not enough
for a transfer of the domain name. Under the UDRP, if a domain name holder is legitimately
using a domain name, the complainant is not entitled to the domain name, regardless of
whether or not the holder knew of the complainant’s confusingly similar registration.
The tolerance of reverse domain name hijacking occurs in other panel decisions as well.
54 NAF Case No. FA92054 (Feb. 29, 2000), at http://www.arbforum.com/domains/decisions/92054.htm (last visited Nov. 8, 2005) [hereinafter Fiber-Shield].
55 See id. (“Respondent has been incorporated and has been doing business in Canada under the name ‘Fiber Shield (Toronto) LTD’.”).
56 See id. (finding that the respondent tried to register “fiber-shield.com,” claiming it did not know of the complainant’s business activity, and, discovering that the complainant already owned that domain name, registered “fibershield.net”). There was no evidence of an offer to sell the domain name or of any intent to divert customers.
57 Id.
2. Home Interiors & Gifts, Inc. v Home Interiors58
In this case, the complainant owned registered trademarks in “Home Interiors” and “Home
Interiors & Gifts.” It filed a complaint against the registrant of “homeinteriors.net” and
“homeinteriorsandgifts.com.” The panel did not find that any of the activities constituting bad
faith were met, but transferred the domain name nonetheless. The panel justified its decision
by analyzing the likelihood of customer confusion, but did not offer any reason for finding
bad faith.59
In this case, the complainant, Goldline International, was a business dealing in goods and
services relating to coins and precious metals. The respondent, Gold Line Internet, was the
business name for an individual who ran a consulting business specializing in intellectual
property, including intellectual property arising from the use of vanity domain names and 800
telephone numbers.
The required "bad faith" registration and use of the domain name "goldline.com" was claimed
by the complainant primarily because of a claimed likelihood of confusion with the
complainant's name, even though the two businesses had nothing to do with each other and
were unlikely to be confused with each other in actuality. Moreover, the panel found that the
respondent had brought this, and other facts undermining the case, to the complainant's
attention before the case was commenced.
In finding that the complainant had engaged in prohibited reverse domain name hijacking, the
Goldline panel noted:
Complainant's actions in this case constitute bad faith. Prior to filing its Complaint,
Complainant had to know that Complainant's mark was limited to a narrow field, and that
Respondent's registration and use of the domain name could not, under any fair interpretation
of the facts, constitute bad faith. Not only would a reasonable investigation have revealed
these weaknesses in any potential ICANN complaint, but also, Respondent put Complainant
on express notice of these facts and that any further attempt to prosecute this matter would be
abusive and would constitute reverse domain name "hijack[ing]".... Complainant's decision to
file its Complaint in the face of those facts was in bad faith. Accordingly, the Panel finds that
Complainant has engaged in Reverse Domain Name Hijacking.
The panel held that “To prevail on such a claim [of reverse domain name hijacking],
Respondent must show that Complainant knew of Respondent's unassailable right or
legitimate interest in the disputed domain name or the clear lack of bad faith registration and
use, and nevertheless brought the Complaint in bad faith.”
4. Smart Design LLC v Hughes, WIPO Case No. D2000-0993 decided on 18th October 200061
58 WIPO Case No. D2000-0010 (Mar. 7, 2000): http://arbiter.wipo.int/domains/decisions/html/2000/d2000-0010.html (Last visited on Sept. 28, 2009).
59 See id. The only evidence of bad faith use was a counter at the site that the panel concluded was “tantamount to an advertisement that the website is for sale,” the fact that the registrant failed to respond to the complainant’s offer to buy the domain name for $500, and the fact that the registrant failed to respond to the complaint. Id. All of this evidence is extremely tenuous.
60 For the complete text of the decision refer to www.arbiter.wipo.int/domains/decisions/html/2000/d2000-0010.html.
61 For the complete text of the decision refer to www.arbiter.wipo.int/domains/decisions/html/2000/d2000-0993.html.
The panel concluded that the complainant committed reverse domain name hijacking even
though it did not explicitly find bad faith. The panel concluded that the complainant made
allegations that the respondent acted in bad faith in reckless disregard of whether the facts
underlying its claims supported that finding. As the panel found:
“The Panel is unable to assess the Complainant's state of mind when the Complaint was
launched, but in the view of the Panel the Complaint should never have been launched. Had
the Complainant sat back and reflected upon what it was proposing to argue, it would have
seen that its claims could not conceivably succeed.”
The standards exemplified by these two cases show that bad faith and a resulting finding of
reverse domain name hijacking can be found not only in cases showing malicious intent, but
also in cases where the panel subjectively concludes that the complainant brought a case that
the panel retroactively concludes should have been obviously insufficient to the complainant.
5. Societe des Produits Nestlé S.A. v Pro Fiducia Treuhand AG, WIPO Case no. D2001-
091662
In this case, the Nestle Company sought to recover the "maggie.com" domain name for one
of its subsidiaries. The respondent did not then have a website, but it claimed to have been
developing one for personal use and for use of a family foundation. There had been failed
negotiations between the complainant and the defendant that were omitted from the
complaint, an omission to which the panel strongly objected and observed:
“As a result of its rather lengthy dealings with Mr. Maggi, Complainant was aware that Mr.
Maggi intended to use the Domain Name for personal use, yet Complainant ignores these
negotiations in the complaint and fails to even mention Respondent's alleged personal interest
in the Domain Name.”
Consequently, the panel not only declined to grant the relief requested by Nestle, but it found
the complainant to be in bad faith as well and guilty of reverse domain name hijacking.
Gripe sites are sites set up to comment on, typically in a very critical manner, the products or
services of a particular business. The standard domain name for these sites is
www.(trademark)sucks.com.
This case is the most famous example of a gripe site case. In this case, the respondent, a US
citizen (Andrew Faber) opened a site called ‘Bally’s Sucks’, after Bally’s Total Fitness (a
large chain of fitness centres) reneged on a deal to give him a lower rate and more privileges
in return for a year’s membership. The site included criticism by Faber of the company, a
guestbook for visitors to air their protests, and instructions on how to cancel an account at
Bally’s, amongst other information. The plaintiff sued Faber for trade mark infringement,
trade mark dilution and unfair competition. The Court found no likelihood of confusion
between plaintiff’s mark and defendant’s “Bally’s sucks” website. The Court observed, “No
reasonable consumer comparing Bally’s official web site with Faber’s site would assume
Faber’s site ‘to come from the same source, or thought to be affiliated with, connected with,
or sponsored by, the trademark owner.’ . . . . ‘Sucks’ has entered the vernacular as a word
loaded with criticism. Faber has superimposed this word over Bally’s mark. It is impossible
to see Bally’s mark without seeing the word ‘sucks.’ Therefore, the attachment cannot be
considered a minor change.”
62 For the complete text of the decision refer to www.arbiter.wipo.int/domains/decisions/html/2001/d2001-0916.html.
63 29 F. Supp. 2d 1161
The Court refused to transfer the domain name to the plaintiff.
6. CompUSA Mgmt. Co. v Customized Computer Training NAF Case No. FA95082 decided
on 17th August 200064
In this case, the panel allowed the respondent to retain the domain names
“www.stopcompusa.com” and “www.bancompusa.com” over CompUSA’s protests, holding
“There is absolutely no confusion or similarity, much less identity, between the domain
names and the trademarks held by Complainant [CompUSA]. No one could confuse
‘COMPUSA’, or anyone [sic] of the registered trademarks, and ‘STOPCOMPUSA.COM’
and ‘BANCOMPUSA.COM’.”
The panel further observed, “After reading the pleadings, the Panel is left with a bad taste.
Here, a large company, faced with criticism from an individual, has attempted to use this
process and procedure to stifle that criticism. If the actions and conduct of Respondent are
wrongful, then Complainant has access to the courts of law, where the truthfulness of the
allegations made by Respondent can be challenged. Use of this forum by Complainant in this
context is inappropriate and constitutes cyber-bullying.”
These cases reinforce the notion that the rights of trademark owners on the Internet are
limited. The UDRP procedure was established to handle only a very limited type of case. The
purpose of the law is to prevent cyber-squatting, not to curtail the right of free speech of Internet
users. These cases make it clear that it is possible for a company to have a valid trademark
and yet fail in a cyber-squatting action.
64 The full text of the decision is available at http://www.arbforum.com/domains/decisions/95082.htm
underlying for the purposes of enforcing copyrights against the individual/internet users
globally, the copyright owners have arguably found the answer to this ever growing problem
by placing legal liability for copyright infringement on those who allow and enable Internet
copyright infringers to exist, namely the Internet service providers (ISPs). To what extent
ISPs can be held accountable has become one of the most critical issues in entire copyright
jurisprudence.
65 Camlin v. National Pencil, AIR 1986 Delhi 444 at p. 451.
66 Kumari Kanaka v. Sundararajan (1972) Ker LR 536; Satsang v. Kiron Chandra AIR 1972 Calcutta 533.
The Copyright Act provides that the registration of copyright shall be prima facie evidence of
the particulars entered therein.67 The registration only raises a presumption that the person
shown is the actual author. Of course, the presumption is not conclusive but where contrary
evidence is not forthcoming, it is not necessary to render further proof to show that the
copyright vested in the person mentioned in the register.
The Copyright Office maintains a Register of Copyrights containing the names or titles of
works and the names and addresses of authors, publishers and owners of copyright and other
particulars as may be prescribed.68 Since websites are relatively new, both in terms of
content and technology, it becomes contentious to figure out under which of the above parts
one could register the entire website. Websites are generally a combination of text, images,
graphics, sound and video. So, individually each category of work could be registered under
the corresponding part. For example, the textual component of a website could be registered
under Part I as a literary work and the sound component could be registered under Part V as
sound recording.
The real problem arises with regard to registering the website as a whole, which could
contain content in the form of multimedia, a combination of different copyrightable work.
There is no provision under the existing Indian copyright legislation which specifically talks
about multimedia works. But registering multimedia works, which are nothing but a
combination of many media, is not unknown to the Copyright Act. Under Part IV of the
Copyright Act, cinematograph films, which are a combination of various works existing in
different media, can be registered. Website content, strictly speaking, cannot be described as
a “Cinematograph film”, but since it is a combination of several media it should be possible to
register it under Part IV. Moreover, every website has a software component to it. So, it can
also be registered under Part VI as a computer program.
67 Section 48 of the Copyright Act, 1957.
68 Section 44 of the Copyright Act, 1957. The Register of Copyright is kept in six parts as follows:
Part I - Literary works other than computer programmes, tables and compilations including computer databases
and dramatic works.
Part II - Musical works
Part III - Artistic works
Part IV - Cinematograph films
Part V - Sound recordings
Part VI - Computer programmes, tables and compilations including computer databases
69 A.S.A. Krishnan and A.K. Chakravarti, “Intellectual Property Rights in the Ensuing Global Digital
Economy”. Available at: www.mit.gov.in.
Now, anybody using internet can “interact” with the copyrighted work in different ways
completely unknown previously. One can make alterations and additions and even create a
new work out of the stock of existing ones. If the rights for all classes of works were the
same, then perhaps, this would not have been a major issue. But the law as it stands in India
distinguishes between different classes of works in the matter of rights. For example, the
rights in a literary work and those in a cinematographic film are different. There is no rental
right in a literary work, whereas there is such a right in a cinematographic film.70
Authorship may raise another problem, as the criterion of authorship differs between
literary, dramatic, musical and artistic works on the one hand and cinematographic films and
sound recordings on the other.71
What kind of protection does a multimedia work attract in its individual combination of
component parts? The question is how to qualify digital off-line and on-line media from a
copyright perspective. The significance of the issue lies in the fact that the relevant
categorization entails different legal consequences and the presence of multimedia work
defies existing classification under the copyright law. Certainly, it is not a new type of work
to the extent that a multimedia product can fall under one or several, already existing,
categories. Protection of the individual elements of a multimedia work must not be confused
with protection of the multimedia production as a whole. In accordance with the existing
provisions of the Copyright Act it remains possible to dispose of the individual contributions
separately, even after the individual elements have been combined in one single work.
The actual classification of a particular multimedia product will depend on the type of work
and on the different and specific characteristics of each individual multimedia product.
Therefore, it has to be decided on a case-by-case basis. To the extent it is a literary work it
gets protected as such; to the extent it is a cinematographic work, it attracts copyright
protection as a cinematographic work and to the extent that it is a pure phonogram, its
producer is protected. The final interpretation, of course, will then often be in the hands of the
courts.
70 Section 14(a) and (d) of Copyright Act, 1957.
71 Section 2(d) of Copyright Act, 1957. For an excellent discussion on this point, see, T. C. James, “Indian
Copyright Law and Digital Technologies” Vol.7, No. 5, Journal of Intellectual Property Rights 429 (2002).
72 Agreement on Trade Related Aspects of Intellectual Property Rights (TRIPS), an important multilateral
agreement being administered within the framework of the World Trade Organization (WTO).
Act73 and the rights of performers74 in the product. At present, large numbers of multi-media
works are being created by combining pre-existing works. The classification of multimedia
works is an issue that needs to be examined in depth and calls for deliberation, appropriate
strategies and institutional responses.
Indeed, there is nothing new in the combination of several types of works within one larger
work or on one data carrier; phonograms and cinematographic works are examples from the
past. What is innovative is that text, sound and visual information is now being presented and
stored in digital form. However, it would be neither advisable nor desirable to equate all
multimedia works with the existing category of cinematographic works. The fact is that a
multimedia work taken as one single product does not exactly fit any of the existing
categories of works protected under the regime of copyright. The fact that digital products are
vulnerable not only to copying of the whole work but also vis-à-vis copying of parts of the
work poses additional problems. Clearly, unauthorized appropriation of parts of a work only
amounts to an infringement of copyright where the relevant part attracted protection as such.
In a nutshell, it still remains to be decided whether multimedia works should be regarded as a
separate category of works protected under the regime of copyright. Since it has not yet been
clarified to what extent multimedia works fall within one of the above-mentioned types of
work, it may appropriately be pointed out in the legislation that a work can consist of the
combination or merging of other works. Undoubtedly, this would ensure that the
prerequisites of protection were not examined separately but in relation to the multimedia
work as a whole, which would enable protection of the interactivity so characteristic of many
multimedia works, provided that it fulfils the originality requirement.
3.2 Linking
3.2.1 Introduction
The interactive feature of the Internet's most popular information access tool, the World Wide
Web (www), is the hyperlink,75 which defines its very nature and clearly distinguishes it
from any other communications medium. On the Internet, a link is a selectable connection
from one word, picture, or information object to another.76 Links usually appear as
highlighted, underlined or otherwise prominent text or pictures that can be selected by the user,
resulting in the immediate delivery and display of another file. The highlighted object is
referred to as an anchor. The anchor reference and the object referred to constitute a “link”.
Linking can be classified into two types. When the home page of a site is linked, it is a case
of surface linking. When a link bypasses the home page and goes straight to an internal page
within the linked site, it is a case of deep linking.
73 Section 13(4) of Copyright Act, 1957, provides: “The copyright in a cinematograph film or a sound recording
shall not affect the separate copyright in any work in respect of which or a substantial part of which, the film, or
as the case may be, the sound recording is made.”
74 According to Section 38(4) of Copyright Act, 1957, once a performer has consented to the incorporation of
his performance in a cinematograph film, his performer’s right in that performance ceases to exist, whereas in
the case of other classes of works there is no such provision.
75 Usually, on the web or other hypertext systems, hyperlink is a synonym for both link and hypertext link.
76 In simple terms, a link is simply a connection between the content of two different files or between different
parts of a single file. A link may lead either to another file in the same website, or to a file on a different
computer located elsewhere on the Internet. Internet browsers automatically decipher the instructions given by
links and retrieve the specified file. A single web page may contain many links to other web pages. That same
page may itself be the “destination” of hundreds, or thousands of other links on other pages. So, linking is the
sine qua non for the World Wide Web. Links allow quick access to information that otherwise could take much
time and effort to find. Consequently, if linking were disallowed or made illegal, the Web would no longer
exist.
The web was built for the purpose of enabling hypertext capabilities, allowing one site to link
to and access another. In most cases, the owner of a web page will desire the page to be the
destination of as many links as possible because more links would mean more hits, and more
hits would in turn mean wider dissemination of whatever information the page is designed to
get across. Typically, website owners used to make money from the advertising on their sites
and the rate of advertising is set keeping in mind the number of people who visit the site. So,
from a purely economic point of view, the website owners have good incentive to encourage
the practice of linking.
However, the problem quite often arises with respect to the practice of deep linking. The
home page of a website is quite often used as the entry point to information contained within
the website. It typically welcomes users, explains the nature of the site and offers links that
allow the user to navigate through the site. Deep links defeat a Website’s intended method of
navigation. Further deep links may “steal” traffic from the linked site’s homepage thereby
decreasing the revenue that could be generated from advertising that is dependent on the
traffic onto the site. A link is just a URL, the Internet address of a Website and, therefore,
not copyrightable. But this technology of hyperlinking may aid in the distribution of creative
material that belongs to someone else.
In Ticketmaster Corp. v. Microsoft Corp.77 case, Ticketmaster Corporation sued Microsoft
for Microsoft's practice of linking, without permission, deep within its site rather than to the
home page, and claimed, among other things, that Microsoft effectively diverted advertising
revenue that otherwise would have gone to the plaintiff. Ticketmaster Corporation had also
entered into contract with other firms whereby those firms had agreed to pay to link to the
Ticketmaster site. Free linking by Microsoft to the plaintiff’s site could have devalued those
contractual relationships. Ticketmaster had also contracted to give MasterCard prominence at
its site. Microsoft's bypassing of the home page threatened the ability of Ticketmaster to
comply with that contract. Allowing such a free link undercut Ticketmaster's flexibility both
in designing its site and in its marketing efforts and arrangements with other sites. During the
pendency of the court proceedings the parties entered into a settlement agreement whereby
Microsoft agreed not to link to pages deep within the Ticketmaster site and agreed that the
links will point visitors interested in purchasing tickets to the ticketing service’s home page.
In Intellectual Reserve, Inc. v. Utah Lighthouse Ministry, Inc.78, the plaintiff, Intellectual
Reserve, held a copyright in the Church Handbook of Instructions. After being directed by
the court to remove the Handbook from its Website, defendants posted a message on their
Website that informed users that the Handbook was online. The message went on to provide
users with the URLs of three Websites at which the Handbook was posted.79 The plaintiff
sought a preliminary injunction enjoining defendants from continuing to post such messages
to their site which, plaintiff claimed, constituted contributory infringement of its copyright in
the Handbook. The court issued the requested injunctive relief and further held that by
posting a message on their Website providing users with the location of infringing materials
and apparently aiding a user in viewing the infringing Websites, the defendants had
committed contributory infringement.
77 Ticketmaster Corp. v. Microsoft Corp., No. 97-3055 (CD CA - 1997).
78 Intellectual Reserve, Inc. v. Utah Lighthouse Ministry, Inc., 75 F. Supp. 2d 1290 (1999).
79 <http://www.phillipsnizer.com/int-art176.htm>.
In Shetland Times, Ltd. v. Dr. Jonathan Wills and Another 80, Shetland Times operated a
Website through which it made available many of the items in the printed version of its
newspaper. The defendants also owned and operated a website on which they published a
news reporting service. Defendants reproduced verbatim a number of headlines appearing in
the Shetland Times. These headlines were hyperlinked to the plaintiff’s site. Clicking on the
headline took the reader to the internal pages in the plaintiff’s site on which the related story
was found. The judge agreed that the plaintiff had presented at least a prima facie case of
copyright infringement based upon the United Kingdom's law governing cable television
program providers. He found that the articles were being sent by the Shetland Times but
through the Website maintained by the defendants. In the process, the front page of the
Shetland Times' site on which paid advertisements appeared was bypassed, significantly
diminishing the value of the site to potential advertisers. The court issued an interim interdict
barring defendants, without the plaintiff’s consent, from copying headlines from the
plaintiff’s newspaper onto their Website, and creating hyperlinks from those headlines to the
location on the plaintiff’s site on which the article described in the headline appears.
Thereafter, the case was settled out of court by the parties whereby the defendants agreed not
to deep-link into the site of the plaintiff.
The German Federal Court of Justice in Verlagsgruppe Holtzbrinck v. Paperboy81 ruled that
the defendant, Paperboy, an online search engine, violated neither copyright nor competition
law by providing deep links to the plaintiff’s Website. According to a website which campaigns
against legal attempts to stop deep linking, the plaintiff’s argument against the headline scraper
was that such deep links are illegal, because they “take users directly to news articles, bypassing
introductory pages and advertising, thus depriving the plaintiffs of revenue from their
advertisements”. The question here is: couldn't the plaintiff, the publishing firm Verlagsgruppe
Holtzbrinck, sell more advertising on the traffic generated by deep links to interesting
stories? Most Internet publishers welcome a deep link to a story, courtesy of a Slashdot or a
Drudge Report, or a prominent position on Google News. They know this traffic isn't going
to come along every day, and they know it isn't “their” traffic. The court also thought the
plaintiff's demand that users must start with the home page was unreasonable. It further
emphasized the importance of deep links for the Internet and held that it is up to the
plaintiff to prevent deep links with technical measures, if they don't like them.
deep linking, the linking site is not reproducing any work. The reproduction, if at all, takes
place at the end of the user who visits the linked page via the link. Can the linking site be
said to be issuing copies of the work or communicating it to the public? Strictly speaking or
technically, the linking site is only informing people about the presence of the work and
giving the address of the site where the work is present. It is the user’s discretion to access
the work by clicking the link. Nevertheless, the linking site is definitely aiding in the
distribution of the work.
Now, looking at the matter from the converse angle, Section 2(ff) of the Copyright Act defines
communication to the public as making any work available for being seen or heard or otherwise
enjoyed by the public directly or “by any means of display” or diffusion other than by issuing
copies of such work, regardless of whether any member actually sees, hears or otherwise enjoys
the work so made available. This definition of communication to the public could be stretched to cover the
communication of contents of a Website on the Internet as the expression “by any means of
display” has been used to define communication. Without deep linking, the Internet as we
know it would collapse. One couldn't have a search engine, for example. But some grey areas
do need to be addressed. It is quite different for a search engine to deep link than a
competitor of an e-business Website to do the same. Deep linking to commercial Internet
databases without the permission of the content owner could raise many problems. It would
be difficult for any business to see its content being used by a competitor for free just because
the new technology allows it. Many publishers are moving to curtail or block permanent deep
links, as more free content moves behind registration screens or is shepherded after a few
days into paid-for archives. But many Websites would welcome deep links as well.
So, what could be the best possible solution? Should the law be amended to stop deep
linking without the permission of the owner of the content, or should the law provide complete
exemption/immunity to links of all kinds? Looking at different foreign jurisdictions, perhaps
no law till date has put a ban on deep linking. There are indeed problems in doing so. On the
one hand, one has to consider the rights of the owner of content and, on the other hand, the
interests of society, for which the growth of the Internet is all-important. Undoubtedly, the
international conventions, treaties and instruments do emphasize the importance of control in
the hands of the content owner, but they have not specifically dealt with the problem of deep
linking. The Indian position also seems to be on the same lines. The current provisions of the
Act seek to check the unauthorized use of someone’s content through deep linking, and, using
these provisions, the courts can fill the vacuum by deciding the matter on a case-by-case
basis; if a deep link has been created with bad intent and in order to derive unjust
enrichment out of somebody’s content then it could be injuncted.
It is important to mention here that before linking deep within a website, the prudent course
for businesses and individuals would be to seek permission. And the creators of a
Website who do not want it linked to by a pornographic or shabby site could place a
prohibition in its “terms of use” similar to, “do not link to this site without our express
consent”. Could one be liable for linking to a site that includes illegal material?
Perhaps one possible way is to post a disclaimer on the site indicating that the links are
for information only, and do not constitute an endorsement or approval of the material on the
linked sites.
3.2.3 Inlining
Plainly speaking, inlining or “In-line linking” enables a web page to summon different
elements from diverse pages or servers to create a new web page. Instead of copying the
elements to the composite page, the elements are linked in by “pulling in” graphic or image
files from another site and displaying them on the composite web page. Thus, the composite page
would consist of a series of links to other sites and servers. While browsing the composite
page, the page directs the browser to get the pictures, graphics etc. from the original sources.
A typical example could be a web page on art that contains images stored around the world.
The web page could contain the text: “See my favourite paintings”. Using an inline link, the
web page could then direct the visiting browser to retrieve the images of famous paintings
from the web pages of various museums and place them immediately below the text. To the
end-user, the integration of the two pieces of content (text and pictures) is seamless, despite the
fact that they were taken from two very different sources. The viewer cannot perhaps
distinguish that the image has originated and been imported from a separate site and may
never come to know that it was not created or stored at the site being visited by him. Clearly,
in this respect, inlining is different from deep linking where the user is usually aware that he
has “changed pages”, either from the different appearance of the newly accessed page, or
from the change in the URL address displayed in the Web browser.
In the famous case of Leslie A. Kelly v. Arriba Soft Corporation83, a visual search engine
(ditto.com, formerly known as Arriba) crawled the web to produce thumbnail images of
photographs and used them to link to the original pictures. Leslie Kelly, a professional
photographer was upset that the search engine reproduced thumbnails of the images on his
site which, when clicked, produced the full-size image in a window on Arriba's site. The page
used so-called in-line linking to display the original full-sized image, surrounded by text
describing the size of the image, a link to the original website, the Arriba banner, and Arriba
advertising. Kelly filed suit on April 6, 1999, alleging copyright infringement. The
California District Court ruled that both the creation of the thumbnails and the inline linking
were justified under the fair use doctrine. On appeal by Kelly, the Ninth Circuit Court of
Appeals affirmed in part and reversed in part the district court decision. The display of the tiny
images was deemed to be legal fair use, but not the inline linking. On February 6, 2002, the
US Court of Appeals for the Ninth Circuit held that unauthorized inline linking to images
residing on the copyright owner's Website violates the copyright owner's right of public
display. The court rejected defendant's fair use defence and stated that inline linking
diminishes the opportunities of the copyright owner to sell or licence the images on his own
Website. The Electronic Frontier Foundation (EFF) filed a brief, thereafter, urging the court
to reconsider the part of its ruling on inlining to copyrighted images. The EFF argued that the
ruling against “inline linking” threatened to transform everyday Website activities into
copyright infringements. In July 2003 the court withdrew that portion of its opinion, which
was relating to inlining, leaving it to the lower court to take a fresh look at the issue. It is
now open for the court to reconsider whether inlining is violative of copyright or not.
83 Leslie A. Kelly v. Arriba Soft Corporation, Case No. 00-55521, US Court of Appeals for the Ninth Circuit.
different sites. So, the reproduction, if at all any, takes place at the end of the user who visits
the linked page via the link. Also, the creator of the inline link is not issuing copies of the
work nor communicating or distributing the work to the public. But he can be said to be
aiding in such communication and distribution.
Looking from another angle, the definition of communication to the public under section 2(ff)
of the Copyright Act could be stretched or extended to cover the communication of contents
of a website on the Internet as the expression “by any means of display” has been used to
define communication to the public.
Section 14(a) (vi) of the Copyright Act grants the right of adaptation only to the owner of
copyrighted work84. By inlining the linking site could take some elements from the linked
site’s multimedia settings and create its own site, thereby affecting the right of making a
derivative work of the linked site, because taking some elements from the multimedia setting
and combining them with some other could well fit into the definition of adaptation. So,
adaptation rights do come into the picture vis-à-vis inlining. Further, inlining brings in the
question of moral rights as well. Section 57 of the Copyright Act, 1957, which talks about
Author’s special rights, says:85
1. Independently of the author's copyright, and even after the assignment
either wholly or partially of the said copyright, the author of a work shall have the
right--
a. to claim the authorship of the work; and
b. to restrain or claim damages in respect of any distortion, mutilation,
modification or other act in relation to the said work which is done before the
expiration of the term of copyright if such distortion, mutilation, modification
or other act would be prejudicial to his honour or reputation
2. The right conferred upon an author of a work by sub-section (1), other
than the right to claim authorship of the work, may be exercised by the legal
representatives of the author. (emphasis added)
Firstly, this section allows the copyright author to claim authorship of the work. In case of
inlining, the user is quite confused about the original source and hence may never come to
know about the author of an inlined work as the user may never know from where different
elements of the site have emanated. So, the practice of inlining may implicate the moral right
of the author.
Secondly, section 57 talks about the right of integrity. The author of the copyrighted work
has a right to see that his work is not being distorted, mutilated or modified. Copyrighted
graphic image could be pulled into a site with its image appearing on a single page combined
with other images, thus creating another work, virtually new and different from the original,
thereby strongly implicating the right to integrity of the work. The combination of various
elements could be termed as modification or even mutilation in certain circumstances.
84 According to Section 2(a), Copyright Act, 1957, “adaptation” means:
i. in relation to a dramatic work, the conversion of the work into a non-dramatic work;
ii. in relation to a literary work or an artistic work, the conversion of the work into a dramatic work by way of
performance in public or otherwise;
iii. in relation to a literary or dramatic work, any abridgment of the work or any version of the work in which the
story or action is conveyed wholly or mainly by means of pictures in a form suitable for reproduction in a book,
or in a newspaper, magazine or similar periodical;
iv. in relation to a musical work, any arrangement or transcription of the work; and
v. in relation to any work, any use of such work involving its rearrangement or alteration.
85 Section 57 of the Copyright Act, 1957.
Should the law be amended to outlaw inlining, or should it allow the practice? The Copyright Act
talks about various rights of owners and authors of works and describes situations where
these rights can be infringed. So, there is no need for the law to be changed as such in this
regard. A complete ban could restrict the growth of the Internet. At the same time owner’s
content should not be subject to exploitation by one and all. In this situation, it is for the
courts to decide upon the legality/illegality of inlining from case to case. The measure would
always be the Copyright Act, the philosophy of which is amply clear. In case an inline link
amounts to aiding in distribution or communication with dishonest intentions, the courts will
come forward and declare such inlining illegal.
3.3 Framing
3.3.1 Definition
Web browsers allow web authors to divide pages into “frames” 86. Since it is possible for a
site to call a frame's contents from a different location, a programmer might “frame” another's
Web content beneath his own navigation or banners. This allows him to use creative content
owned by another entity to sell banner advertising on his own site. A typical use of frames is to
have one frame containing a selection menu and another frame that contains the space where
the selected (linked to) files appear.87
It is worthwhile to note that the technology of framing was developed by Netscape and was
introduced in 1996 and is now a common technology used on many web pages. There are
several legal issues involved therein.
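The Paperboy court left it to the content owner to stop unwanted linking "with technical measures"; the inlining and framing passages above describe what a browser does in each case. As an added illustration, not code from this study material, here is a hypothetical Python classifier for a content owner's server that tells a cross-site deep link, an inline (hot-linked) image fetch and a framed embed apart from the request headers a browser sends (Referer and the Fetch Metadata headers Sec-Fetch-Site / Sec-Fetch-Dest), refuses the inline fetch, and attaches the response headers that make browsers decline to render the page inside another site's frame; the host names and sample requests are constructed.

```python
"""Classify cross-site deep links, inline (hot-linked) fetches and framed embeds
from HTTP request headers and attach anti-framing response headers.
Added illustration with constructed hosts and requests; not the study material's code."""
from urllib.parse import urlsplit

OWN_HOST = "museum.example"  # hypothetical content owner's host (constructed)

# Sec-Fetch-Dest values (Fetch Metadata) say where the browser will put the response.
EMBED_DESTS = {"image", "audio", "video", "font", "style", "script"}
FRAME_DESTS = {"iframe", "frame", "embed", "object"}


def referrer_host(headers):
    """Host named in the Referer header, or None when the browser sent none."""
    ref = headers.get("Referer", "")
    return urlsplit(ref).hostname if ref else None


def is_cross_site(headers, own_host=OWN_HOST):
    """True when the request was triggered from a page on another site.

    Sec-Fetch-Site is set by the browser itself (page scripts cannot forge it),
    so it is used when present; otherwise the often-stripped Referer is the fallback.
    """
    site = headers.get("Sec-Fetch-Site")
    if site is not None:
        return site == "cross-site"
    ref = referrer_host(headers)
    if ref is None:  # typed URL, bookmark, or Referer suppressed: cannot tell
        return False
    return not (ref == own_host or ref.endswith("." + own_host))


def classify(headers, own_host=OWN_HOST):
    """Return 'own-site', 'deep-link', 'inline' or 'framed'.

    deep-link: a navigation from another site straight to one of our internal pages
    inline:    another site's page pulls this resource into its own composition
    framed:    another site's page loads this page inside a frame
    """
    if not is_cross_site(headers, own_host):
        return "own-site"
    # Browsers without Fetch Metadata send no Sec-Fetch-Dest; a plain navigation
    # is then the only safe assumption, so such hot-linking goes undetected.
    dest = headers.get("Sec-Fetch-Dest", "document")
    if dest in EMBED_DESTS:
        return "inline"
    if dest in FRAME_DESTS:
        return "framed"
    return "deep-link"


def respond(headers, own_host=OWN_HOST):
    """Decide the response: (status, response headers, reason)."""
    kind = classify(headers, own_host)
    # Sent with every response: the browser then refuses to render this page
    # inside another site's frame, whatever the Referer says.
    resp = {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }
    if kind == "inline":
        # Hot-link protection: do not let another page compose our image into itself.
        return 403, resp, "cross-site inline fetch refused"
    if kind == "framed":
        return 200, resp, "served; browser will refuse to frame it"
    # A deep link is an ordinary navigation to our page: serve it.
    return 200, resp, kind


if __name__ == "__main__":
    # Constructed sample requests as the museum.example server would see them.
    samples = {
        "deep link from a news site": {
            "Referer": "https://news.example/story", "Sec-Fetch-Site": "cross-site",
            "Sec-Fetch-Dest": "document"},
        "image pulled into another page": {
            "Referer": "https://aggregator.example/art", "Sec-Fetch-Site": "cross-site",
            "Sec-Fetch-Dest": "image"},
        "page loaded in a frame": {
            "Referer": "https://portal.example/", "Sec-Fetch-Site": "cross-site",
            "Sec-Fetch-Dest": "iframe"},
        "old browser, Referer only": {"Referer": "https://aggregator.example/art"},
    }
    for name, hdrs in samples.items():
        status, _, reason = respond(hdrs)
        print(f"{name:32} -> {classify(hdrs):9} {status} {reason}")
```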
In Washington Post Co. v. Total News, Inc.88, the Washington Post filed a complaint against
an online news site, Total News, the publisher of the Website www.totalnews.com. Total
News, an aggregator of web news sources, employed frame technology to display news sites
from around the Web. Total News had created pages with frames that contained hyperlinks to
other news Websites, such as the Washington Post, CNN, USA Today, Time and Sports
Illustrated, etc. Web users, therefore, could use www.totalnews.com to access articles from
various sources. The Total News Website generated its revenue from advertising, which it
placed in a static border frame. Clicking on a hyperlink to ‘The Washington Post’ within the
Total News Web page displayed the content of The Washington Post page within a frame that
was surrounded by Total News's URL, logo, banner, advertisements and information. Six
content providers - CNN, Time-Warner, Reuters, The Washington Post, The Wall Street
Journal and the LA Times, sued Total News, claiming that such framing was “the Internet
equivalent of pirating copyrighted material”. They also alleged misappropriation, trademark
infringement and trademark dilution. The plaintiffs complained that Total News had designed
a parasitic Website that republishes the news and editorial content of others' Websites in
order to attract both advertisers and users. Total News settled the case by agreeing to link to,
rather than frame, the Web pages of various plaintiffs and the court did not have an
opportunity to decide any of the legal issues that were raised by the plaintiffs.
some other site’s content on his site is not causing any direct reproduction of the copyrighted
content. This is because the framer never copies the pirated content; instead merely provides
a visiting browser with instructions to retrieve the content, which is then incorporated into the
overall page on the user's site. Thus the only person who copies the content is the final user
who never comes to know that his browser is fetching different elements from different sites.
Also, the framer is not directly issuing copies of the work nor communicating or distributing
the work to the public, as the user’s browser is actually fetching the content directly from the
owner’s site. But he can be said to be aiding in such communication and distribution.
Further, Section 14(a) (vi) grants the right of adaptation only to the owner of copyrighted
work. The framing site could take some elements from the framed site’s multimedia settings
and create its own, thereby affecting the right of making a derivative work of the framed site,
because taking some elements from the multimedia setting and combining them with some
other could well fit into the definition of adaptation. So, derivation and adaptation rights do
come into the picture vis-à-vis framing.
It is important to note here that the framing brings in the question of moral rights as well.
Section 57(1) of the Copyright Act, allows the copyright author to claim authorship of the
work. In case of framing the user is confused about the original source and hence may never
come to know about the author. The user may never know from where different elements of
the site have emanated. The creator of a frame does not literally “copy” the contents of the
framed page but only directs the user’s browser to summon content from another Website and
show the same along with the content of the framing site. Since the URL of the framed Web
page does not appear on the screen, the user accessing a framed site may not perceive the site
as being framed and may attribute the appropriated material to the home site owner. This
could implicate the right of the author to be identified as such, since the user never comes to
know that he is viewing content from a different site. The author of the copyrighted work has
a right to see that his work is not being distorted, mutilated or modified. Content from
various sites could be pulled into a single window, thus creating another work virtually new
and different from the original thereby strongly implicating the right to integrity of the work.
Perhaps, the combination of various elements could be termed as modification or even
mutilation in certain circumstances.
3.4.2 Liability of Internet service providers for copyright infringement
The liability of Internet Service Providers (ISPs) for on-line copyright infringement has been
one of the most contentious issues in the copyright laws. The issue of liability for ISPs has
been as old as the use of the Internet, which grew exponentially from the beginning of the 1990s.
Should ISPs be held liable for illegal activities committed by their users? If yes, to what
extent? To what extent should an ISP which is merely acting as an online intermediary be held
accountable for third party material put on the Internet by users of its facilities?
Because of the inherent difficulties of enforcing copyrights against individual Internet users
worldwide, the copyright owners have found that the answer to this problem lies in placing legal
liability for copyright infringement on those who allow and enable Internet copyright pirates
to exist, namely the Internet service providers (ISPs). For the content community, it is
practical to sue the ISPs as they are in a position of policing the Internet. On the other side of
the argument, ISPs are passive carriers similar to telecommunications companies and,
therefore, should be granted some limitation from liability with regard to copyright
infringement. In addition, to make ISPs liable could stifle the growth of the Internet.
The liability of ISPs may arise in a variety of legal fields, such as criminal law, tort law, trade
secret law, copyright law, trademark law, unfair competition law, etc. Worldwide many
nations have tried to define the liability of ISPs in disseminating third party content. Many of
these national laws relate to criminal law, information technology law or copyright law.
These statutes have tried to solve the problem by adopting one of two approaches: the
horizontal approach and the non-horizontal approach. The horizontal approach 89 covers not only
copyright infringement but also all other potential areas of law where liability of ISPs might
arise. It fixes the liability regardless of the grounds for illegality of the transmitted material.
Under the non-horizontal approach90, by contrast, the potential liability of ISPs is determined under
each law where it might arise. In this case various statutes would determine ISP liability; for
example, adopting non-horizontal approach the copyright statute would address ISP liability
that might arise only in relation to copyright violations.
89 There are laws now in force in Germany, Sweden, Japan, etc. which approach the issue from a horizontal perspective.
90 Non horizontal approach has been adopted by some countries such as Hungary, Ireland, Singapore and the USA.
Typically, ISPs allow their servers and other telecommunication facilities for storing user’s
material and for transmitting that material. The computer servers and other
telecommunication facilities are actually located at their business premises and hence they
would verily come under the expression “any place” and could be held liable for the
infringing activities of third parties whose material they store or transmit if other
requirements are fulfilled. Further, the expression “permits for profit” means that to be held
liable the activities of the ISP should be for profit, meaning thereby that it should be financially
benefiting out of the infringing activities. ISPs normally charge for their services and even if
they offer some services for free, they could indirectly be making profit out of it, e.g., from
advertisements that they bundle together with the transmitted material. So, the above two
requirements are fulfilled by ISPs for most of their activities in case they transmit or store
infringing material. The expression ‘unless he was not aware and had no reasonable ground
for believing that such communication to the public would be an infringement of copyright’ is
significant in the sense that ISPs are liable only if they have knowledge of the infringing
material stored or passing through their servers.
Further, it is to be noted here that “any person who knowingly infringes or abets the
infringement of copyright …” is made criminally liable under the Act 91. However, whether
an ISP be said to have abetted the infringement of copyright is a question to be decided by the
courts in the light of actual facts and circumstances of each case.
91 Section 63 of the Copyright Act, 1957.
92 Explanation (a) to Section 79 of IT Act, 2000.
93 Section 2(w) of the IT Act, 2000.
94 Section 79 of the IT Act, 2000.
different ISPs could be held liable under the IT Act, 2000 for something in which they played
no role at all or over which they have no or very little control.
simultaneous appropriate action, apart from the person who actually commits the
infringement. So, ISPs are also invariably impleaded in the matter to fix their responsibility.
Further, the ISPs can be identified very easily. For example a software product is found
loaded on a Website which anyone is free to download. Let’s assume the Website actually
operates some kind of update/ bulletin board, i.e. a site where people just upload and
download files and where anyone can contribute. In such a situation, often one can trace out
the Website owner but it is extremely difficult to find out the actual contributor. So, one can
easily find out the ISP whose facilities have been used to upload the software. There is no
denial of the fact that in digital environment products are priced high and much damage can
occur in very less time. So, apart from initiating legal proceedings against the actual offender,
the aggrieved party has good incentive to sue the ISP as well. This incentive is also based on
the fact that an ISP, as a business entity, invariably has deep pockets and is generally
more capable of paying the damages than an individual private user. Another obvious reason
is the deterrent effect on the ISP. If on a Website there are 20 subscribers, all of whom can
upload and download content to and from that Website, and the aggrieved person sues one of
them, the next day someone else might upload the same content. But if the aggrieved party sues the
ISP directly, the ISP, in order to avoid any future trouble, will simply shut it off and make it
clear in very unambiguous terms to its subscribers that the infringing content will not be
uploaded on this Website in future.
According to some, the grant of the first patent can be traced as far back as 500 BC. It started
from a city in Greece dominated by gourmands and it was perhaps the first grant of the kind
that is now-a-day called a “patent” right to promote culinary art. It conferred exclusive rights
of sale to any confectioner who first invented a delicious dish. As the practice was extended
to other Greek cities and to other crafts and commodities, it acquired a name monopoly, a
Greek Portmanteau, comprising mono (alone) and polein (sale). 95
In the modern day world, the grant of privileges acted as a precursor to the grant of what we
now know as patents. The Republic of Venice was the first to adopt a statute for grant of
privileges, the ‘Parte Veneziana’ of 1474.96 That statute laid down the principles on which
today’s patents are built: the usefulness of new inventions for the State, the exclusive rights
of the first inventor for a limited period and penalties for infringement.
A patent can be secured for the practical utilization of an idea or concept. The idea or concept
itself cannot be protected by patents, only the manner of putting the idea or concept into
practical use can be patented. For patent protection an invention must fall within the scope of
95 Jagjit Singh, “Property, Patents and Technology”, a paper presented at National Research Development Corporation (NRDC) Training Programme on Patents, Designs & Trademarks, March 10-14, 1986.
96 Edith T. Penrose, The Economics of the International Patent System, 1951, Johns Hopkins Press, Baltimore, p.2.
patentable subject matter. In general, there are two categories of subject matter which can
form the basis for the grant of patent:
a) Processes: - This category may include the processes of preparing chemical compounds,
new or known, compositions of matter, new or known processes of making or shaping or
processing articles and the like.
b) Products: - This category may include any new pharmaceutical substance, chemical
compounds, polymers, synthetic materials, mixtures of chemicals, composition of matter,
alloys and pharmaceutical compositions.
Under the Patents Act, 1970, an Invention means “a new product or process involving an
inventive step and also capable of being made or used in the industry.” It means the invention
to be patentable should be technical in nature and should meet the following criteria –
i) Novelty: The matter disclosed in the specification is not published in India or elsewhere
before the date of filing of the patent application in India.
ii) Inventive Step: The invention is not obvious to a person skilled in the art in the light of the
prior publication/knowledge/ document.
iii) Industrially applicable: Invention should possess utility, so that it can be made or used in
the industry.
As per Section 3 of the amended Patents Act, 1970, the following are non-patentable
inventions:
1. An invention which is frivolous or which claims anything obviously contrary to well
established natural laws.
2. An invention the primary or intended use or commercial exploitation of which could be
contrary to public order or morality or which causes serious prejudice to human, animal
or plant life or health or to the environment.
3. The mere discovery of a scientific principle or the formulation of an abstract theory (or
discovery of any living thing or non-living substances occurring in nature), the mere
discovery of a new form of a known substance which does not result in the enhancement
of the known efficacy of that substance or the mere discovery of any new property or
mere new use for a known substance or of the mere use of a known process, machine or
apparatus unless such known process results in a new product or employs at least one new
reactant
Explanation- For the purposes of this clause, salts, esters, ethers, polymorphs,
metabolites, pure form, particle size, isomers, mixtures of isomers, complexes,
combinations and other derivatives of known substance shall be considered to be the
same substance, unless they differ significantly in properties with regard to efficacy.
4. A substance obtained by a mere admixture resulting only in the aggregation of the
properties of the components thereof or a process for producing such substance
5. the mere arrangement or re-arrangement or duplication of known devices each
functioning independently of one another in a known way
6. A method of agriculture or horticulture
7. Any process for the medicinal, surgical, curative, prophylactic, diagnostic, therapeutic or
other treatment of human beings or any process for a similar treatment of animals to
render them free of disease or to increase their economic value or that of their products.
8. Plants and animals in whole or any part thereof other than micro-organisms but including
seeds, varieties and species and essentially biological processes for production or
propagation of plants and animals
9. A mathematical or business method or a computer programme per se or algorithms
10. A literary, dramatic, musical or artistic work or any other aesthetic creation whatsoever
including cinematographic works and television productions
11. A mere scheme or rule or method of performing mental act or method of playing game
12. A presentation of information
13. Topography of integrated circuits
14. An invention which in effect, is traditional knowledge or which is an aggregation or
duplication of known properties of traditionally known component or components.
15. Inventions relating to atomic energy and the inventions prejudicial to the interest of
security of India.
[Flowchart: patent application procedure – request for substantive examination; examination objections; are objections fulfilled?; outcome of hearing; application accepted or rejected; opposition / cancelled]
As per Section 64 of the amended Patents Act, 1970, a patent can be revoked on the same
grounds as grounds of opposition. A patent can also be revoked on directions of the Central
Government in cases relating to atomic energy (Section 65), or where the patent or the mode
in which it is exercised is mischievous to the State or generally prejudicial to the public
(Section 66). The patentee or any person holding rights in such patent are given an
opportunity to be heard before any decision for revocation is taken.
The patentee (i.e. an applicant who has been granted a patent) has the exclusive right to
prevent unauthorized third parties from making, using, offering for sale, selling or importing
the patented product in India. If the patent has been granted for a process then the patentee
has the exclusive right to prevent unauthorized parties from using, offering for sale, selling or
importing the product obtained directly by that process in India.
The duration of patent protection is 20 years and is determined from the date of filing the
application. If a provisional has been filed followed by a complete specification, the term of
the patent is counted from the date of filing the provisional application. In case of
International applications under Patent Cooperation Treaty, 1970, the filing date is the
international filing date for determining the term of the Patent.
Business methods include processes related to e-commerce, the Internet and data processing
techniques involving financial services, electronic sales, advertising methods, and other such
business or management practices. A business method patent can be obtained for any of the
above mentioned processes as long as the legal requirements or criteria for patentability are
met in accordance with the relevant national/regional law.
Automated financial/management business data processing method patents, which date back
to 1800s97, were the predecessors of today's modern business method patents. The first three
automated financial and business data processing method patents were issued in January 1989
to Herman Hollerith and the Tabulating Machine Company for automated tabulating and
compiling of statistical information. TMC is now known as IBM. 98 It has over ___ BMPs.
97 See USPTO White Paper - Automated Financial or Management Data Processing Methods, at http://www.uspto.gov/web/menu/busmethp/index.html (Last visited on Sept. 28, 2009).
98 In 1924 Thomas J. Watson, Sr. changed the name of the Tabulating Machine Company to International Business Machine Corporation ("IBM").
4.3.2 Patentability of Business Methods
American Perspective
In the United States, the debate on patentability of business method can be divided in three
phases, hinging on the judgment of the US Court in State Street Bank & Trust Co. v
Signature Financial Group, Inc.99
Prior to the State Street decision, there was a judicially created "business method exception"
to patentability in the United States. The Courts had refused to grant patents to inventions
regarding book-keeping systems100 and drive-in movie theaters.101 Hotel Security Checking
Co. v Lorraine Co.102 is said to be the case that gave birth to the business method exception
in the US. In the said case, the Court held that a patent on a "method of and means for cash-
registering and account-checking" was invalid. In obiter dicta, the Court observed, "a system
of transacting business disconnected from the means for carrying out the system is not, within
the most liberal interpretation of the term, patentable subject matter."
In 1998, a Federal Circuit Court of the United States laid the ill-conceived business method
exception to rest through its judgment in State Street Bank & Trust Co. v Signature Financial
Group, Inc.103 The patented invention in State Street Bank was a computer program,
essentially a data processing system that organized mutual funds into an investment portfolio
in order to gain investment and tax advantages for mutual fund managers. The plaintiffs in
State Street Bank attempted to invalidate the patent on two theories: the mathematical
algorithm exception and the business method exception. The Court held that the patent did
not fall within the mathematical algorithm exception since it produced “a useful, concrete and
tangible result”. It also held that no business method exception ever existed. The Court
concluded that business method patents should be "subject to the same legal requirements for
patentability as applied to any other process or method."
The Federal Circuit Court reaffirmed its State Street Bank judgment in AT&T Corp. v Excel
Communications, Inc104. In AT&T, the Court upheld a patent that was directed to a "method
that facilitated allocation of telephone service fees among a number of different carriers,
allowing computers to generate bills easily and accurately." The Court affirmed its
reassessment of the mathematical algorithm exception, and its rejection of the business
method exception in State Street Bank case.
99 47 USPQ 2d 1596 (CAFC 1998)
100 In Re Ex Parte Abraham 1868 Com'R Dec. 59, 59 (Com'R Pat. 1868).
101 Loew's Drive-In Theatres, Inc. v Park-In Theatres, Inc., 174 F.2d at p. 552. These decisions were not very clear in their reasoning and were criticized in In re Schrader, 22 F.3d at p. 298.
102 160 F. 467, 469 (2d Cir. 1908)
103 Supra
104 172 F.3d 1352 (Fed. Cir. 1999)
Two years later, in 2001, the Court dealt with another software business method patent in
Amazon.com Inc. v Barnesandnoble.com, Inc105. Amazon.com patented a "1-Click" shopping
device, the '411 patent, which was for "a method and system for 'single-action' ordering of
items in a client/server environment."106 Amazon.com sued Barnesandnoble.com for
infringement of the "1-Click" patent by Barnesandnoble.com's "Express Lane" shopping
feature, which essentially allowed customers to purchase products in a single step. 107 The
District Court granted a preliminary injunction against Barnesandnoble.com. In response,
Barnesandnoble.com argued/submitted that the district court did not construe the claims
properly to determine the underlying validity of the "1-Click" patent. Looking at prior art
references offered by Barnesandnoble.com to show that the "1-Click" patent was not new and
non-obvious as required, the Court reversed the preliminary injunction. The Court observed
that although Amazon.com was likely to succeed in the infringement claim, Barnesandnoble.com
had raised sufficient questions as to the validity.108 Unfortunately, the trial court was unable
to evaluate the validity of the patent because the parties settled prior to the date of trial.
In 2006, a US Court limited the strength of business method patents. Justice Kennedy in Ebay
v MercExchange,109 opined that infringement of business method patents may not merit
injunctive relief because of their "potential vagueness and suspect validity".
In re Bilski
In 2008 emerged a new facet to the Business Method patenting scenario. The in re Bilski case
involved patent claims for a method of hedging risks in commodities trading. The claimed
process essentially comprised the steps of initiating a series of sales or options transactions
between a broker and purchaser-users by which the purchaser-users buy the commodity at a
first fixed rate based on historical price levels. Thereafter, the producer-sellers of the
commodity are identified, and finally a series of sales or options transactions between the
broker and producer-sellers are initiated at a second fixed rate, such that the purchasers’ and
sellers’ respective risk positions balance out.
The Federal Circuit Court laid down that a process is patentable if it is tied to a particular
machine or apparatus, or it transforms a particular article into a different state or thing. It
further stated that two caveats exist to the transformation-machine test; first, that a field-of-
use limitation is insufficient to avoid the prohibition against pre-emption; and second that
conventional or obvious insignificant post-solution activity does not make what is otherwise a
claim to a principle, patent-eligible. The court added that insignificant pre-solution activity is
equally ineffective, and so too is an insignificant step in the middle of a process. Moreover,
the court laid down that this two-branch test should be considered all-inclusive, i.e., as stating
indispensable conditions of patent-eligibility, and rejected other proposed tests of patent-
eligibility viz. State Street Bank test and Freeman-Walter-Abele test. Based on this proposed
test, the court rejected the patent grant.
105 239 F.3d 134 (Fed. Cir. 2001)
106 Amazon's patent "describes a method and system in which a consumer can complete a purchase order for an item via an electronic network using only a 'single action,' such as the click of a computer mouse button on the client computer system."
107 Barnesandnoble.com's "Express Lane thus presents a product page that contains the description of the item to be purchased and a 'description' of the single action to be taken to effect placement of the order."
108 The Court however, made no final determination regarding either issue and remanded the case for further proceedings.
109 Ebay Inc. v MercExchange, L.L.C., 547 U.S. 388 (2006)
Bilski v. Kappos
The decision of in re Bilski went up in appeal to the U.S. Supreme Court and was decided in
2010. The Supreme Court rejected the Federal Circuit's holding in In re Bilski that the
machine-or-transformation test is the sole test to determine whether a particular process
constitutes patent-eligible subject matter. Instead, it held that the test should be viewed as a
clue to this analysis. The court upheld that the Bilski invention was not patent-eligible subject
matter because it was an attempt to preempt an abstract idea. However, the Supreme Court
stated that it was not resurrecting the useful, concrete, and tangible result test of the Federal
Circuit’s State Street Bank decision.
European Perspective
The European Patent Office (“EPO”) directly forbids issuing business method patents. Under
the European Patent Convention (“EPC”), patents are granted for "any inventions which are
susceptible of industrial application, which are new and which involve an inventive step," 110 a
standard very similar to that of US law.111 Additionally, however, in order to meet EPC
patentability requirements, "an invention must be of a technical character to the extent that it
must relate to a technical field, must be concerned with a technical problem and must have
technical features in terms of which the matter for which protection is sought can be defined
in the patent claim."112
Article 52(2) of EPC states, "the following in particular shall not be regarded as inventions
within the meaning of paragraph 1: . . . schemes, rules and methods for performing mental
acts, playing games or doing business, and programs for computers." 113 The EPO
categorically disallows business method patents; however, in reality, the ban is not absolute.
The inclusion of business method patents in limited circumstances is based on the language
of Article 52(3), which states "[t]he provisions of paragraph 2 shall exclude patentability of
the subject-matter or activities referred to in that provision only to the extent which a
European patent application or European patent relates to such subject-matter or activities as
such."114 The words "As such" have been construed only to exclude pure business method
patents, leaving an avenue of patentability for inventions of a technical character even if such
invention involves a business method or computer program, 115 as long as the invention meets
the requirements of novelty116, inventive step117 and industrial application118.
Indian Perspective
110 European Patent Convention (“EPC”), Art. 52(1)
111 35 U.S.C. § 101 states, "Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title".
112 Patentability of Methods of Doing Business, European Patent Office (Aug. 18, 2000), available at http://www.european-patent-office.org/news/pressrel/2000_08_18_e.htm (Last visited on Jan. 19, 2010) [hereinafter Patentability of Methods].
113 EPC Art. 52(2).
114 EPC Art. 52(3).
115 Patentability of Methods of Doing Business, European Patent Office (Aug. 18, 2000), available at http://www.european-patent-office.org/news/pressrel/2000_08_18_e.htm (Last visited on Sept. 28, 2009) [hereinafter “Patentability of Methods”]
116 See EPC Art. 54
117 See EPC Art. 56
118 See EPC Art. 57
The Indian Patents (Amendment) Act, 2002, amended s. 3 covering inventions that are not
patentable to include a mathematical or business method or a computer program per se or
algorithms.
This section was interpreted in Yahoo Inc. v Asst. Controller of Patents and Designs and
Rediff.com, OA/22/2010/PT/CH Intellectual Property Appellate Board (Decided on
December 8, 2011), where Yahoo applied for a patent in respect of its invention titled
“System and method for influencing a position on a search result listing generated by a
computer network search engine” which was later amended to “A method of operating a
computer network search apparatus”. This was a business method patent that sought to patent
a tool enabling real time online competitive bidding process where advertisers could target
web search terms relevant to their business and pinpoint the placement of their web site
description within the search results. Thus, they would be able to control their placement in
search result listings so that their listings are prominent in searches that are relevant to the
content of their web site. This could be a powerful advantage to businesses and others
seeking to increase their web exposure.
The board concluded that the invention was a business method one, even if it was a
technically smarter way of doing business. Hence it disallowed a patent for the same.
Software Patents
U.S. Perspective
The history of software patents is bracketed by two landmark decisions: Gottschalk v Benson
in 1972 and Diamond v Diehr in 1981.119 Both these judgments addressed the issue of
whether or not a computer algorithm constituted patentable subject matter. After Gottschalk,
the patent environment was unfavorable to software patents; after Diamond it became broadly
favorable.
In Gottschalk v Benson the patent application was filed by Bell Telephone Laboratories, the
research arm of AT&T. The invention related to a means of converting Binary Coded
Decimal (“BCD”) numbers to ordinary binary numbers. Most of the patent was expressed in
process-and-apparatus form, but one of the claims related to the algorithm itself. The
algorithm was executable by any general purpose computer or even using pencil and paper. It
could also have been considered a "law of nature". The patent was rejected by the
patent examiner because the algorithm constituted "non-statutory subject matter." 120 Bell
Labs took the case to the Court of Customs and Patent Appeals, which reversed the decision
on the grounds that the process "had no practical use other than the more effective operation
and utilization of a machine known as a digital computer" and the Court saw "no sound
reason why the claims in this case should be held non-statutory." Thereafter, the
Commissioner of the Patent Office, Leonard Gottschalk, appealed to the Supreme Court for a
writ of certiorari. The Supreme Court reversed again, stating that the claim was "so abstract
and sweeping as to cover both known and unknown uses" and "would wholly pre-empt the
mathematical formula and in practical effect would be a patent on the algorithm itself." 121 In
effect, this decision ruled out "pure" software patents but left the door open for software
119 Gottschalk v Benson, 409 U.S. 63 (1972); Diamond v Diehr, 450 U.S. 175 (1981).
120 In re Benson, 441 F.2d 682 (C.C.P.A. 1971), at 1137
121 Id.
enabled inventions that produced a new, useful, and non-obvious technical effect. 122
The effect of the Gottschalk v Benson decision was to discourage applications for pure
software inventions--inventions that could form the basis for a software product, independent
of a particular hardware configuration--in the 1970s.
The next case to deal with patentability of computer software was Parker v Flook 123. In
this case, the patent at issue was a method of utilizing a computer to continuously recalculate an
alarm limit during a chemical conversion process. The US Supreme Court found that the only
novel part of the invention was the use of the computer software to implement a pre-existing
process and reaffirmed its judgment in Gottschalk v Benson that the “discovery of a novel and
useful mathematical formula may not be patented.”
After Parker v Flook, the Court of Customs and Patent Appeals developed the two-
step Freeman-Walter-Abele test. According to this test, while evaluating a patent, a Court
was required to determine (1) whether a patent claim mentions an algorithm “directly or
indirectly,” and if so, then (2) whether the claimed invention as a whole involves more
than just the algorithm itself, allowing the claim to fall under section 101 of the U.S.
Patent Act.124
The controversy regarding software patents was laid to rest by the judgment in Diamond
v Diehr. The US Supreme Court expressly held for the first time that ". . . an invention was
not necessarily unpatentable simply because it utilized software."125 In this case, the patent
application claimed a process for molding synthetic rubber using a computer to constantly
measure the temperature inside the mold so as to recalculate the cure time by means of the
Arrhenius equation. The US Supreme Court distinguished this case from its previous
holdings because those cases held that "an algorithm, or mathematical formula, is like a law
of nature, which cannot be the subject of a patent," whereas the Diehr application was for a
process of curing rubber which incorporated the use of a computer.
The decision in Diehr’s case opened the door for a flood of patents where an entirely new
process, or a new process utilizing previously known algorithms, could be implemented through
the use of computer processing power.
This trend continued with the decision of the Federal Circuit in In re Alappat 126. In this case,
the Court found the applicant's invention to be patentable.127 Alappat's invention used anti-
aliasing techniques to create a smooth waveform display in a digital oscilloscope. 128 The
Federal Circuit stated that “while many elements of the invention performed mathematical
functions, the claimed invention as a whole is directed to a combination of interrelated
elements which combine to form a machine for converting discrete waveform data samples
into anti-aliased pixel illumination intensity data to be displayed on a display means. This is
not a disembodied mathematical concept which may be characterized as an 'abstract idea,'
but rather a specific machine to produce a useful, concrete, and tangible result." 129
122 The term "technical effect" is predominantly used within the European Community; the United States does
not appear to have such a neat encapsulation.
123 437 U.S. 584 (1978).
124 As a result of the Freeman-Walter-Abele test, programs could be patentable with the only new idea being the
algorithm itself, as long as the drafter included other process steps or physical structures in the patent claims.
125 Kirsch, The Changing Roles of Patent and Copyright Protection for Software, GigaLaw.com, Apr. 2000, at
http://www.gigalaw.com/articles/2000-all/kirsch-2000-04-all.html (last visited on Sept. 28, 2009). See Diehr,
450 U.S. at 176 ("A claim drawn to subject matter otherwise statutory does not become non-statutory simply
because it uses a mathematical formula, computer program, or digital computer.").
126 33 F.3d 1526 (Fed. Cir. 1994).
127 In re Alappat, 33 F.3d at 1545.
128 Id. at 1537.
The Court held that computer software was patentable so long as it meets the statutory patent
law requirements.130 The concession by the Court to grant patents for a computer program in
conjunction with a process indicated the Federal Circuit's full-fledged allowance of computer
applications.131
The Court also observed that “specific programming creates a new machine, because a general
purpose computer in effect becomes a special purpose computer once it is programmed to
perform particular functions pursuant to instructions from program software.”
The Alappat opinion made it clear that software claims must be tied to a machine in order to be
patentable. The search for patentable subject matter within computer systems was shifted to
focusing on the software itself as a novel and useful process, which could be executed by a
computer. After Alappat, the only remaining major obstacle to patenting computer programs was
the requirement that software claims implement the program within an apparatus or machine.
This obstacle fell in 1995 when IBM appealed a United States Patent and Trademark Office
rejection of a claim to the Federal Circuit. 132 On appeal, the Commissioner of Patents and
Trademarks conceded that “computer programs embodied in a tangible medium, such as floppy
diskettes, are patentable subject matter,” and the case was dismissed for lack of case or
controversy.
At the European Patent Office (EPO), the Technical Board of Appeal considered the patentability of software in the
VICOM case. The invention related to a "method of digitally processing images" using
certain mathematical algorithms133 "which can be carried out on a conventional general
purpose computer."134 Under EPC Art. 52(2)(c) and (3), a computer program is excluded as
subject matter "as such," but this was interpreted by the Board not to exclude claims directed
to a technical process carried out by a computer program. 135 The Board declared
that the novel technical feature136 existed in the claims because the invention "confers a
technical benefit, namely a substantial increase in processing speed compared with the prior
art."137 The Board stated that the process of digital filtering consisted of "physical
manipulation of electrical signals."138 The Board also stated that "even if the idea underlying
an invention may be considered to reside in a mathematical method a claim directed to a
technical process in which the method is used does not seek protection for the mathematical
method"; rather, if the claims outline the "technical means for carrying out the functions,"
then the conditions for declaring the "technical features" of the invention are met. 139 In other
words, if a computer is used in conjunction with or applied to a process within the subject
matter of patentability, then the claimed invention is patentable. 140
129 Id. at 1544.
130 Id. at 1545.
131 The Court in In re Alappat distinguishes mathematical algorithms from patentable computer programs by
"saying that certain types of mathematical subject matter, standing alone, represent nothing more than abstract
ideas until reduced to some type of practical application." When taken as a whole, the computer programs must
provide some type of functionality that creates a tangible result or provides a practical application. See In re
Alappat, 33 F.3d at 1543-44 (stating that the claim must be looked at as a whole in order to determine whether it
is directed to statutory subject matter).
132 In re Beauregard, 53 F.3d 1583 (Fed. Cir. 1995).
133 Case T208/84, VICOM/Computer-related invention, [1987] E.P.O.R. 74 (1986), at 77-78.
134 Id. at 76.
135 Id. at 80.
136 As required by the Implementing Regulations to the Convention on the Grant of European Patents of 5
October 1973 as last amended by Decision of the Administrative Council of the European Patent Organisation
of 13 December 2001 [hereinafter EPC Regulations], Rule 29(1) ("The claims shall define the matter for which
protection is sought in terms of the technical features of the invention.").
These holdings have been reiterated by the Board of Appeal in other cases. The Technical
Board of Appeals in IBM/Computer Programs considered the patentability of claims directed
towards: (1) a computer program directly loadable into internal memory; and (2) a computer
program stored on a computer usable medium.141 The Board interpreted EPC Art. 52(2) and
stated that the "legislators did not want to exclude from patentability all programs for
computers . . . . [T]he fact that only patent applications relating to programs for computers as
such are excluded from patentability means that patentability may be allowed for patent
applications relating to programs for computers where the latter are not considered to be
programs for computers as such."142 Computer programs must have a technical character to
be patentable.143 Technical character was defined by the Board as requiring a "technical
effect" which is "achieved by the internal functioning of a computer . . . under the influence
of [a] . . . program."144
The current EPO Guidelines for Examination reflect the EPO decisions and state that while
computer programs are excluded as such from EPC art. 52, software is not excluded subject
matter if it has a "technical character" by bringing about a "further technical effect." 145
137 VICOM, [1987] E.P.O.R. at 77.
138 Id. ("Digital filtering in general and digital image processing in particular are 'real world' activities that start
in the real world (with a picture) and end in the real world (with a picture). What goes on in between is not an
abstract process, but the physical manipulation of electrical signals representing the picture in accordance with
the procedures defined in the claims. There is no basis in the EPC for treating digital filters differently from
analogue filters.").
139 Id. at 79.
140 Id. at 80-81 ("The Board is of the opinion that a claim directed to a technical process which process is carried
out under the control of a program (be this implemented in hardware or in software), cannot be regarded as
relating to a computer program as such within the meaning of Article 52(3) EPC, as it is the application of the
program for determining the sequence of steps in the process for which in effect protection is sought.
Consequently, such a claim is allowable under Article 52(2)(c) and (3) EPC .... Generally speaking, an invention
which would be patentable in accordance with conventional patentability criteria should not be excluded from
protection by the mere fact that for its implementation modern technical means in the form of a computer
program are used. Decisive is what technical contribution the invention as defined in the claim when considered
as a whole makes to the known art.").
141 Case T1173/97, IBM/Computer Programs, [2000] E.P.O.R. 219, 221 (1998).
142 Id. at 226.
143 Id. at 227.
144 Id.
145 2003 European Patent Office Guidelines for Examination, C-IV, 2.3.6 [hereinafter EPO Guidelines].
Regardless of the changes in the Guidelines for Examination, only the provisions of the EPC are binding on the
Boards of Appeal. EPC art. 23(3) ("In their decisions the members of the Boards shall not be bound by any
instructions and shall comply only with the provisions of this Convention."). See, e.g., IBM/Computer
Programs, [2000] E.P.O.R. at 225-26. A technical character or effect is generally required for patentability.
Indian Perspective
The Indian Patents (Amendment) Act, 2002, amended s. 3 covering inventions that are not
patentable to include a mathematical or business method or a computer program per se or
algorithms. Academics, critics and the Indian Patent office largely equate Art. 52(3), EPC ‘as
such’ with the Indian Patent Act 1970 ‘per se’ and apply a similar interpretation.
The grant of business method patents and software patents is criticized on various grounds.
It is believed that business method and software patents may result in a “chilling effect” on
electronic commerce i.e., they may slow down its development and that software patents, in
particular, may not advance innovation. The underlying bases of this argument are the following
differences:
1. The Patentable Subject Matter is Different: Software programs are different from other
technologies as they are extremely complex and often made up of thousands of algorithms and
techniques that need to be patented individually. Not only does this make the cost of patenting
prohibitive, it is impossible to expect software firms to license each of the associated patents or to
bring such a legally risky product to market.
2. The Search for Prior Art is Difficult: Patent examiners use prior art (prior invention) as a basis
to determine if an invention is novel and involves an inventive step (that is, is non-obvious). Such prior art may
not be readily available when considering business method patent applications. The difficulty in
identifying prior art may result in the issuance of numerous patents for the same invention.
3. Obviousness is a Problem: Too many patents that are obvious may be issued due to the
difficulty in applying the inventive step (non-obviousness) criterion.
4. Training and Skills in Business Methods and Computer Science are Limited:
Governments need to compete with private-sector entities to hire skilled business executives and
computer technicians. Lack of skills in examining the patent application adds to the issues
associated with prior art and obviousness.
The Paris Convention pertains to industrial property and was signed on March 20, 1883 146 by
11 states147. Industrial Property includes (a) Patents (b) Utility models (c) Industrial designs
(d) Trademarks, service marks and trade names (e) Indication of source or appellations of
origin (this is same as the geographical indications adopted in TRIPS)
146 WIPO Publication 201 (E).
147 These were Belgium, Brazil, El Salvador, France, Guatemala, Italy, Netherlands, Portugal, Serbia, Spain,
and Switzerland.
5. Lisbon (1958)
6. Stockholm (1967)
On January 15, 2009 the Paris Convention comprised 173 member States. 149 For the purpose
of the present study, the following principles of the Paris Convention are relevant:
Under the Paris Convention, national treatment means that each country party to the
Convention must grant the same protection to nationals of other member countries as it grants
to its own nationals.150 The Paris Convention excludes any requirement of reciprocity for the
protection. Consequently, if a member state has a longer term of patent protection than
another member state, the former does not have the right to provide that the nationals of
the latter country will enjoy only a term of protection of the same duration as they enjoy in their
own country.
An exception to the national treatment principle has also been provided in the Paris
Convention.151 Article 2(3) provides that certain procedural requirements which impose on
the foreigners special conditions for the purpose of judicial as well as administrative
procedure may validly be invoked against the foreigners who are nationals of the member
state.
Right of priority means that on the basis of a regular first application filed in one of the
member states, the applicant can apply for the protection of his invention in any of the
member states within a period of 6 months for industrial designs and trademarks and 12
months for patents, inventor's certificates and utility models. These applications will be
regarded as if they had been filed on the same date as the first application. Thus, it can be
said that these later applications will enjoy the priority over the application filed during the
same period of time and for the same subject matter.
One of the great practical advantages of this principle is that when an applicant desires
protection in several countries he is not required to present all his applications at the same
time, he has 6 to 12 months at his disposal to decide in which countries he wishes protection
and to organize with due care the steps he must take to secure protection.
Generally, once an application for patent is filed in one country, it will no longer be novel (an
essential requirement for the grant of a patent) in other countries. Thus, they can refuse to
grant patent protection to that invention. The right of priority corrects this defect.
148 WIPO, "Industrial Property Protection under the Paris Convention and the TRIPS Agreement", in WIPO
National Seminar on Industrial Property Protection under the Main Treaties Administered by WIPO and the
TRIPS Agreement, WIPO/IP/THR/96/5, Tehran, 1996, p. 116.
149 The Paris Convention, available at http://www.wipo.int/treaties/docs/english/d-paris.doc (last visited on
April 23, 2009 at 9:30 p.m.).
150 S. K. Verma, "Intellectual Property: International Aspects" published in P. S. Sangal & K. Ponnuswami
(Ed.), Intellectual Property Law, 1994, UDH Publishers, New Delhi, p. 123.
151 See Article 2(3) of the Paris Convention, 1883.
Incidentally, it also bars others from claiming the said invention during the specified period.
If the inventor chooses not to file the application in other countries during the one year period
starting from the date of filing the first application, the latter are under no obligation vis-a-vis
the inventor.152
According to this principle, a patent for an invention sought or obtained in one country is
independent of all other patents for that invention in other countries. The granting of a patent
for an invention in one country does not oblige another country to grant a patent for that
invention. Similarly, the refusal, annulment or expiry of a patent in one country does not
affect the status of the patent in any other contracting state.
In short, the fate of a particular patent for an invention in any given country has no
influence whatsoever on the fate of a patent for the same invention in any of the other
countries, including non-member countries. 153
Article 4ter of the Convention provides that the inventor will have the right to be mentioned
as such in the patent for invention. This right of an inventor is generally called as moral right
of the inventor to be named as such in the patents granted for invention in all the member
states of the Paris Convention. The Contracting States have been given the power to
implement in their national laws the procedure regarding the exercise of this right of the
inventor.
National laws have implemented this provision in several ways. Some give the inventor only
the right for civil action against the applicant or owner in order to obtain the inclusion of his
name in the patent for invention. Others enforce the naming of the inventor during the
procedure for the grant of a patent for invention on an ex officio basis. In some countries, for
instance the United States of America, it is even required that the applicant for a patent be the
inventor himself.154
Article 10bis (2) of the Paris Convention defines an act of unfair competition as “any act of
competition contrary to honest practices in industrial or commercial matters”.
Article 10bis (3) specifies which acts, in particular, shall be prohibited:
1. All acts of such a nature as to create confusion, by any means, with the establishment, the
goods, or the industrial or commercial activities, of a competitor;
2. False allegations in the course of trade of such a nature as to discredit the establishment,
the goods, or the industrial or commercial activities, of a competitor;
3. Indications or allegations the use of which in the course of trade is liable to mislead the
public as to the nature, the manufacturing process, the characteristics, the suitability for their
purpose, or the quantity, of the goods."
152 Supra n. 20 at p. 124.
153 International Bureau of WIPO, "WIPO and International Cooperation in Relation to Patents", 1986,
PS/KL/86/1, paragraph 59.
154 Supra n. 123 at paragraphs 62-63.
5.2 Berne Convention for Protection of Literary and Artistic Works, 1886
The Berne Convention for Protection of Literary and Artistic Works, 1886 is the oldest
multilateral copyright treaty. Its objective is to harmonize the copyright laws of all the
countries. Over 164 countries are contracting parties to the Berne Convention.
The Berne Convention provides for minimum standards of protection in all its member states.
For the purpose of the present study, the following principles of the Berne Convention are
relevant:
According to this principle a contracting party to the Berne Convention cannot discriminate
between foreign nationals and its own nationals. A contracting party is bound to provide
foreign authors, treatment similar to that provided to its own nationals.
For Example
If Italy provides for a term of protection of 50 years to the works of its nationals then it has to
provide a term of protection of 50 years to the works of foreign authors.
According to this principle, the protection of a work by copyright laws has to be automatic.
The enjoyment and the exercise of copyright by an author in a Berne country, other than the
country of origin of the work, cannot be made dependent or conditional on any formality.
Thus no contracting party to the Berne Convention can impose conditions like registration of
copyright, deposit of work etc. for the purpose of granting copyright protection to a work.
The principle does not prevent a Berne country from imposing conditions for grant of
copyright on its own nationals.
that is first published in India cannot be denied copyright protection in the United States on
the ground that it has been denied copyright protection in India.
4. The Principle of Minimum Rights
The Berne Convention guarantees to every author, a minimum set of economic and moral
rights, immediately upon the creation of a work:-
A. Economic Rights
1. Right of Reproduction
2. Right of Translation and Adaptation
3. Rights of public performance, broadcasting and communication to the public
4. Droit de Suite
1. Article 2 of the Berne Convention provides an illustrative and not exhaustive list of works.
2. In order to qualify for copyright protection under the Berne Convention a work has to be
original. However, the Berne Convention does not give a precise definition of originality.
Instead, it grants every member country the freedom to set its own standard of originality.
3. Fixation of a work is a requirement for protection only in those countries that expressly
provide for it. Otherwise, all works are protected, whether they are recorded or oral and
whether they are in a tangible or a non-tangible format.
4. The general term of copyright protection under the Berne Convention (article 7) is 50 years
after the death of the author (50 years post mortem auctoris or p.m.a.). However, the
contracting parties to the Berne Convention are free to provide a longer term of protection to
works.
5. The Berne Convention provides for the exclusion of certain categories of works from the
scope of copyright protection. The excluded categories are:
(a) Official texts of a legislative, administrative and legal nature (Article 2(4))
(b) News of the day (Article 2(8))
(c) Political speeches and speeches delivered in the course of legal proceedings (Article
2bis(1))
private use
judicial and administrative use
use for educational, research and scientific purposes
use for teaching purposes
use by libraries and archives
use for certain humanitarian purposes (e.g. handicapped or blind readers)
(a) the reproduction of a work can only be permitted in ‘certain special cases’,
(b) it should not conflict with the ‘normal exploitation’ of the work and
(c) it should not unreasonably prejudice the ‘legitimate interests’ of the author.
The Madrid Agreement, 1891 and the Protocol to the Agreement govern the system of
International Registration of Trademarks. By utilizing the procedure established under the
Madrid Agreement or the Madrid Protocol, a legal person residing in a contracting state can
obtain simultaneous protection of his/her trademark in a number of contracting states.
1. Brussels (1900)
2. Washington (1911)
3. The Hague (1925)
4. London (1934)
5. Nice (1957)
6. Stockholm (1967)
It was also amended in 1979.
The Madrid Protocol was concluded in the year 1989 in order to make the system of
international registration of trademarks compatible with the national laws of certain countries
that had not acceded to the Madrid Agreement.
The application for international registration is filed at the International Bureau, WIPO,
Geneva along with the requisite fees. In the application, the applicant is required to provide
information, including the names of the contracting states in which the registration is sought.
Upon receipt of the application, the International Bureau of WIPO conducts a formal
examination of the application for compliance with the requirements of the Agreement or the
Protocol. In case the application is found to be in order, it is recorded in the International
Register, published in the WIPO Gazette of International Marks and notified to the
designated contracting states. The IP office of each designated contracting state conducts a substantive
examination of the application for compliance with its domestic law. If the application
does not satisfy the criteria laid down in the domestic law, the contracting state has the right to
refuse registration of the trademark. After refusal of registration by a contracting state, the
applicant can only pursue the remedies available at the domestic forum of that contracting
state.
The effect of registration in each or any of the designated contracting states is that, from the
date of the international registration, the trademark is deemed to be registered in the
contracting state that grants registration.
1. In case of an application filed under Madrid Agreement, it is necessary that prior to filing
of the application, the trademark be registered in its home country. However in case of an
application filed under the Madrid Protocol, the only requirement is that an application for
registration of the trademark should be pending in the home country.
2. In case of an application filed under the Madrid Agreement, the office at a designated
country has twelve months to conduct a substantive examination of the application for
registration of the trademark and convey its decision to the International Bureau at WIPO. In
the Madrid Protocol, the said period has been increased to eighteen months.
3. In case of an application filed under the Madrid Agreement, all communications have to be
in French. In case of an application filed under the Madrid Protocol, the communications can
either be in English or French.
At the time of registration, and subsequently at the stage of renewal, the applicant is saved
from filing multiple applications in different countries, in different languages, in accordance
with varied procedures and paying different fees. At the WIPO Bureau, the application is
made in one language and one consolidated fee is required to be paid.
The Rome Convention deals with related rights/neighboring rights. 156 Related rights are
different from copyright in as much as they are derived from a work protected by copyright.
The underlying rationale behind granting protection to related rights is to shelter the legal
interests of those persons and legal entities who add substantial creative, technical or
organizational skill in the process of bringing a work to the public.
156 The Rome Convention was the first attempt to establish international rules and standards in this area and
most national states had already legislated or enacted laws before they adhered to the Convention.
For Example
A musician who performs a composer's work to the public.
a) Performers
Their rights are protected because they have a justifiable interest in the legal protection of
their individual interpretations of the works they are performing. While performing a work, a
performer adds to the work and that addition is usually a result of his/her creative input. This
effort is protected by related rights.
For example:
The same piece of music would be performed differently by a performer A, who uses a guitar
and performer B, who uses a Piano. Both A and B would have independent performer’s rights
which would protect their creative manner of performing the piece of music.
b) Producers of Phonograms
Their rights are protected because without their creative, financial and organizational
resources, the recorded sound of a performance cannot be made available to the public. The
producers of phonograms use their resources to produce commercial phonograms such as
CDs, cassettes, records and Mini Discs which take copyrightable works to large audiences.
The other reason for protecting rights of producers of phonograms is that by utilizing their
monetary resources they are able to take action against piracy of copyrighted works.
The Rome Convention guarantees to every producer of phonograms, the following rights:
c) Broadcasting Organizations
Their rights are protected because by utilizing their creative, financial and organizational
resources they make copyrighted works available to the public. Also, the broadcasting
organizations have a legitimate interest in controlling the transmission and retransmission of
their broadcasts.
The Rome Convention guarantees to every broadcasting organization, the following rights:
1. Rebroadcasting right
2. Right of fixation
3. Reproduction right
The rights in the performance expire normally 20 years after the end of the calendar year in
which the performance to which they relate took place. But if a phonogram of the
performance is made the rule changes and the rights shall only expire 20 years after the end
of the calendar year in which the fixation of the performance in the phonogram took place.
The rights of the producer of a phonogram also expire 20 years after the end of the calendar
year in which the fixation of the phonogram took place, i.e. the year during which it was
recorded.
The rights of the broadcasting organization in its broadcast expire 20 years after the end of
calendar year in which the broadcast took place.
The Rome Convention allows limitations and restrictions of related rights covering such
things as:
1. Related rights are not infringed by anything done for private use.
2. Any use that is solely for the purposes of teaching or scientific research will also not
amount to an infringement.
3. The use of short excerpts for the purposes of reporting current events will also be
exempted.
4. Ephemeral fixation by a broadcasting organization by means of its own facilities and
for its own broadcasts will not amount to an infringement.
5.6 WIPO Copyright Treaty, 1996 and the WIPO Performances and
Phonograms Treaty, 1996
Both the treaties were concluded on December 20, 1996 at WIPO, Geneva. They were
created to address the changing needs of copyright protection in the digital age. The treaties
address issues in three ways, namely:
1. By clarifying the existing provisions in the Berne Convention and in the Rome Convention
and in some cases, reaffirming the interpretations generally adopted.
2. By giving new interpretations to the existing provisions by widening their scope.
3. By adding new provisions on rights and obligations so as to cope with the creation,
adoption, transmission and distribution of works in the digital medium.
The WIPO Copyright Treaty, 1996 (“WCT”) came into force on 6th March 2002. The stated
purposes of the WCT is to protect the rights of authors effectively and uniformly, to clarify
international copyright law, to update international copyright law and make it applicable to
digital media, to emphasize copyright protection as an incentive for literary and artistic
creation, and to recognize the balance between the rights of authors and the public interest.
The treaty explicitly states that it does not take away from any obligations under the Berne
Convention; rather, it operates in conjunction with the Berne Convention.
Important Points:
3. The WCT clarifies the scope and duration of protection of works and allows contracting
nations the liberty to enact some exceptions to its protection. It also details the obligations of
a contracting state concerning rights management information and administrative particulars
concerning the treaty's ratification and enforcement.
4. The greatest extension of copyright protection introduced by the WCT can be found in Article
11 of the Treaty, which concerns the contracting parties’ obligations concerning
technological measures.
The WIPO Performances and Phonograms Treaty, 1996 (“WPPT”) came into force on 20th
May, 2002. The WPPT acts in conjunction with the Rome Convention, 1961. It deals with
performers and producers of phonograms. However, it does not deal with broadcasting
organizations.
Important Points:
2. The WPPT is the first international treaty that confers moral rights on performers. It
confers the following moral rights:
a) The right of reproduction
b) The right of distribution
c) The right of rental
d) The right of the making available of fixed performances
e) The right to remuneration for broadcasting and communication to the public
5. The WPPT provides for a minimum protection of 50 years for both performers and
producers of phonograms. For performers the 50-year period starts running from the end of
the year in which the performance was fixed in a phonogram. For producers of phonograms,
the 50-year period starts running from the end of the year in which the phonogram is first
published. In case the phonogram is not published within 50 years from fixation, the period
starts running from the end of the year in which the fixation is made.
Before the advent of the World Trade Organization (hereinafter “the WTO”), the extent of
protection and enforcement of intellectual property rights (hereinafter “IP rights”) varied
widely around the world. As intellectual property became more important in trade, the
differences among different countries with regard to the extent, protection, and enforcement
of IP rights became a source of tension in international economic relations. Historically
speaking, the link between intellectual property and trade was forged under the leadership
of the United States. It was only after the close of the Tokyo Round in 1979 that the
United States became concerned and frustrated by the reluctance of developing countries to
adopt high normative standards and strict enforcement measures for intellectual property
rights. Initiatives under the auspices of the World Intellectual Property Organisation (WIPO)
and the principal international conventions on intellectual property were to no avail, so the
United States successfully placed intellectual property on the negotiating agenda for the
Uruguay Round. Clearly, the negotiation of the TRIPS Agreement was primarily one between
developed and developing countries of the GATT. The latter accepted the TRIPS Agreement
reluctantly as part of the Uruguay Round package deal.
The TRIPS Agreement within the framework of WTO introduced intellectual property rules
into the multilateral trading system for the first time. It provides minimum standards for the
enforcement of intellectual property rights by giving various enforcement measures which
include civil and administrative remedies, criminal remedies, and border (customs) measures.
The dispute settlement process, as provided for in the Dispute Settlement Understanding
(hereinafter “the DSU”) of the WTO Agreement, applies to the settlement of disputes arising
under the TRIPS Agreement as well. It seeks to ensure order and predictability, and for
disputes to be settled more systematically.
Quite arguably, the TRIPS Agreement is regarded as the introduction of normative order in
the area of IP rights. It is seen as an attempt to narrow the gaps in the way IP rights are
protected around the world, and to bring them under common international rules. It
establishes minimum levels of protection that each government has to give to the intellectual
property of fellow WTO members. In doing so, it strikes a balance between the long-term
benefits and possible short-term costs to society. Society benefits in the long term when
intellectual property protection encourages creation and invention, especially when the period
of protection expires and the creations and inventions enter the public domain. Governments
are allowed to reduce any short term costs through various exceptions, for example to tackle
public health problems. And, when there are trade disputes over intellectual property rights,
the WTO’s dispute settlement system is now available.
The TRIPS Agreement covers five broad issues:
1. How the basic principles of the trading system and other international intellectual property agreements should be applied.
2. How to give adequate protection to intellectual property rights.
3. How countries should enforce those rights adequately in their own territories.
4. How to settle disputes on intellectual property between members of the WTO.
5. Special transitional arrangements during the period when the new system is being introduced.
As in the two other main WTO agreements, GATT and GATS, non-discrimination features
prominently in TRIPS: national treatment (treating one’s own nationals and foreigners
equally), and most-favoured-nation treatment (equal treatment for nationals of all trading
partners in the WTO). National treatment is also a key principle in other intellectual property
agreements outside the WTO. The TRIPS Agreement also has an additional important principle:
intellectual property protection should contribute to technical innovation and the transfer of
technology. Both producers and users should benefit, and economic and social welfare should
be enhanced, the agreement says.
As mentioned hereinbefore, the TRIPS Agreement deals with different kinds of intellectual
property rights and provides protection mechanisms for them. It seeks to ensure that adequate
standards of protection exist in all member countries. Here the starting point is the obligations
of the main international agreements of the World Intellectual Property Organization (WIPO)
that already existed before the WTO was created: 1. The Paris Convention for the Protection
of Industrial Property (patents, industrial designs, etc.) and 2. The Berne Convention for the
Protection of Literary and Artistic Works (copyright). Other forms of IP are not covered by
these two conventions. In some cases, the standards of protection prescribed were
thought inadequate. So the TRIPS Agreement adds a significant number of new or higher
standards.
It must be understood that merely recognizing IP rights is not sufficient. They require effective
and adequate protection, and they have to be enforced. Part 3 of TRIPS deals with that aspect.
The agreement says that the governments have to ensure that intellectual property rights can
be enforced under their laws, and that the penalties for infringement are tough enough to
deter further violations. The procedures must be fair and equitable, and not unnecessarily
complicated or costly. They should not entail unreasonable time-limits or unwarranted
delays. People involved should be able to ask a court to review an administrative decision or
to appeal a lower court’s ruling. The agreement further describes in some detail how
enforcement should be handled, including rules for obtaining evidence, provisional measures,
injunctions, damages and other penalties. It says courts should have the right, under certain
conditions, to order the disposal or destruction of pirated or counterfeit goods. Wilful
trademark counterfeiting or copyright piracy on a commercial scale should be criminal
offences. It further mandates that the governments should make sure that intellectual property
rights owners can receive the assistance of customs authorities to prevent imports of
counterfeit and pirated goods.
When the WTO agreements took effect on 1 January 1995, developed countries were given
one year to ensure that their laws and practices conform with the TRIPS agreement.
Developing countries and (under certain conditions) transition economies were given five
years, until 2000. Least-developed countries have 11 years, until 2006, now extended to 2016
for pharmaceutical patents. If a developing country did not provide product patent protection
in a particular area of technology when the TRIPS Agreement came into force (1 January
1995), it had up to 10 years to introduce the protection. But for pharmaceutical and
agricultural chemical products, the country had to accept the filing of patent applications
from the beginning of the transitional period, though the patent did not need to be granted
until the end of this period. If the government allowed the relevant pharmaceutical or
agricultural chemical to be marketed during the transition period, it had to, subject to certain
conditions, provide an exclusive marketing right for the product for five years, or until a
product patent was granted, whichever was shorter. Subject to certain exceptions, the general
rule is that obligations in the agreement apply to intellectual property rights that existed at the
end of a country’s transition period as well as to new ones.
PAPER- IV: ELECTRONIC COMMERCE
Introduction
Over the last few centuries, human beings have experienced two major revolutions—the industrial
revolution and the electronic revolution. The former transformed our society from being agricultural
based to industrial based, whereas the latter transformed our society from being mechanical based to
electronic based.1
E-commerce is a new way of conducting, managing and executing business transactions using modern
means of information technology. E-commerce, defined simply, is the commercial transaction of
goods and/or services in an electronic format. E-commerce is ‘commerce based on bytes’.
E-commerce refers to the paperless exchange of business information using Electronic Data
Interchange, Electronic Mail, Electronic Bulletin Boards, Electronic Fund Transfer and other network
based technologies. It not only automates manual processes and paper transactions but also helps the
organization move to a fully electronic environment and changes the way we operate. E-commerce is a
new business methodology that addresses the needs of organizations, traders and consumers to reduce
costs while improving the quality of goods and services and increasing the speed of service delivery.
By Internet Commerce we mean the use of the global Internet and World Wide Web (WWW) for
commerce. With the Internet and the Web having become all-pervasive communication tools, the
scope of e-commerce has increased manifold. For these reasons the term I-Commerce has become
synonymous with the term E-Commerce.2
The objective and scope of this module is to study and analyse the concept and issues of
e-commerce in general, with reference to its functioning, and in particular with reference to the
Indian scenario.
The UNCITRAL Model Law on Electronic Commerce (MLEC) was adopted in 1996 to facilitate the use of modern means of electronic communication and storage of information, such as electronic data interchange (EDI), electronic mail and telecopy. Its main objective was to bring uniformity to national laws relating to e-commerce. It granted legal recognition to data messages and digital signatures. It encouraged national legislators to adopt a set of internationally acceptable rules for the validity of electronic commerce by providing equal treatment to paper-based and electronic information. Significantly, such equal treatment is essential for enabling the use of paperless communication, thus fostering efficiency in international trade. It is commendable to note that the MLEC was the first legislative text which adopted the fundamental principles of non-discrimination, technological neutrality and functional equivalence. In order to ensure that a document would not be denied legal effect, validity or enforceability solely on the grounds that it is in electronic form, it laid down the principle of non-discrimination. The principle of technological neutrality involves the adoption of provisions that are neutral with respect to the technology used. The principle of functional equivalence makes electronic communications equivalent to paper-based communications.
* The content writer/author of this research paper is Ms. Mrunal Dattatraya Buva, Advocate, Supreme Court of India, and guest faculty for Cyber Laws at the Indian Law Institute, New Delhi. The content writer acknowledges the UGC E-Pathshala course content module for postgraduate courses, i.e. Ms. Mrunal Dattatraya Buva, “Ecommerce Concept & Issues”, available at http://epgp.inflibnet.ac.in/ahl.php?csrno=20
1 Dr. Bhasin Madan Lal, “E-Commerce and M-Commerce Revolution: Perspectives, Problems and Prospects”, The Chartered Accountant, December 2005: 824.
2 Gandhi Sunil Kr., “E-Commerce And Information Technology Act, 2000”, Vidyasagar University Journal of Commerce, 11, March 2006.
This Law has been divided into two parts: Part I, dealing with electronic commerce in general and
consisting of three chapters, and Part II, consisting of one chapter only. Significantly, Part I provides for the
establishment of a functional equivalent for paper-based concepts such as "writing", "signature" and
"original". In addition, this part lays down rules for the formation and validity of contracts concluded
by electronic means, for the attribution of data messages, for the acknowledgement of receipt and for
determining the time and place of dispatch and receipt of data messages. Further, certain provisions of
the MLEC were amended by the Electronic Communications Convention in light of recent electronic
commerce practice. Moreover, Part II of the MLEC deals with electronic commerce in connection
with the carriage of goods and is complemented by other legislative texts, including the United Nations
Convention on Contracts for the International Carriage of Goods Wholly or Partly by Sea (the
"Rotterdam Rules"), and may be the object of additional work of UNCITRAL in the future.3
i. The first feature of this law is "electronic equivalence". Significantly, the Model Law does not directly
declare electronic communications valid, but it provides that information or documents will not be
denied legal effect or enforceability solely because they are in electronic format. Therefore, it
confers validity on electronic transactions indirectly.
ii. For achieving electronic equivalence, the model law provides various rules specifying conditions
which must be fulfilled for an electronic communication to constitute a legally valid substitute for a
conventional and paper-based communication. It provides that a legal requirement to provide
information or a document sent "in writing" is satisfied by its electronic equivalent if it is in a form
that can be subsequently accessed and used by the recipient.
iii. Further, under the law electronic documents are treated as "original" documents if there is a
reliable assurance as to the integrity of the information and that the information is capable of being
displayed to the person to whom it is to be presented. Further, the information must be complete and
remain unaltered, apart from the addition of any endorsement and any change that arises in the normal
course of communication, storage and display. However, the question of reliability is to be determined
in the light of all the circumstances, including the purpose for which the document was created.
iv. It confers validity on e-evidence, as it provides that evidentiary rules do not deny the
admissibility of an electronic communication solely on the grounds that it is in electronic form.
v. Significantly, the law lays down the conditions for data retention. It provides that the message must
be retained in the format in which it was generated, and that any information indicating the origin, destination,
date and time of the message is retained. Another important condition for retention is that the
information contained in the electronic message must be accessible so as to be usable for
subsequent reference.
3 Dr. Jyoti Rattan, “Law Relating to E-Commerce: International and National Scenario with Special Reference to India”, International Journal of Social Science and Economics Invention (IJSSEI), Volume 01, Issue 02, August 2015.
vi. It is heartening to note that the Model Law is accompanied by a Guide to Enactment, which
provides background and explanatory information to assist States in preparing the necessary
legislative provisions. The CLOUT (Case Law on UNCITRAL Texts) system contains cases relating
to the application of the Model Law on Electronic Commerce.4
Conceptual Analysis
India joined the EDI movement in early 1992, when it obtained observer status in the Asia
EDIFACT Board (ASEB). India became a member of ASEB in August 1992. The community
partners for the customs system were broadly identified as banks8, airlines, the Airport Authority of India
(AAI), the Apparel Export Promotion Council (AEPC), sea ports (Port Trust Authorities), the Director
General of Foreign Trade (DGFT), etc. EDI is also used in international trade, electronic fund transfer
(EFT) between supplier and customer via bankers, insurance claim settlement, etc.9
Businesses communicate with customers and partners through channels. The internet is one of the
newest and best business communications channels. It is fast, reasonably reliable, inexpensive, and
universally accessible. It reaches virtually every business and more than 200 million consumers.
Electronic commerce, being a new field, is just developing its theoretical or scientific foundations. It
has several applications. The major applications of e-commerce are as follows:
4 Ibid.
5 Available at http://nhdd.com/linked_media/publications/InternetLawPractice.pdf, accessed on 6 November 2013 at 7 PM.
6 McIntosh Joanna (ed.), “WTO, E-Commerce and Information Technology”, available at http://www.iie.com/publications/papers/wunsch1104.pdf, accessed on 29th November 2013 at 1 PM.
7 Teitelman Robert et al., “How the Cash Flows?”, Institutional Investor, 58, Aug. 1996.
8 The Structured Financial Messaging Solution (SFMS) has emerged as the EDI system for banks, allowing exchange of secure and structured messaging within banks and between banks using the INFINET.
9 Supra note 2.
1. Direct marketing, selling and service - Today more Web sites focus on direct marketing, selling and
service than on any other type of electronic commerce.
Direct selling was the earliest type of e-commerce, and has proven to be a stepping stone to more
complex commerce operations for many companies. Successes such as Amazon.com, Flipkart, Dell
Computer, and the introduction of e-tickets by major airlines, have catalyzed the growth of this segment,
proving the reach and customer acceptance of the internet.
2. Financial and Information Services - A broad range of financial and information services are
performed over the internet today, and sites that offer them are enjoying rapid growth. These sites are
popular because they help consumers, businesses of all sizes, and financial institutions distribute some
of their most important information over the internet with greater convenience and richness than
is available using other channels. Examples are online banking, online billing and secure information
distribution.
3. Maintenance, Repair and Operation - The internet also offers tremendous time and cost savings for
corporate purchasing of low-cost, high-volume goods for maintenance, repair and operations
activities. Typical goods include office supplies, office equipment and furniture, computers, and
replacement parts. The internet can transform corporate purchasing from a labor- and paperwork-
intensive process into a self-service application. Company employees can order equipment on a Web
site, company officials can automatically enforce purchase approvals and policies through automated
business rules, and suppliers can keep their catalog information centralized and up-to-date. Purchase-
order applications can then use the internet to transfer the order to suppliers. In response, suppliers can
ship the requested goods and invoice the company over the internet. In addition to reducing
administrative costs, internet-based corporate purchasing can improve order-tracking accuracy, better
enforce purchasing policies, provide better customer and supplier service, reduce inventories, and give
companies more power in negotiating exclusive or volume discount contracts. In other words, the
internet and e-commerce have changed the way enterprises serve customers and compete with each
other, and have heightened awareness of competing supply chains. No other business model
highlights the need for tight integration across suppliers, manufacturers, and distributors quite like
the value chain. Delays in inventory tracking and management can ripple from the cash register all the
way back to raw material production, creating inventory shortages at any stage of the value chain.
The resulting out-of-stock events can mean lost business. The internet promises to increase business
efficiency by reducing reporting delays and increasing reporting accuracy. Speed is clearly the
business imperative for the value chain.
4. A retailer can secure his survival by linking his business with on-line distribution. By doing so,
retailers can make much additional information about various things available to consumers, meet
electronic orders and be in touch with consumers all the time. Therefore, e-commerce is a good
opportunity. In the world of e-commerce the existence of wholesalers is at the greatest risk,
because producers can easily bypass them and sell their goods directly to retailers
and consumers. In such a situation, those wholesalers can take advantage of e-commerce who are
capable of establishing contracts with reputed producers and linking their business on-line.
5. Marketing - Many issues of marketing offline are relevant to online e-commerce - for example, the cost
benefits of advertisements and advertisement strategies. Other issues are unique to e-commerce,
ranging from online marketing strategy to interactive kiosks.
6. Computer sciences - Many of the issues in the infrastructure of e-commerce, such as languages,
multimedia, and networks, fall into the discipline of computer sciences. Intelligent agents play a major
role in e-commerce as well.
7. Consumer behavior and Psychology - Consumer behavior is the key to the success of B2C trade,
but so is the behavior of the sellers. The relationship between cultures and consumer attitude in
electronic market is an example of a research issue in the field.
8. Finance - The financial markets and banks are among the major participants in e-commerce. Also,
financing arrangements are part of many online transactions. Issues such as using the Internet as a
substitute for a stock exchange and fraud in online stock transactions are a sample of the many topics
of the field.
9. Economics - E-commerce is influenced by economic forces and has a major impact on world and
country economies. Also, microeconomic and macroeconomic theories need to be considered in
e-commerce planning, as well as the economic impacts of e-commerce on firms.
10. Management Information Systems (MIS) - The information systems department is usually
responsible for the deployment of e-commerce. This discipline covers issues ranging from systems
analysis to system integration, not to mention planning, implementation, security, and payment
systems, among others.
11. Business Law and Ethics - Legal and ethical issues are extremely important in e-commerce,
especially in a global market. A large number of legislative bills are pending, and many ethical issues
are interrelated with legal ones, such as privacy and intellectual property.
12. Others - Several other disciplines are involved in various aspects of e-commerce to a lesser
extent - for example, linguistics (translation in international trade),
robotics and sensory systems, operations research / management science, statistics, and public policy
and administration. Also, e-commerce is of interest to engineering, health care, communication, and
entertainment and publishing.
For developing countries like India, e-commerce offers considerable opportunity. E-commerce in
India is still in a growing stage, but even the most pessimistic projections indicate a boom. It is believed
that the low cost of personal computers, a growing installed base for Internet use, and an increasingly
competitive Internet Service Provider (ISP) market will help fuel e-commerce growth in Asia’s
second most populous nation. The first e-commerce site in India was rediff.com. It was one of the
most trafficked portals for both Indians and non-resident Indians. It provided a wealth of Indian-related
business news, a search engine, e-commerce and web solution services. The past 5 years have seen a
rise in the number of companies enabling e-commerce technologies and the internet in India. Major
Indian portal sites have also shifted towards e-commerce instead of
depending on advertising revenues. The web communities built around these portal sites with content
have been effectively targeted to sell everything from event and movie tickets to groceries and
computers. In spite of RBI regulation and low internet usage, e-commerce sites have popped up
everywhere hawking things like groceries, bakery items, gifts, books, audio and video cassettes,
computers, etc.10
10 Available at http://assets.vmou.ac.in/PGDCL03.pdf
11 Janesan Moneque et al., “Business Process Redesign for Effective E-commerce Processes in the Service Industry”, available at http://is.ieis.tue.nl/staff/hreijers/Papers/Beta%20report%20bpr.pdf, accessed on 6 October 2013.
12 Kuller Edwin, “Approaches to Ecommerce”, available at http://www.emarketservices.com/clubs/ems/prod/eMarket%20Services%20-%20Approaches%20to%20ecommerce.pdf, accessed on 2nd November 2013 at 12 AM.
E-consumer desires are very hard to predict, pinpoint, or decipher in electronic markets whose
shape, structure and population are still in the early stages, more so in the Indian milieu.13
E-business refers to all aspects of a business where technology is important. This may include
knowledge management, design and manufacturing, R&D, procurement, finance, project planning,
human resource planning and related activities. E-commerce is that part of e-business that relates directly to
sales and marketing. It is a part of the all-encompassing world of e-business.
Stages of E-Business:
Businesses try to connect, adapt, integrate and outsource IT systems so that companies can spend more
time managing their business. E-business proceeds through the following stages:
Stage 1: Conducts business transaction on the Web in order to increase profits and provide better
customer service.
Stage 2: Integrating core processes to establish more responsive relationships with employees,
suppliers and partners and
E-business models are based on various aspects such as technology, software domain, management
and statutory-legal dimension.
13 Ibid.
14 “Difference between Ecommerce and Ebusiness”, available at http://www.ebusinessprogrammers.com/ebusiness/ecommerce_and_ebusiness.asp, accessed on 13 December 201 at 2.30 AM.
15 Mahadevan, “Business Models for Internet Based E-Commerce”, California Management Review, 42, Summer 2000.
(Table 2): Aspects of E-business Classification
Ecommerce Models:
Functionally, e-commerce involves businesses and consumers. It can be divided into four distinct
segments, which are Business-to-Business (B2B), Business-to-Consumer (B2C), Consumer-to-
Business (C2B), and Consumer-to-Consumer (C2C).
i) Business-to-Business (B2B)
It is a business platform involving two independent or even dependent business entities using
information and communication tools, which acts as a business communication channel between the
manufacturer and its suppliers. This may include registration of vendors, invitation of quotations,
negotiations, price settlement, contract finalization, procurement, cargo tracking, and payments,
all online. Thus a B2B platform acts as a business facilitator, negotiator and dealmaker, which facilitates,
negotiates and clinches deals between independent or dependent business units.16 Eg.
www.amazon.com
(Source: http://www.eservglobal.com/uploads/files/index.pdf)
ii) Business-to-Consumer (B2C)
It refers to a business platform involving a business entity and consumers: selling goods or services
through web-based shops. It is based on the concept of ‘shopping at convenience’. It is the retail version
of e-commerce, known as e-tailing.17 It is the most popular model of e-commerce, as it has helped move
commercial transactions from the public domain to the private domain. Eg. www.imn.com
16 Available at http://www.upscsuccess.com/sites/default/files/documents/[email protected], accessed on 22nd December 2013 at 5 PM.
17 Dr. Khurana Anil, “Introduction to Ecommerce”, available at http://www.ddegjust.ac.in/studymaterial/mcom/mc-201.pdf, accessed on 25th December 2013 at 1 AM.
(Image 2: Describes B2C Model)
(Source: http://www.eservglobal.com/uploads/files/index.pdf)
iii) Consumer-to-Business (C2B)
It is a kind of retail marketing platform where a business entity seeks, or rather ‘chases’, customers
actively. It is a pro-active version of e-commerce, offering customers deals, packages or bundles of
products at competitive prices. It negotiates or bids by offering the ‘best possible deals’ to customers.
It is often referred to as a ‘reverse auction’.18 Eg. www.monster.com.
18 Id.
(Image 4: Describes C2C Model)
(Source: http://www.eservglobal.com/uploads/files/index.pdf)
All in all, the success of e-commerce models is built around managing supplies, partners and
customers effectively and efficiently.19
e. Business-to-Employee (B2E)
This is concerned more with running a corporation's internal processes more efficiently. Customer
care and support activities also hold ground. The requirement is that these are all self-service
applications on the web that employees can use themselves. Examples of B2E applications
include:
Management
f. Business-to-government
19 Turban Efraim et al., Electronic Commerce, 6th ed., Prentice Hall Press, Upper Saddle River, NJ, USA: 2010.
ARRA/Stimulus Program and increased government funds available to commercial entities for both
grants and contracts.
g. Government-to-Business
Government-to-Business (G2B) is the online non-commercial interaction between local and central
government and the commercial business sector, rather than private individuals (G2C).20
Phase I
The first phase of e-commerce lasted from 1996 to 2001. It helped in shaping new rules of
commercial transactions in the electronic marketplace. India followed the models of developed
countries while creating e-commerce models, without realizing that one needs technology tools and
business maturity to understand this new medium of business. The result was a mushrooming of
‘dotcoms’ as new business engines without proper infrastructure. The dotcom bubble burst of 2001
gave useful lessons in terms of e-commerce, i.e. without the spread of technology and the development of
critical infrastructure, one cannot have revenue-generating e-commerce activities.21
E-commerce: Phase II
Post-2002, the useful lesson that the e-commerce realm learnt was that one has to have a sensible
business model, which should work not only technology-wise but also business-wise. It also gave the
message that without electronic banking22 e-commerce will not be successful.
20 Available at http://assets.vmou.ac.in/PGDCL03.pdf
21 Joseph P. T. S. J., E-commerce: An Indian Perspective, PHI Learning Pvt. Ltd., 23 Dec. 2011.
22 Electronic banking is a process of delivery of banking services and products through electronic channels such as telephone, Internet, cell phone, etc., and it encompasses Internet, telephone and mobile banking, etc. The first example of e-banking was in the form of the Shared Payment Network System (SPNS) or SWADHAN network of ATMs, providing a 24x7 electronic banking service to customers anywhere in the city of Mumbai.
23 E-business, Chapter 3, available at http://highered.mcgraw-hill.com/sites/dl/free/0073195588/438531/sample_chapter3.pdf, accessed on 26th December 2013 at 2 PM.
24 Sharma Vakul, “E-commerce: A New Business Paradigm”, in Legal Dimensions of Cyberspace, edited by Verma S.K. et al., ILI Publication: 2004.
25 Ibid.
26 Supra note 13.
Smart Cards are being used over public terminals (Websites, ATMs, Telephone lines) etc. A
system of Credit card transactions over the Internet is being currently developed jointly by Visa and
MasterCard with technical assistance from companies like Netscape, IBM and VeriSign; which is
known as Secure Electronic Transactions (SET). 27 The adoption of Digital/ Electronic Signatures as
authentication standards provides integrity, confidentiality and non-repudiation of electronic records
for legal recognition of electronic contracts and legal sanctity to online payment system.28
Business thrives on safety, security and trust, whether it is offline or online. The Internet, being an
open, integrated and public system, requires far better security coverage than its offline counterpart.31
It needs an ‘encryption’ technology that provides:
(i) Confidentiality
It uses encryption technology to ‘encrypt’ the information in such a way that only an intended
user could ‘decrypt’ the information.32
(ii) Authentication
It means use of encryption technology to identify the sender or originator of the information.
Similarly it should be possible to ensure that the message is sent to the person for whom it is meant.
(iii) Integrity
It is to verify that the information, which is received, has not been manipulated during its
transmission. The information should appear exactly as it was stored or sent by the sender or
originator. 33
(iv) Non-repudiation
27. Khem, “Development of Ecommerce”, available at http://www.siteforinfotech.com/2012/11/development-of-e-commerce.html accessed on 2nd Feb 2012, at 3 PM.
28. Ibid.
29. Supra note 20.
30. Miller, Riel et al., “The Promises and Perils Of 21st Century Technology: An Overview Of the Issues”, available at http://www.oecd.org/futures/35391210.pdf accessed on 1st December 2013 at 7 AM.
31. Fred B. Schneider, Trust in Cyberspace, National Academy Press, 1999.
32. James Boyle, “Foucault in Cyberspace: Surveillance, Sovereignty and Hardwired Censors”, 66 University of Cincinnati Law Review 177.
33. Information Security: Challenges and Solutions, available at http://www.peterindia.net/ITSecurityView.html accessed on 19th December 2013 at 9 PM.
34. Supra note 23.
(v) Auditability
The Data Encryption Standard (DES) and the RSA algorithm (patented by its inventors,
Rivest, Shamir and Adleman, in 1977) have emerged as the symmetric and asymmetric cryptographic
protocols respectively.35 Their purpose is to ensure the specified confidentiality and integrity of data. Industry
(payment gateways, banks, online service providers etc.) has been able to adopt cryptographic
protocols to encrypt information, messages or data. When a single secret key is used to maintain
communication between the sender and the receiver, it is referred to as symmetric cryptography
(ATM cards) or a private-key cryptographic system; where different keys are used for encryption
and decryption purposes, it is referred to as asymmetric cryptography (digital signature certificates) or a
public-key cryptographic system.
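As an added illustration that is not part of this study material, the following Python script contrasts the symmetric (single shared key) and asymmetric (separate keys) schemes just described and checks them against the four properties listed above: confidentiality, authentication, integrity and non-repudiation. The shared key, the payment message and the two small primes are constructed sample values, and the RSA part is the textbook scheme written out with the standard library rather than a production implementation.

```python
# Added example, not from the study material: the symmetric ("single secret
# key") and asymmetric ("different keys for encryption and decryption")
# schemes described above, checked against the four properties the text
# lists.  Only the Python standard library is used; the RSA part is textbook
# RSA over two constructed small primes so it runs offline (real systems use
# 2048-bit keys and a padding scheme such as PSS or OAEP).
import hashlib
import hmac
from math import gcd

# ---- Symmetric: one shared secret key (the text's ATM-card case) ----------

def symmetric_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message.  Gives integrity and authentication,
    but every holder of `key` can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def symmetric_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not leak the tag."""
    return hmac.compare_digest(symmetric_tag(key, message), tag)

# ---- Asymmetric: textbook RSA (constructed toy parameters) -----------------

def rsa_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) as (n, e) and (n, d) from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)


def _digest_int(message: bytes, n: int) -> int:
    """Hash the message and reduce into Z_n (toy stand-in for padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_encrypt(public, m: int) -> int:
    n, e = public
    return pow(m, e, n)          # anyone holding the public key can encrypt


def rsa_decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)          # only the private-key holder can decrypt


def rsa_sign(private, message: bytes) -> int:
    n, d = private
    return pow(_digest_int(message, n), d, n)


def rsa_verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest_int(message, n)

# ---- Walk through the four properties --------------------------------------

def demo() -> dict:
    # Constructed sample values: a shared key, a payment instruction and two
    # toy primes (the 10,000th and 100,000th primes).
    shared_key = b"constructed-shared-secret"
    order = b"PAY 5000 INR to merchant 42"
    tampered = b"PAY 9000 INR to merchant 42"
    public, private = rsa_keypair(104729, 1299709)
    results = {}

    # Integrity + authentication with the shared key ...
    tag = symmetric_tag(shared_key, order)
    results["sym_valid"] = symmetric_verify(shared_key, order, tag)
    results["sym_tampered"] = symmetric_verify(shared_key, tampered, tag)
    # ... but no non-repudiation: the receiver also holds the key, so a tag
    # it fabricates itself is indistinguishable from one the sender made.
    receiver_made = symmetric_tag(shared_key, tampered)
    results["sym_receiver_can_forge"] = symmetric_verify(
        shared_key, tampered, receiver_made)

    # Confidentiality with different keys: encrypt with the public key,
    # decrypt with the private one (the integer must be smaller than n).
    secret = 123456789
    results["asym_roundtrip"] = (
        rsa_decrypt(private, rsa_encrypt(public, secret)) == secret)

    # Non-repudiation: only the private key signs; the public key verifies.
    sig = rsa_sign(private, order)
    results["asym_valid"] = rsa_verify(public, order, sig)
    results["asym_tampered"] = rsa_verify(public, tampered, sig)
    # A receiver who tries to "sign" with the public exponent instead fails.
    n, e = public
    forged = pow(_digest_int(tampered, n), e, n)
    results["asym_receiver_can_forge"] = rsa_verify(public, tampered, forged)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the two halves make together is that the shared-key scheme lets either party produce a valid tag, so a signature of this kind cannot be used to prove which party sent a message, whereas the asymmetric signature can.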
Online Contracts
The Indian Contract Act, 1872 defines contract as an agreement between two or more parties for the
buying/selling of goods or services for a valid consideration. The essentials to a valid contract are also
some of the essentials to an e-contract which are:
Section 10 of the IT Act, 2008 gives legislative authority to E contracts. It says that, “Where in a
contract formation, the communication of proposals, the acceptance of proposals, the revocation of
proposals and acceptances, as the case may be, are expressed in electronic form or by means of an
electronic record, such contract shall not be deemed to be unenforceable solely on the ground that
such electronic form or means was used for that purpose.” For any contract to be valid, signatures
from both the parties are required. In the case of an e-contract, an electronic signature comes to play.
An electronic signature is defined by the Information Technology Act, section 2(p) as the
authentication of any electronic record by a subscriber by means of the electronic technique specified
in the second schedule and it includes a digital signature. Further, section 5 of the Information
Technology Act says that where any law requires that information or any other matter be
authenticated by affixing a signature or any document signed by or bear the signature of any person,
then such requirement shall be deemed to have been satisfied. Electronic signature serves the same
purpose as a handwritten signature. Section 85C of the Indian Evidence Act states that, as far as a
digital signature is concerned, the courts presume that the information provided in that certificate is
true and correct. E-contracts are contracts that are not paper based and are electronic in nature. These
contracts are generally made for speedy entering into a contract or for the convenience of the parties.
They are best made between parties who live in two different parts of the world and have to enter into an
agreement. A digital signature is all they need to enter into a contract as a party even though both the
35. Sharma, Vakul, Information Technology – Law & Practice, Universal Law Publishing: 2009.
parties to the contract are sitting miles away from each other. In this proliferating world, it is the most
convenient method to enter into a contract without being physically exhausted.36
The two main parties to an e-contract are the Originator and the Addressee.
Originator according to the IT Act, 2008 is a person who sends, generates, stores or transmits any
electronic message to be sent, generated, stored or transmitted to any other person and does not
include an Intermediary. (In the present context, the person who initiates the process of making an e-
contract to send it to the other party.) An Addressee according to the IT Act, 2008 is a person who is
intended by the originator to receive the electronic record but does not include any Intermediary. (In
the present context, the party which receives the e-contract made by the other party.)37
The Information Technology Act, 2000 attempts at alleviation of some of the problems that arise out
of communication over computer networks. Although electronic or online contracts are not
specifically addressed by any statute in India, the omnibus provisions of the Information Technology
Act provide a significant platform for interaction of the law and technology. By clothing electronic
records and transactions with legal sanctity, the Act has facilitated online commercial transactions.
Section 11 provides for the attribution of electronic records to the originator. This is a significant
provision in view of the necessity to have provisions which prohibit a person from disowning
electronic communications that originated from him. A mandate for non-repudiation is, after all,
crucial for a contract to come into being. Section 12 makes provisions for the acknowledgment of
receipt of communication and the time at which such communication is received. These provisions go
a long way in resolving some of the complications that arise out of communication over the Internet.
Section 12 provides that where the originator of a communication has not agreed with the addressee
of such communication, on the mode in which acknowledgment of receipt is to be given, the
acknowledgment for receipt of such communication may be given by the addressee by any automatic
or other communication or by the conduct of the addressee which is sufficient to indicate to the
originator that such communication has in fact been received. However, this rule operates only in the
absence of any contract between the parties as regards the acknowledgement of receipt. The parties
are also at liberty to specify the time limit within which such acknowledgement of communication has
to be made. If such acknowledgement is not communicated within a reasonable time, the originator of
the message who has not received the acknowledgment is also at liberty to treat the communication as
never having been sent. Section 13 of the Act contains significant provisions which obviate certain
problems of communication over computer networks. Several countries, including the U.S.A and
Canada have introduced legislation to address issues arising out of e-commerce. The Uniform
Electronic Transactions Act, 1999 (UETA) and the Uniform Computer Information Transactions Act
(UCITA) have been introduced in the U.S.A. and Canada has introduced the Uniform Electronic
Commerce Act (UECA). In addition to these laws, several states have introduced legislation to adopt
or to supplement them. The controversy as to the applicability of the mailbox rule to communications on
the Internet and the complications involved in the ascertainment of the conclusion of a valid contract
appear to have been resolved, at least to a great extent, by the provisions of section 13. This section
also operates only in the absence of a contract to the contrary between the parties. In other words, in
the absence of an agreement to the contrary, the acceptance is despatched when such acceptance
enters a computer resource outside the control of the originator. The marked difference in case of a
contract governed by section 13 is that the point at which the acceptance is binding qua the offeree is
not when it leaves his computer system and is outside his control but the point at which acceptance
36. Available at http://14.139.60.114:8080/jspui/bitstream/123456789/722/9/Online%20Contracts.pdf
37. Id.
enters the computer resource beyond his control. Sub-section 2 of section 13 contains certain
significant provisions which also provide for specific cases in which acceptance is actually
communicated and these provisions go a long way in determining the point of conclusion of contract.
If the offeror has designated a computer resource through which a communication of acceptance has
to be signified, the contract comes into being once the acceptance enters such designated computer
resource. In the event of the offeror not designating any particular computer resource for this purpose
the contract is concluded when the offeror retrieves such message from his computer system.
Sub-sections 3 and 4 of section 13 also provide for determining the place of conclusion of a
contract. In the absence of an agreement to the contrary, the place of conclusion of the contract will be
the place of receipt of acceptance by the offeror. The application of this rule obviates many of the
problems that arise out of the location of computer and computer systems over different places. The
acceptance is deemed to have been received at the place of business of the offeror. In fact sub-section
4 makes it very clear that even if the computer resource is located in a place different from a place
where the electronic record is deemed to have been received, the time at which the contract is
concluded shall be governed by the provisions of sub-section 2. In sum, the provisions of the
Information Technology Act have helped tackle certain ticklish issues arising out of online
transactions and these provisions make it amply clear that a legally enforceable contract which has all
the essential ingredients can in fact be formed online.38
Privity of Contracts
No one but one of the parties can go to court and enforce the contract even if the contract was to operate
to a third party’s benefit. This is known as the “privity of contract” rule. There are exceptions to it:
Another exception allowed under special laws is cheques and promissory notes. In these cases,
enforcement rights are created by special laws between non-signatories as the cheque
exchanges hands, from one bank to another or from one person to another.
Contracts that restrict or impact upon the use of land (e.g. an easement) may be enforceable
upon the next land-owner, even though they were not privy to the original contract. This is an
old exception to the rule of privity of contract that is still applicable today.
The law of trusts, where a person may contract to the benefit of another, operates to convey
certain rights to the third party even though, in fact, this third party was not party to the
contract which created the trust.39
38. Id.
39. Chapter 1: E-commerce salient features, available at http://www.nalsarpro.org/CL/Modules/Module%203/Chapter1.pdf
Shrink Wrap agreements are those which can only be read and accepted by the consumer after the
opening of a particular product. The term is derived from the shrink-wrap plastic wrapping that is
used to cover software or other boxes. Installing software from a CD into your PC is an example of a
shrink wrap agreement.
Click Wrap agreements are mostly found in the software installation process. The user has to click
either ‘Accept’ or ‘Decline’ to accept or reject the agreement respectively. These agreements lack a
certain amount of bargaining power. Choosing to make payments online or choosing to reject it is an
example of using a click wrap agreement.40
The Delhi High Court in the case of Societe Des Products Nestle S.A and Anr Vs Essar Industries and
Ors paved the way for the immediate introduction of Sections 65A and 65B in the Indian Evidence Act,
1872 relating to the admissibility of computer-generated evidence, in a practical way to eliminate the
challenges to electronic evidence. According to section 65A, the contents of electronic records can
be proved by parties in accordance with section 65B of the Indian Evidence Act, 1872. Also, the Delhi
High Court in the case of State of Delhi Vs Mohd. Afzal and Others held that, “Electronic records are
admissible as evidence.”
E-Commerce: Terms of Service Agreements
The purpose of terms of service agreements is to set down what you have agreed, or to present the
inflexible terms under which you will accept business, including: defining the contract; defining the
business procedures; protection of your business and your rights; limitation of your liability; other
relevant matters etc.41
(i) Know your site implies that one should be aware of website’s revenue model, its
functionalities and target users.
(ii) Website’s strengths and weaknesses can be analysed by understanding every aspect of the
site.
(iii) Transform your site’s strengths and weaknesses into appropriate disclaimers
(iv) Cover yourself from all angles by framing appropriate, adequate and relevant terms of service
conditions.
The terms of service conditions may include the things such as Notice, Website Limited
License, Limitations on Use, Intellectual Property Rights, Linking to this Website, Advertisers,
40. Available at https://www.indianbarassociation.org/e-contracts/
41. Emmanuel Marilly et al., “Service Level Agreements: A Main Challenge for Next Generation Networks”, available at http://www-rp.lip6.fr/adanets/PublicDoc/Papers/001_ECUMN02-SLA-NGN.pdf accessed on 16th December 2013 at 12 AM.
Errors and Corrections, Third Party Content, Disclaimer, Limitation of liability, Indemnification,
Third Party Rights, Unlawful Activity, Governing Law and Jurisdiction, Modifications to Terms of
Use, If You Do Not Agree etc. Following are some important clauses:42
Merely creating terms of service conditions is not enough. It must be complemented with an
appropriate privacy policy also. Following questions need to be asked:
What kind of information is to be collected: E-mail address, name, phone number, postal
address, age, gender, occupation, credit card number etc.
What kind of technological tools will be used to collect information? How the information
thus collected will be used and for what purpose? Whether information to be given to any
third-party and for what purpose? Whether a choice be given to the individual to opt-out from
collection and distribution of online information.
What will be the business transaction consequences of an individual who has refused to
provide private information or has refused to accept a cookie? How individually identifiable
private information collected can be reviewed, corrected or removed? How frequently the
privacy policy will be reviewed? Whether the site is independently verified to ensure that its
security controls adequately protect its customers from risk of security breaches?
It may include a Privacy Notice, the information which the website collects, how the website uses the
information, and how the information will be protected. The Platform for Privacy Preferences (P3P) is an
industry standard for publishing a privacy policy on a Web site, intended to allow Web users to gain more
control over the personal information being collected on the Web, to make privacy policies easier to find
and understand, and to determine if Web site privacy policies match users’ privacy needs.43
It implies that one should be aware of website’s revenue model, its functionalities and target users.
42. Ibid.
43. Ackerman, Mark S., “Privacy in pervasive environments: next generation labeling protocols”, 8 Personal and Ubiquitous Computing (2004): 430–439.
Every website has its strengths and weaknesses. These strengths and weaknesses can be analysed by
understanding every aspect of the site.
Framing an appropriate terms of service conditions will require understanding the site’s strengths and
weaknesses.
Internet is a new medium. The risks are also new! Thus it would be appropriate, if adequate and
relevant terms of service conditions were framed.
A model Terms of Service (ToS) conditions may include following important clauses:
I. Notice
Make it explicitly clear to all users that if they do not agree to the terms & conditions they should not
access this site or any of its links.
Inform that all the information & material (text, graphics, links or other items) are provided “as is”,
“as available”.
Disclaimer of liability.
Create copyright for all the information & material (text, graphics, links or other items). Make the
user responsible for providing true, accurate, current and complete information.
All content, information and software provided on and through this Website (“Content”) may be used
solely under the following terms and conditions (“Terms of Use”).
Notice
By using the Website XYZ.com, you signify your assent to these terms of use. If you do not agree to
these terms of use, please do not use the site.
As a user of this Website you are granted a nonexclusive, nontransferable, revocable, limited license
to access and use this Web Site and Content in accordance with these Terms of Use. Provider may
terminate this license at any time for any reason.
You are granted a non-exclusive and non-transferable license to install and use the Software under the
following conditions:
1. The Software may be installed and used by the Licensee for commercial purposes or business
environment.
2. Up to 50 copies of the Software may be installed and used on compatible systems, provided
all copies are registered for the Company name, and all systems are located within the Licensee's
Company premises nationwide.
3. The Software can be utilized by up to 50 users at a time, provided they are employees of the
Licensee's Company.
4. With this License the Software will be licensed to the Licensee's Company name.
5. A unique license key generated for the Licensee's Company name will save the trouble when
entering the License info on multiple systems.
Limitations on Use
The Content on this Website is for your personal use only and not for commercial exploitation. You
may not copy, modify, reproduce, republish, distribute, display, or transmit for commercial, non-profit
or public purposes all or any portion of this Website, except to the extent permitted above. Any
unauthorized use of this Website or its Content is prohibited.
You agree that the Content and Website are protected by copyrights, trademarks, service marks,
patents or other proprietary rights and laws.
You may provide links only to the homepage of this Web site, provided (a) you do not remove or
obscure, by framing or otherwise, any portion of the homepage, including its advertisements, the
terms of use, the copyright notice, or other notices on this Site, (b) you give Provider notice of such
link by sending an e-mail to [email protected] (c) you discontinue providing links to this
Website if requested by Provider.
Advertisers
This Website may contain advertising and sponsorship. Advertisers and sponsors are responsible for
ensuring that material submitted for inclusion on this Web site is accurate and complies with
44. Available at http://wiki.eltima.com/software-licenses/limited-site-eula.html
applicable laws. Provider will not be responsible for the illegality of or any error or inaccuracy in
advertisers’ or sponsors’ materials or for the acts or omissions of advertisers and sponsors.
Provider does not represent or warrant that this Website will be error-free, free of viruses or other
harmful components, or that defects will be corrected or that it will always be accessible. Provider
does not warrant or represent that the information available on or through this Website will be correct,
accurate, timely, or otherwise reliable. Provider may make improvements and/or changes to its
features, functionality or Content at any time without informing the user.
Third party content may appear on this Website or may be accessible via links from this Website.
Provider shall not be responsible for and assumes no liability for any infringement, mistakes,
misstatements of law, defamation, slander, libel, omissions, falsehood, obscenity, pornography or
profanity in the statements, opinions, representations or any other form of content contained in any
third party content appearing on this Website. You understand that the information and opinions in the
third party content is neither endorsed by nor does it reflect the belief of Provider.
DISCLAIMER: This website is provided on an “as is, as available” basis. Provider expressly
disclaims all warranties, including the warranties of merchantability, fitness for a particular purpose
and non-infringement.
LIMITATION OF LIABILITY: Provider shall not be liable for any loss, injury, claim, liability, or
damage of any kind resulting from your use of this website or any facts or opinions appearing on this
website. Provider shall not be liable for any special, direct, indirect, incidental, or consequential
damages of any kind whatsoever in any way due to, resulting from, or arising in connection with the
use of or inability to use this website or the content.
Indemnification
You agree to indemnify, defend and hold harmless Provider, its officers, directors, employees, agents,
licensors, suppliers and any third party information providers to the Website from and against all
losses, expenses, damages and costs, resulting from any violation of these Terms of Use by you.
Provider and its officers, directors, employees, agents, licensors, suppliers, and any third party
information providers to the Website, each of these individuals or entities shall have the right to assert
and enforce those provisions directly against you on its own behalf.
Unlawful Activity
Provider reserves the right to investigate complaints or reported violations of our Terms of Use and to
take any action we deem appropriate including but not limited to reporting any suspected unlawful
activity to law enforcement officials, regulators, or other third parties and disclosing any information
necessary or appropriate to such persons or entities relating to user profiles, e-mail addresses, usage
history, posted materials, IP addresses and traffic information.
The Terms of Use are governed by and construed in accordance with the relevant Indian laws. You
agree that any action at law or in equity arising out of or relating to these terms shall be filed only in
the courts and forums located in Delhi and you hereby consent and submit to the personal jurisdiction
of such courts and forums for the purposes of litigating any such action.
Provider reserves the right to change these Terms of Use at any time. Updated versions of the Terms
of Use will appear on this Website and are effective immediately. You are responsible for regularly
reviewing the Terms of Use. Continued use of this Website after any such changes constitutes your
consent to such changes.
Access to ModDeals.com Web Site is provided to our customers and prospective customers "AS IS"
and "AS AVAILABLE" and without warranty of any kind, whether express or implied, INCLUDING
BUT NOT LIMITED TO, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, TITLE OR NONINFRINGEMENT. Some jurisdictions do not allow the disclaimer of
implied warranties. In such jurisdictions, the foregoing disclaimer may not apply to you.
ModDeals.com reserves the right to block or deny access to the Web Site to anyone at any time for any
reason. Jurisdiction: ModDeals.com controls this Web Site from its offices within the State of
California. ModDeals.com does not imply that the materials published on this Web Site are
appropriate for use outside of the United States. If you access this Web Site from outside of the
United States, you do so on your own initiative and you are responsible for compliance with local
laws. The terms of this Web Site shall be governed by the laws of the State of California, without
giving effect to its conflict of laws provisions.45
IF THESE TERMS AND CONDITIONS ARE NOT ACCEPTABLE IN FULL, YOU MUST
IMMEDIATELY TERMINATE YOUR USE OF THIS SITE.
What kind of information is to be collected: E-mail address, name, phone number, postal
address, age, gender, occupation, credit card number etc.
How the information thus collected will be used and for what purpose?
Whether a choice be given to the individual to opt-out from collection and distribution of
online information.
What will be the business transaction consequences of an individual who has refused to
provide private information or has refused to accept a cookie or has opted out of a particular
use of such information?
45. Available at http://www.moddeals.com/termsofuse.htm accessed on 31 October 2012 at 5 pm.
How individually identifiable private information collected can be reviewed and, if necessary,
corrected or removed?
Whether the site is independently verified to ensure that its security controls adequately
protect its customers from risk of security breaches?
Privacy Notice
Your privacy is important to us. To better protect your privacy we provide this notice explaining our
online information practices and the choices you can make about the way your information is
collected and used. To make this notice easy to find, we make it available on our home page and at
every point where personally identifiable information may be requested.
This notice applies to all information collected from or submitted to the XYZ website.
XYZ respects the privacy and security of its users. Our goal is to provide you with knowledge,
resources, and services that are most relevant and helpful to you. In order to achieve this goal, we
sometimes collect information during your visits to understand what differentiates you from each of
our millions of other users.
The personal information you provide to us when using our website: XYZ such as your name, postal
or email address or telephone number will be kept confidential and used to support your customer
relationship with the company. It also may be used to notify you of special offers, updated
information and new products and services from the company, or offers from third parties that we
think may be of interest to you.
These aggregated statistics are used internally to improve the web site content and services in
general. We may provide the aggregated statistics thus collected to advertisers and other third parties,
but again, the statistics contain no personal information and cannot be used to gather such
information.
The privacy and protection of your personal information is vitally important to us. Unfortunately, no
data transmission over the Internet can be guaranteed to be 100% secure. Accordingly, despite our
efforts to protect your personal information, we at XYZ cannot ensure or warrant the security of any
information you transmit to us.
You transmit all such information at your own risk. However, once we receive your transmission, we
make our best effort to ensure its security on our systems.
XYZ will not willfully disclose any individually identifiable information about its users to any third
party without first receiving that user's permission. XYZ may disclose personal information when we
believe in good faith that the law requires it or to protect the rights or property of XYZ.
We welcome any questions or comments you have about the XYZ site. Please direct them to
[email protected]
If a company elects to develop its website without outside assistance, it enters into a smaller number
of agreements, which cover licenses for web development to create and maintain content. If, on the
other hand, an organization outsources its website development, it needs to enter into a developer’s
agreement with a third party,50 i.e. between the Content developer and the Website owner. The main
clauses of such an agreement to include: Define content, Exclusive or non-exclusive right to content,
Issue of ownership of copyright / trademark related to content, Display all copyright notices, bylines,
disclaimers, restrictions, etc., Maintaining editorial integrity of the content, Retaining all rights, title
and interest in the content, Content usage rights over multiple platforms/media, No liabilities for any
indirect, incidental, special or consequential damages, Place of jurisdiction and governing law etc.
It is an agreement between the Web designer and the Website owner. The main clauses of such an
agreement to include: Designing cost for the ‘home page’ & other web pages, Item wise designing
cost -image, photograph, flash, banner ads etc., Confidentiality of designs, Copyright and trademarks,
Use of licenced software, Prototype / Beta testing and final approval, Deployment/ debugging of the
46. Sharma, Vakul, Handbook of Cyber Laws, Macmillan India, 2002.
47. Michael Cyger, Domain Name Purchase Sale Agreement, available at http://www.domainsherpa.com/domain-name-purchase-sale-agreement/ accessed on 31st October 2012.
48. Abbott, Frederick M., “On The Duality Of Internet Domain Names: Propertization and Its Discontents”, 1:3 (2013) Journal Of Intellectual Property And Entertainment Law: 1.
49. Present online dispute resolution service providers are the Asian Domain Name Dispute Resolution Centre (ADNDRC), CPR Institute for Dispute Resolution, National Arbitration Forum (NAF) and WIPO.
50. Richardson, Helen H., “Website Development Agreements/Licensing of Website Content”, available at http://files.ali-cle.org/thumbs/datastorage/skoobesruoc/source/CL035_SL035-Ch07_thumb.pdf accessed on 31st October 2012 at 3:13 AM.
website, Time period for completion, Training of personnel, Indemnity against third party claims,
Jurisdiction and governing law. 51
It is an agreement between the Web hosting service provider and the Website owner. The main
clauses of such an agreement include: basis of pricing (bandwidth used), renting of racks/rack space on
servers, sale of racks on servers, data backup, performance monitoring and browser behaviour analysis on a
customised basis, site development services offered, mirroring and caching, e-commerce web
solutions, round-the-clock support/monitoring services, UPS/back-up power/generator,
disaster management and business continuity services, if any, percentage of hosting uptime or
downtime, site bandwidth/backbones connected, jurisdiction and governing law.52
Web-based contracting may also help eliminate uncertainty and unfairness inherent in application of
the so-called "mailbox rule." Where the method for making an offer and acceptance inevitably
requires a time delay of some magnitude, such as where the mail is used, courts apply the so-called
mailbox rule. That rule provides that where an offer can be accepted by mail, the mere mailing of the
acceptance is deemed to seal the contract regardless of any delays that may result in the receipt of the
acceptance by the offeror, or even the failure of the offeror ever to receive it. However, attempts by
the offeror to revoke an offer are not effective until received by the offeree. The one-sidedness of the
so-called "mailbox rule" in favoring offerees means the burden is on the offeror to specify the method
by which the offer can be accepted in a way that eliminates any unacceptable risk due to delay in
communicating an acceptance. Note that the mailbox rule applies only in circumstances in which the
delivery of the offer and acceptance are necessarily delayed -- it does not apply to contracts negotiated
over the telephone, or telex, or in person, or perhaps by fax. The question therefore is whether the
courts will consider E-mail and other forms of Internet-based communication to be essentially
instantaneous, in which case the mailbox rule will not apply, or to be more analogous to the mail or
telegraph, where the rule does apply. A Web page can be set up so as to eliminate any ambiguity as to
when or how a contract is entered into, thereby eliminating concern over application of the mailbox
rule. E-mail is not so simple. Sometimes E-mail messages are essentially instantaneous, and
sometimes they can be delayed for hours. Where non-instantaneous forms of electronic acceptance are
contemplated, the careful offeror will consider this issue and structure the offer in a way to avoid
ambiguity. In general, however, the Internet is a favorable environment to avoid contracting
ambiguities such as those presented by the mailbox rule.53
In Canada, the Cyber Tribunal in Montreal has successfully resolved e-disputes using ODR; in the U.S.,
the Online Ombudsman office uses e-mediation. Square Trade is a well known ODR provider that
resolves disputes between sellers and buyers that use the eBay services by adopting negotiation and
mediation methods. In the U.S., financial disputes are resolved through CyberSettle, and ClicknSettle
resolves insurance related disputes. Other ODR service providers include www.mediate.com,
www.novaforum.com, www.icourthouse.com, www.etribunal. SmartSettle uses negotiation
software to settle disputes after the parties allocate priority to the various interests which are affected by
the disputes. In Europe, the European Small Claims Procedure was established with effect from 1st
January 2009, and in the Netherlands, NMI Mediation uses mediation by experts to settle online
disputes.54
51. Carol A. Kunze, "Web Site Legal Issues", 2:14:1998, Santa Clara Computer & High Technology Law Journal: 477.
52. Ibid.
53. Legal Issues in Contracting on the Internet, available at http://corporate.findlaw.com/business-operations/legal-issues-in-contracting-on-the-internet.html
resolve consumer disputes in the United States using conciliation and, if unsuccessful, mediation
through engaging online resources. One of the most successful ODR initiatives is the WIPO Domain
Name Dispute Resolution Policy adopted by ICANN in August 1999. It provides for an administrative
proceeding to resolve domain name related disputes through accredited service providers that follow
the UDRP policy along with their own supplemental rules. WIPO, the National Arbitration Forum and the
Asian Domain Name Dispute Resolution Centre are amongst the accredited ODR service providers. The
administrative proceeding stipulates that the disputes ought to be resolved within a particular time
frame, and the procedure may be invoked prior to a court proceeding. The decision of the
administrative panel may be challenged within 10 days of the date of decision by any affected party.
The disputes resolved through the UDRP policy lead to transfer of domain names which are registered
by a respondent in bad faith and in which it has no legitimate interest, if the subject domain name is
deceptively similar or identical to the trade mark of the complainant. In Tata Sons Ltd. vs the
Advanced Information Technology Association, WIPO directed that the domain name Tata.org should
be transferred to the complainant Tata Sons Ltd., as all three criteria of the UDRP policy were
established in the case.55 The law of consumer protection grants stronger protection to consumers in
Europe, and the application of mandatory rules of law at Lex Situs are some challenges that emerge
due to lack of homogenous cyber laws. Could there ever be an International Court of Justice that
decides e-disputes of all nature, adopting homogenous cyber laws in ODR process and procedure?56
At this point I draw an analogy to Lex Mercatoria applicable to international trade. It will be
beneficial if at least a homogenous ODR law or core legal principles for the law and practice of ODR
could be framed. Major international legislative texts, treaties and conventions and national
initiatives could bring definiteness to the law and practice of ODR in cyberspace. In fact, the mission
is half accomplished, as some landmark initiatives have been made to bring more clarity in ODR. These
initiatives include the Recognition and Enforcement of Foreign Arbitral Awards, 1958, the Brussels
Convention on Jurisdiction and Enforcement of Judgments in Civil and Commercial Matters, 1968, and
the Rome Convention on Law Applicable to Contractual Obligations, 1980. In 1999, the OECD
published its Guidelines for Consumer Protection in the Context of Electronic Commerce.57
54. Many ODR systems, such as Adjusted Winner (Brams and Taylor, 1996) and SmartSettle (Thiessen and Mac Mahon, 2000), adopt 'Bargain and Gain theory' for dispute resolution. In SmartSettle, automated software renders assistance to parties to discuss multiple options to arrive at a settlement. To decide on the jurisdiction applicable to an e-dispute, the effects test and the Zippo sliding scale approach may be used. In private international law, the place of performance of a contract is a significant parameter to decide the substantive law or the jurisdiction which will apply to the facts of a case.
56. United States Supreme Court in Calder v. Jones, 465 U.S. 783 (1984); also see http://ecommercelaw.typepad.com/ecommerce_law/2007/12/caldereffects.html#ixzz16Cp2wPlI20 … Zippo Manufacturing Co. v. Zippo Dot Com, Inc., 952 F. Supp. 1119 (W.D. Pa. 1997).
57. The Guidelines provide that the consumer ought to be rendered fair and cost effective means of dispute resolution, and explain the significance of information technology while using ADR systems. In the European Union, the E-commerce Directive provides in Article 17 that in case of an e-dispute, the member states are required to ensure that the parties are not hindered from using the ADR process for dispute resolution 'including appropriate electronic means'. The National Alternative Dispute Resolution Advisory Council drafted standards for ADR in 2001 and laid down the principles for ODR in 2002. Thus, we have some legal initiatives already made to promote ADR and the use of technology to bring speedy dispute resolution services. It is a matter of infusing new ideas and solutions to promote and streamline the body of laws for ODR, while also incorporating the legal principles enunciated by international initiatives by fair adaptation, which will lead to unification in ODR law and practice.
Ecommerce & Online Advertisements
Online advertising is a part of the e-commerce ecosystem. It has played an important role in bringing
the consumer and the businesses closer and, like e-commerce, it has also grown exponentially.58
Text ads
Advertisements displayed as simple, text-based hyperlinks are known as Text Ads. They do
not include graphic images and are sold on non-search websites, where they can be served either by
individual websites or by a publisher's own ad servers.60 Eg. Humana Health Insurance
Display Ads
Graphical advertisements featured on websites are known as Display Ads. Display ads are
often available in many standard shapes and sizes, including banners, leaderboards, skyscrapers,
large boxes, and other sized graphical ads. Display ads are sold on non-search websites and can be
served either by individual websites or by a publisher's own ad servers. Eg. Blair Clothing
Interstitial Ads
Interstitial ads appear between web pages that the user requests. As these load in the background and do
not interrupt the user's immediate browsing experience, they are a preferred method of delivering ads
with rich media, streaming video, and/or large graphics.61
Video Ads
Currently video ads can either be content created entirely by the advertiser, or show the advertiser's ad within a
video. Major search properties like Google (through YouTube), MSN, Yahoo, and AOL all offer
advertising on their video websites.62
58. Available at http://www.navneet.tecindia.co.in/navneet-cyberlaw/MIR-013-B1-unit3.pdf
59. Available at http://www.webadvantage.net/digital-marketing-services/online-media-buying-planning/types-of-online-advertising accessed on 1st November 2012 at 3 pm.
60. Singh Debudatta, Variants of Online Advertising, available at http://www.slideshare.net/rajarajurani/internet-advertising-5655436
61. Maja Levi Jaksic et al., "Innovative Management and Business Performance", University of Belgrade, Faculty of Organizational Sciences, 2012.
62. Ibid.
On-Site Sponsorships
On-Site sponsorships are ads (typically just a company's logo) that can be bought on
individual websites and appear in an area reserved for sponsors. Eg: Connections Academy63
Advertorials
Advertisements in editorial form that appear to contain objectively-written opinions are
known as paid editorial ads, or "Advertorials". They are typically featured on publishers' websites
and promote products and services related to the website's content. Eg: International Federation for
Animal Welfare (IFAW)
Contextual Targeting
When ads are served based on the related content a user is currently reading or browsing online, it
is known as contextual targeting. Contextual ads are purchased through major search properties like
Google, Yahoo, MSN, and through many other contextual ad networks. Eg: IFAW64
Behavioral Targeting
Behavioral targeting is based on a variety of online factors such as recent online purchases,
searches, and browsing history, as well as demographic details such as age or gender. Eg. Connections
Academy65
Websites
A website is like an electronic brochure, which is available 24x7. This could be a most cost effective
tool not only to market, but also to sell goods and services over the Internet.
Banner Ads
A banner advertisement is a small graphic link, sometimes called a 'hot link', placed on a Web page.
The banner is linked to the advertiser's Web pages, so that clicking it will transport the browser to
the advertiser's site. It can be placed anywhere on a Web page. The effect of such ads is precisely
measurable, as the advertiser collating 'click-throughs' can easily count the users who click on the
banner.66
Interactive Ads
One of the simplest approaches to extend the value of a simple banner is to create an
interactive ad. It requires the 'programmability' of the computer on which the advertisement is
displayed, so as to create new and interesting shapes, images or messages whenever the banner is seen,
by using the facilities of Sun's Java or Microsoft's 'ActiveX' applets.
Cookies
The data stored on the local browser is referred to as a 'cookie'. Cookies can be used to record
the location of the browser, so that only advertisements for a specific country, city, or even individual
user are displayed. Cookies help in creating a profile of the user so that only those advertisements on
a particular web page or site that are relevant to the user are displayed to him.67
63. Ibid.
64. Available at http://www.maxklick.com/types-of-internet-advertising.php accessed on 24th November 201 at 11.30 AM.
65. Ibid.
66. Supra note 64.
Blogs
This is a web page made up of usually short, frequently updated posts that are arranged
chronologically. Blogs are being increasingly used to influence viewers, and many times they are
used to promote products and services in a clandestine manner. These days, micro-blogging sites
like Twitter are being used to promote all kinds of causes.68
Spamming
Spam is a form of unsolicited e-mail. Most spam comes with no effective return address and
no easy way to trace the sender, because it is inserted into the network using a variety of techniques that
rely on badly-configured mail systems, web servers and network components. Following are the
advantages and disadvantages of spamming:
Advantage: extremely low cost advertising.
Disadvantages: forced cautious approach; slowing down of the Net access rate.
67. Supra note 64.
68. Supra note 13.
69. Ibid.
Online Advertising: Ethical Issues
Online advertising is a double-edged sword. There is always a thin line of demarcation
between 'legitimate and illegitimate information'. E-commerce sites are in a hurry to maximize their
profits, and often they use questionable means, in the form of questionable technologies, to gain
knowledge about consumers' choices and preferences.70
Surveillance Technologies71
Whenever a person browses, visits a site, sends an email or chats online, he leaves his
'distinctive' IP address behind. It is possible, either by searching IP registration databases or by
conducting a trace route, to determine the approximate physical location of an IP address. Other
surveillance technologies being widely used are Cookies, the Globally Unique Identifier (GUID), Web
bugs, Email or document bugs, Spyware and Online digital profiling, Disintermediation and
Reintermediation, etc.
GUID is software that is embedded in the computer's hardware. It can be read remotely from across
the network. For example, one may find a GUID embedded on Ethernet cards used in a Local Area
Network (LAN). The result would be eavesdropping on all the computers connected through the LAN.
Web Bugs
Web bugs are being increasingly used by online advertisers to build a database of users. A web bug could be
part of a banner ad on a web page that a person is viewing. The embedded instructions
cause the person's browser to transmit to the advertiser's server the URL of the page the
person is visiting, whether or not the person has clicked on the banner ad.73
It is a good tool in the hands of a sender of emails and documents to know whether the recipient has
read the email or opened the document, as these electronic messages/documents can be laden with
web bugs that "call home" and report the time and date the message was opened.74
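As an added example (not code from the study material), the following Python script looks at the web-bug mechanism described above from the defender's side: it scans a saved HTML page for images that behave like web bugs. The sample page, the host names and the heuristics are constructed for illustration.

```python
"""Heuristic web-bug (tracking pixel) finder for saved HTML pages.

Added example, not code from the study material. The heuristics and the
sample page below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in a document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            # attrs is a list of (name, value); a bare attribute has value None
            self.images.append({k: (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 pixel (e.g. "1", "1px", "0")."""
    digits = value.strip().lower().rstrip("px").strip()
    return digits.isdigit() and int(digits) <= 1


def find_web_bugs(html, page_host):
    """Return a list of (src, reasons) for <img> tags that look like web bugs.

    A tag is flagged when it is invisible (1x1 or CSS-hidden) or when it is
    loaded from a third-party host with a query string, which is how the
    "embedded instructions" described in the text carry the visited URL or an
    identifier back to the advertiser's server.
    """
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        reasons = []
        if _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", "")):
            reasons.append("1x1 pixel image")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        parsed = urlparse(src)
        third_party = parsed.hostname is not None and parsed.hostname != page_host
        if third_party and parsed.query:
            reasons.append("third-party host %s with query string" % parsed.hostname)
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one ordinary image, one tracking pixel, one hidden beacon.
SAMPLE_HTML = """
<html><body>
<img src="http://www.example.org/logo.png" width="200" height="80" alt="logo">
<img src="http://ads.example-tracker.test/pixel.gif?uid=12345&amp;page=%2Fnews" width="1" height="1">
<img src="http://beacon.example-tracker.test/b.gif" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE_HTML, "www.example.org"):
        print(src, "->", "; ".join(reasons))
```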
Spyware
Some software developers have included code (Trojans, Backdoor Santas, Adware, Drive-by
Downloads etc.) within their applications that causes the user's computer to transmit information back
to the software developer via the Internet.75 One use of the technology is to deliver advertising content to the
user that is tailored to the information that the spyware gathers; another is to scan the user's hard
drive to see what other software he has installed, adding this information to a profile of the user that
will be used for marketing purposes.76
70. Robert I. Berkman et al., Digital Dilemmas: Ethical Issues for Online Media Professionals, Iowa State Press, 2003.
71. Supra note 31.
72. Ibid.
73. Ibid.
74. Ibid.
75. Kavita Arumugam, Demographics of Adware and Spyware, a thesis available at http://etd.auburn.edu/etd/bitstream/handle/10415/192/SANYASI_ARUMUGAM_58.pdf?sequence=1 accessed on 17th December 2013 at 1.30 AM.
76. Zittrain Jonathan, The Future of the Internet and How to Stop It, Yale University Press and
Online Digital Profiling
International online advertising companies insert ads on web pages with cookies tagged on them.
Once clicked, they start building up the user's profile as he moves from one site to another. This is
how the advertising companies, known as profilers, build a comprehensive profile of the user's surfing
habits and use it to put ads targeting him on their partner sites, using profiling software tool(s).77
Intermediation is one of the most important and interesting e-commerce issues related to loss of
jobs. The services provided by intermediaries are:
i) matching and providing information, which can be fully automated and is likely to be in e-
marketplaces that provide free services;
ii) value added services, which require expertise and can only be partially automated.
The phenomenon by which intermediaries who provide mainly matching and information services
are eliminated is called Disintermediation.78 The brokers who provide value added services or
who manage electronic intermediation or infomediation are not only surviving but may actually
prosper; this phenomenon is called Reintermediation. The factors that should be considered here are
the enormous number of participants, extensive information processing, delicate negotiations, etc.
They need a computer mediator to be more predictable.79
One of the rapidly growing areas of e-commerce is mobile (or m-) commerce. M-commerce was born
due to new technological advances, such as GSM networks, WAP (Wireless Application Protocol, for
accessing information over a mobile wireless network), and 3G technologies. Actually,
m-commerce was long perceived but was first introduced in the late 1990s. By using innovative
technologies, mobile operators have promised consumers more effective ways of communicating
and transacting their business.80
If e-commerce can be seen as a dynamic 'commercial' process, then m-commerce can be referred
to as a dynamic 'techno-commercial' process. It is far more consumer oriented than e-commerce
practices. M-commerce depends on the 'efficient' assimilation and adaptation of technology by the
consumer, for the consumer, of the consumer.81 In the last 20 years, the world has seen the evolution of
new communication technologies, as under:
• 2G: Introduced digital technology. Primarily used for voice communications, but data features
like short messaging service (SMS) were allowed.
• 2.5G: Currently the most prevalent technology standard; has better software allowing increased
data rates.
• 3G: Promises greater bandwidth, bigger data pipes to users allowing more information flow,
and
Table 2: Describes evolution from 1G (First Generation Mobile Phones) to the current 4G (Fourth
Generation Mobile Phones).
It is important to note that a website is useful if it does something practical, such as allowing
customers to access their accounts or businesses to cut costs by improving and streamlining business
processes. Similarly, if 'm-commerce' is to complement 'e-commerce', it must have practical
applications.82 Moreover, m-commerce has its own distinctive features, namely Personalisation, On
Demand Services, and Micropayments.
All information, especially personal information, has to cope with new demand. People want
to access their personal data and their personal software environment anytime, anywhere.83
The question is: is there a difference between the two? The answer is YES, and it is NO also! YES, in
the sense that in India, for a large section of society, e-commerce meant the use of computers and
computer networks for online transactions. E-commerce remained confined to metropolitan
centres; there existed a digital divide between the 'digital haves' and the 'digital have-nots'. On the other hand, in the
last 15 years the mobile phone has been the first screen for the majority of the population, whereas for the urban
population in India the mobile has been the third screen, the earlier two being TV and computer. This
difference has made the use of mobile applications complementary for urban dwellers for e-commerce
purposes, and supplementary for the rest of the population.85
82. Infra note 43.
83. Åkesson Maria, "Value Proposition in M-commerce: Exploring Service Provider and User Perceptions", available at http://www.diva-portal.org/smash/get/diva2:239430/FULLTEXT01 accessed on 15th December 2013 at 8 PM.
84. Report on E-Commerce and Development, The UNCTAD Secretariat, 2001.
2. The searching process may be boring and repetitive. | The mobile agent can do the searching as per the specification of requirement.
3. The search process ties down resources while you visit each site in turn. | The search process frees up your resources.
4. If the network goes down, you may need to search from the beginning. | It is less dependent on the network condition, as the searching is done at the remote sites by the mobile agent.
6. Device: Immovable or portable, public or private. Eg. desktop PC, notebook etc. | Device: Portable handy private device. Eg. mobile, PDA etc.
The current realities of Bitcoin mean it is still a long way off from reaching the unbanked. Only the
financially included can access the Bitcoin system through the necessary digital connections to the
Internet.
Bitcoin has had a volatile journey since it was launched in 2009, attracting attention among
conventional investors as well as the black market. Regulators and policy makers are also following
Bitcoin, raising the occasional eyebrow as they evaluate Bitcoin’s risks and benefits and how to
regulate this little understood virtual currency. Some media reports have confused Bitcoin with more
popular electronic money (e-money) schemes used in many low-income countries to reach the
unbanked. But the two are markedly different and should not be conflated. This Brief provides
information about Bitcoin and contrasts Bitcoin with e-money to avoid alarm about the former to the
detriment of the latter.
85. Sharma Vakul, White Paper on E-commerce, IAMAI Pub., 2010.
86. Khalled Hassanian et al., "Understanding M-commerce: A Consumer Centric Model", 3 (2002), QJEC: 247.
87. Chan, Lee et al., E-Commerce: Fundamentals and Applications, John Wiley & Sons, Ltd., England, 2001.
[Table: Bitcoin vs e-money; table source: BITCOINVSEMONEY.JPG]
Virtual Currency
One way to comprehend virtual currency is to first understand fiat currency. Fiat currency is any legal
tender designated and issued by a central authority that people are willing to accept in exchange for
goods and services because it is backed by regulation and because they trust this central authority. Fiat
money is similar to commodity-backed money in appearance and usage, but differs in that it cannot be
redeemed for a commodity, such as gold (European Central Bank 2012). By contrast, virtual currency
is “a type of unregulated, digital money, which is issued and usually controlled by its developers, and
used and accepted among the members of a specific virtual community.” Although there are different
types of virtual currencies (European Central Bank 2012), this Brief will focus on virtual currencies
with “bidirectional flow” since these currencies intersect most directly with the real economy. Virtual
currencies with bidirectional flow may be bought and sold according to prevailing exchange rates and
may be used to purchase both real and virtual goods and services.88
Bitcoin
88. Sarah Rotman Parker, Bitcoin vs Electronic Money, 23 January 2014, available at http://www.cgap.org/publications/bitcoin-vs-electronic-money
Bitcoin was launched in 2009 as an alternative to fiat currencies by an unknown computer scientist
using the pseudonym Satoshi Nakamoto (n.d.). Bitcoins are not printed like fiat money, but instead
are “mined” using computing power in a distributed global network of volunteer software developers.
At its core, Bitcoin is nothing more than a digital file that lists every transaction that has ever
happened in the network in its version of a general ledger called the “block chain.” Bitcoin is the first
example of a growing category of money known as cryptocurrency in which open-source software
solves complex mathematical calculations to mine more Bitcoins (Coin Desk 2013a). These “miners”
make the Bitcoin network function by validating transactions and thereby creating new Bitcoins. This
occurs when the Bitcoin network collects all the transactions made during a set period of time (usually
every 10 minutes) into a list called a “block.” Miners confirm these blocks of transactions and write
them into the block chain by competing against each other to solve mathematical calculations. Every
time a miner’s system finds a solution that validates a block of transactions, that miner is awarded 25
Bitcoins (Coin Desk 2013b). Every four years, this reward is halved so that the total number of
Bitcoins will never exceed 21 million. For a new user not interested in the mining process, the most
popular way to obtain Bitcoins is through a traditional exchange where fiat currency is converted into
Bitcoins and then stored in a Bitcoin wallet. Wallets come in many forms, including desktop access,
mobile access, and online web-based access. Each has its own risks as both desktop and mobile access
are susceptible to hackers, a hard drive crash, or a lost mobile device. Online access uses third parties
that may also be hacked, cheat its users, or go bankrupt (Lee 2013).89
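To make the mining description concrete, here is an added Python example (not code from the study material or from Bitcoin itself) that mines a toy block by proof of work, verifies it the way any node would, and sums the halving schedule to show why supply never exceeds 21 million. The block layout, difficulty and transactions are constructed; the subsidy schedule (50 BTC at launch, halved every 210,000 blocks) follows the real network and so goes beyond the 25 BTC figure the text gives for its time.

```python
"""Toy proof-of-work mining and block-subsidy arithmetic.

Added example, not code from the study material or from Bitcoin itself. The
block layout, the difficulty target and the transactions are constructed for
illustration; only the subsidy schedule (50 BTC at launch, halved every
210,000 blocks, which at ~10 minutes per block is about four years) follows
the real network.
"""
import hashlib
import json

SATOSHI = 100_000_000        # 1 BTC = 100,000,000 satoshi (smallest unit)
HALVING_INTERVAL = 210_000   # blocks between reward halvings


def block_subsidy(height):
    """Reward in satoshi for a block at the given height.

    The reward is an integer halved by right-shifting, so after 33 halvings
    it rounds down to zero; that is what makes the total supply finite.
    """
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:
        return 0
    return (50 * SATOSHI) >> halvings


def total_supply_satoshi():
    """Sum of every subsidy that will ever be paid (in satoshi)."""
    total, height = 0, 0
    while block_subsidy(height) > 0:
        total += block_subsidy(height) * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total


def block_hash(header):
    """Double SHA-256 over a canonical JSON encoding of the header, as hex."""
    data = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def meets_target(digest_hex, difficulty_bits):
    """The 'calculation' miners race to solve: hash below 2**(256 - bits)."""
    return int(digest_hex, 16) < (1 << (256 - difficulty_bits))


def mine_block(prev_hash, transactions, difficulty_bits, max_nonce=1 << 32):
    """Try nonces until the header hashes below the target; return header and hash."""
    header = {"prev": prev_hash, "txs": transactions, "nonce": 0}
    for nonce in range(max_nonce):
        header["nonce"] = nonce
        digest = block_hash(header)
        if meets_target(digest, difficulty_bits):
            return header, digest
    raise RuntimeError("no valid nonce found within max_nonce")


def verify_block(header, claimed_hash, difficulty_bits):
    """Any node can check a block by re-hashing it; no trust in the miner is needed."""
    return block_hash(header) == claimed_hash and meets_target(claimed_hash, difficulty_bits)


# Constructed transactions for one block; names and amounts are illustrative.
SAMPLE_TXS = [
    {"from": "alice", "to": "bob", "amount": 1.5},
    {"from": "carol", "to": "dave", "amount": 0.25},
]

if __name__ == "__main__":
    header, digest = mine_block("00" * 32, SAMPLE_TXS, difficulty_bits=16)
    print("nonce:", header["nonce"], "hash:", digest)
    print("valid:", verify_block(header, digest, 16))
    print("subsidy at height 300000:", block_subsidy(300_000) / SATOSHI, "BTC")
    print("total supply cap:", total_supply_satoshi() / SATOSHI, "BTC")
```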
Today, there exist a wide variety of electronic payment systems, most of them incompatible
with each other. The broad categories of electronic payment systems are [12]:
Electronic cash (e-Cash), also called digital cash, is digital money that provides private customers with
a safe, fast and low-cost means of payment on the Internet. Created by lots of individual parties, it
moves through multiple networks instead of the current bank system and is best suited for
micropayments. Electronic cash is independent of any network or storage device, and portable. The
electronic cash units and their values can be defined independently of real currency. The application
of e-cash requires that both the merchant and the customer establish e-cash accounts at the issuing
bank, which issues tokens to its customers. In this electronic payment system, tokens are the
payment instruments that represent monetary values. A customer must install a "cyber wallet" on his
computer, which will store the money requested from the bank. When the consumer contacts the bank
in order to withdraw electronic cash, the bank verifies his identity, issues the amount of electronic
cash and at the same time deducts the amount of cash from the consumer's account. The electronic
cash can only be spent on sites that accept the electronic cash for payment. When the goods are
shipped to the consumer, the merchant can present the electronic cash to the bank, which will then
credit the merchant's account for the transaction amount. In e-cash transactions, the payee does not
know the payer's identity, and the issuing bank may or may not keep the identity of the recipient of
the electronic bank notes, which allows the customer to remain anonymous. The anonymity of the
customer allows for double spending, as the customer can present the same tokens (payment instruments)
for different payment transactions. Anonymity of users and double spending of the same tokens have
been the major security holes of the e-cash payment system. The only security mechanism provided by the e-
cash payment system is the encryption of payment instruments (tokens or coins) generated by a given
customer. It makes use of a single-factor authentication mechanism, which is not adequate for
electronic payment systems involved in critical portions of payment processing. The critical payment
function would be compromised if a user's single-factor authentication process failed. This means that
an electronic payment system (e.g., e-cash) with single-factor authentication has a poor security level.90
89. Ibid.
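The double-spending hole described above, and the check that closes it at the issuing bank, as an added Python example (not the study material's own code): the bank issues tokens, debits the customer, and refuses any token serial it has already honoured when a merchant presents it. Token serials, accounts and amounts are constructed, and an HMAC under a bank-only key stands in for the bank's digital signature.

```python
"""Online double-spending detection for bank-issued e-cash tokens.

Added example, not code from the study material. It models the token scheme
the text describes (bank issues tokens, merchant presents them for credit)
and shows the check that closes the double-spending hole: the issuing bank
keeps a record of every token serial it has already honoured. The bank's
signature is stood in for by an HMAC under a bank-only key, a simplification
for illustration; the accounts and amounts are constructed.
"""
import hashlib
import hmac
import secrets


class IssuingBank:
    def __init__(self, key):
        self._key = key        # signing key known only to the bank
        self.accounts = {}     # holder -> balance (in cents)
        self._spent = set()    # serials of tokens already deposited

    def open_account(self, holder, balance):
        self.accounts[holder] = balance

    def _sign(self, serial, amount):
        msg = ("%s|%d" % (serial, amount)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def withdraw(self, customer, amount):
        """Issue a token and debit the customer's account at the same time."""
        if self.accounts.get(customer, 0) < amount:
            raise ValueError("insufficient funds")
        self.accounts[customer] -= amount
        serial = secrets.token_hex(16)  # random serial; carries no customer identity
        return {"serial": serial, "amount": amount, "sig": self._sign(serial, amount)}

    def deposit(self, merchant, token):
        """Credit the merchant only if the token is genuine and unspent.

        Returns "ok", "bad-signature" or "double-spend".
        """
        expected = self._sign(token["serial"], token["amount"])
        if not hmac.compare_digest(expected, token["sig"]):
            return "bad-signature"
        if token["serial"] in self._spent:
            return "double-spend"  # the same token presented a second time
        self._spent.add(token["serial"])
        self.accounts[merchant] = self.accounts.get(merchant, 0) + token["amount"]
        return "ok"


def run_scenario():
    """A customer withdraws one token and tries to spend it at two merchants."""
    bank = IssuingBank(secrets.token_bytes(32))
    bank.open_account("customer", 1000)
    bank.open_account("shop-a", 0)
    bank.open_account("shop-b", 0)

    token = bank.withdraw("customer", 250)
    first = bank.deposit("shop-a", token)   # shop-a ships goods and deposits the token
    second = bank.deposit("shop-b", token)  # shop-b is handed the very same token

    forged = dict(token, amount=9999)       # amount altered after issue
    third = bank.deposit("shop-b", forged)
    return first, second, third, bank.accounts


if __name__ == "__main__":
    print(run_scenario())
```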
System
Electronic cheques are the equivalent of paper-based cheques. The electronic cheques are
initiated during an on-screen dialog and the funds are transferred over a computer network at the time
of the transaction. Authorised users are assigned a portable electronic chequebook, which is an
amalgam of a secure hardware device and specialised software. The electronic chequebook, which
stores and delivers the customer's private key and certificate information, is used for generating and
signing eCheques. The electronic chequebook interfaces with the financial management and transaction
processing software of the issuing bank. The payer writes the eCheque on a computer,
cryptographically signs it, and e-mails it via the Internet. The payer signs the eCheque using the
secure hardware device, and includes its authenticating certificate, signed by the issuing bank. The
payee receives the eCheque, verifies the payer's signature on the eCheque, endorses it, writes a
deposit slip, and signs the deposit slip. The endorsed cheque is then sent by e-mail to the payee's bank
for deposit. The payee's bank personnel verify the payer's and payee's signatures, credit the deposit,
and then clear and settle the endorsed eCheque by sending it to the payer's bank. The payer's bank
verifies the payer's signature once again and the amount on the eCheque is debited from the payer's
account. The electronic cheque payment system makes use of the eCheque payment instrument, which is the
digital form or representation of the paper cheque. The eCheque is protected by a PIN and a digital
signature. This means that it makes use of a two-factor authentication mechanism in verifying
users during the payment process. This authentication mechanism requires a user to prove his or her
identity with two items of data. It is more secure than a single-factor system.91
Smart cards are credit-card-sized plastic cards with an embedded integrated circuit chip providing
users with mobility and data portability, i.e. direct access to cash or services. A smart card combines the plastic and
magnetic cards used for different identification purposes into one card, which can access multiple
services, networks and the Internet. The chip therefore reduces the number of cards, making one card
the access key to many accounts. The smart card as a payment instrument has processing power that
allows the smart card payment system to be used for multiple functions and/or applications. This of
course reduces the overall number of cards in the consumer's wallet, though there are many
arguments and issues about whether or not a smart card is secure and safe enough to store such
information. International standards for smart card procedures and the smart card itself are both
still evolving. In general, smart cards currently cannot display information or directly accept input
from the user. For the user to access the information the smart card contains, the card needs an
interface to communicate with a reader or terminal, such as a merchant point-of-sale. A vast amount
of information and possibly cash is stored on the smart card. If the card is lost or stolen, there is no
way to recover the information or the money. This is a true potential fraud, or major fraud
vulnerability, of the smart card payment system. The smart card payment system provides a three-factor
authentication security mechanism for the verification and authentication of a given user. These are the
personal identification number (PIN), digital signature, and fingerprint biometric. This mechanism
increases the security level of this payment system.92
90. Analysis of Security Issues in Electronic Payment Systems, International Journal of Computer Applications (0975 – 8887), Volume 108 – No. 10, December 2014: 10.
91. Ibid.
Credit card payment system
The concept of credit has been around for centuries. Starting in the early 1800s, local merchants allowed trusted customers to make purchases without paying the total cost upfront. This intuitive concept allowed sellers to reach a larger base of customers, who could then pay their debt over time. The idea of enabling purchases by extending credit spread quickly, and in the early 1950s a seminal moment occurred: the invention of the credit card.
A credit card is an account that lends money to the consumer, i.e. the consumer is allowed to purchase goods or services on credit. The credit card, being a token of trust, transfers the risk of granting credit from the merchant to the card-issuing bank. Both consumers and merchants must register with a bank. The participants in a credit card payment are:
Customer/Cardholder: the consumer making the purchase, using a credit card issued by the issuer.
Issuer: the financial institution (i.e. bank) that issues the card to the cardholder. The issuer guarantees payment for authorised transactions.
Merchant: the merchant offers the goods and services and has a financial relationship with the acquirer.
Acquirer: the financial institution of the merchant. The acquirer processes credit card authorisations and payments.
A cardholder visits a cyber-storefront via a browser. After selecting the items to be purchased, the customer (online shopper) fills out a payment request, selects the credit card he wants to use, and transmits the payment request to the payment gateway (or the merchant's web server). From the payment gateway, the information is sent to the merchant.93

92 Supra note 91.
93 Supra note 91.
For the effective growth of e-commerce, a secure online payment system is a necessity. The online payment system is often referred to as Electronic Fund Transfer (EFT). EFT means transferring money from one bank account to another, within the same bank (intra-bank) or between different banks (inter-bank). EFT has been in use since the 1960s, when banks first started using proprietary EDI networks to share banking information; these were later converted into automated clearing houses. At the global level, to facilitate faster fund transfer between remitter and beneficiary, payment instructions are sent through telex, SWIFT (Society for Worldwide Interbank Financial Telecommunication), wire transfer, CHIPS (Clearing House Interbank Payments System), etc.94 In e-commerce, customers are generally unknown to the seller, hence payment has to be ensured through EFT before goods and services are delivered.
In India, the electronic fund transfer system received a fillip when the Central Government enacted the Negotiable Instruments (Amendment and Miscellaneous Provisions) Act, 2002, which introduced the concept of a "truncated cheque" in Explanation I(b) to section 6 of the Negotiable Instruments Act:
"a truncated cheque" means a cheque which is truncated during the course of a clearing cycle, either by the clearing house or by the bank whether paying or receiving payment, immediately on generation of an electronic image for transmission, substituting the further physical movement of the cheque in writing.
As the section makes clear, the truncation process replaces physical cheques with their electronic images, which travel through the stages of the clearing cycle; throughout the process the instrument itself remains with the collecting bank. Over time, the Reserve Bank of India (RBI) has taken various initiatives to introduce technology that facilitates electronic fund transfer at both the corporate and the retail banking level, for example electronic settlement in the form of the Electronic Clearing Services (ECS), i.e. credit clearing and debit clearing, and retail Electronic Funds Transfer (EFT).
Electronic payment may be made through debit card, credit card, electronic cash, electronic cheques, etc. Electronic payment systems are not free from risk; only a well-designed electronic payment system can minimise that risk.95
94 Deshmukh Vaishnavi J. et al., "Payment Processing Systems and Security for E-Commerce: A Literature Review", International Journal of Emerging Research in Management & Technology 2(5), ISSN: 2278-9359.
95 Supra note 2.

(Image 5: Online payment process. Source: http://businesstoday.intoday.in/story/start-ups-challenege-to-online-payment-gateway-segment/1/196305.html)
Role of RBI
Apart from electronic and card payments, mobile banking is another facility provided by banks to transfer funds through mobile phones. Safeguards are needed in this arena as well, and the RBI has therefore issued a Master Circular that lays down operative guidelines for banks. Information security is critical to the business of mobile banking services and their underlying operations; the technology used for mobile banking must be secure and must ensure confidentiality, integrity, authenticity and non-repudiation. Consumer complaints and consumer protection issues in this regard have to be dealt with by the bank. Taking into account the risks arising out of unauthorised transfers through hacking, denial of service on account of technological failure, etc., banks providing mobile banking need to assess the liabilities arising out of such events and take appropriate countermeasures, such as insuring themselves against such risks, as is the case with internet banking. Banks are required to make mandatory disclosures of the risks, responsibilities and liabilities of customers on their websites and/or through printed material. Where a customer files a complaint with the bank disputing a transaction, it is the responsibility of the service-providing bank to redress the complaint expeditiously. Banks may put in place procedures for addressing such customer grievances, and the grievance handling procedure, including the compensation policy, should be disclosed. Customers' complaints and grievances arising out of the mobile banking facility are covered under the Banking Ombudsman Scheme, and the jurisdiction for legal settlement lies within India.96
As e-commerce occurs in various forms and between various entities in the market, the question is how to tax it when the good or service being taxed is a digital download. Governments have always taxed brick-and-mortar businesses under statutory provisions, on the principles of physical presence or a 'substantial nexus'97 with the state where the product is delivered. Presumably the point of sale is the state to which the goods are shipped, and thus the consumer owes sales tax to that state.98 Transactions should not be immune from taxation solely because the sale is conducted through a medium distinct from that of a traditional brick-and-mortar retailer. Equally, it is not prudent to tax e-commerce models purely on the traditional 'brick and mortar' approach, since they have their own unique features.
96 RBI/DPSS No. 1501/02.14.003/2008-2009 dated February 18, 2009; also see DPSS (CO) PD No. 1462/02.14.003/2012-13 dated February 28, 2013, 25 DPSS.CO.PD.Mobile Banking No. 2/02.23.001/2014-15.
97 Swain John A., "State Income Tax Jurisdiction: A Jurisprudential and Policy Perspective", 45(1) William and Mary Law Review, Article 5.
98 Ibid.
Tax revenues are a major source of income for governments, and one major concern in e-commerce is which taxing authority has the right to collect them.99 It is the nature of 'technology based transactions' that has given rise to:
(i) the lack of a 'physical' connection between a consumer and a seller located in different states;
(ii) the question of which country has the right to tax the transaction, and at what rate;
(iii) non-taxation of digital goods, such as software, music and data (or information);
(iv) export and import of digital goods across international borders without paying customs duty (or tariffs), bypassing existing policies, regulations and the tax system;
(v) a parallel channel of transactions that ignores traditional document-based banking practices.
It is the nation state's constitutional prerogative to levy taxes on any online economic activity, and it has the right to define its own e-commerce taxation principles. Moreover, it is a myth that an electronic tax is an 'additional' tax burden; it is a new tax that applies in lieu of other indirect taxes. Hence the tax system needs to be redefined.100
The term "taxation" is defined in Article 366(28) of the Constitution of India: "'taxation' includes the imposition of any tax or impost, whether general or local or special, and 'tax' shall be construed accordingly". It should be read along with Article 265, which states that "no tax shall be levied or collected except by authority of law".101 Thus, before introducing any regime to tax domestic or international e-commerce merchants in India, it has to be examined whether Indian tax law defines 'business connection', 'permanent establishment', and the online supply or delivery of (intangible) goods and services.
99 Lukas Aaron, "Draft Copy: Tax Bytes: A Primer On the Taxation of Electronic Commerce", available at https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CC4QFjAA&url=http%3A%2F%2Fgovinfo.library.unt.edu%2Fecommerce%2Fdocument%2FAaronLukasFedReg.doc&ei=1hzDUsCiE4TqiAfP5YGoDA&usg=AFQjCNHIohodi2EfnnniMUgguaTcb9Iw1g&sig2=fN-UvxTr942DNBiaScepCA&bvm=bv.58187178,d.aGc, accessed on 11 November 2013.
100 Supra note 46.
101 Ibid.
102 Circular No. 1/2004, dated 2-1-2004: Section 9, Income Deemed To Accrue Or Arise In India [corresponding to Section 42 of the 1922 Act], available at http://law.incometaxindia.gov.in/Directtaxlaws/act2005/sec_009.htm, accessed on 23 December 2013.
The Supreme Court held in CIT v. R.D. Aggarwal & Co.103 that "a 'business connection' must be real and intimate, and through or from which income must accrue or arise whether directly or indirectly to the non-resident".
The concept of permanent establishment (PE) took time to develop in India. In fact, the term PE was first defined, in 1989, in Article 5 of the DTAA104 with the U.S.

103 [1965] 56 ITR 20 (SC).
104 Double Taxation Avoidance Agreement: an agreement for the avoidance of double taxation and the prevention of fiscal evasion with respect to taxes on income. India has so far signed DTAAs with 76 countries.
(PE) in the IT Act, 1961. It includes a fixed place of business through which the business of an enterprise is wholly or partly carried on [section 92F(iiia)], covering a wide variety of arrangements such as a place of management, a branch, an office, a factory, a workshop or a warehouse.106
The definition of PE introduced by the Finance Act, 2002 is similar to that of the OECD Model Treaty, which defines PE as 'a fixed place of business through which the business of an enterprise is wholly or partly carried on' [Art. 5(1)]. According to the new OECD Commentary on the Model Treaty issued on January 28, 2003, a website is 'a combination of software and electronic data' and 'does not in itself constitute tangible property'.107 Paragraphs 42.1 to 42.10, added immediately after paragraph 42 of the Commentary on Article 5, further clarify:
(a) whether a PE arises where the ISP's server is located when an ISP hosts the website of a company;
(b) whether a PE arises when the company owns (or leases) and operates the server on which the website is stored; and
(c) whether the location of computer equipment constitutes a PE when the functions performed through that equipment exceed the preparatory or auxiliary threshold.
In India, although PE is defined, no clarification has been issued to date on extending the concept to e-commerce and related activities. It is thus imperative that a clear reference to e-commerce taxation be made in the statute books.
There is no constitutional provision or Central or State tax legislation which specifically defines "intangible goods", …. it would be difficult to extend the expression "sale or purchase of goods" to cover "intangible goods" as well. However, a Constitution Bench of five judges of the Supreme Court held in Tata Consultancy Services v. State of Andhra Pradesh109 that in India the test to determine whether a property is "goods" for the purposes of sales tax is not whether the property is tangible, intangible or incorporeal; the test is whether the item concerned is capable of abstraction, consumption and use, and whether it can be transmitted, transferred, delivered, stored, possessed, etc. Copyright and software, for example, thus come within the purview of state taxation.
Nevertheless, Indian law is yet to distinguish between a digital 'good' and a digital 'service'. Downloading of MP3 music, streaming videos, films, software patches and applications may fall under the category of digital goods, but a user who has subscribed to Value Added Services110 or any other online service under a contractual arrangement is charged service tax. All ISPs in India charge service tax on net connectivity and byte downloads, bringing Internet access and digital downloads within the ambit of service tax; this may be referred to as a bit tax.

105 Edwin van der Bruggen, "International Tax Aspects of Providing Consulting Services on the Premises of the Client", available at http://www.journal.au.edu/abac_journal/2001/may01/international.pdf, accessed on 24 December 2013.
106 Guidance Note on Report Under Section 92E of the Income-Tax Act, 1961 (Transfer Pricing) [based on the law as amended by the Finance Act, 2012].
107 Supra note 46.
108 Constitution (Forty-sixth Amendment) Act, 1982.
109 AIR 2005 SC 371.
Applicability of VAT111
No State in India has defined 'digital goods' in its VAT regime to date. Nevertheless, e-commerce service providers that physically deliver goods have obtained a Tax Payer's Identification Number (TIN) under VAT and charge the applicable VAT from the individuals who have used their website or portal to order goods online. The Centre and the States have now embarked on designing and implementing a 'dual' Goods and Services Tax (GST), to be levied concurrently by both levels of government.112 The multi-stage value-added taxes that the GST would replace are the CENVAT and the Service Tax levied by the Centre and the VAT levied by the States. Under the GST regime, both goods and services would be subject to concurrent taxation by the Centre and the States.113 The advent of e-commerce involves online delivery, which will affect taxes on commodities and services in a crucial manner.114 Given the rapid growth of e-commerce in India, the tax administration will have to review the existing tax procedures.
The concept of 'place of effective management' is not used in Indian tax law and has a limited role in determining residential status. Under section 6(3) of the ITA, a company is treated as a resident of India for Indian tax purposes, and taxed in India on its worldwide income, only if it is either incorporated under the laws of India or wholly managed from India. Under Article 4 of a DTAA, on the other hand, the residential status of a person is determined in accordance with the domestic laws of the respective countries,115 and if a company is regarded as a resident under the domestic laws of both parties to the DTAA, its residential status is determined by its place of effective management.116 Key decision makers could participate in the control and management of a non-resident company through video conferencing and similar facilities,117 but then only a part of the control and management would be situated in India, as opposed to the whole of the control and management, as section 6(3) of the ITA requires.118
110 A Content Service Provider, in arrangement with the Carrier (telecom service provider) under the National Numbering Plan (short code), provides SMS-based content, including content, interactive and information services.
111 Supra note 5.
112 Announced by the Empowered Committee of State Finance Ministers in November 2007.
113 As decided by the Empowered Committee of State Finance Ministers, 2008.
114 Purohit, Mahesh C., Sales Tax and Value Added Tax in India, Gayatri Publications, New Delhi, 2001.
115 Nishith Desai et al., Taxation of Electronic Commerce in India, Taxmann Allied Services (P.) Ltd., 2002.
116 Ibid.
117 Prof. S. M. Imamul Haque, "E-Commerce in India: Issues & Remedies", 1(3) Business Spectrum, January-June 2014.
118 Desai Nitish et al., "Taxation of Electronic Commerce in India", presented to the Central Board of Direct Taxes, India, in response to the Report of the High Powered Committee by the eCom Taxpert Group, available at http://www.taxmann.com/bookstore/professional/taxation-of-electronic-commerce-in-india.aspx, accessed on 25 October 2012.

Source based taxation:
Where the 'place of effective management' concept cannot be applied, the source rule of taxation should be applied. Since the source rule requires a fixed place of business, its implementation in an e-commerce environment will face complexities. Certain e-commerce transactions change the mode of delivery from physical to electronic form, which may raise characterisation issues. This sits uneasily with the principle that the characterisation of income should not change merely because the mode of delivery changes from physical to digitised form. In cross-border commerce, income derived by a person may be taxed in the source country 'having connection with generation of income'.119 A sufficient connection for this purpose requires the foreign enterprise to have a Permanent Establishment in the host jurisdiction.120
(iv) Developing a response to the advent of electronic money (e-cash) and ensuring an efficient mechanism for collecting tax, especially from non-resident taxpayers.
(v) The need for initial inter-government and multi-jurisdictional co-operation and agreement to synchronise the taxation treatment.
(vii) Privileges such as extended filing dates for tax returns could be granted to taxpayers who conduct their dealings with the tax authorities electronically.
The revenue authorities should not focus simply upon the taxation of e-commerce per se. Rather, their analysis should extend more broadly to ensure a deeper understanding of the nature of e-business as it is today and as it will develop tomorrow.121

119 Ibid.
120 Ibid.
121 Dayana M.K., "E-commerce And Taxation", available at http://www.manupatrafast.com/articles/PopOpenArticle.aspx?ID=2cf77603-926f-43c0-86b8-6842bcd1de7b&txtsearch=Subject:%20Taxation, accessed on 22 October 2012.
UNIT-V: SECURITY AND EVIDENCE IN E-COMMERCE
With the maturation of electronic commerce, the use of electronic contracts has increased vastly worldwide. The two major users of electronic contracts are the US (United States) and the EU (European Union), and they take contrasting approaches to contracts on the Internet. Although the Internet is largely shaped by the US, the EU exerts considerable influence when it comes to the regulation of the Internet. There are two broad classes of electronic contracts: first, contracts that deal with physical commodities or services; second, contracts that deal with electronic materials (software, images, e-delivered texts, etc.). In the U.S., two uniform state acts are designed to bring legal certainty to electronic transactions: the Uniform Computer Information Transactions Act ("UCITA") and the Uniform Electronic Transactions Act ("UETA"). UCITA deals with contracts or transactions in "computer information"; UETA, by contrast, is a statute of broader reach covering all types of electronic transactions. These uniform acts are not binding law in a particular state until that state chooses to adopt the act through its own legislative process. The EU framework includes the following Directives: the E-Commerce Directive, the Unfair Contract Terms Directive, the E-Signature Directive, the Directives on Consumer Credit, the Travel Packages Directive, etc. The foundation of both EU and U.S. legislation on electronic contracts is the same: to give electronic contracts legal validity. Nevertheless, the U.S. laws are more extensive in range. UETA covers all kinds of contracts, not just electronic contracts, and UCITA covers all kinds of computer information contracts. In contrast, the EU directives typically deal only with consumer contracts, exempting B2B transactions.122
Ecommerce Disputes
Since e-commerce involves two or more parties to a single transaction, disputes are inevitable. Generally there are two types of e-commerce disputes: contractual disputes (B2B, B2C) and non-contractual disputes (such as copyright infringement and defamation). Beyond these, a diverse category of issues may arise during an e-commerce transaction, such as jurisdictional issues and questions of choice of law. The issue of territorial jurisdiction in e-commerce transactions becomes more complex by the day.123
Recognising the Ecommerce Transaction
• The Delhi High Court, in World Wrestling Entertainment, Inc v M/S Reshma Collection [FAO(OS) 506/2013], held that because of advancements in technology and the rapid growth of new models of conducting business over the internet, it is possible for an entity to have a virtual presence in a place located at a distance from the place where it has a physical presence. The availability of transactions through a website at a particular place is virtually the same thing as the seller having shops in that place in the physical world. The Court held that virtual presence is as good as physical presence.

122 Julia Hörnle, "The European Union Takes Initiative in the Field of E-Commerce", available at https://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_3/hornle/
123 Nemil Shah, "Electronic Contract/Agreements – A General Overview", Imperial Journal of Interdisciplinary Research (IJIR), Vol. 2, Issue 12, 2016, ISSN: 2454-1362, http://www.onlinejournal.in, p. 223.
• Online contracts in India are governed by the Indian Contract Act and validated under Section 10A of the Information Technology Act.
• The relationship between customers and e-commerce entities is governed by the Terms of Service (ToS) (for websites) and the End-User License Agreement (EULA) (for downloadable or packaged software).
• Typical contracts for e-commerce sites take the form of "click wrap" and "browse wrap" contracts; they are standardised and leave no scope for negotiation, being offered on a "take-it-or-leave-it" basis.
• In India we do not yet have case law on the enforceability of online contracts, but in other countries the typical problem areas in terms of service have been the following:
i) An arbitration clause that exclusively determines the arbitration forum and the courts which have jurisdiction in case of a dispute. This can place undue cost on the other party, and courts may reject the choice and allow customers to sue in another location.
ii) A choice of law clause that decides which country's law will apply, for example a clause stating that the laws of Singapore apply. What if the buyer is in India? Can the contract completely exclude Indian law? Courts may reject such a clause.124
While there is no way to be certain whether Terms of Service (ToS) will be treated as enforceable by a court, e-commerce sites may follow certain "best practices":
i. When a customer registers for the service, the entire Terms of Service should be presented in a clear, readable format, and the site should ensure that the customer has read them (for example through a timer that detects whether the customer clicks "I Agree" too soon, or by disabling "I Agree" until the customer has scrolled to the bottom of the provisions).
ii. The e-commerce site should ensure that important terms and conditions are presented concisely. In some jurisdictions it is safer if the more one-sided terms (such as an arbitration or limitation of liability clause) are presented near the "I Accept" button.
iii. The customer must be given an opportunity to save or print the terms of service.
iv. The Terms of Service must be placed at a conspicuous place on the website that is easy to locate in case a customer needs to refer to them again.
v. Changes to the terms of service must be brought to the notice of customers in a prominent manner, and customers must be given an opportunity to accept them. Facebook, Google and LinkedIn, for example, do this very clearly by presenting users with a drop-down box or pop-up that requires a click-based action such as 'Dismiss' or 'I Agree'. Ideally there should also be a "Decline" button of the same size as the "I Agree" button, although few sites implement this.
vi. The e-commerce site should present or direct users to the terms and conditions every time a purchase is made at the site. Indian e-commerce and travel sites do this.

124 Amartya Bag, "How to draft terms of service for e-commerce websites?", available at https://blog.ipleaders.in/how-to-draft-terms-of-service-for-e-commerce-websites/
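The two gating techniques mentioned in practice (i) above, a scroll-to-the-end check and a timer that catches an "I Agree" clicked too soon, are shown below as an added example in JavaScript; it is not code from the study material or from any of the sites it names. The element ids, the 15 second minimum reading time and the 2 pixel scroll tolerance are assumptions of the example. The consent policy is kept in a plain object with an injectable clock so it runs under Node without a browser, and a server-side check is included because a browser-side gate can be bypassed by anyone who edits the page.

```javascript
// Added example (not from the study material): gating the "I Agree" button of a
// click-wrap Terms of Service behind the two checks the text describes, a scroll
// to the end of the terms and a minimum reading time, and producing a record of
// the acceptance for the evidence log. Element ids, the 15 s minimum and the
// 2 px tolerance are assumptions for the demo.

function createConsentGate({ minReadMs = 15000, now = Date.now } = {}) {
  const openedAt = now();          // when the terms were first shown
  let scrolledToEnd = false;       // becomes true once the bottom is reached
  const readMs = () => now() - openedAt;

  // Feed the scroll container's metrics (a DOM element has all three fields).
  // Once the bottom has been reached it stays reached, so scrolling back up
  // does not re-lock the button.
  function onScroll({ scrollTop, clientHeight, scrollHeight }) {
    if (scrollTop + clientHeight >= scrollHeight - 2) scrolledToEnd = true;
    return scrolledToEnd;
  }

  // Both conditions must hold: the user saw the end of the text and did not
  // click "too soon".
  function canAccept() {
    return scrolledToEnd && readMs() >= minReadMs;
  }

  // Returns the acceptance record to send to the server, or null if the gate is
  // not satisfied. readMs is client-reported and therefore only indicative.
  function accept(termsVersion) {
    if (!canAccept()) return null;
    return { termsVersion, acceptedAt: now(), readMs: readMs() };
  }

  return { onScroll, canAccept, accept };
}

// Server-side counterpart. The server must not trust the client's readMs; it
// measures the interval itself from when it served the terms page (servedAt,
// kept in the session) to when the acceptance arrived (receivedAt), and it
// checks that the version accepted is the version currently published.
function validateAcceptance(record, { currentVersion, servedAt, receivedAt, minReadMs = 15000 }) {
  if (!record || record.termsVersion !== currentVersion) return 'stale-terms';
  if (receivedAt - servedAt < minReadMs) return 'too-fast';
  return 'ok';
}

// Browser wiring (assumed element ids "terms" and "agree"); skipped under Node.
if (typeof document !== 'undefined') {
  const box = document.getElementById('terms');
  const btn = document.getElementById('agree');
  const gate = createConsentGate();
  btn.disabled = true;
  const refresh = () => { btn.disabled = !gate.canAccept(); };
  box.addEventListener('scroll', () => { gate.onScroll(box); refresh(); });
  setInterval(refresh, 1000);       // re-enable once the minimum time has elapsed
  btn.addEventListener('click', () => {
    const record = gate.accept('tos-v3');
    if (record) console.log('send to server:', JSON.stringify(record));
  });
}
```

The split between the two functions is the point of the design: the browser-side gate is there to satisfy the "ensure the customer has read them" practice and to give the user a fair experience, while the evidence that may later be produced before a court is the server's own timestamps and the version identifier of the text that was on screen, neither of which the client can rewrite.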
Another problem that e-commerce sites may face relates to usage of the website by minors. Under Indian law, a contract is not enforceable against a minor. It is essential that the website's terms of service state that the service is available only to persons above 18 years of age. Websites such as YouTube typically require confirmation that users are 'above 18' before granting access to certain types of content. However, it may be practically difficult to prevent minors from creating accounts using fake information.125
• On the question of whether children can open accounts with social networking sites such as Facebook and Orkut, the Hon'ble court stated that there is no dispute that children below the age of 13 years are not permitted to open such accounts, and that if it comes to the knowledge of any person that a child below 13 has opened such an account, he may complain to the social networking site, which shall then take appropriate action, after verification, to delete the account. Further observations were made about intermediary liability.
• Security practices could include data protection measures such as firewalls, secured servers with proper authentication and authorisation processes, encryption of data as per industry standards, and constant real-time auditing and integrity checks.
• In case of breach of data protection obligations, the site concerned might have to pay compensation; the Information Technology Act (IT Act) does not provide a ceiling on the amount of damages payable. Users whose data is breached can therefore claim very high compensation (which is extremely risky for the business), so long as they can prove the damage.
• The IT Act also provides for criminal punishment of up to 3 years' imprisonment or a fine of up to INR 5 lakhs if data security obligations are breached.

125 Ibid.
Intellectual Property
• One of the important aspects that an e-commerce company should keep in mind when starting its business is protection of its intellectual property; it should also be careful not to violate others' IP.
Some of the important forms of intellectual property that an e-commerce website should protect:
• Trademarks: one of the primary IP protections an e-commerce website can avail of is registering its trade name, slogan and logo as trademarks. In most cases the logo or name of the entity is chosen by the founders or by the public relations or marketing agency, taking customer considerations and perceptions into account. It is nevertheless advisable to take advice from a lawyer, who can tell you about existing registered trademarks and whether the mark is likely to be sustainable as a good trademark.
• Websites: in the current world, having a website is a must for any organisation. Domain names are treated as trademarks, and you can file a trademark infringement suit against anyone who uses your domain name for a fraudulent purpose. It is suggested that you book your domain name even before starting formally. The design, images and illustrations used in a website are protected under copyright law. There is no specific need to apply for copyright of the website; however, registration simplifies the process of establishing copyright, as it acts as prima facie evidence of copyright unless a third party can establish that it created the website before you. If your website is designed by a freelancer or another agency, the development agreement should contain a copyright assignment clause granting you the copyright in the website created.
• One should also be careful not to infringe the IP of third parties; sites should take appropriate permission for using third-party logos and for links to third-party websites.
• E-commerce sites must be cautious that vendors are not using their platform to sell pirated or fake goods, which infringes the intellectual property rights of third parties. Lack of effective monitoring may not only damage the reputation of the website but also lead to serious legal complications if not handled properly (see the chapter on intermediary liability). Representations and warranties must be taken from vendors that they are not selling goods which violate the intellectual property of a third party. Apart from contractually limiting liability (intermediaries are generally not liable for third-party content), e-commerce sites must have an explicit take-down procedure for IP violations.126
Disputes that arise out of some non-fulfilment of any contractual obligation are said to be known as
Contractual Disputes.
Though there is no specific provision with respect to validation of online contract under the
Information Technology Act but the validity of online contract cannot be challenged solely on the
technical grounds as held in one of the landmark case. For the same reason there are as such no
provisions under IT Act with respect to validity of online contract, But the Supreme Court in Trimex
International FZE Ltd. Dubai v. Vedanta Aluminium Ltd., ARBITRATION PETITION NO. 10
OF 2009 DOD: 22 January, 2010; while recognizing the validity of e-transaction has held that e-
mails exchanges between parties regarding mutual obligations constitute a contract.
• When Section 4 of the Contract Act is read with Section 13 of the Information Technology
Act one can infer that a contract is binding once the acceptor dispatches the information
through electronic means and such information is outside his control.
• Under the Indian Contract Act, section 5 states that an offer can be revoked at any time before the acceptor dispatches his acceptance. Considering the effect of the same on an electronic contract, one can say that the electronic contract can be revoked once the acceptor dispatches his acceptance; he has no control over it any more, because the electronic record has entered a computer resource outside the acceptor's control.
• Where the letter of acceptance is posted that would be considered as the place where contract
is concluded. On the other hand, it is the place where offeror receives the acceptance, in case
of instantaneous contracts.
• Under the Information Technology Act there are provisions which say that the place of dispatch and receipt is the place where the parties, i.e. the originator and the acceptor, have their place of business.
Electronic records are authenticated by way of digital signatures and it is important to have
legal recognition which is provided by the Act.
Non-contractual disputes are basically those disputes that arise due to non-observance of any
statutory obligation on part of the parties to the transaction.
• Copyright Disputes
[126] Ibid
• Whenever any person, firm or company uses or makes a copy of any kind of copyrighted material without permission, it amounts to infringement of the copyright. For example, when Y. Co. Ltd. uses the copyrighted database of X Co. Ltd. to make another English-Gujarati Dictionary, Y. Co. Ltd. can be sued under the provisions of the Copyright Act.
• There are other issues regarding failure in data privacy, domain name issues, right of free expression, and registration of geographical indications and their use, which fall under this category.127
• Traditionally and generally, the jurisdiction of a court is decided by the courts on the basis of subject matter, pecuniary limits and territorial limits.
• E-commerce websites operating from India have to follow Information Technology Act, 2000
along with other relevant laws. They also have to follow the Information Technology
(Intermediaries guidelines) Rules 2011 known as Cyber law Due Diligence requirements.
• Not only in India but in almost all countries, the e-commerce segment is governed by many laws of the country. Certain laws in India were amended with the commencement of the Information Technology Act, 2000.
• According to the provisions of the IT Act, 2000, any person, irrespective of nationality, who commits any crime or offence in India or outside India relating to a computer or other related equipment is liable.
• In India, Section 20 of the Civil Procedure Code deals with jurisdiction of the court:
• Subject to the limitations aforesaid, every suit shall be instituted in Court within the local
limits of whose jurisdiction –
• (a) the defendant, or each of the defendants where there are more than one, at the time of the
commencement of the suit, actually and voluntarily resides, or carries on business, or
personally works for gain; or
• (b) any of the defendants, where there are more than one, at the time of the commencement of
the suit actually and voluntarily resides, or carries on business, or personally works for gain,
provided that in such case either the leave of the Court is given, or the defendants who do not
reside, or carry on business, or personally work for gain, as aforesaid, acquiesce in such
institution; or
Section 13 of the Civil Procedure Code provides for the effect of a foreign judgment in the courts of India. It likewise provides for enforcement in all cases except the following:
[127] Devadatt Kamat, INFORMATION TECHNOLOGY ACT, 2000 — A CONTRACTUAL PERSPECTIVE, (2004) 1 SCC (Jour) 11
• (b) Where it has not been given on the merits of the case;
• (c) Where it appears on the face of the proceedings to be founded on an incorrect view of international law or a refusal to recognise the law of India in cases in which such law is applicable;
• (d) Where the proceedings in which the judgment was obtained are opposed to natural justice;
• (f) Where it sustains a claim founded on a breach of any law in force in India.
• Section 44A of the Civil Procedure Code provides for the enforcement of decrees of the Indian courts in countries which the central government has declared by notification and which have entered into reciprocal arrangements. If a state does not have such a reciprocal arrangement with India, a decree can only be enforced by commencing a fresh suit on that foreign decree, or on the original underlying cause of action, or both, in a domestic Indian court of competent jurisdiction.
“offence includes every act committed outside India which, if committed in India, would be
punishable under this Code.”
• There does not seem to be much jurisprudence in India on the issue of jurisdiction in cases of e-commerce. Unlike in the U.S., the courts in India have their own discretionary powers in deciding the jurisdiction of a case. However, there are some instances where the courts have, at the preliminary stages, assumed jurisdiction over a matter.
• One principle on which the Supreme Court relies for issues regarding jurisdiction is the forum convenience test. If the court is satisfied that there is some other available forum having competent jurisdiction where the case may be tried more suitably in the interest of all the parties and the ends of justice, then in appropriate cases the Court may refuse to exercise its discretionary jurisdiction by invoking the doctrine of forum convenience.
• The principles of Private International Laws are accepted in India. It is open to the parties to
agree to choose one or more competent courts to decide their disputes if more than one court
has jurisdiction to try their case. It was held in Ramanathan Chettiar v Soma Sunderam
Chettiar, AIR 1964 Mad 527 that India accepts the well established principle of private
international law that the law of the forum in which the legal proceedings are instituted
governs all matters of procedure.
• Section 20 of the Indian Contract Act states that an agreement where both parties are under a mistake as to a matter of fact is void. However, according to the terms and conditions of some e-commerce websites, a mistake of fact does not render the contract void and the e-commerce website cannot be held liable for the same.
• 1. The IT Act defines three parties: originator, intermediary and addressee. The originator is the one who originates an electronic message while the addressee is the one who receives it; neither includes the intermediary. The terms are not the same as promisor and promisee under the Indian Contract Act; they only define the communication process.
• 2. Section 11 lays down certain conditions as to when an electronic record shall be attributed
to the originator. The conditions are:
• d. to operate automatically.
• It states that in case of contract the meeting of minds is important. However in case of e-trade
the only minds that meet are programmed systems.
Section 13(1) of the IT Act states: "(1) Save as otherwise agreed to between the originator and the addressee, the despatch of an electronic record occurs when it enters a computer resource outside the control of the originator."
Hence, according to section 13, the time and place of dispatch and receipt of an electronic record decide the issues of jurisdiction in electronic contracts, and the location of the computer resource is irrelevant.
• Thus the courts have to enforce the laws of the state which bears the closest connection with the contract. Most B2B contracts specify the jurisdiction and the governing law for subsequent disputes. In such contracts the courts usually uphold the agreement between the parties and let them proceed according to it.
• But the courts still impose certain limitations, especially for B2C contracts, because consumer protection concerns the public at large. Thus the legislation of various nations and international conventions have prohibited the exclusion of the jurisdiction of the courts in B2C contracts.
• Accordingly, protection of the rights and remedies of consumers is provided by section 28 of the Indian Contract Act (an agreement in restraint of legal proceedings is void ab initio) and section 11(2) (jurisdiction) of the Consumer Protection Act, 1986. These provisions disregard any agreement between the consumer and the seller as far as choice of forum and governing law are concerned.
• The problem of determination of applicable law may also arise under circumstances in which there is no contract between the parties. Therefore the general rule is that the law of the country where the direct damage occurred (lex loci damni) will be applicable, regardless of the place where the action resulting in the damage was taken or the places where indirect consequences occur. Though the parties in the
Issues regarding Choice of Law in E-commerce Transaction
• A consumer has various rights that are granted to him by the provisions of numerous
consumer laws enacted in the country.
• Consumer Protection Act, 1986 is the fundamental and principal Act that lays down and guarantees rights to consumers. This Act enumerates the three tier redressal mechanism that exists in India, namely at the district, state and national levels, to redress any consumer dispute.
• However, the law until recent times was ambiguous as to whether such provisions would be applicable to online transactions.
• On July 8, 2014 the Minister of State for Consumer Affairs, Food and Public Distribution, in
a written reply in Lok Sabha made an announcement of including online transactions also in
the ambit of Consumer Protection Act, 1986.
• This fundamentally meant that complainants can approach various Consumer Forum i.e.
District Consumer Forum, State Commission and National Commission for resolution of their
grievances.
• Though such an announcement does not necessarily transform into a law, it was a vital step to
bring into effect, a mechanism for safeguarding the rights.
• However, even this does not mean that there is a separate mechanism for redressal of
disputes arising out of online transactions or that new provisions that specially cater to e-
commerce have been introduced.
• In effect the provisions of the Consumer Protection Act, 1986 are made applicable to online
transactions as well.
• Prior to this recent express declaration, the Consumer Protection Act, 1986 was impliedly
applied to online transactions, in accordance with the definitions provided under the Act. Any
person who buys any good or avails or hires any service for any consideration, whether paid
or otherwise, except for commercial use is regarded as a consumer under the Consumer
Protection Act, 1986.
• Buyer as per Sale of Goods Act, 1930 is defined as any person who buys or agrees to buy
goods.
• Thus following these two definitions, any person who pays or agrees to pay a price for a
particular good can be regarded as a consumer, irrespective of such a sale being online.
• Further, the Consumer Protection Act, 1986 becomes applicable when there is a "defect in goods" or a "deficiency in services". Hence only if one of the above two criteria is satisfied does the Consumer Protection Act, 1986 come into play.
• When dealing with the question of e-commerce, online shopping portals cannot be forgotten, and the violation of consumer rights in this regard also forms an important facet. Online shopping portals provide various reliefs in case of defective products, provided the shopping portal is notified within the prescribed and mandated time.
• Eg. Myntra provides a 30-day exchange window for some of its items like apparels and accessories. On the other hand, Home Shop 18 requires you to notify them of defects within 48 hours from the time of delivery. Consumer rights can be violated in cases where the online shopping portal itself is a fraud. In recent times the case of Timtara.com was brought into the limelight, where customers were duped of their money after the goods for which advance money was paid were not delivered. Goods were promised to be delivered within 21 days but in this case were never delivered. In the end, the directors of Timtara.com were arrested after the consumers created a hue and cry on social media platforms. This served as a lesson to all the consumers who earlier did not make an effort to be aware of the rights afforded to them. The true meaning of the proverb Caveat Emptor was thus exhibited here.
• The trader practises any unfair trade practice or restrictive trade practice, has charged more than the MRP displayed on the goods, or sells hazardous goods without appropriate warning.
• In e-commerce the major concern is about efficient delivery of the goods. However , there is
no redressal provided if goods are not delivered in the time specified. Such intricacies create
more trouble to the online consumers due to the anonymity of the seller.
Many complaints have been filed by online consumers regarding the same in consumer
forums, however the unclear laws and the consequent ambiguity has resulted in their
grievances not being paid heed to.
Additionally, the contract of sale as defined under the Sale of Goods Act, 1930 is indicative of the fact that it may apply to online transactions along with regular transactions. Thus, earlier, though there was no express mention of e-commerce falling under the ambit of the Consumer Protection Act, 1986, these provisions impliedly provided a right to the consumer to seek redressal under it. However, the Consumer Protection Act, 1986 only provides a narrower picture.
The Act does not provide a solution to the various loopholes that are brought about by online transactions due to their impersonal nature, which may be considered their flipside as well. The scope that the Consumer Protection Act, 1986 has with respect to e-commerce is thus restricted to providing the redressal mechanism that is applicable to direct transactions as well.
CIVIL REMEDY
• Injunctions
• Damages
• Account of Profits
• Other remedies, (Anton Piller Order, Roving Anton Piller order, Mareva Injunctions, Norwich
Pharmacal Orders, Order of disclosure).
STATUTORY PROVISIONS:
• Section 65B provides for the admissibility of electronic records. It states that any information contained in an electronic record which is printed on paper, or stored, recorded or copied in optical or magnetic media produced by a computer, shall be deemed to be also a document and shall be admissible in any proceedings as evidence, without further proof or production of the original. Hence an e-contract is admissible as evidence, and this positive step ensures that a contract entered into by a consumer online for provision of a particular good or service, if breached, can be brought to light.
• The admissibility of electronic document is also now recognized as per Section 17 of the
Evidence Act which has been amended to include a statement in oral, documentary or
electronic form which suggests an inference to any fact at issue or of relevance.
• Section 65B provides a method of illustrating proof in support of electronic records, for example, demonstrating that the computer from which the electronic record was obtained or produced was used in the ordinary course of activities and that there was no scope for tampering with it.
• Therefore, E-mail being an electronic document is admissible under the sections mentioned
above provided its authenticity is proved beyond doubt.
• Section 65B is of utmost importance in accepting emails as admissible evidence by the courts.
The courts have rejected emails as evidence, where a certificate in accordance with section
65B was not provided.
• Section 65-B of the Evidence Act, which consists of four sub-sections, expands the meaning of "computer output" by referring to it as the original device or machine from which the end result was procured. It specifies that the onus of proving its originality lies on the person who seeks to produce it as evidence.
• "In assessing the evidential weight the court ought to consider the manner in which the data message was generated, stored or communicated; the reliability of the manner in which the integrity of the data message was maintained; the manner in which the originator of the data message or electronic record was identified; and any other relevant factors."
For the purpose of admissibility of an electronic record, three conditions must be fulfilled:
1. The document in question is an electronic record [as defined under S.2(1)(t) of the IT Act, 2000],
2. It was produced by a computer [as defined under S.2(1)(i) of the IT Act, 2000], and
• Authentication ought to be made through a witness who can identify the origin of the document and its appearance, contents, substance, internal patterns, or other distinctive characteristics.
• The person producing the email as evidence must show who or what originated the email and whether its contents are complete in the form intended, free from error or fabrication.
• In discovery, the advocate needs to demonstrate that the printed copy of the email is consistent with the one on the computer and includes all the data held in the electronic record. The person ought to be able to recover passwords that demonstrate his ownership or possession, and identify contents of documents that are specific to a user.
• The help of a technical or IT expert can likewise be taken to demonstrate that the email is genuine. IP addresses and metadata from the servers of both the recipient and the sender can be used to demonstrate authenticity.
• Apart from call logs, the date/time and contents of messages and email can be valuable. Such information can likewise be verified against subscriber records kept by the service provider.
• In the case of SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra128 the Delhi High Court
assumed jurisdiction where a corporate reputation was being defamed through e-mails. And in
this case, the Delhi High Court restrained the employee from sending mails and defaming the
company.
• Appreciation of Evidence
"The process by which a judge concludes whether or not a fact is proved is called appreciation of evidence. It is a duty of the court to appreciate evidence minutely and carefully, and to analyse it."
• Electronic Evidence
Electronic evidence means that the "evidence which existed in electronic (intangible) form is being produced in tangible form."
• Electronic Record
• S.2(1)(t) "Electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;
• In Anvar P.V. vs. P.K. Basheer130 the Apex Court rendered a landmark judgment where it held that "the person requires only to mention in the certificate that the same is to the best of his knowledge and belief which should be attached to the electronic record like pen drive, computer printout, Video Compact Disc (VCD), Compact Disc (CD), etc., referring to which statement is sought to be given in evidence, when the same is produced in evidence. All these safeguards are taken to ensure the source and authenticity, which are the two hallmarks pertaining to electronic records sought to be used as evidence. Electronic records being more susceptible to tampering, alteration, transposition, excision, etc., should be taken into account as evidence only after careful examination, as otherwise it can result in a travesty of justice." The same view was accepted in Sudhir Jain vs. R.P. Mittal131.
[128] CS(OS) No. 1279/2001 (Delhi High Court, 2001)
[129] AIR 2002 SC 61
[130] AIR 2015 SC 180
[131] 202 (2013) DLT 770
[132] AIR 2006 All 23
• In the present case there was an e-auction held by Bharat Coking Coal Ltd. for coal. The petitioner's bid was accepted and the acceptance letter was sent to the petitioner via e-mail. Upon receiving such acceptance, the petitioner deposited Rs. 81.12 lakhs through a cheque, which was accepted and encashed by BCC, but BCC did not deliver the coal. BCC informed the petitioner via email that due to some technical and unavoidable reasons the petitioner's bid was cancelled. This was challenged by PRTA in the High Court of Allahabad. BCC challenged the court's jurisdiction.
It was raised by the petitioner that the petitioner received the communication on his email at
Chandauli (U.P.) hence the contract was deemed to be completed at Chandauli (U.P.). It was also
contended that the place of cause of action is where the contract was completed when the originator
received the acceptance.
• The court considered that in the case when the contract is made through telephone, telex or
fax it is said to be completed where the acceptance is received. The court also further
discussed that in case of e-mail there is no fixed point either of transmission or receipt as the
mail is stored in a server which can be accessed from anywhere. But with respect to e-contract
it has been observed that the place of business of the originator or the acceptor is to be
considered. The same is given under Section 13(3) of the IT Act. Thus the acceptance of bid
in the current case was deemed to be completed at Chandauli or Varanasi (U.P.).
• The court held that the contract was completed as the acceptance was received by the
petitioner at Chandauli/Varanasi (U.P.). As both the places are situated within territorial
jurisdiction of High Court of Allahabad the court had jurisdiction over that as part of cause of
action had arisen in U.P.
• Recognizing the validity of e-transactions, it was held that e-mail exchanges between parties regarding mutual obligations constitute a contract. Electronic contracts are governed by the basic principles elucidated in the Indian Contract Act, 1872, which mandates that a valid contract should have been entered into with free consent and for a lawful consideration between two adults. It also finds recognition under section 10A of the Information Technology Act, 2000, which provides validity to e-contracts. Accordingly, both the Indian Contract Act, 1872 and the Information Technology Act, 2000 need to be read in conjunction to understand and provide legal validity to e-contracts. Further, the provisions of the Evidence Act, 1872 also provide that evidence shall be admissible in electronic form subject to the conditions in section 65B.
A single judge of the Delhi High Court, while granting an injunction to Anchor, held that taglines and slogans enjoy the same protection as trade marks. The court held that P&G could not claim as a defence that its use was not trademark use, on account of the fact that they themselves had applied for registration of the two marks used by them (ie, "All Around Protection" and "Allrounder"). The court held that the defendants cannot approbate and reprobate at the same time. On the use aspect also, the court found that the manner in which these taglines were used by P&G constituted trademark use and not descriptive use.
[133] Trimex International Fze, Dubai vs Jayswals Neco Ltd., O.M.P. 348/2008, High Court of Delhi
This decision was affirmed by the Division Bench (Procter and Gamble Manufacturing (Tianjin) Company Limited and others v Anchor Health and Beauty Care Private Limited134). The Division Bench categorically held that use of taglines such as All Around Protection in
advertising constitutes trademark use and further observed that “advertisements grab attention and
are sometimes better known than the branded products themselves; such
slogans/taglines/expressions are marketing and communication tools par excellence and directly
impact the consumers by encouraging them to choose certain goods or services over others”. This
decision was also affirmed by the Indian Supreme Court. Indian courts recognise use of a domain
name as metatags as infringement of trademarks. The courts have become proactive in
recognising different ways of committing acts of infringement in the age of fast-growing
technology.
The Bombay High Court in People Interactive (I) Pvt Ltd v Gaurav Jerry135
The Court recognised that the use of a registered trademark/domain name of a person as a meta tag by
another for diverting web traffic amounts to infringement of trademark.
In another decision, Mattel, Inc and Others v Jayant Agarwalla and Others136
The Delhi High Court found the defendants guilty of infringement by using metatags and hyperlinking.
In M/S Consim Info P.Ltd. vs. M/S Google India P.Ltd. & Ors.137
The Hon'ble Supreme Court of India passed an order restraining Respondents No. 2, 3 and 4 from displaying their names in the website of the petitioner in the "AdWords" programme of Google.
Eicher Motors Ltd, which manufactures and sells the Royal Enfield bike, filed an infringement suit
against Saurabh Katar and Kuldeep Singh, for infringing their trademark ENFIELD, ROYAL
ENFIELD and BULLET. The suit filed before the Delhi High Court, also claimed infringement of
copyright of the logos and the website of Eicher Motors Ltd. Eicher alleged that Saurabh Katar and
Kuldeep Singh were selling products on ebay using the Plaintiff’s registered trademarks.
• Eicher Motors Ltd. is a leading automobile manufacturer and sells various types of two-
wheelers including bikes, automobile parts and components through its unit Royal Enfield.
The trademarks ENFIELD and BULLET are well known trademarks in the Indian markets.
The website of the plaintiff “royalenfield.com” is extremely distinctive with a unique visual
look and feel.
• The defendants were found to be selling bike care products, apparels and other lifestyle/
related products such as riding gear, rain suits, caps, t-shirts, readymade garments, jeans,
trousers, jackets, gloves, helmets, headgears, boots and shoes, mugs, key-chains, bike covers
[134] 2014 Indlaw DEL 1931, as well as the Supreme Court in ARBITRATION PETITION NO. 10 OF 2009
[135] Suit (L) NO. 622 OF 2014
[136] 2008 (38) PTC 416
[137] SLP(C) NO. 30064-30065/2012
[138] Decided on Wednesday, December 16, 2015, by the High Court of Delhi in CS (OS) No. 2998 of 2015.
etc under the trademarks ‘Royal Enfield’ and ‘Bullet’. The Defendant had registered the
domain name “www.royalfieldmotorcycle.co.cc” which is deceptively similar to that of the
plaintiff.
• The Court in this case, passed an ex-parte interim injunction against the sellers, and restrained
them from “using, transferring, alienating or offering for sale or creating any third party
interest in the domain name, and from using images, distinctive expressions and features of
the plaintiffs website so as to result in infringement of trademark, passing off, infringement of
copyright of the plaintiff”.
Luxottica Sunglasses – The defendant was caught selling counterfeit Ray-Ban sunglasses and taken to court. The parties arrived at a settlement where, in lieu of damages, the defendant was asked to donate Rs. 10,000/- to a charitable organization and 500 pairs of unbranded sunglasses to the Blind Relief Association. The Court, observing this, remarked: "In my view, such innovative alternatives go a long way in serving the cause of the civil society. In cases like the one at hand, the companies such as the plaintiff's are not looking for pecuniary damages as their claim in pecuniary terms is minuscule, compared to their worldwide operation, and the scale of infractions. Their concern is really, to maintain the integrity of the intellectual property i.e., the asset in issue."
• The plaintiff has filed the present suit for permanent injunction restraining infringement of
registered trademarks, passing off, dilution, tarnishment, damages and delivery up against the
defendants.
• By order dated 30th August, 2013 the Delhi High Court had passed an ex parte ad interim injunction in favour of the plaintiff and against the defendants, restraining them from manufacturing, selling and/or offering for sale, advertising, or directly or indirectly dealing in wallets, handbags, purses, belts and other goods bearing the trademarks of the plaintiff or any deceptive variant thereof, amounting to infringement of the plaintiff's trademarks and copyright and passing off.
• It was held that even in India the LV logo, the Toile Monogram and the Damier pattern are well-known marks under Section 11(6) of the Trademarks Act, 1999.
• Therefore, a decree for permanent injunction in terms of clause 41 (a) to (c) of the plaint was passed in favour of the plaintiff and against the defendants.
• The concepts and mechanism of e-contracts are mostly affected and covered by the present laws, i.e. The Indian Contract Act, 1872 and The Information Technology Act, 2000.
[139] CS(OS) 1846/2009 IA No.12595/2009 (U/s 149 read with S.151 CPC) decided by DR. JUSTICE S. MURALIDHAR, High Court Of Delhi At New Delhi on 25.09.2009
[140] C.S.O.S. No. 1668 of 2013
Therefore the said issue is divided into two sections, i.e. The Indian Contract Act, 1872 and The Information Technology Act, 2000.
• 1. According to Section 2 of the Indian Contract Act, 1872, the stages for the formation of a
contract are Invitation to Proposal – Proposal – Acceptance – Promise – Consideration –
Agreement – Contract.
• In e-contracts on websites like Amazon, Flipkart and Snapdeal, when an online purchase is
made (not cash on delivery) the display of items is seen as an invitation to offer, while the
purchase of the item can be seen as acceptance of the offer. It isn't clear in an online purchase at
what point the seller gives its acceptance. The confirmation of purchase is given only after the
customer pays for the item, which is clearly not in line with the stages of a contract.
• The grey area arises even where, on some websites, mere browsing can unintentionally
bind the user to an agreement; this happens when the terms and conditions of use of the website
are hidden or not clearly mentioned. Sometimes these conditions are placed in a
corner of the website for which the user has to scroll the page. Everyday e-commerce websites
like Amazon, Flipkart, Snapdeal etc. are popular examples.
• 3. Section 4 of the Indian Contract Act (read with Section 13 of the IT Act) states that the
communication of acceptance is complete as against the proposer when the acceptance is put
in a course of transmission so as to be out of the power of the acceptor. However, in the case of e-
contracts this cannot apply, as sometimes due to a technical error the mail may not
reach the opposite party, as held by the Supreme Court in the case of B.G. Kedia v. G.
Parshottamdas and Co. A House of Lords decision on a similar case declared the
• One of the best methods that one can apply while shopping online is paying cash on
delivery. In such a scenario, credit and debit card information and other personal
information is not provided. Consumers should adopt additional safety measures, such as
not saving their banking information online.
The growth of e-commerce has compelled insurance firms to begin addressing the need to cover
online liabilities by creating insurance policies specifically designed for computer-related
damage and liability. Unfortunately, availability is limited and there is no standard cyberspace
insurance policy that covers all e-commerce transactions.141 Therefore, buyers of cyber insurance
should make sure that their policies are not simply copied from traditional insurance policies, but include all
potential losses resulting from their cyber transactions. A few insurance firms now offer an
extensive choice of cyber-insurance to cover damages arising from online events. For example,
some firms offer cover for security breaches of websites by providing protection for computer equipment, e-
data and storage-related risks, while others offer a specific insurance policy for venture capital
companies. These policies have settled the question of whether lost e-data is tangible
property by expressly providing coverage for computer devices, hard drives, electronic data
processing, software exposures and system breakdowns.142 Additionally, some insurance
companies and security businesses also provide fraud-prevention technology for e-commerce
transactions. They provide suggestions to ensure improved safety, which can comprise
anything from reconfiguring firewalls and reworking access policies to safeguarding systems
against physical damage.143 Although only a few insurance firms offered Internet
insurance a couple of years ago and most new e-business liability policies are less than a year old, the
policies are becoming more widespread.144 Furthermore, no insurance policy is likely to cover any
damage suffered in e-commerce transactions that results from an inherently unlawful commercial
undertaking. So, where the idea behind the business is inherently unlawful,
insurance will not cover the damages from that trade, irrespective of whether it involves
online transactions.
141 Cyberspace Insurance, Technoinsurance.com, accessed on 1 July 2014,
<http://www.technoinsurance.com/newcyberi.htm>
Cybercrime risk is a rather different type of business risk. It has a number of intrinsic drawbacks,
and there are also a number of external factors which may hinder the widespread availability of this
kind of coverage.
Calculating the probability of occurrence and determining the commercial consequence is essential for
risk evaluation. Since cyber threats or security breaches can result in various commercial effects, it
is complex to quantify the outcome. Cyber risk is a comparatively new idea and insurance companies are
still developing standard practices and financial models to decide a suitable price for this risk.
The absence of historical data is the main issue faced in deciding the right price of an insurance
policy and in underwriting the risk. As the same vulnerability may be exploited concurrently across
various corporations around the globe, cyber security incidents are highly correlated and
may result in enormous damages throughout the world. Furthermore, cyber risks are highly inter-
dependent, and a compromised system may lead to the vulnerability of other systems in a single corporation.
For big MNCs like financial services organisations, cyber security events can expose all
software, IT systems and infrastructure to attack. Insurers can face complex issues in assessing the
risk of a particular cyber insurance policy. For example, a corporation may decrease its investment in IT
security, which would increase the cybercrime risk during the policy coverage.
The insurability of cyber risks is affected by the absence of standard legal definitions of cyber
liability around the world. The web is worldwide but the jurisdiction of state legislation is
limited by physical frontiers. This leads to confusion over the applicable legislation for any cross-
border risk; it is an inherent drawback of cyber risk. Moreover, the probability of huge damages
limits the additional coverage available across the cyber insurance business. Insurers and reinsurers are
afraid of a cyber storm, a major catastrophe involving concurrent attacks around the world and affecting
numerous claims. While IT security solution providers work to provide protection from all
vulnerabilities, every year new vulnerabilities are discovered and exploited in cybercrime. The absence of
accepted IT systems and security standards among insurers can result in miscommunication.
Hence, insurers must form a standard set of security measures to quantify the security level at each
insured firm.
142 AIG.com, Press Release (last visited 2nd .Aug1,2014) <http://www.aig.com/corpsite/pr2/pro04 17 97.html>;
see Chubb.com, Technology Businesses: Overview <http://www.chubb.com/businesses/tig/>.
143 Cybersource, available at <http://www.cybersource.com/press/releas- es/1999/99102001.htm>, accessed
on 11 July 2014 at 4PM.
144 Dimitry Elias Leger, Why Internet Insurance Isn't The Best Policy, FORTUNE, Jul. 10, 2000, at 260.
145 Supra note 8
Emerging products to address cybercrime risk will impact most areas of the insurance value chain,
from product design to claims. The areas of most impact will be product design, policy
administration, underwriting and claims, but the new risk will also affect front office and legal.
Product Design
While launching new policies and products, insurers must identify standard definitions, terms of use,
criteria for eligibility, and design of a policy document while adhering to local regulations. Insurers
must also determine a set of premium rates for standard coverage policies and configure the new
product across all core processing systems.
Offering cybercrime insurance will have a significant impact on an insurer’s underwriting processes.
Insurers will need to define procedures to:
Apart from pre-issue activities, insurers also need to manage external factors such as regulatory
changes and any differences that may affect IT security for the insured. For example, implementation
of any new system; change in security procedures; or expansion of infrastructure can all change the
risk of cybercrime.
Claims Processing
Claims processing and investigation for cybercrime insurance policies require significant input from
technology and IT security experts. Claims need to be assigned to a team that includes claims
adjustors, IT professionals, and security industry experts. Procedures and models must be defined to
calculate the potential loss from any cybercrime incident, especially in case of third-party liability.
Insurers also must assess whether existing fraud detection and prevention capabilities are applicable to
cybercrimes or if new ones are needed.
Front Office
Today’s insurance companies are experiencing significant growth in the channels through which they
sell insurance. Cybercrime insurance products can be sold through many of these emerging channels
or an insurer may choose to use an existing distribution network. Either way, sales people, agents, and
customer service representatives will require training on cybercrime and legal issues to sell this new
insurance.
Legal
Legal counsels at insurance companies need to define legal terms related to cybercrime and manage
litigation for the new cybercrime insurance products. Cybercrime insurance involves a combination of
knowledge of both insurance and technology so insurers planning to offer these products need a wide
range of solutions and services across the insurance value chain.
Need for Cyber Insurance:
All companies face a breadth of liability exposures they have never faced before, due to increased
reliance on and use of the internet. While these may arise out of the use of technology and the internet in
different ways, they are broadly classified as Cyber Liability. The primary exposure is due to the
vulnerability to loss arising out of use of the net. Computer viruses and hackers together caused an
estimated US$ 16 billion in damages in the year 2003 alone. Recent surveys indicate that computer
crime threats originate from both inside and outside an organization's network of systems and
equipment, as well as from employees. Other loss exposures can arise due to loss of data from power
outages, and improper storage and protection of sensitive customer and website visitor data (i.e., dates of
birth, PINs, credit cards, drivers' license numbers, Social Security numbers, etc.).
In fact, recent experiences of Indian companies have proven these exposures are no longer the
exclusive preserve of developed countries, but have reared their heads in India too, going by the
recent cyber thefts of customer data at several high-profile BPO companies, as well as the internet airline
booking frauds which have hit several Indian airline carriers in the past couple of months. The
exposure also includes the business loss incurred in restoring business confidence among customers
following such contingencies.146 Any quality-conscious company now prioritizes installation of formal
security systems and an internet usage protocol to prevent attacks by hackers as well as disgruntled
employees. A survey of 1,400 organizations revealed that 90% recognize that information
security is of the highest priority and 78% identified risk reduction as the major influence on their
security spending. Despite this priority, a significant portion of these organizations still could not
guarantee that their systems were foolproof, and remained vulnerable.147
In India, recently an outsourcing firm, EXL Services, lost a key client due to a confidential client data
breach. Some company employees shared a procedural document externally in violation of the
company's strict client confidentiality policies, resulting in the US-based client ending the contract
as the firm had failed to comply with the provisions of the agreement on handling client information. Another
instance is the high-profile data raid on Sony's PlayStation Network database, with hackers stealing
credit-card details, passwords and home addresses from the system of intelligence-analysis firm. This
resulted in a 23-day closure of the PlayStation online network, and Sony suffered an estimated
financial loss of $171m and a 55% drop in its share price in the four months following the breach.
Ponemon Institute, a privacy and information research firm, conducted research in 2011 on the Cost of
Data Breach in India for India-based companies. It was found that the cost of a data breach is 2,105
INR for one compromised record. Customer churn or turnover following a data breach is 2.1%.
The Indian BPO industry has grown nine times, from $1.6 billion to $14.7 billion, in just a decade. By 2020, the
Indian outsourcing industry (IT and BPO), which is currently at $60 billion, is expected to reach $225 billion.
Here data privacy is going to be the biggest emerging business risk. Global cyber-crime was estimated
to be $88bn, with an individual falling victim to computer crime every 19 seconds. Moreover, there are
thousands of websites operating across the world involved in illegal activities camouflaged as legal.
These websites offer easy earnings, and net users, especially new ones, fall for the bait easily. The
problem is acute in India since internet users are added by the millions every year. Scam websites hook
hundreds of new users.148 The major scams that manage to hook new internet users in India are as follows:
146 AIG's eBusiness Risk Solutions Group, survey 2003
147 Ernst & Young's "Global Information Security Survey 2003"
148 Why you Need Cyber Liability Insurance, available at https://smallbusiness.yahoo.com/advisor/why-cyber-liability-insurance-174046460.html, accessed on 15.08.2014 at 9AM.
• Fake investment companies offering high returns
• Hacking
E-commerce is the backbone of the new economy, which is revolutionary and dynamic in
nature; whether it is e-commerce or m-commerce, it creates opportunities for both entrepreneurs
and consumers. However, there are challenges in striking a balance between improvement in
technology and the legal framework. Hence, based on the above study, the following findings and
recommendations are suggested:
• E-commerce in India broadly includes three areas: software exports, web-enabled services and
e-trade. Hence an agenda incorporating e-commerce should be prepared for future multilateral
trade.
• With respect to privacy and data protection, it is essential to have appropriate Terms of
Service and Privacy Policy for all e-commerce and m-commerce practices.
• The concept of electronic taxation is still at a budding stage. There is a need to recognise
the prospects of e-commerce and to introduce new e-taxation practices. The government
should prepare a policy to deal with the challenges in e-commerce at both the central and the
state VATs.150 Future tax policy on e-commerce should be consistent with the principles of
international taxation, to regulate e-commerce and its development.
• As e-commerce laws are fundamentally targeted at protecting citizens, and there are challenges in
the implementation strategy, awareness among citizens needs to be raised. Adequate
training should be provided to the relevant government officials who would draft and
implement policies relating to e-commerce.151
• Parallel to the IT Act, Certifying and authentication authorities have to be fully operational to sort
out the issues of security and payments. Banking laws and regulations thus need to be
adjusted to the new formats and requirements so that EFT and plastic money can work
without any hassle or fraudulent activity.
149 Sanjeev Soni, Need For Cyber Liability Insurance, available at http://insurancesuvrveyors.com, accessed on 2 June 2014 at 8 PM
150 Mahesh C Purohit, Vishnu Kanta Purohit et al., E-commerce and Economic Development (A Study Sponsored by the South Asia Network of Economic Research Institutes), available at http://saneinetwork.net/Files/06_08.pdf, accessed on 23rd October 2012 at 1 am.
151 Radha Krishan, "Law in online business with special focus on India", available at http://webuser.hs-furtwangen.de/~heindl/ebte-08ss-law-in-business-Krishan.pdf, accessed on 27th October 2012 at 2 pm
E-contracts can be considered the basis of e-business or e-commerce, and as technology
evolves the need for protection of e-contracts is also increasing. E-contracts have their own
advantages and disadvantages. Though they reduce costs, time and resources and improve services
through automation, on the other hand they raise questions with respect to the legal mechanism
which governs e-contracts.
The world as we know it is evolving. Almost every day, e-contracts make it
easier for all businesses and people to do transactions. However, as is the
case with all new technologies, there is an intricate and complex side to e-contracts.
Enforcing them in the conventional sense is difficult and there is an inescapable
requirement for a dedicated legal instrument to uphold e-contracts. Most developed nations have
understood this and have enacted specific laws to enforce e-contracts. India too needs
to understand this and step in the same direction. After all, development is an
all-round process which aims to concentrate on enhancing every one of the
parameters of the society that we live in, and concentrating on effective enforcement
of e-contracts ought to be no exception.
Summary:
With technological advancement, the acceptance of e-commerce has enormously improved owing
to its fast and expedient way of trading goods and services. India is providing a base for e-commerce
business models. This module is a conceptual study which describes and analyses e-commerce, its
perspectives and the issues involved. It covers the concept of e-commerce, business models for e-
commerce, differences between electronic commerce and m-commerce, the concept of online payment
along with its types, uses and issues involved, e-commerce and online advertising (its types, advantages
and disadvantages) and lastly taxing e-commerce in India: concept, principles, issues and suggestions.
Lastly, it is concluded that e-commerce is the backbone of the economy and creates opportunities for all
investors involved. Some recommendations are also provided to meet the challenges and issues
involved in the process of e-commerce through specific policy making, implementation strategy and
awareness.
Bibliography:
1. Bhasin Madan Lal, "E-Commerce and M-Commerce Revolution: Perspectives, Problems and Prospects", The Chartered Accountant, December 2005: 824.
2. Gandhi Sunil Kr., "E-Commerce And Information Technology Act, 2000", 11: March 2006: Vidyasagar University Journal of Commerce.
3. McIntosh Joanna (ed.), "WTO, E-Commerce and Information Technology", available at http://www.iie.com/publications/papers/wunsch1104.pdf.
4. Teitelman Robert et al., "How the Cash Flows?", 58: Aug. 1996: Institutional Investor.
5. Janesan Moneque et al., "Business Process Redesign for Effective E-commerce Processes in the Service Industry", available at http://is.ieis.tue.nl/staff/hreijers/Papers/Beta%20report%20bpr.pdf.
6. Kuller Edwin, "Approaches to Ecommerce", available at http://www.emarketservices.com/clubs/ems/prod/eMarket%20Services%20-%20Approaches%20to%20ecommerce.pdf, accessed on 2nd November 2013 at 12AM.
7. Mahadevan, "Business Models for Internet Based E-Commerce", 42: 2000: California Management Review, Summer.
8. Khurana Anil, "Introduction to Ecommerce", available at http://www.ddegjust.ac.in/studymaterial/mcom/mc-201.pdf.
9. Turban Efraim et al., Electronic Commerce, 6th ed., Prentice Hall Press, Upper Saddle River, NJ, USA, 2010.
10. Joseph P. T., S. J., E-Commerce: An Indian Perspective, PHI Learning Pvt. Ltd., 23 December 2011.
11. Sharma Vakul, "E-commerce: A New Business Paradigm", in Legal Dimensions of Cyberspace, edited by Verma S. K. et al., ILI Publication, 2004.
12. Khem, "Development of Ecommerce", available at http://www.siteforinfotech.com/2012/11/development-of-e-commerce.html.
13. Sharma Vakul, Information Technology – Law & Practice, Universal Law Publishing, 2009.
14. Maamar Zakaria, "Commerce, E-Commerce, and M-Commerce: What Comes Next?", 12: 46: December 2003: Communications of the ACM: 251.
15. Sharma Vakul, White Paper on E-commerce, IAMAI Pub., 2010.
16. Khalled Hassanian et al., "Understanding M-commerce: A Consumer Centric Model", 3 (2002): QJEC: 247.
17. Chan, Lee et al., E-Commerce: Fundamentals and Applications, John Wiley & Sons, Ltd., England, 2001.
18. Emmanuel Marilly et al., "Service Level Agreements: A Main Challenge for Next Generation Networks", available at http://www-rp.lip6.fr/adanets/PublicDoc/Papers/001_ECUMN02-SLA-NGN.pdf.
19. Ackerman Mark S., "Privacy in Pervasive Environments: Next Generation Labeling Protocols", 8: Pers Ubiquit Comput (2004): 430–439.
20. Sharma Vakul, Handbook of Cyber Laws, Macmillan India, 2002.
21. Michel Cyger, "Domain Name Purchase Sale Agreement", available at http://www.domainsherpa.com/domain-name-purchase-sale-agreement/.
22. Abbott Frederick M., "On The Duality Of Internet Domain Names: Propertization and Its Discontents", 1: 3: 2013: Journal of Intellectual Property and Entertainment Law: 1.
23. Richardson Helen H., "Website Development Agreements/Licensing of Website Content", available at http://files.ali-cle.org/thumbs/datastorage/skoobesruoc/source/CL035_SL035-Ch07_thumb.pdf.
24. Carol A. Kunze, "Web Site Legal Issues", 2: 14: 1998: Santa Clara Computer & High Technology Law Journal: 477.
25. Singh Debudatta, "Variants of Online Advertising", available at http://www.slideshare.net/rajarajurani/internet-advertising-5655436.
26. Robert I. Berkman et al., Digital Dilemmas: Ethical Issues for Online Media Professionals, Iowa State Press, 2003.
27. Deshmukh Vaishnavi J. et al., "Payment Processing Systems and Security for E-Commerce: A Literature Review", 2: 5: International Journal of Emerging Research in Management & Technology, ISSN: 2278-9359.
28. Purohit Mahesh C., Sales Tax and Value Added Tax in India, Gayatri Publications, New Delhi, 2001.
29. Imamul Haque S. M., "E-Commerce in India: Issues & Remedies", 1: 3: Business Spectrum, January – June 2014.
30. Desai Nitish et al., "Taxation of Electronic Commerce in India, presented to Central Board of Direct Taxes, India in response to the Report of the High Powered Committee by The eCom Taxpert Group", available at http://www.taxmann.com/bookstore/professional/taxation-of-electronic-commerce-in-india.aspx.
31. Clayton W. Chan, "Notes: Taxation of Global E-Commerce on the Internet: The Underlying Issues and Proposed Plans", available at http://www.winthrop.com/portals/0/pdf/claytonchan.pdf; also see Pallavi Dinodia and Anuj Tiwari, "E-commerce – International Approach", available at http://www.srdinodia.com/images/upload/E-Commerce%20-%20International%20Approach.pdf.
32. Dayana M. K., "E-commerce And Taxation", available at http://www.manupatrafast.com/articles/PopOpenArticle.aspx?ID=2cf77603-926f-43c0-86b8-6842bcd1de7b&txtsearch=Subject:%20Taxation.
Paper- V
Introduction
In the early 1980s, William Gibson, then a relatively unknown author, wrote an award-
winning science fiction novel set in a not-too-distant future. The novel, Neuromancer,
involved large corporations that replaced governments and computer hackers who waged war
against secure data. Neuromancer set the stage for an entire genre of science fiction that
would have a profound influence on the computer and telecommunications community. What
made this such an influential and somewhat prophetic work was that a large part unfolded in
a setting that had no physical existence. Gibson named this setting cyberspace.
"Cyber" is a prefix used to describe a person, thing, or idea as part of the computer and
information age. Taken from kybernetes, the Greek word for "steersman" or "governor," it was
first used in cybernetics, a word coined by Norbert Wiener and his colleagues. The virtual
world of the internet is known as cyberspace, and the laws governing this area are known as
cyber laws; all the netizens of this space come under the ambit of these laws, as it carries
a kind of universal jurisdiction. Cyber law can also be described as that branch of law that
deals with legal issues related to the use of inter-networked information technology. In short,
cyber law is the law governing computers and the internet.
The growth of Electronic Commerce has propelled the need for vibrant and effective
regulatory mechanisms which would further strengthen the legal infrastructure, so crucial to
the success of Electronic Commerce. All these regulatory mechanisms and legal
infrastructures come within the domain of Cyber law.
Cyber law is important because it touches almost all aspects of transactions and activities on
and involving the internet, World Wide Web and cyberspace. Every action and reaction in
cyberspace has some legal and cyber legal perspectives.1
Cyberspace requires cyber laws. Physical laws have limitations in the sense that they are uni-
dimensional in application. They are meant for the physical world, which is static, defined
and incremental, whereas cyberspace is dynamic, undefined and exponential. It needs
dynamic laws, keeping pace with the technological advancement.
1 Rajkumar S. Adukia, “Overview of Cyber Laws in India”, available at http://taxguru.in/finance/overview-cyber-laws-india.html
Emergence of Cyber Laws
Cyber law is a new branch of law. It came into existence with the spread of computers and the
Internet and it is growing fast. So, what is cyber law? It is that branch of law which regulates
human behaviour vis-à-vis computers. Law cannot regulate a machine, but it can regulate the
man behind the machine! The term “Cyber Law” encompasses all the cases, statutes and
constitutional provisions that impact persons and institutions who control the entry to
cyberspace, provide access to cyberspace, create the hardware and software which enable
people to access cyberspace, or use their own computers to go “on-line” and enter
cyberspace.
Interestingly, in the modern context, computers have become an integral part of our everyday
existence and thus cyber laws have become part of everyday activity. As one cannot ignore
the computer, likewise one cannot ignore cyber law either.
An Enabling Act – the Information Technology Act, 2000 is an enabling Act, as it enables a legal regime for electronic records
and electronic signatures.
The Act came into effect from October 17, 2000. Only recently, the Act was amended,
and the amended Act is effective from October 27, 2009. The Act has 90 sections spread
over XIII chapters and 2 Schedules in all. The Act applies to the whole of India, including
the State of Jammu & Kashmir [section 1(2)]. In order to extend the provisions of the Act to the
State of Jammu & Kashmir, Article 253 of the Constitution has been used:
The application of the Act is very broad based, it applies to any offence or contravention
thereunder committed outside India by any person [section 1(2)], irrespective of his
nationality, if the act or conduct constituting the offence or contravention involves a
computer, computer system or computer network located in India [section 75]. For example,
suppose a person in Paris sends a computer contaminant (virus) to disrupt the railway
reservation network located in India, then that someone, irrespective of his nationality has
committed an offence involving a computer, computer system or computer network located
in India and thus chargeable under the Act.
In today's highly digitalized world, almost everyone is affected by cyber law. For example:
• Almost all transactions in shares are in demat form.
• Almost all companies extensively depend upon their computer networks and keep their
valuable data in electronic form.
• Government forms, including income tax returns, company law forms etc., are now filled
in electronic form.
• Consumers are increasingly using credit cards for shopping.
• Most people are using email, cell phones and SMS messages for communication.
• Even in "non-cyber crime" cases, important evidence is found in computers / cell phones,
e.g. in cases of divorce, murder, kidnapping, tax evasion, organized crime, terrorist
operations, counterfeit currency etc.
• Cyber-crime cases such as online banking frauds, online share trading fraud, source code
theft, credit card fraud, tax evasion, virus attacks, cyber sabotage, phishing attacks, email
hijacking, denial of service, hacking, pornography etc. are becoming common.
• Digital signatures and e-contracts are fast replacing conventional methods of transacting
business.
Salient Features
1. The Act simultaneously amended the following Acts-
# The Indian Penal Code Act, 1860;
# The Indian Evidence Act, 1872;
# The Reserve Bank of India Act, 1934;
# The Banker’s Book Evidence Act, 1891.
2. Gave legal recognition to electronic records (Section 4 of the Act)
3. Gave legal recognition to digital signatures (Section 5 of the Act)
4. Provided for Certifying Authorities and Subscribers in connection with digital signatures
(Sections 17 to 42 of the Act)
5. Made provision for penalties for cyber offences (Sections 43 to 47 of the Act)
6. Established the Cyber Appellate Tribunal (Sections 48 to 64 of the Act)
7. Listed cyber offences (Sections 65 to 78 of the Act).2
2 Sunil Kr. Gandhi, “Communication E-Commerce And Information Technology Act, 2000”, Vidyasagar
University Journal of Commerce, (11) March 2006, 82.
List of Rules Framed under the Information Technology Act, 2000
1. Information Technology (Certifying Authorities) Rules, 2000
2. The Cyber Regulations and Appellate Tribunal (Procedure) Rules, 2000
3. The Information Technology (Certifying Authority) Regulations, 2001
4. The Information Technology (Other Powers of Civil Court Vested in Cyber Appellate
Tribunal) Rules, 2003
5. The Information Technology (Other Standards) Rules, 2003
6. The Information Technology (Qualification and Experience of Adjudicating Officers
and Manner of Holding Enquiry) Rules, 2003
7. The Information Technology (Use of Electronic Records and Digital Signature) Rules,
2004
8. The Information Technology (Security Procedure) Rules, 2004
9. The Cyber Appellate Tribunal (Salary, Allowances and Other Terms and Conditions of
Service of Chairperson and Members) Rules, 2009
10. The Cyber Appellate Tribunal (Procedure for Investigation of Misbehaviour or
Incapacity of Chairperson and Members) Rules, 2009
11. The Information Technology (Procedure and Safeguards for Interception, Monitoring
and Decryption of Information) Rules, 2009
12. The Information Technology (Procedure and Safeguards for Blocking for Access of
Information by Public) Rules, 2009
13. Information Technology (Procedure and Safeguards for Interception, Monitoring and
Decryption of Information) Rules, 2009
14. The Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2011
15. Information Technology (Intermediaries Guidelines) Rules, 2011
16. Information Technology (Guidelines for Cyber Cafe) Rules, 2011
17. The Information Technology (Recognition of Foreign Certifying Authorities Operating
under a Regulatory Authority) Regulations, 2013
18. The Information Technology (Recognition of Foreign Certifying Authorities Not
Operating under a Regulatory Authority) Regulations, 2013
19. The Information Technology (National Critical Information Infrastructure Protection Centre and
Manner of Performing Functions and Duties) Rules, 2013
20. The Information Technology (The Indian Computer Emergency Response Team and Manner of
Performing Functions and Duties) Rules, 2013
21. Information Technology (Preservation and Retention of Information by Intermediaries
Providing Digital Locker Facilities) Rules, 2016
22. Information Technology (Security of Prepaid Payment Instruments) Rules, 2017
Important Definitions
The Act provides two sets of definitions in techno-legal terminology, (a) functional and
(b) operational, to help in understanding both the functional and the operational nuances of the Act.
Functional Definitions
Section 2 (1)(a) “access”, with its grammatical variations and cognate expressions, means
gaining entry into, instructing or communicating with the logical, arithmetical or memory
function resources of a computer, computer system or computer network;
Section 2(1)(ha) "Communication Device" means Cell Phones, Personal Digital Assistance,
or combination of both or any other device used to communicate, send or transmit any text,
video, audio, or image.
Section 2(1)(i) “Computer” means any electronic, magnetic, optical or other high speed data
processing device or system which performs logical, arithmetic and memory functions by
manipulations of electronic, magnetic or optical impulses and includes all input, output
processing, storage, computer software or communication facilities which are connected or
related to the computer in a computer system or computer network.
Section 2(1)(j) “ Computer Network” means the inter-connection of one or more computers
or computer systems or communication device through-
(i) the use of satellite, microwave, terrestrial line, wire, wireless or other
communications media; and
(ii) terminals or a complex consisting of two or more interconnected computers or
communication device whether or not the interconnection is continuously
maintained;
Section 2(1)(t) “electronic record” means data, record or data generated, image or sound
stored, received or sent in an electronic form or micro film or computer generated micro
fiche;
Section 2(1)(v) “information” includes data, message, text, images, sound, voice, codes,
computer programmes, software and databases or micro film or computer generated micro
fiche;
Operational Definitions
Section 2(1)(f) “asymmetric crypto system” means a system of a secure key pair consisting
of a private key for creating an electronic signature and a public key to verify the electronic
signature;
Section 2(1)(b) “addressee” means a person who is intended by the originator to receive the
electronic record but does not include any intermediary;
Section 2(1)(h) “Certification practice statement” means a statement issued by a Certifying
Authority to specify the practices that the Certifying Authority employs in issuing Electronic
Signature Certificate.
Section 2(1)(na). "Cyber cafe" means any facility from where access to the internet is offered
by any person in the ordinary course of business to the members of the public.
Section 2(1)(za). “Originator” means a person who sends, generates, stores or transmits any
electronic message; or causes any electronic message to be sent, generated, stored or
transmitted to any other person but does not include an intermediary;
Section 2(1)(w) "Intermediary" with respect to any particular electronic records, means any
person who on behalf of another person receives, stores or transmits that record or provides
any service with respect to that record and includes telecom service providers, network
service providers, internet service providers, web hosting service providers, search engines,
online payment sites, online-auction sites, online market places and cyber cafes.
Section 2(1)(ze) “Secure system” means computer hardware, software and procedure that –
(a) are reasonably secure from unauthorized access and misuse;
(b) provide a reasonable level of reliability and correct operations;
(c) are reasonably suited to performing the intended functions; and
(d) adhere to generally accepted security procedures;
These definitions reflect the broad sweep of the Act: it provides an enabling set-up for
recognising digital and electronic signatures; it facilitates electronic communication
by recognising three parties, the Originator, the Intermediary and the Addressee; and it creates a
regulatory environment that not only regulates cyber crimes but also
addresses cyber security and related issues.
Digital signatures are based on asymmetric, or public key, cryptography. They meet the demands of
burgeoning e-commerce by providing message authentication, integrity and non-repudiation,
and they scale well because only the public key needs to be distributed.
Another important feature is the involvement of a trusted third party, the “Certifying
Authority”, which issues the digital signature certificate that binds a public key to its subscriber. A digital signature is a two-sided process
involving two parties: the signer (creator of the digital signature) and the recipient (verifier of the
digital signature). A digital signature is complete if, and only if, the recipient successfully
verifies it.
In short, the process of creating a digital signature has two steps. First, the electronic record is
reduced to a short fixed-length value, the message digest, by applying a publicly known hash function. Second,
the digest is transformed with the subscriber's private key, and the result is the digital signature. The hash
function is not secret; only the private key is, and each subscriber holds a unique one. The public key is
mathematically paired with the private key, so anyone holding it can verify the signature, but the private
key cannot be derived from it.3
To accept or reject a digital signature, one must ask the following questions:
(a) Is the Certifying Authority (the trusted third party) a licensed one?
(b) Has the digital signature been created as per the technology standards prescribed
under the law?
(c) Has the digital signature verification process been successful?
Affirmative answers to all the above questions give legal inviolability to the digital
signature by making it legally binding on the signer (sender).
Digital signature establishes the principle that, in an electronic environment, the basic legal
functions of a signature are performed by way of a method that identifies the signer of an
electronic message and also confirms that the said signer approved the content of that
electronic message.
3. Ibid.
4. Sharma, Vakul (3rd Ed. 2010): Information Technology – Law & Practice, Universal Law Publishing.
5. Section 66C, ITAA, 2008: Whoever, fraudulently or dishonestly makes use of the electronic
signature, password or any other unique identification feature of any other person, shall be punished with
imprisonment of either description for a term which may extend to three years and shall also be liable to fine
which may extend to rupees one lakh.
6. Amlan Mohanty, “New Crimes under the Information Technology (Amendment) Act”, the Indian Journal of
Law and Technology (7) 2011.
The Information Technology Act, 2000 has granted legal sanctity to a limited range of e-
governance functions.
These e-governance functions are based upon ‘functional equivalent approach’ in order to
extend offline governmental functions and practices to the online environment. The idea is to
facilitate efficient government-citizen interface by giving due legal recognition to digital
signatures and electronic records. Functional equivalent here implies “functional exactness” –
whether it is in paper form (record) or paperless form (electronic record).
In fact, Chapter III of the IT Act gives legal recognition to electronic governance. Sections
4 to 10 (including section 6A) set out the extent of the electronic governance rights conferred
by the IT Act on: (i) the Government, (ii) the e-governance service provider and (iii) the
individual.
Further, the Amendment Act has also introduced section 10A, whose aim and object is
to recognise the legally binding character of online contracts. This section is in the spirit
of Article 11 (Formation and validity of contracts) of the UNCITRAL Model Law on Electronic
Commerce, 1996. It provides legal certainty as to the conclusion of contracts by electronic
means. It deals not only with the issue of contract formation but also with the form in which
an offer (proposal) and an acceptance may be expressed. It covers not merely the cases in
which both the offer and the acceptance are communicated by electronic means but also cases
in which only the offer or only the acceptance (or the revocation of a proposal or acceptance) is
communicated electronically.
Prior to 2006, when the Government of India formally launched its National e-Governance
Plan (NeGP), which is discussed in Chapter 7 of this Report, some Departments of the
Government of India as well as State Governments had already initiated steps to adopt e-Governance.
In this context it is useful to highlight some of the important e-Governance initiatives
implemented by the Union and State Governments in the last 10 to 15 years, to assess their
strengths and weaknesses and to identify the lessons learnt from them. These initiatives are
discussed under the following categories:
The e-Governance scenario in India has come a long way since computers were first
introduced. The focus now is on extending the reach of governance to have a major impact on
the people at large. As stated earlier, e-Governance is an important tool to enhance the quality
of government services to citizens, to bring in more transparency, to reduce corruption and
subjectivity, to reduce costs for citizens and to make government more accessible. A large
number of initiatives have been taken in this category by the Union and the State
Governments. Some of these are described in the following paragraphs.
G2B initiatives encompass all activities of government which impinge upon business
organizations. These include registrations under different statutes, licenses under different
laws and the exchange of information between government and business. The objective of
bringing these activities under e-Governance is to provide a congenial legal environment to
business, expedite various processes and provide relevant information to business.
Within the government system there is large scale processing of information and decision
making. G2G initiatives help in making the internal government processes more efficient.
Many a time G2C and G2B processes necessitate the improvements in G2G processes. 7
Section 11 is about attribution of electronic records, whereas section 12 takes into account the
importance of acknowledgement of receipt (in the case of electronic communications).
Further as per section 13(1) the dispatch of an electronic record occurs when it enters a
computer resource outside the control of the originator. The process of “dispatch” involves
‘sending off’ (electronic transmission) of the electronic record to a destination. The Act
defines the time of dispatch of an electronic record as the time when it enters a computer
resource [S.2 (1)(k)] outside the control of the originator, which may be the computer
resource of the addressee (or an intermediary).
7. E-governance: Initiatives in India, available at http://arc.gov.in/11threp/ARC_11thReport_Ch4.pdf.
Adopting Security Procedures
Only a secure system leads to secure transactions. From the user's perspective, the Act
is concerned with the application of security procedures at the user's level. The aim is to protect
the communication (the message) and not the medium (the information technology infrastructure). It
is for this purpose that the Act speaks of secure electronic records [section 14] and secure
electronic signatures [section 15], which are achieved by applying the prescribed security procedures.
The presumption is that an electronic record is a secure one from the specific point of time
at which a security procedure is applied to it until the time of its verification at the
recipient's end, unless the recipient proves otherwise. The presumption therefore covers the record
only between signing and verification; anything done to the record after verification is not covered.
It is thus important that the certifying authorities should follow established rules and
regulations as laid down under the law. The Information Technology Act, 2000, under
Chapter VI provides detailed provisions for the Controller of Certifying Authorities to
regulate Certifying Authorities. Furthermore, the Information Technology (Certifying
Authorities) Rules, 2000 and the Information Technology (Certifying Authorities)
Regulations, 2001 have provided detailed guidelines for certifying authorities.
CCA → CAs → Subscriber
This establishes multi level authorities, often referred to as Public Key Infrastructure (PKI)
hierarchy where a set of Certifying Authorities is subordinate to the superior Certifying
Authority (Controller of Certifying Authorities).
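The signing and verification process described above (hash the record, sign the digest with the private key, verify with the public key), the three questions a recipient must answer before accepting a signature, and the CCA → CA → Subscriber hierarchy just described, as an added example that is not part of this study material and is not the software of the CCA or of any licensed CA. It is written in Go against the standard library: a self-signed root certificate stands in for the CCA, an intermediate certificate signed by that root stands in for a licensed CA, and a leaf certificate signed by the intermediate stands in for a subscriber's Digital Signature Certificate. The subscriber signs a constructed sample record and the recipient checks both the certificate chain and the signature. The names, the sample record, and the key type (ECDSA P-256 with SHA-256, chosen because it is in Go's standard library, not because the Rules prescribe it) are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Entity is one node of the hypothetical hierarchy: the CCA (root), a
// licensed CA (intermediate) or a subscriber (leaf). Names are illustrative.
type Entity struct {
	Name string
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

var nextSerial int64 // assumption: serials only need to be unique within this demo

// newEntity generates a P-256 key pair and a certificate for name. With
// parent == nil the certificate is self-signed (the trust anchor); otherwise
// the parent's private key signs it, which is what "certifying the public
// key" of a subordinate means in PKI terms.
func newEntity(name string, isCA bool, parent *Entity) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent exists
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Entity{Name: name, Key: key, Cert: cert}, nil
}

// BuildHierarchy returns the three levels CCA -> licensed CA -> subscriber.
func BuildHierarchy() (cca, ca, subscriber *Entity, err error) {
	if cca, err = newEntity("CCA (root)", true, nil); err != nil {
		return
	}
	if ca, err = newEntity("Licensed CA", true, cca); err != nil {
		return
	}
	subscriber, err = newEntity("Subscriber", false, ca)
	return
}

// SignRecord is the signer's side: reduce the electronic record to a fixed
// size SHA-256 digest, then sign that digest with the private key. Only the
// private key is secret; the hash function is public.
func SignRecord(key *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyRecord is the recipient's side: does the subscriber's certificate
// chain, through the CA, to the root we trust, and does the signature verify
// over the record as received? Any change to the record after signing changes
// the digest, so the signature no longer matches.
func VerifyRecord(leaf, intermediate, root *x509.Certificate, record, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(intermediate)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type in subscriber certificate")
	}
	digest := sha256.Sum256(record)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify: record altered or wrong key")
	}
	return nil
}

func main() {
	cca, ca, sub, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	record := []byte("constructed sample record: purchase order 42, INR 10000")
	sig, _ := SignRecord(sub.Key, record)
	fmt.Println("original record:", VerifyRecord(sub.Cert, ca.Cert, cca.Cert, record, sig))
	tampered := append([]byte{}, record...)
	tampered[len(tampered)-1] = '1' // one byte changed after signing
	fmt.Println("tampered record:", VerifyRecord(sub.Cert, ca.Cert, cca.Cert, tampered, sig))
	rogue, _ := newEntity("Unlicensed CA", true, nil) // not certified by the CCA
	rogueSub, _ := newEntity("Subscriber", false, rogue)
	sig2, _ := SignRecord(rogueSub.Key, record)
	fmt.Println("unlicensed CA:", VerifyRecord(rogueSub.Cert, rogue.Cert, cca.Cert, record, sig2))
}
```

The three calls in main map onto the three questions in the text: the chain check fails for the subscriber of the unlicensed CA because its certificate does not lead to the root the recipient trusts (question (a)); the algorithm and digest are fixed in SignRecord and VerifyRecord rather than negotiated, which is where a prescribed technology standard would be enforced (question (b)); and the signature check fails for the tampered record (question (c)). The tampered case also illustrates the section 14 presumption: the record counts as secure only between the moment the signature is applied and the moment it is verified, and a single changed byte in between is enough to make verification fail.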
The Office of the Controller of Certifying Authorities provides a platform for PKI to operate
under the Act. It has a statutory role to identify, apply and draw awareness regarding
application of specific form of technology. Furthermore, it establishes functional attributes
for Certifying Authorities.
In order to understand the functions of the Controller of Certifying Authorities, apart from
following the key provisions of the Act one must also follow its Certification Practice
Statement (CPS) along with Information Technology (Certifying Authorities) Rules, 2000
and Information Technology (Certifying Authorities) Regulations, 2001.
Section 18 of the Act sets out the functions of the Controller, which include:
(a) exercising supervision over the activities of the Certifying Authorities;
(b) certifying the public keys of the Certifying Authorities;
(c) laying down the standards to be maintained by the Certifying Authorities;
(d) specifying the qualifications and experience which employees of the Certifying
Authorities should possess;
(e) specifying the conditions subject to which the Certifying Authorities shall conduct
their business;
(f) specifying the contents of written, printed or visual materials and advertisements that
may be distributed or used in respect of an Electronic Signature Certificate and the
public key;
(g) specifying the form and content of an Electronic Signature Certificate and the key;
(h) specifying the form and manner in which accounts shall be maintained by the
Certifying Authorities;
(i) specifying the terms and conditions subject to which auditors may be appointed and
the remuneration to be paid to them;
(j) facilitating the establishment of any electronic system by a Certifying Authority either
solely or jointly with other Certifying Authorities and regulation of such systems;
(k) specifying the manner in which the Certifying Authorities shall conduct their dealings
with the subscribers;
(l) resolving any conflict of interests between the Certifying Authorities and the
subscribers;
(m) laying down the duties of the Certifying Authorities;
(n) maintaining a database containing the disclosure record of every Certifying Authority
containing such particulars as may be specified by regulations, which shall be
accessible to the public.
The success of PKI depends on the acceptance of the digital signature certificates as means of
identification and authentication in the paperless environment. It should also recognize
foreign Certifying Authorities for faster implementation of digital signature certificates
regime [section 19]. A foreign Certifying Authority may provide cross certification
arrangement to the local licensed CA thereby creating global acceptability of locally issued
digital signature certificates.
CCA has the power to renew license of CAs [section 23]; follow procedure for grant or
rejection of license [section 24], and suspension of license [section 25]. One of the critical
powers of the Controller is to investigate contraventions [section 28].
The Controller of Certifying Authorities some time ago published an Order it passed
against Yahoo India imposing a penalty of Rs 11 lakh for not replying to multiple notices under section 28 of
the Information Technology Act, 2000. The notices were based on
“requests/references from the intelligence bureau, Ministry of Home Affairs, Government of
India on regular basis on sensitive issues relating to national security, integrity and defense.“
The CCA which also acts as a quasi-judicial authority to determine contraventions framed
four issues whose findings are given below:
1. Whether the notices were simpliciter requests and not notices for the purposes of
investigations under Sec. 28.
“The company’s contention that since the words “for the purpose of Investigation of certain
contraventions committed under the Act”, have not been used in the notice, making it a
request simpliciter, is untenable. It is significant to note that all the notices and show cause
notice made reference to section 28 of the Act only. Once a notice is issued under section 28
of the Act, it is but obvious that the information is required “for the purpose of investigation
of certain contraventions committed under the Act”. The notices issued to the company made
it clear in no uncertain terms that under section 28 of the Act, the company is to provide
certain details and it is always to the knowledge of the company that the said section gives
CCA or any officer authorized by him the power to investigate any contravention of the
provisions of this Act, rules or regulations made there under; and therefore also the authority
and competence to seek information, which has been questioned by the company.“
2. Whether the Company’s contention that there was no investigation underway of any
contravention of the provision of the Act, when the aforementioned notices were served
upon the company is correct.
“14. It was clear that the information required was for investigation purpose only. The user
details sought are neither figment of imagination of the Intelligence Bureau, nor of the Office
of Controller. This information has been sought for protecting national security, integrity
and defence. Hence, the Company’s plea that there was no investigation underway of any
contravention of the provision of Act. When the aforementioned notices were served upon the
company is untenable and incorrect. The company has failed to give any coherent reason
why it came to a conclusion that there was no investigation underway of any contravention
of the provision of Act. When the aforementioned notices were served upon the company.“
3. Whether the Company by disclosing user details as requested under various notices would
be violating provisions of Section 72A and also make the office of the CCA liable under
Section 72 of the Act ?
“16. Section 72 also provides the same saving clause, permitting disclosure of information as
provided under the Act. The CCA cannot be made liable under section 72 for exercising the
authority entrusted upon him under section 28 of the Act. Further, section 84 of the Act
grants protection to the Controller or any person acting on behalf of him for anything
which is in good faith done or intended to be done in pursuance of the Act or any rule,
regulation or order made thereunder. All the notices as well as the show cause notice
have been issued to the company without malafide intent and in good faith in the
background of context and circumstances. The allegations of highhandedness and
tendency to coerce are uncalled for.“
4. Whether the Company is liable under Section 44(a) of the Act for its failure to furnish
information and/or documents as directed by the CCA and also under the provisions of
Secs. 174/175 of the Indian Penal Code, 1860?
Under the IT Act, orders of the CCA are directly appealable to the Cyber Appellate Tribunal.
However, the Cyber Appellate Tribunal seems to be more or less defunct, since it does not
have any members appointed by the Central Government, and even its last
Presiding Officer, Justice Mr. Rajesh Tandon, retired on June 30, 2011. It seems that due to
these peculiar circumstances, Yahoo filed a writ petition in the Delhi High Court (W.P.
6654/2011) challenging the Order of the CCA.
On the very first date of hearing (14.09.2011), the Hon’ble Court was pleased to stay the
operation of the CCA Order and the penalty imposed under it. The stay is conditional:
to enjoy it, Yahoo! has to provide the information sought by the CCA within a week.
The Order also records the lines of argument which may be developed by Yahoo in the
future. The Order records that,
“2. The senior counsel for the petitioner has contended that the respondent No.2 in pursuance
to the notices issued under Section 28 of the Act was not empowered to seek the information
sought and as such the petitioner cannot be said to be in violation thereof for not complying
therewith. It is further contended that the respondent No.2 is not even empowered to impose
the penalty / fine as has been done. It is stated that the information if any required can be
sought under Section 69 of the Act and which the petitioner is willing to furnish.
b) Are other intermediaries also receiving notices from the CCA? If yes, how are they
responding to them, and how much subscriber data are they disclosing?
c) How long will the position of the Presiding Officer of the Cyber Appellate Tribunal lie
vacant? Does this reflect lethargy on the part of the government in filling the vacancy, or does it
mean that there is just not enough work to justify the appointment?8
CAs issue DSCs (or Electronic Signature Certificates – section 35). The Certifying Authority
has to assure the identity of the subscriber by adopting certain validation procedures. The
process of validation is a process performed by the Certifying Authority following
submission of an electronic (digital) signature certificate application as a prerequisite to
approval of the application and the issuance of an electronic (digital) signature certificate. A
certifying authority has every right to grant the electronic (digital) signature certificate or for
reasons to be recorded in writing, reject the application.
8. Apar Gupta, “Delhi High Court, Intermediaries, Privacy Law”, 22 November 2011.
CAs have the power to suspend and revoke a Certificate under sections 37 and 38
respectively.
Information Technology (Use of Electronic Records and Digital Signatures) Rules, 2004, has
provided the necessary legal framework for filing of documents with the Government as well
as issue of licenses by the Government. It also provides for payment and receipt of fees in
relation to the Government bodies.
On the same day, the Information Technology (Certifying Authorities) Rules, 2000, also
came into force. These rules prescribe the eligibility, appointment and working of Certifying
Authorities (CAs). These rules also lay down the technical standards, procedures and security
methods to be used by a CA. These rules were amended in 2003, 2004 and 2006.
Information Technology (Certifying Authority) Regulations, 2001 came into force on 9 July
2001. They provide further technical standards and procedures to be used by a CA. Two
important guidelines relating to CAs were issued. The first are the Guidelines for submission
of application for license to operate as a Certifying Authority under the IT Act. These
guidelines were issued on 9 July 2001.
Next were the Guidelines for submission of certificates and certification revocation lists to
the Controller of Certifying Authorities for publishing in the National Repository of Digital
Certificates. These were issued on 16 December 2002.9
Role of Subscribers
Chapter VIII of the Information Technology Act, 2000 is about the Duties of Subscribers
(Sections 40-42). These sections of the Act have to be read along with the
Information Technology (Certifying Authorities) Rules, 2000 and the Information Technology
(Certifying Authorities) Regulations, 2001 made thereunder. Due
consideration should also be given to the Certification Practice Statement (CPS) of the licensed
Certifying Authority.
Process of Adjudication & Regulation under the Act
The Chapter on Penalties and Adjudication [Chapter IX] under the Act highlights not only the
penalty provisions for damage to computer, computer system or computer network but also
the process of adjudication. This chapter highlights the penalty provisions vis-à-vis cyber
contraventions. It is important to note that sections 43-45 are the ones that fall in the category
of ‘cyber contraventions’.
Section 43 is a very important provision in the sense that it identifies ten different causes of
causing damage to computer, computer system or computer network. Likewise, section 43A
deals with failure to protect any sensitive personal data or information. The contravener –
whether of section 43 or section 43 A – is liable to pay damages by way of compensation to
the person so affected. It is for the affected person to assess the value of damage caused and
approach the appropriate Forum – whether the Adjudicating Officer or a Civil Court for
redressal.
These sections address different issues and hence impose variable penalties on the offenders.
The pecuniary jurisdiction of the Adjudicating Officer under the Act is up to rupees five crore
[section 46(1A)] and any affected person may seek redressal accordingly; if the
affected person assesses the value of the damage caused at beyond rupees five crore, then the said
person has to approach the competent Civil Court for redressal [section 46(1A)
proviso]. Section 44 is about maintaining books of account or records and furnishing or filing any
return or information to the Controller or the Certifying Authority, whereas section 45
imposes a residuary penalty.
9. Rohas Nagpal, “Jurisprudence of Indian Cyber Law”, available at http://www.cyberlawdb.com/main/india.
Section 43 provides that if any person, without the permission of the owner or of any other person who is in charge of a
computer, computer system or computer network,
(a) accesses or secures access to such computer, computer system or computer network or
computer resource;
(b) downloads, copies or extracts any data, computer data base or information from such
computer, computer system or computer network including information or data held or stored
in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer virus into
any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer network,
data, computer data base or any other programs residing in such computer, computer system
or computer network;
(e) disrupts or causes disruption of any computer, computer system or computer network;
(f) denies or causes the denial of access to any person authorized to access any computer,
computer system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer, computer system
or computer network in contravention of the provisions of this Act, rules or regulations made
thereunder;
(h) charges the services availed of by a person to the account of another person by tampering
with or manipulating any computer, computer system, or computer network,
(i) destroys, deletes or alters any information residing in a computer resource or diminishes
its value or utility or affects it injuriously by any means,
(j) steals, conceals, destroys, or alters or causes any person to steal, conceal, destroy, or alter
any computer source code used for a computer resource with an intention to cause damage.
Any access without permission of the owner or any other person who is incharge of such
computer, computer system or computer network (or computer resource) shall attract penalty
under the said provision.
An affected party under S.43 has a right to seek damages from the wrongdoer by compelling
him to pay for the damage done. The remedy lies in the law of tort, the purpose of which
is to adjust losses and offer compensation for tortious liability.
Further, the new amendments have introduced S.43A, which has made it abundantly clear
that where a body corporate, possessing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security practices and procedures and thereby
causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to
pay damages by way of compensation to the person so affected.
The Central Government, by Gazette Notification under the short title “Qualification and Experience of
Adjudicating Officer and Manner of Holding Enquiry” (the Information Technology Rules, 2003),10 has
notified the ‘Scope and Manner of Holding Inquiry’, which gives the Adjudicating Officer powers including:
10. Vide Gazette Notification G.S.R. 220(E), dated 17th March, 2003, which notified the ‘Scope and Manner of Holding
Inquiry’.
(e) to enforce attendance of any person or persons;
(f) to fix a date and time for production of documents (including electronic records) or
evidence; and
(g) to hear and decide every application, as far as possible, in four months and the whole
matter in six months.
It is very much clear from the language of the aforesaid Gazette Notification that the
Adjudicating Officer is to act as a quasi-judicial authority.
Further, the newly substituted sub-section (1A) has increased the pecuniary
jurisdiction of the Adjudicating Officer under the Act to rupees five crore (from the
earlier limit of rupees one crore), and any affected person may seek redressal accordingly.
Moreover, if the affected person assesses the value of the damage caused to him at beyond rupees
five crore, then the said person has to approach the competent court for redressal
[section 46(1A) proviso].
The Adjudicating Officer's power under the amended Act in section 46(1A) is limited to
deciding claims where the claim for injury or damage does not exceed 5 crore. Beyond 5 crore the
jurisdiction now vests with the competent court. This has introduced another forum for the
adjudication of cyber contraventions, and the words ‘competent court’ still need to be clearly
defined. As per section 46(2), the quantum of compensation that may be awarded is left to the
discretion of the Adjudicating Officer. This leaves wide room for subjectivity; the quantum
should be decided as far as possible objectively, keeping in view the amount of
unfair advantage gained, the amount of loss caused to a person (wherever quantifiable) and the
repetitive nature of the default. The Information Technology (Qualification and Experience of
Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 lay down the scope and
manner of holding an inquiry, including reliance on documentary and other evidence gathered in
investigations. The Rules also provide for compounding of contraventions and describe the factors
that determine the quantum of compensation or penalty. In the IT Act, 2000 the office of the
Adjudicating Officer had the powers of a civil court and all proceedings before it are deemed to
be judicial proceedings. A new change is incorporated in section 46(5)(c), whereby the
Adjudicating Officer has been conferred with powers of execution of the orders passed by it,
including orders of attachment and sale of property, arrest and detention of the accused and
appointment of a receiver. This empowers the office of the Adjudicating Officer and extends
greater enforceability and effectiveness to its orders.11
11
Infra Note 19
416
propriety of the decision or order passed by the Controller of Certifying Authorities or the
Adjudicating Officer is absolute.
A Cyber Appellate Tribunal consists of a Chairperson and such number of other Members,
as the Central Government may notify [section 49]. The appellate tribunal is now completely
revamped into a multi-member set up, which is in fact in tune with the current legislative
policy of constituting multi-member Tribunals whenever Special Acts have been legislated.
Under section 57 an appeal to the Cyber Appellate Tribunal can be filed by any person aggrieved by an order made by the Controller or an Adjudicating Officer under this Act. The appeal before the Tribunal shall be filed within a period of forty-five days from the date on which a copy of the order made by the Controller or the Adjudicating Officer is received by the person so aggrieved.
Further, section 58 has made it very clear that the Cyber Appellate Tribunal shall have, for
the purposes of discharging its functions under this Act, the same powers as are vested in a
civil court under the Code of Civil Procedure, 1908, while trying a suit, in respect of the
following matters, namely—
(a) summoning and enforcing the attendance of any person and examining him on oath;
(b) requiring the discovery and production of documents or other electronic records;
(c) receiving evidence on affidavits;
(d) issuing commissions for the examination of witnesses or documents;
(e) reviewing its decisions;
(f) dismissing an application for default or deciding it ex parte;
(g) any other matter, which may be prescribed.
Section 61 empowers both Adjudicating Officer and the Cyber Appellate Tribunal to have an
exclusive jurisdiction to entertain any suit and proceeding in respect of any matter under this
Act. It excludes the jurisdiction of civil courts to entertain any suit or proceeding in respect of
any matter, which an adjudicating officer appointed under this Act or the Cyber Appellate
Tribunal constituted under this Act, is empowered by or under this Act to adjudicate the
contraventions.
Moreover, the Act provides a second forum of appeal in the form of the High Court (the first being the Cyber Appellate Tribunal) to any person aggrieved by any decision or order of the Cyber Appellate Tribunal. An appeal is to be filed within sixty days from the date of communication of the decision or order of the Cyber Appellate Tribunal to him, on any question of fact or law arising out of such order [section 62].
Also, section 63 provides for compounding of any contravention under this Act either before
or after the institution of adjudication proceedings by the Controller or such other officer as
may be specially authorized by him in this behalf or by the adjudicating officer, as the case
may be, subject to such conditions as the Controller or such other officer or the adjudicating
officer may specify.
Cyber Offences
The Act has provided a set of sections from sections 65-74 covering all aspects of cyber
offences. The difference between ‘cyber contravention’ and ‘cyber offence’ is more about the
degree and extent of criminal activity rather than anything else.
Cyber Contraventions | Cyber Offences
Deals primarily with unauthorized access to computer, computer system or computer network or computer resource | Deals with computer, computer system or computer network or computer resource related serious offences
Offender to face civil prosecution | Offender to face criminal prosecution
Offender liable to pay damages by way of compensation | Offender punishable with imprisonment term or fine or with both
Triable before the Adjudicating Officer | Triable as per the Criminal Procedure Code (Cr.PC)
Table: Comparison Between Cyber Contraventions and Cyber Offences
In order to complement the understanding of the cyber offences under the Act, it is important
that the criminal law of India, which has been codified in the Indian Penal Code, 1860 and
the Code of Criminal Procedure, 1973 should also be taken into consideration. The Penal
Code deals specifically with offences whereas the Criminal Procedure Code is all about
criminal procedures. While the Penal Code is the substantive law, the Criminal Procedure
Code is the adjective law.
Based on the aforesaid classification of offences against other laws, the offences given in Chapter XI of the Act have been classified, subject to section 77B of the Act, as cognizable/non-cognizable, bailable/non-bailable and by what Court triable in the table below[12]:
Section | Offence | Cognizable/Non-cognizable | Bailable/Non-bailable | By what Court triable?
S.65 | Tampering with computer source documents | Cognizable | Bailable | Magistrate of the first class
S.66 | Computer related offences | Cognizable | Bailable | Magistrate of the first class
S.66A* | Punishment for sending offensive messages through communication service, etc. | Cognizable | Bailable | Magistrate of the first class
S.66B | Punishment for dishonestly receiving stolen computer resource or communication device | Cognizable | Bailable | Magistrate of the first class
S.66C | Punishment for identity theft | Cognizable | Bailable | Magistrate of the first class
S.66D | Punishment for cheating by personation by using computer resource | Cognizable | Bailable | Magistrate of the first class
S.66E | Punishment for violation of privacy | Cognizable | Bailable | Magistrate of the first class
S.66F | Punishment for cyber terrorism | Cognizable | Non-bailable | Court of Session
S.67 | Punishment for publishing or transmitting obscene material in electronic form | First Conviction | |
S.70 | Protected system | Cognizable | Non-bailable | Court of Session
S.70A | National nodal agency | No provision for offence | |
S.70B | CERT-IN to serve as national agency for incident response | Non-cognizable | Bailable | Any Magistrate
S.71 | Penalty for misrepresentation | Non-cognizable | Bailable | Any Magistrate
S.72 | Breach of confidentiality and privacy | Non-cognizable | Bailable | Any Magistrate
S.72A | Punishment for disclosure of information in breach of lawful contract | Cognizable | Bailable | Magistrate of the first class
S.73 | Penalty for publishing Electronic Signature Certificate false in certain particulars | Non-cognizable | Bailable | Any Magistrate
S.74 | Publication for fraudulent purpose | Non-cognizable | Bailable | Any Magistrate
*Section 66A - Struck down by the Hon'ble Supreme Court of India through judgment in the matter of Shreya Singhal Vs Union of India (24.03.2015)
Table: Classification of Offences Under Information Technology Act
12 Supra note 1
The idea behind the aforesaid section is to protect the 'intellectual property' invested in computer programs. It is an attempt to extend protection to computer source documents (codes) beyond what is available under copyright law, i.e., the Copyright Act, 1957.
What distinguishes section 66 from section 43 is that the act must have been done dishonestly
or fraudulently. The offender under section 66 shall be punishable with imprisonment for a
term, which may extend to three years or with fine which may extend to five lakh rupees or
with both.
This section penalises sender of the message, which may be:
(a) grossly offensive or menacing in character; or
(b) known to be false, but is being sent purposefully and persistently to cause annoyance,
inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred,
or ill will; or
(c) cause annoyance or inconvenience or to deceive or to mislead the addressee or recipient
about the origin of such messages.
Offences under section 66A are punishable with imprisonment for a term, which may extend
to three years and with fine.
*Section 66A- Struck Down by Hon’ble Supreme Court of India through judgment in the
matter of Shreya Singhal Vs Union of India (24.03.2015)
The judgment of Hon'ble Apex Court in case titled Shreya Singhal Vs Union of India
[MANU/SC/0329/2015] has observed that:
(b) Section 69A and the Information Technology (Procedure & Safeguards for Blocking for
Access of Information by Public) Rules 2009 are constitutionally valid.
(c) Section 79 is valid subject to Section 79(3)(b) being read down to mean that an
intermediary upon receiving actual knowledge from a court order or on being notified by the
appropriate government or its agency that unlawful acts relatable to Article 19(2) are going to
be committed then fails to expeditiously remove or disable access to such material. Similarly,
the Information Technology "Intermediary Guidelines" Rules, 2011 are valid subject to Rule
3 Sub-rule (4) being read down in the same manner as indicated in the judgment.
........."
Instances of identity theft, such as phishing, denial of service, distributed denial of service, data theft, installation of spyware, cookies, etc., may be covered under this provision.
66D. – Punishment for cheating by personation by using computer resource. –
The aforesaid section provides that whoever, by means of any communication device or
computer resource cheats by personation, shall be punished with imprisonment of either
description for a term which may extend to three years and shall also be liable to fine which
may extend to one lakh rupees.
Instances of creating clone websites, email frauds, email forgeries, data theft, loss of privacy,
etc. may be covered under this provision.
Cyber Terrorism
The new amendments have provided a comprehensive definition of cyber terrorism.
(1) Whoever,-
(A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by –
(i) denying or cause the denial of access to any person authorized to access computer resource; or
(ii) attempting to penetrate or access a computer resource without authorisation or exceeding authorized access; or
(iii) introducing or causing to introduce any Computer Contaminant
and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70, or
It further provides that whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.
Perhaps the most contentious issue in relation to the Amendment Act is that of cyber
terrorism, which is essentially the convergence of terrorism and cyberspace. Terrorism, by
itself is not a new phenomenon, but with the development of modern technologies, the
creation of laws specifically dealing with the same or related acts, conducted through the
medium of cyberspace, was imminent.
An analysis of this section can be divided into the first and second clause, the subject matter of each being considerably dissimilar, with their own particular complications. The section is comprehensive in that sub-clause (A) first enumerates the methods by which the act is committed, the wrongful conduct, as it were, and then proceeds to describe the potential damage that may be caused by such acts. However, in the portion describing the likely damage, the definition is restricted to cases linked to destruction of property or death of individuals. While the clause also speaks of damage to essential supplies and critical information infrastructure, there is no mention of damage to private property. Using the generally accepted definition of cyber terrorism, it is clear that damage need not be restricted to property belonging to the government. So long as it induces fear in the minds of people, it may be regarded as terrorism. Also, being a provision specific to cyber terrorism, it is surprising that the term in cyber-crime, especially in relation to cyber terrorism. Considering the content of the law, there do not appear to be widespread discrepancies with cyber terrorism-centred legislations across the world, which take cognizance of the fact that there is an increasing use of computers to facilitate attacks of terrorism, and that 'it is safer and more convenient to conduct disruptive activities from a remote location over the Internet than it is driving planes into buildings'. As regards penalties, imprisonment for life appears to be the norm across jurisdictions and uniformly the harshest amongst all internet-related crimes.
It is inconceivable to think that the cyber terrorism provision in the IT Act will lie stagnant in the years to come, given the dynamic nature of terrorist activity, which is bound to traverse yet unforeseen criminal territories, but it is discomforting to see that the first legislation addressing the incidence of cyber terrorism falls drastically short in terms of comprehensiveness, clarity and particularity.
information generated, transmitted, received, stored or hosted in any computer resource. Further, section 69B provides that the Central Government may seek technical assistance from any intermediary or any person in charge of the computer resource, and such entities shall extend all facilities to such agency (of the Central Government) to enable online access, or to secure and provide online access, to the computer resource generating, transmitting, receiving or storing such traffic data or information.
The measures suggested in sections 69 and 69A are to be taken in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence relating to the above, or for the investigation of any offence, whereas the provisions under section 69B are to be seen from the aspect of cyber security.
The High Court of Gujarat at Ahmedabad, in the matter of Gaurav Sureshbhai Vyas Vs State of Gujarat [C/WPPIL/191/2015], while dealing with a PIL regarding the emergency situation in Gujarat and the blocking of mobile internet service, has observed that:
“If the comparison of both the sections in the field of operations is made, barring
certain minor overlapping more particularly for public order, one can say that the
area of operation of Section 69A is not the same as that of Section 144 of the Cr.PC.
Section 69A may in a given case also be exercised for blocking certain websites,
whereas under Section 144 of the Code, directions may be issued to certain persons
who may be the source for extending the facility of internet access. Under the
circumstances, we do not find that the contention raised on behalf of the petitioner
that the resort to only Section 69A was available and exercise of power under Section
144 of the Code was unavailable, can be accepted.
During the relevant period, the disturbances went on throughout the State and there
were serious disturbances of law and order. Rioting had taken place at various places
and the State would be zealous to control the same by applying all modes available in
law. By observing that it cannot be said that the powers were exercised in neither
arbitrary manner nor it can be said that there was perverse exercise of the power
without there being any objective material. Hence the said contention fails.”
The High Court of Delhi in the matter of Maulana Mahmood Asad Madani Vs. Union of
India, [MANU/DE/3061/2013] while dealing with the issue of Section 69A Information
Technology Act has observed that:
The learned Additional Solicitor General informed that it had, in exercise of powers
under Section 69A of the Information Technology Act, 2000, already blocked as many
as 157 Uniform Resource Locators (URLs) hosting content related to clipping titled
Innocence of Muslims. He further informed that in spite of the same, variants of the
film were still available on the internet, resurfacing on different servers from different
locations by changing the addresses.
In addition, 52 more URLs were blocked under the provision of rules notified under
Section 69A of the Information Technology Act.
The court disposed of the writ petition by directing that as and when any URL being
used for hosting the film in question is brought to the notice of the respondents, they
would make a request to the concerned service provider to block such a URL so that
it is not used for the purpose of hosting the offensive film.
Section 70A provides for the creation of an organisation of the Government as the national nodal agency in respect of Critical Information Infrastructure Protection. Further, section 70B provides for the Indian Computer Emergency Response Team (CERT-IN) to serve as the national agency for incident response.
Section 70 has a very important definition added by the IT (Amendment) Act, 2008. The explanation to Section 70 defines what is "Critical Information Infrastructure". It encompasses the computer resource the destruction of which has an adverse impact not only on the defence of India but also on the economy, public health or safety. This is a very significant step, as today our IT infrastructure may also be used to manage certain services offered to the public at large, the destruction of which may directly affect public health and safety. Hence, their protection is as important as maintaining the security and sovereignty of India.
By virtue of Sections 70A and 70B, Indian CERT has been appointed as the national nodal agency for Critical Information Infrastructure Protection. The CERT shall play an indispensable role in maintaining cyber security within the country. A very important step is coordination between CERT and service providers, data centres, body corporates and other persons (Section 70B(6)). That will lead to effective performance of the role of CERT. It has multiple roles, including education, an alert system, emergency response, issuing guidelines and reporting of cyber incidents, amongst other functions. In case any person fails to comply with its directions, such person shall be punishable with imprisonment for a term that may extend to one year, or a fine of one lakh, or both. It also excludes the court from taking cognizance of any offence under this section except on a complaint made by an authorised officer of CERT, to prevent misuse of the Section.
which may extend to two years, or with fine which may extend to one lakh rupees, or with
both.
unless such publication is for the purpose of verifying a digital signature created prior to such
suspension or revocation. And any person who contravenes the provisions of sub-section (1)
shall be punished with imprisonment for a term which may extend to two years, or with fine
which may extend to one lakh rupees, or with both.
Section 3 of the Evidence Act 1872 provides for interpretation or definition of certain words
or expressions used in the Act. The said section was amended to include electronic records
also in the definition of the term "evidence". Further section 47A has been inserted to provide
that when the Court has to form an opinion as to the electronic signature of any person, the
opinion of the Certifying Authority which has issued the electronic Signature Certificate is a
relevant fact.
Section 67A has been inserted which protects the secure electronic Signature (DS). It provides that if the electronic signature of any subscriber is alleged to have been affixed to an electronic record, the fact that such electronic signature is the electronic signature of the subscriber must be proved, except when the same is a secure electronic signature. Section 73A has been newly inserted to provide that the court may direct the concerned person or Certifying Authorities (CA) to ascertain whether the DS is that of the person by whom it is purported to have been affixed. It may also direct any other person to apply the public key listed in the electronic Signature Certificate and verify the electronic signature purported to have been affixed by that person.
Section 85B(1) provides that in any proceedings involving a secure electronic record, the Court shall presume, unless the contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates. Section 85B(2) provides that unless the contrary is proved the Court shall presume that the secure electronic signature is affixed by the subscriber with the intention of signing or approving the electronic record. It further provides that there shall be no presumption relating to the authenticity and integrity of the electronic record or any electronic signature if the same is not secure. Section 85C deals with situations where the Court shall presume, unless the contrary is proved, that the information listed in an Electronic Signature Certificate is correct, except for information specified as subscriber information which has not been verified, if the certificate was accepted by the subscriber.[13]
Section 73A has been inserted to provide the same provision as in section 47A of the Indian Evidence Act discussed above in this article. Section 464 has also been amended to provide that the said section shall be made applicable to electronic records and electronic signatures also. Section 464 deals with situations when a person is said to make a false document or electronic record. Section 466 provides for forging of electronic records also. There are amendments to sections 4, 40, 118 and 119 also, which are not dealt with in this article for want of space.[14]
Breach of Confidentiality and Privacy
The Act provides data protection provisions and considers breach of confidentiality &
privacy as an offence.
Section 72 Breach of confidentiality and privacy
The aforesaid section provides that any person who, in pursuant of any of the powers
conferred under this Act, rules or regulations made there under, has secured access to any
electronic record, book, register, correspondence, information, document or other material
without the consent of the person concerned discloses such electronic record, book, register,
correspondence, information, document or other material to any other person shall be
punished with imprisonment for a term which may extend to two years, or with fine which
may extend to one lakh rupees, or with both.
which may extend to three years, or with a fine which may extend to five lakh rupees, or with
both.
The Act talks about the widest jurisdiction power. It aims to bring within the jurisdiction of Indian courts any act which is an offence under the Act. Section 1(2) of the Act states that: "It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention thereunder committed outside India by any person."
Also, S. 75 of the Act is widely defined and it extends jurisdiction to any offence or contravention committed outside India by any person. Further, under this provision the nationality of a person is not a relevant consideration. But in cases of cross-border issues, the Act is silent.[15]
Further, section 76 provides that all devices, whether computer, computer system, floppies, compact disks, tape drives or any other storage, communication, input or output device, which helped in the contravention of any provision of this Act, rules, orders or regulations made thereunder are liable to be confiscated. Moreover, section 77 provides that compensation, penalties or confiscation shall not interfere with other punishment.
15 Dr. G A Solanki, "Jurisdiction in Cyber Space: Where to File a Suit?", Volume 1, Issue 10, October 2012, ISSN 2250-1991, available at http://theglobaljournals.com/paripex/file.php?val=NTQy
Section 78 of the Act is amended to confer the power to investigate offences under the Act from DSP level to Inspector level. This will be instrumental in quicker investigation of cybercrime cases, provided adequate tools and training are provided.
Section 80 has been amended and the power to enter and search in a public place is now vested in any police officer not below the rank of inspector or any authorised officer of the central government or state government. Such officer is empowered to arrest without warrant a person found therein who is reasonably suspected of having committed or of committing or being about to commit any offence under this Act. However, this section may be misused easily. Unless it is reasonably suspected that a person has committed, is committing or is about to commit an offence, he should not be arrested without warrant. Otherwise cybercafés, in particular, could be adversely affected.
This section provides that an intermediary shall not be liable for any third party information[16], data, or communication link hosted by him, if and only if:
(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored; or
(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.
Further, a new section 79A has been added, which provides that the Central Government may, for the purposes of providing expert opinion on electronic form evidence before any court or other authority, specify, by notification in the official Gazette, any department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.
16 "third party information" means any information dealt with by an intermediary in his capacity as an intermediary.
It is provided that this Act, being a special Act, shall have overriding effect. That is, the provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force [section 81], provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970.
The Hon’ble Supreme Court of India in case titled Sharat Babu Digumarti Vs. Govt. of
NCT of Delhi [MANU/SC/1592/2016] while dealing with the issue of overriding effect of
statute has observed that –
“28……It has to be borne in mind that IT Act is a special enactment. It has special
provisions. Section 292 of the Indian Penal Code makes offence sale of obscene
books, etc. but once the offence has a nexus or connection with the electronic record
the protection and effect of Section 79 cannot be ignored and negated. We are
inclined to think so as it is a special provision for a specific purpose and the Act has
to be given effect to so as to make the protection effective and true to the legislative
intent. This is the mandate behind Section 81 of the IT Act. The additional protection
granted by the IT Act would apply.……
32...... We have also referred to Sections 79 and 81 of the IT Act. Once the special
provisions having the overriding effect do cover a criminal act and the offender, he
gets out of the net of the Indian Penal Code and in this case, Section 292…”
Further, the amendment Act has introduced the following sections as well: modes or methods
of encryption [section 84A], punishment for abetment of offences [section 84B], and
punishment for attempt to commit offences [section 84C].
Insertion of this provision is of particular significance to BPO companies that handle such sensitive information in the regular course of their business. This provision is important to secure sensitive data and is hence a step in the right direction. However, the challenge is to first elucidate what qualifies as "reasonable security practices". The Act, in the explanation to Section 43A, indicates these are procedures designed to protect such information from 'unauthorised access, damage, use, modification, disclosure, or impairment, as may be specified in an agreement between parties' or as may be specified by any law for the time being in force and, in the absence of both, as may be prescribed by the Central Government in consultation with professional bodies/associations. The law explaining the definition of 'reasonable security practices' is yet to be laid down and/or the Central Government is yet to frame its rules thereon. Perhaps we can take guidance from certain foreign laws on data protection and the standards laid down in the European Union or by organisations such as the OECD on the protection of sensitive personal data. It is a challenge for the Central Government to prescribe, in consultation with professional bodies, the information that will fall within the meaning of "sensitive personal data or information". To describe what these parameters should be is beyond the scope of this Article but is an interesting issue for discussion.[17]
Section 85 of the Act introduces the concept of 'collective responsibility' of a company. Any contravention committed by a company would be tantamount to a contravention committed by every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of the business of the company.
The proviso to sub-section (1) of section 85 provides that any such person shall not be liable if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention. Knowledge here means actual or constructive knowledge and due diligence means reasonable steps taken by a person in order to avoid commission of an offence or contravention.
The sub-section (2) of section 85 makes any such director, manager, secretary or other officer
‘individually’ liable if it is proved that the contravention has taken place with the consent or
connivance of, or is attributable to any neglect on the part of any such person(s). The said
person(s) is liable to be proceeded against and punished as per the provisions of the Act.
Hence, it is important to distinguish between the two sub-sections: sub-section (1) highlights
collective responsibility and makes every person of the company liable, whereas sub-section
(2) creates individual liability only.
Other officers may include persons duly authorized by the Board of the Directors, managing
agent, constituted attorney etc.
Also, the Information Technology Act being a Central Act, under section 87 the Central Government is authorised to make rules to carry out the provisions of this Act. Also, under section 88, the Central Government has constituted the Cyber Regulations Advisory Committee to advise: (a) the Central Government regarding any rules or for any other purpose connected with this Act and (b) the Controller in framing the regulations under this Act. Further, section 90 grants limited power to the State Government to frame Rules vis-à-vis e-governance practices and procedures.
Conclusion
The Information Technology Act, 2000 and the (Amendment) Act, 2008 should be seen as
proactive legislation. This is a kind of omnibus legislation, which provides for a
regulatory mechanism vis-à-vis e-commerce, e-governance, electronic signatures (PKI), data
protection, cyber-crimes, investigation and confiscation procedures etc.
digital signatures. The importance of data protection in today’s information technology age
cannot be undermined, and it finds place in Sections 43, 43A, 66 and 72 of the IT Act, 2000. In this
era of convergence the definitions of ‘communication device’ and ‘intermediary’ have been
rightly inserted/revisited, and the validity of e-contracts is reinforced by the insertion of Section 10A.
Section 46(5)(c) of the IT Act is a welcome provision that empowers Adjudicating Officers
by conferring on the office of the Adjudicating Officer powers of execution at par with a civil
court. A plethora of new cybercrimes has been incorporated as offences under Chapter XI of the
amended Act to combat growing kinds of cybercrime, particularly serious crimes
such as child pornography and cyber terrorism. Intermediaries have been placed under
an obligation to maintain and provide access to sensitive information to appropriate agencies
to assist in solving cybercrime cases under Section 67C and Section 69. However, the liability of
ISPs has been revisited, and the onus shall lie on the complainant to prove lack of due diligence or
presence of actual knowledge on the part of the intermediary, as proving conspiracy would be difficult.
These are some of the challenges that cyberlaw enforcement teams will be faced with. The
power of interception of traffic data and communications over the internet will need to be
exercised in strict compliance with the rules framed under the respective Sections of the Act conferring
such powers of monitoring, collection, decryption or interception. The power of blocking
websites should also be exercised carefully and should not transgress into areas that amount
to unreasonable censorship. Many of the offences added to the Act are cognizable but
bailable, which increases the likelihood of tampering with evidence by a cybercriminal once he is
released on bail. The police must therefore play a vigilant role in collecting and preserving
evidence in a timely manner. For this, the police force will need to be well equipped with
forensic knowledge and trained in cyberlaws to effectively investigate cybercrime cases. The
introduction of the Examiner of Electronic Evidence will also aid in the effective analysis of digital
evidence and cybercrime prosecution.
Having discussed the new amendments and the challenges before the Indian cyberlaw regime,
employing the strategies recommended below can facilitate the enforcement of cyberlaws in
our country:
(1) Educating the common man and informing people about their rights and obligations in
cyberspace. The practical reality is that most people are ignorant of the laws of
cyberspace, the different kinds of cybercrimes, and the forums for redressal of their
grievances. There is an imperative need to impart the required legal and technical
training to our law enforcement officials, including the Judiciary and the Police,
to combat cybercrimes and to effectively enforce cyberlaws.
(2) The reporting and access points in the police department require immediate attention. Within
the domestic territory, every local police station should have a cybercrime cell that can
effectively investigate cybercrime cases. Accessibility is one of the greatest
impediments to the delivery of speedy justice.
(3) Also, we have only one Government-recognised forensic laboratory in India, at
Hyderabad, which prepares forensic reports in cybercrime cases. We need more such
labs to efficiently handle the increasing volume of cybercrime investigation cases.
Trained and well-equipped law enforcement personnel at local, state and global
levels can ensure proper collection of evidence, proper investigation, mutual
cooperation and prosecution of cyber cases.
(4) Further, under Section 79 of the IT Act, 2000 no guidelines exist for ISPs to
mandatorily store and preserve logs for a reasonable period to assist in tracing IP
addresses in cybercrime cases. This needs urgent attention and prompt action.
Although, by Section 1(2) read with Section 75 of the IT Act, 2000, India assumes prescriptive
jurisdiction to try an accused for offences committed by any person of any nationality outside
India that involve a computer, computer system or network located in India, on the
enforcement front, without a duly signed extradition treaty or a multilateral cooperation
arrangement, the trial of such offences and conviction is a difficult proposition.
The IT (Amendment) Act, 2008 is a step in the right direction; however, there are still certain
lacunae in the Act, which will surface as the amendments are tested on the anvil of time
and advancing technologies!18
18 Refer Supra note 19
Amendment to various enactments like the Indian Penal Code, 1860, Indian
Evidence Act, 1872, Bankers’ Books Evidence Act, 1891 and Reserve Bank of India
Act, 1934
The Information Technology Act, 2000 brought various amendments to the Acts given below.
(1) The Indian Penal Code, 1860
(a) Section 29A was inserted, which defines “electronic record” as having the same
meaning as given under Section 2, sub-section (1), clause (t) of the Information Technology
Act, 2000. An electronic record comprises data, record or data generated, image or sound
stored, received or sent in an electronic form or micro film or computer generated
micro fiche (with effect from 17-10-2000).
(b) In Section 167, the words “electronic record” were added. Section 167 deals with a
public servant framing an incorrect document with the intent to cause injury. With
this change, a public servant can now be charged for framing an incorrect electronic record.
(c) Section 172: with this change, a person can now be made liable for failure to produce
an “electronic record” in a Court of Justice in response to a summons, notice or order.
(d) Section 173, which deals with intentionally preventing the service of summons or
other proceeding, or its publication: the words “electronic record” were added to the
existing provision.
(e) Section 175: the words “electronic record” were added; the section makes a person liable
for omission to produce a document or electronic record to a public servant or Court of
Justice which the person is legally bound to produce.
(f) Section 192, which provides punishment for fabricating false evidence: the words
“electronic record” were added, and it now reads “make any false entry in any book
or record or electronic record, or make any document or electronic record containing
a false statement”.
(g) Section 204, which deals with the secretion or destruction of a document which
was to be produced before the court: the words “electronic record” were added to
the existing provision.
(h) Section 463, which deals with forgery: “electronic record” was added, and the section
now says “whoever makes any false document or false electronic record or part of a
document or electronic record”.
(i) Section 464, which deals with making a false document: certain changes were made,
namely the addition of “false electronic record” in the opening line, which now reads
“A person is said to make a false document or false electronic record”, covering also a
person who makes or transmits the electronic record.
(j) Section 466, which deals with forgery of a record of Court or of a public register
etc.: “Whoever forges a document” was substituted with “Whoever forges a document or an
electronic record”. For the purposes of this section, a register includes any list, data or
record of any entries maintained in electronic form as defined in clause (r) of sub-section (1)
of section 2 of the Information Technology Act, 2000.
(k) Section 468, which deals with forgery for the purpose of cheating: “electronic record”
was added, and the provision now reads “whoever commits forgery, intending that the
document or electronic record forged shall be used for the purpose of cheating, shall be
punished”.
(l) Section 469, which deals with forgery for the purpose of cheating: “electronic record”
was added to the existing provision.
(m) Section 470, which deals with “a forged document”: the word “document” at both
places was substituted by “document or electronic record”.
(n) Section 471, which deals with using a forged document: “document or electronic record”
was substituted wherever “document” was used.
(o) Section 474: the words “whoever has in his possession any document” are substituted
by “whoever has in his possession any document or electronic record”, as described in
Section 466 of the Code.
(p) Section 476, which deals with counterfeiting a device or mark used for
authenticating documents other than those described in section 467, or possessing
counterfeit marked material: the words “any document” were substituted with “any
document or electronic record”.
(q) Section 477A, which deals with falsification of accounts: the words “book, paper,
writing” at both places were replaced with the words “book, electronic record, paper,
writing”.
(2) The Indian Evidence Act, 1872
(a) In Section 3, the words “electronic records” were inserted, and the provision now reads
“all documents including electronic records produced for the inspection of the Court;
such documents are called documentary evidence”.
(b) In Section 17, for the words “oral or documentary” the words “oral or documentary or
contained in electronic form” were substituted; this section deals with the statements
that are considered admissions.
(c) After Section 22, Section 22A was inserted, which provides when oral admissions as to
the contents of electronic records are relevant.
(d) In Section 34, “electronic form” was added; this falls under statements made under
special circumstances and deals with entries in books of account, including those
maintained in electronic form, when relevant.
(e) In Section 35, wherever “record” was used it was replaced with “record or an
electronic record”.
(f) In Section 39, which comes under how much of a statement is to be proved and deals
with the evidence whose evidentiary value is taken, “electronic record” was added; the
court has to be really careful while assessing the evidentiary value of an electronic record.
(g) Section 47A was inserted after Section 47, which deals with opinion as to electronic
signature when relevant.
(h) In Section 59, for the words “contents of documents” the words “contents of documents
or electronic records” were substituted.
(i) After Section 65, Section 65A was inserted, which provides special provisions as to
evidence relating to electronic records.
(j) A very significant provision was included, Section 65B, which deals with the
admissibility of electronic records.
(k) After Section 67, Section 67A was inserted, which deals with proof as to electronic
signature.
(l) After Section 73 of the Indian Evidence Act, Section 73A was added, which deals with
proof as to verification of digital signature.
(m) After Section 81, Section 81A was inserted, which is the presumption as to
electronic agreements.
(n) After Section 85, Sections 85A, 85B and 85C were inserted, which deal with the
presumptions as to electronic agreements, electronic records and electronic signatures,
and electronic signature certificates.
(o) After Section 88, Section 88A was inserted, which deals with the presumption as to
electronic messages.
(p) After Section 90, Section 90A was inserted, which is the presumption as to
electronic records five years old.
(q) Section 131 was substituted so as to cover the production of documents or electronic
records which another person, having possession, could refuse to produce.
(3) The Bankers’ Books Evidence Act, 1891
Prior to the amendment, any evidence brought before the court was required to be the original
ledger or other register. With the amendment, bankers’ books include ledgers, day-books,
cash-books, account-books and all other books used in the ordinary business of a bank,
whether kept in written form or as printouts of data stored in a floppy, disc, tape or
any other form of electro-magnetic data storage device. With the introduction of the
Information Technology Act, the following amendments were made:
(a) In Section 2, clause (3), bankers’ books include ledgers, day-books, cash-books,
account-books and all other books used in the ordinary business of a bank, whether
kept in written form or as printouts of data stored in a floppy, disc, tape or any
other form of electro-magnetic data storage device.
(b) In Section 2, clause (8), which deals with what is taken into account while issuing
the “certified copy” of any bank statement, the certified copy is described in two ways:
(i) when the books of a bank are stored in any electro-magnetic data storage device;
and
(ii) when the books of a bank are stored in a floppy, disc, tape or any other electro-
magnetic data storage device, the printout of such entry or a copy of such printout
together with such statements certified in accordance with the provisions of Section 2A.
(c) After Section 2, Section 2A was inserted, which lays down the conditions in the printout:
a certificate relating to the printout of the entry or copy of the printout by the principal
accountant or branch manager, a certificate by the person in charge of the computer system
containing a brief description of the computer system, and a further certificate describing
the state of the computer system to the best of the knowledge of the person in charge of
the computer system.
The Information Technology (Procedure and Safeguards for Interception,
Monitoring and Decryption of Information) Rules, 2009 and Corresponding
International Legislation in US, UK & Europe
In exercise of the powers conferred by clause (y) of sub-section (2) of section 87, read with sub-
section (2) of section 69A of the Information Technology Act, 2000, the Central Government
hereby makes the following rules:
Rule 2: Definitions
Rule 2 defines the terms Act, communication, communication link, competent authority,
computer resource, decryption, decryption assistance, decryption direction, decryption key,
decryption key holder, information, interception device, intermediary, monitor, monitoring
device and review committee.
Here a direction is given to the competent authority, which says that the competent authority
should acquire the necessary information as needed; under rule 3 such a direction is to be
issued only when it is not possible to acquire the information by any other means.
Rule 10: Direction to specify the name and designation of the officer to whom
information is to be disclosed
A direction under rule 3 shall specify the name and designation of the authorised officer to
whom the disclosure of information is authorised, and shall be subject to the provisions of
section 69, sub-section (1) of the said Act.
Rule 17: Decryption key holder to disclose decryption key or provide decryption
assistance
In accordance with Rule 12, a decryption direction is addressed by the Nodal Officer to the
decryption key holder for disclosing the decryption key or providing decryption assistance.
UK Investigatory Powers Act, 2016
Section 45 provides for interception by providers of postal or telecommunications services:
(3) A reference in this section to anything carried out for purposes relating to the provision or
operation of a telecommunications service includes, among other things, a reference to
anything done for the purposes of identifying, combating or preventing anything which
could affect—
(a) any telecommunication system by means of which the service is provided, or
(b) any apparatus attached to such a system.
The Information Technology (Procedure and Safeguards for Blocking for Access
of Information by Public) Rules, 2009 and Corresponding International
Legislation in US, UK & Europe
IT (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009,
vide G.S.R. 781(E), dated 27/10/2009, which came into force on 27/10/2009:
These rules are framed in exercise of the powers conferred by Section 87(2)(z) r/w Section 69A(2)
of the IT Act.
Rule 3 provides for a Designated Officer, not below the rank of Joint Secretary
(JS), for the purpose of issuing directions for blocking for access by the public any information
generated, transmitted, received, stored or hosted in any computer resource u/s 69A(2).
Rule 5 provides for the issue of directions to block for access by the public by the Designated
Officer (DO).
Rule 6 provides the procedure for forwarding a request to block by an organisation in the
prescribed format.
Rule 7 provides for the formation of a Committee for examination of requests, consisting of the DO as
Chairperson and representatives not below the rank of JS from the Ministries of Law & Justice, Home
Affairs, and Information & Broadcasting, and the Indian CERT appointed under Section 70B(1).
Rule 8 provides the detailed procedure for examination of requests received under Rules 6 and
7, including identification of the person/intermediary, issue of notice for appearance, and
adjudication.
Rule 10 provides the process for blocking of information in the case of an order from a
competent court in India for blocking any information or part of it in a computer resource: the
DO shall submit a certified copy of the court order to the Secretary, DoIT and also initiate
action.
Rule 11 provides for expeditious disposal of requests within 7 working days from the
date of receipt of the request.
Rule 12 provides for action for non-compliance with a direction by an intermediary: the DO shall, with
the prior approval of the Secretary, DoIT, initiate appropriate action for breach of rule 9.
Rule 13 provides that an intermediary shall designate one person to receive and handle directions for
blocking of access by the public, and the designated person of the intermediary shall acknowledge
receipt of the direction to the DO within 2 hours of receipt of the direction through email/fax
signed with electronic signature.
Rule 14 provides for meetings of the Review Committee once in every two months to record
whether the directions issued under these rules are in accordance with the provisions of
Section 69A(1) of the Act.
Rule 15 provides for maintenance of complete records with respect to requests received and
action taken thereon by the Designated Officer.
Rule 16 provides that requests and complaints received and actions taken thereon are to be kept
confidential.
The Apex Court in the matter of Shreya Singhal vs. Union of India
[MANU/SC/0329/2015] has observed that:
“107. Section 69A of the Information Technology Act has already been set out in paragraph 2
of the judgment. Under Sub-section (2) thereof, the 2009 Rules have been framed. Under Rule
3, the Central Government shall designate by notification in the official gazette an officer of
the Central Government not below the rank of a Joint Secretary as the Designated Officer for
the purpose of issuing direction for blocking for access by the public any information
referable to Section 69A of the Act. Under Rule 4, every organization as defined Under Rule
2(g), (which refers to the Government of India, State Governments, Union Territories and
agencies of the Central Government as may be notified in the Official Gazette by the Central
Government)-is to designate one of its officers as the "Nodal Officer". Under Rule 6, any
person may send their complaint to the "Nodal Officer" of the concerned Organization for
blocking, which complaint will then have to be examined by the concerned Organization
regard being had to the parameters laid down in Section 69A(1) and after being so satisfied,
shall transmit such complaint through its Nodal Officer to the Designated Officer in a format
specified by the Rules. The Designated Officer is not to entertain any complaint or request for
blocking directly from any person. Under Rule 5, the Designated Officer may on receiving
any such request or complaint from the Nodal Officer of an Organization or from a competent
court, by order direct any intermediary or agency of the Government to block any information
or part thereof for the reasons specified in 69A(1). Under Rule 7 thereof, the
request/complaint shall then be examined by a Committee of Government Personnel who
Under Rule 8 are first to make all reasonable efforts to identify the originator or intermediary
who has hosted the information. If so identified, a notice shall issue to appear and submit
their reply at a specified date and time which shall not be less than 48 hours from the date
and time of receipt of notice by such person or intermediary. The Committee then examines
the request and is to consider whether the request is covered by 69A (1) and is then to give a
specific recommendation in writing to the Nodal Officer of the concerned Organization. It is
only thereafter that the Designated Officer is to submit the Committee's recommendation to
the Secretary, Department of Information Technology who is to approve such requests or
complaints. Upon such approval, the Designated Officer shall then direct any agency of
Government or intermediary to block the offending information. Rule 9 provides for blocking
of information in cases of emergency where delay caused would be fatal in which case the
blocking may take place without any opportunity of hearing. The Designated Officer shall
then, not later than 48 hours of the issue of the interim direction, bring the request before the
Committee referred to earlier, and only on the recommendation of the Committee, is the
Secretary Department of Information Technology to pass the final order. Under Rule 10, in
the case of an order of a competent court in India, the Designated Officer shall, on receipt of
a certified copy of a court order, submit it to the Secretary, Department of Information
Technology and then initiate action as directed by the Court. In addition to the above
safeguards, Under Rule 14 a Review Committee shall meet at least once in two months and
record its findings as to whether directions issued are in accordance with Section 69A(1) and
if it is of the contrary opinion, the Review Committee may set aside such directions and issue
orders to unblock the said information. Under Rule 16, strict confidentiality shall be
maintained regarding all the requests and complaints received and actions taken thereof.
……
(a)…..
(b) Section 69A and the Information Technology (Procedure & Safeguards for Blocking
for Access of Information by Public) Rules 2009 are constitutionally valid.”
The Information Technology (Procedure and Safeguards for Monitoring and
Collecting Traffic Data or Information) Rules, 2009 and Corresponding
International Legislation in US, UK & Europe
Rule 3: No directions for monitoring and collection of traffic data or information u/s 69B of the IT Act,
2000 shall be issued except by an order made by the competent authority. The competent
authority may issue directions for monitoring cyber incidents like security breaches etc. The
reasons for any such direction shall be recorded by the competent authority and
forwarded to the review committee within a period of 7 days from the issue of such directions.
Rule 4: The competent authority may authorise any agency of the Government for
monitoring and collection of information generated, transmitted or received in any computer
resource. The agency shall appoint a nodal officer not below the rank of Deputy Secretary
to the Government of India to send the requisition conveying directions under Rule 3 to any
person in charge of the computer resource or any concerned intermediary. The requisition
conveying directions for monitoring shall be made in writing or via email. The intermediary
or the person in charge of the computer resource shall maintain proper records of requisitions
received by him.
Rule 5: The intermediary or person in charge of the computer resource shall put in place
effective internal checks so that there is no unauthorised monitoring.
Rule 6: The intermediary, its employees or the person in charge of the computer resource
shall be responsible for any violation of the provisions of the IT Act, 2000 relating to maintaining
secrecy and confidentiality.
Rule 7: The review committee shall meet at least once in 2 months to check whether the
directions issued under rule 3 are in accordance with section 69B of the Act.
Rule 8: The electronic records pertaining to such directions for monitoring or collection of
data shall be destroyed after the expiry of 9 months from the receipt of such direction/
creation of the record.
Rule 9: Any person who, without authorisation, collects information or attempts to
monitor data at any place within India shall be punished under the relevant
provisions of the law.
Rule 10: The person who monitors or collects information shall not disclose the data to
anyone except for the purpose of cyber threats and incidents, for investigation, or in judicial
proceedings before a competent court in India.
Rule 11: The person maintaining information under these rules shall adhere to strict
confidentiality.
The Act brings together all other investigatory powers which involve intrusion into
communications or private lives, including:
(a) The interception and reading of communications - this can only be carried out if
approved in person by the Home Secretary.
(b) "Interference" with computers - including hacking - to acquire information or for some
other investigative reason.
(d) The collection of massive amounts of internet or phone data so that it can be later
sifted looking for leads and patterns of criminality.
The Investigatory Powers Act, 2016 created a new body of commissioners, headed by the
Investigatory Powers Commissioner, responsible for overseeing the use of all investigatory
powers.
The Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2009 and Corresponding
International Legislation in US, UK & Europe
The Department of Information Technology notified the 2011 Rules on April 11, 2011 vide
notification no. G.S.R. 313(E). A summary of the 2011 Rules is as follows:
The Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011 only apply to bodies corporate and persons located
in India.
Rule 3 of the 2011 Rules provides a list of items that are to be treated as “sensitive personal
data”, and includes inter alia information relating to passwords, credit/debit card
information, biometric information (such as DNA, fingerprints, voice patterns, etc. that are
used for authentication purposes), physical, physiological and mental health condition, etc. It
is further clarified that any information that is freely available or accessible in the public domain
is not considered to be sensitive personal data.
Rule 4 imposes a duty on a body corporate seeking sensitive personal data to draft a privacy
policy and ensure that it is easily accessible to the people who are providing the
information. The privacy policy should be clearly published on the website of the body
corporate and shall provide for-
Rule 5 provides the guidelines that need to be followed by a body corporate while collecting
information and imposes the following duties on the body corporate:
(a) Obtain consent from the person(s) providing information, in writing or by fax or by e-
mail, before collecting such sensitive personal data.
(b) Information shall not be collected unless it is for a lawful purpose and is considered
necessary for that purpose.
(c) Ensure that the person(s) providing information are aware of the fact that the
information is being collected, its purposes and recipients, and the names and addresses of the
agencies collecting and retaining the information;
(d) Retain the information for no longer than is required for the purposes for which the
information may lawfully be used;
(e) Offer the person(s) providing information an opportunity to review the information
provided and make corrections, if required;
(f) Before collection of the information, provide an option to the person(s) providing
information to not provide the information sought;
(g) Maintain the security of the information provided; and
(h) Designate a Grievance Officer, whose name and contact details should be on the website.
A maximum period of one month has been provided for resolution of such grievances.
Rule 6 provides that a body corporate must seek the prior permission of the information
provider before disclosing such information to a third party. However, no prior permission is
required if the request for such information is made by government agencies mandated under law
or by any other third party under an order made under law.
Rule 7 provides that a body corporate may transfer sensitive material to any other body
corporate, which has to adhere to the same rules as the former.
Rule 8 provides the reasonable security practices and procedures that may be implemented
by a body corporate. The International Standard IS/ISO/IEC 27001 is one such standard
which can be implemented by a body corporate to maintain data security.
Everyone responsible for using data has to follow strict rules called ‘Data Protection
Principles’. They must make sure the information is:
(a) used fairly and lawfully
(b) used for limited, specifically stated purposes
(c) used in a way that is adequate, relevant and not excessive
(d) accurate
(e) kept for no longer than is absolutely necessary
(f) handled according to people’s data protection rights
(g) kept safe and secure
(h) not transferred outside the European Economic Area without adequate protection
There is stronger legal protection for more sensitive information, such as:
(a) ethnic background
(b) political opinions
(c) religious beliefs
(d) health
(e) sexual health
(f) criminal records
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation
by which the European Parliament, the Council of the European Union and the European
Commission intend to strengthen and unify data protection for all individuals within the
European Union (EU).
Definition of Sensitive Data under the GDPR: Data consisting of racial or ethnic origin,
political opinions, religious or philosophical beliefs, or trade union membership, genetic data,
biometric data, data concerning health or data concerning a natural person's sex life or sexual
orientation.
Any processing of sensitive data must satisfy the consent requirements: consent must be freely given, specific,
informed and unambiguous. Requests for consent should be separate from other terms, and be
in clear and plain language. A data subject’s consent to processing of their personal data must
be as easy to withdraw as to give. Consent must be “explicit” for sensitive data. The data
controller is required to be able to demonstrate that consent was given.
The GDPR establishes a tiered approach to penalties for breach which enables the DPAs to
impose fines for some infringements of up to the higher of 4% of annual worldwide turnover
and EUR20 million (e.g. breach of requirements relating to international transfers or the basic
principles for processing, such as conditions for consent). Other specified infringements
would attract a fine of up to the higher of 2% of annual worldwide turnover and EUR10m.
(b) Conduct a data protection impact assessment for more risky processing (DPAs may
compile lists of what is caught); and
(c) Implement data protection by design and by default, e.g. data minimisation.
One of the key changes in the GDPR is that data processors have direct obligations for the
first time. These include an obligation to: maintain a written record of processing activities
carried out on behalf of each controller; designate a data protection officer where required;
appoint a representative (when not established in the EU) in certain circumstances; and notify
the controller on becoming aware of a personal data breach without undue delay. The
provisions on cross-border transfers also apply to processors, and BCRs for processors are
formally recognised. The new status of data processors will likely impact how data
protection matters are addressed in supply and other commercial agreements.
An independent EDPB (European Data Protection Board) is to replace the Article 29
Working Party and will comprise the European Data Protection Supervisor and the senior representatives of the
national DPAs. Its role includes issuing opinions and guidance, ensuring consistent
application of the GDPR and reporting to the European Commission.