A Basic Guide to Indian IT Amendment Act 2008 for all Cyber Security Professionals | Lucideus Research


Introduction
This document covers the relevant changes to the sections of the Indian IT Act 2000. The Indian Information Technology Act 2000 was based on the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. The Act was enacted to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to traditional or paper-based methods of communication and storage of information, and to facilitate electronic filing of documents with Government agencies. After the IT Act 2000, a new Act of Parliament, named the IT Amendment Act 2008, received the assent of the President on 5th February 2009.

SECTION 3 - Authentication Of Electronic Records By Use Of Digital Signature
The Act provides that the authentication of the electronic record can be effected by the use of an asymmetric cryptosystem and hash function, which envelop and transform the initial electronic record into another electronic record. The digital signature is created in two distinct steps.


  • The electronic record is converted into a message digest by using a mathematical function known as a “hash function”, which digitally freezes the electronic record, thus ensuring the integrity of the content of the intended communication contained in the electronic record.
  • That two different electronic records can produce the same hash result using the algorithm. 


SECTION 3A - Authentication Of Electronic Records By Use Of Electronic Signature
  • The signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and to no other person.
  • The signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person.
  • Any alteration to the electronic signature made after affixing such signature is detectable.
  • Any alteration to the information made after its authentication by electronic signature is detectable.
  • It fulfils such other conditions which may be prescribed.

SECTION 4 - Electronic Records
Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is—rendered or made available in an electronic form; and accessible so as to be usable for a subsequent reference.

SECTION 5 - Legal recognition of Electronic Signatures
This section provides the legal recognition of Digital Signatures.

SECTION 6 - Foundation of Electronic Governance
It lays down the foundation of Electronic Governance. It provides that the filing of any form, application or other documents, creation, retention or preservation of records, issue or grant of any license or permit or receipt or payment in Government offices and its agencies may be done through the means of electronic form.

SECTION 6A -  Delivery of services by service provider.

For the purposes of this section, service provider so authorised includes any individual, private agency, private company, partnership firm, sole proprietor firm or any such other body or agency which has been granted permission by the appropriate Government to offer services through electronic means in accordance with the policy governing such service sector.

The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate such service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.

Subject to the provisions of sub-section (2), the appropriate Government may authorise the service providers to collect, retain and appropriate service charges under this section notwithstanding the fact that there is no express provision under the Act, rule, regulation or notification under which the service is provided to collect, retain and appropriate e-service charges by the service providers.

The appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section:
Provided that the appropriate Government may specify different scale of service charges for different types of services.

SECTION 7 - Retention Of Records
Where any law provides that documents, records or information be retained for a specific period, then the requirement will be said to have been met if the documents are retained in electronic format and if the information contained therein remains accessible so as to be usable for subsequent reference in the format it was originally created, generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received, including the details of the identification of the origin, destination, dispatch or receipt of such electronic record are available in the electronic record.

SECTION 7 A - Audit of Documents Etc Maintained in Electronic Form
Where in any law for the time being in force, there is a provision for audit of documents, records or information, that provision shall also be applicable for audit of documents, records or information processed and maintained in the electronic form.


                  SECURE ELECTRONIC RECORDS AND SIGNATURES 


SECTION 14 - Secure Electronic Record
Where any security procedure is applied to an electronic record, at a specific point of time, then from such point onwards up to the time of verification, the record is deemed to be a secure electronic record. 

SECTION 15 - Secure Electronic Signature
An electronic signature shall be deemed to be a secure electronic signature if the signature creation data, at the time of affixing signature, was under the exclusive control of signatory and no other person; and the signature creation data was stored and affixed in such exclusive manner as may be prescribed.


                  REGULATION OF CERTIFYING AUTHORITIES 

SECTION 17 - Appointment of Controllers and their Officers
For the words “Assistant Controllers”, the words “, Assistant Controllers, other officers and employees” shall be substituted.

SECTION 19 - Recognition of Foreign Certifying Authorities
The CCA, with the prior approval of the Central Government and subject to the conditions can recognise any foreign CA as a CA for the purposes of this Act. Once a foreign CA is granted recognition by the CCA, an Electronic Signature Certificate issued by such Certifying Authority will be valid for the purposes of this Act. 

SECTION 21 - License to Issue Signature Certificates
Any person can obtain a license to issue an ESC by making an application to the CCA. After receiving the application the CCA verifies whether or not such an applicant has satisfied the eligibility criteria, as specified by the Central Government in respect of qualification, expertise, manpower, financial resources and other infrastructure facilities.

SECTION 22 - License for Applications
Every application is required to be in the prescribed form. Along with the application the applicant is also required to file a certification practice statement, a statement including the procedures with respect to identification of the applicant etc.

SECTION 43 - Penalty For Damage To Computer, Computer System, Etc.
In the marginal heading, for the word “Penalty”, the words “Penalty and Compensation” shall be substituted.
In clause (a), after the words “computer network”, the words “or computer resource” shall be inserted.

SECTION 45 
Provides for residuary penalty. Whoever contravenes any rules or regulations made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation of 25,000 INR to the person affected by such contravention or a penalty not exceeding twenty-five thousand rupees.


                      OFFENCES LISTED WITH PUNISHMENT AND FINES


The Act has specified that tampering with computer source documents, hacking a computer system, publishing information which is obscene in electronic form, failure of a CA or its employees to follow the directions or orders of the CCA, failure to comply with directions of the Controller to a subscriber to extend facilities to decrypt information, accessing a protected system without proper authorization, material misrepresentation, publishing an Electronic Signature Certificate with false particulars, publication for a fraudulent purpose, sending of grossly offensive information, false information, etc. will be offences. (Some facts can be the same as in the IT Act 2000.)

Under the IT Amendment Act 2008, the area of cyber security is handled by the Indian Computer Emergency Response Team (CERT-In).

SECTION 65 - Tampering with computer source code documents 
If any person knowingly or intentionally conceals, destroys or alters, or intentionally or knowingly causes another to conceal, destroy or alter, any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force.
Imprisonment upto 3 years and Fine upto 200,000 INR.

SECTION 66 - Hacking with computer system dishonestly or fraudulently 
If any person dishonestly or fraudulently does any act which results in damage to a computer or a computer system, or secures unauthorized access to a secure computer system, or downloads or copies data etc. (acts described under section 43 of the Act), then he can be punished with a prison term which can extend up to two years or with a fine which can extend up to ₹Five Lakhs or both. Here the Act refers to the Indian Penal Code for interpreting the meaning of the words “dishonestly” and “fraudulently”.
Imprisonment upto 3 years and Fine upto 500,000 INR.

*SECTION 66 A - Punishment for sending offensive messages through communication service
Any person who sends, by means of a computer resource or a communication device, any information that is grossly offensive or has menacing character; or which he knows to be false, or sends any electronic mail or message so as to mislead the addressee about the origin of such message, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently by making use of such computer resource or a communication device, shall be punishable with imprisonment for a term which may extend to three years and with fine.
Imprisonment upto 3 years and Fine upto 100,000 INR or both.

SECTION 66 B - Dishonestly receiving and retaining any stolen computer resource or communication device is also made punishable by amendment.
Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen shall be punished.
Imprisonment upto 3 years and Fine upto 100,000 INR or both.

SECTION 66 C - Identity Theft 
Whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment.
Imprisonment upto 3 years and Fine upto 100,000 INR or both.

SECTION 66 D - Cheating by Personation by using computer resource 
Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment for a term.
Imprisonment upto 3 years and Fine upto 100,000 INR or both.

SECTION 66 E - Violation of Privacy 
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished.
Imprisonment upto 3 years and Fine upto 200,000 INR or both.

SECTION 66 F - Punishment for cyber terrorism
Any person with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by denying or cause the denial of access to any person authorized to access computer resource or attempting to penetrate or access a computer resource without authorisation or exceeding authorized access or introducing or causing to introduce any Computer Contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70, or knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorized access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism. 
Imprisonment for Life. 


SECTION 67 - Publish or transmit Obscene material - 1st time & Subsequent Obscene in Electronic Form
Whoever publishes or transmits or causes to be published or transmitted in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished.
First conviction with imprisonment of three years and with fine of 5,00,000 INR, and in the event of second or subsequent conviction with imprisonment of five years and also with fine of 10,00,000 INR.

  • SECTION 67 A - Punishment for publishing or transmitting of material containing sexually explicit acts, etc., in Electronic Form
    Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished.

    First conviction with Imprisonment of Five years and with Fine of 10,00,000 INR and in the event of Second or subsequent conviction with Imprisonment of Seven Years and also with Fine of 10,00,000 INR.
  • SECTION 67 B - Punishment for publishing or transmitting of material depicting children in sexually explicit acts, etc., in Electronic Form
    Whoever publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct or creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or facilitates abusing children online or records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished.
    "Children" means a person who has not completed the age of 18 years.

    First Conviction with Imprisonment of Five Years and with a fine of 10,00,000 INR and in the event of Second or subsequent conviction with imprisonment of seven years and also with fine of 10,00,000 INR.
  • SECTION 67 C - Preservation and Retention of Information by Intermediaries
    An intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe, and any intermediary who intentionally or knowingly abstains from doing the same shall be punished.
    Imprisonment for Three years and shall also be liable to fine which is not defined.

    SECTION 68 - Controller’s directions to certifying Authorities or any employees failure to comply knowingly or intentionally
    Any person who intentionally or knowingly fails to comply with any order under sub-section shall be guilty of an offence and shall be liable on conviction. 
    Imprisonment for Two years or a Fine of 1,00,000 INR or with Both.

    SECTION 69 - Power to issue directions for interception or monitoring or decryption of any information through any computer resource
    The CCA can direct a CA or the employees of such a CA to take such measures or cease carrying on such activities as specified in the order if those are necessary to ensure compliance with the provisions of this Act, Rules or any Regulations made there under. Any person intentionally or knowingly failing to comply with such an order will have committed an offence and will be liable on conviction.
    Imprisonment for Two years or to a Fine of 1,00,000 INR or to both. 
    • SECTION 69 A - Power to issue directions for blocking for public access of any information through any computer resource: Where the Central Government or a State Government, or any of its officers specially authorized by the Central Government or the State Government, as the case may be, in this behalf, is satisfied that it is necessary or expedient to do so in the interest of the sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence relating to the above, it may subject to the provisions of sub-section. The Government is required to specify safeguards, subject to which the interception or monitoring or decryption is to be done. Any person, be it a subscriber or an intermediary or any other person who is in charge of the computer resource, is bound to extend all possible cooperation, technical assistance and facility as may be required by the authorities to access or to secure access to the computer resource containing such information; generating, transmitting, receiving or storing such information or intercept or monitor or decrypt or block the information, as the case may be or provide information stored in computer resource.

      Imprisonment for Seven Years and also liable to fine or both.
    • SECTION 69 B - Power to authorise to monitor and collect traffic data or information through any computer resource for Cyber Security : The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorise any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource. The Intermediary or any person in-charge of the Computer resource shall when called upon by such agency provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating , transmitting, receiving or storing such traffic data or information. The government shall prescribe procedure and safeguards for monitoring and collecting traffic data or information. Any intermediary who intentionally or knowingly contravenes the provisions shall be punished.

      Imprisonment Three Years and shall also be liable to fine or both.
    • (i) “computer contaminant” shall have the meaning assigned to it in Section 43;
    • (ii) “traffic data” means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service and any other information.

    SECTION 70 - Protected Systems: Any unauthorised access to such systems
    The Government has notified certain computer resources as Critical Information Infrastructure to be a protected system. Critical Information Infrastructure refers to computer systems or resources the destruction or incapacitation of which would result in a debilitating impact on the national security, economy, public health or safety. The appropriate Government can, by notification in the Official Gazette, declare that any computer, computer system or computer network which directly or indirectly affects the facility of a Critical Information Infrastructure, to be a protected system and authorize the persons who are authorized to access protected systems. In this regard the Government can prescribe specific information security practices and procedures. Any person who secures unauthorized access or attempts to secure unauthorized access to a protected system can be punished.

    Imprisonment of Ten Years and can also be liable to fine or both. 
    • SECTION 70 A - National Nodal Agency: The Central Government may, by notification published in the Official Gazette, designate any organisation of the Government as the national nodal agency in respect of Critical Information Infrastructure Protection. The national nodal agency designated under sub-section shall be responsible for all measures including Research and Development relating to protection of Critical Information Infrastructure.
    • SECTION 70 B - Indian Computer Emergency Response Team (CERT-IN) to serve as national agency for incident response: The Central Government shall, by notification in the Official Gazette, appoint an agency of the Government to be called the Indian Computer Emergency Response Team. The Indian Computer Emergency Response Team shall serve as the national agency for performing the following functions in the area of cyber security: collection, analysis and dissemination of information on cyber incidents; forecast and alerts of cyber security incidents; emergency measures for handling cyber security incidents; coordination of cyber incidents response activities; issue of guidelines, advisories, vulnerability notes and white-papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents; and such other functions relating to cyber security as may be prescribed. For carrying out the above functions, the agency may call for information and give direction to the service providers, intermediaries, data centers, body corporate and any other person.

      Any service provider, intermediaries, data centers, body corporate or person who fails to provide the information called for or comply with such direction shall be punishable with Imprisonment for One year or with fine of 1,00,000 INR or with both. 

    SECTION 71 - Penalty for Misrepresentation or suppressing any material fact
    Whoever makes any misrepresentation to, or suppresses any material fact from, the Controller or the Certifying Authority for obtaining any licence or ESC, as the case may be, can be punished.

    Imprisonment to Two years, or with fine of 1,00,000 INR, or with both.  

    SECTION 72 - Penalty for breach of confidentiality and privacy of electronic records, books, information, etc. without consent of person to whom they belong
    No other person can breach the confidentiality and privacy of any sensitive or confidential electronic records, books, other information, raw data, etc. by making them public without the consent of the individual to whom they belong.
    Imprisonment for Ten Years, or with fine, or with both. 

    • SECTION 72 A - Punishment for Disclosure of Information in Breach of Lawful Contract: No individual can publish an Electronic Signature Certificate or otherwise make it available to any other person with the knowledge that the CA listed in the certificate has not issued it or the subscriber listed in the certificate has not accepted it or the certificate has been revoked or suspended, unless such publication is in the course of verifying an electronic signature created prior to such suspension or revocation. Such a contravention can be punished.

      Imprisonment for Two Years, or with fine of 1,00,000  INR, or with both.
       
    SECTION 73 - Penalty for publishing False Digital Signature Certificate 
    Whoever knowingly creates, publishes or otherwise makes available an ESC for any fraudulent or unlawful purpose can be punished.

    Imprisonment for upto two years, or with fine upto 1,00,000 INR, or with both. 

    SECTION 74 - Fraudulent Publication 
    Whoever knowingly creates, publishes or otherwise makes available any fraudulent document, which can be sensitive or insensitive, personal or impersonal, confidential or non-confidential, etc., for an unlawful purpose can be punished.
    Imprisonment for upto two years, or with fine upto 1,00,000 INR, or with both.

    SECTION 75 - Offences or Contravention committed outside India if the act or conduct constituting the offence involves a computer, computer system or computer network located in India
    The Act gives extra territorial jurisdiction in cases where the offence or contraventions are committed from outside India, by any person irrespective of his nationality. The provisions of this Act will apply also to any offence or contravention committed outside India by any person irrespective of his nationality if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India. No penalty imposed or confiscation made under this Act can prevent the imposition of any other punishment to which the person affected thereby is liable under any other law for the time being in force. 

    SECTION 76 - Confiscation of any computer, computer system, floppies, CDs, tape drives or other accessories related thereto in contravention of any provisions of the Act, Rules, Regulations or Orders made. 
    Any peripheral related to computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, orders or regulations made there under has been or is being contravened, will be liable to confiscation. Provided that where it is established to the satisfaction of the court adjudicating the confiscation that the person in whose possession, power or control any such computer, computer system, floppies, compact disks, tape drives or any other accessories relating thereto is found is not responsible for the contravention of the provisions of this Act, rules, orders or regulations made there under, the court can, instead of making an order for confiscation of such computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, make such other order authorized by this Act against the person contravening the provisions of this Act, rules, orders or regulations made there under as it may think fit.

    SECTION 77 - Compounding of offence - Penalty and Confiscation shall not interfere with other punishments provided under any law
    This exemption is available only if: The intermediary’s role is limited to providing access to a communication system over which third parties transmit information or temporarily store the same.
    • The intermediary does not Initiate the transmission
    • Select the receiver of transmission or,
    • Modify the information contained in the transmission.

    The exemption would however stand withdrawn if intermediary conspires or abets the commission of an unlawful act or after having received the information from the government that any information, data or communication link residing in or connected with computer resources controlled by the intermediary, are being used to commit unlawful acts and such intermediary fails to act expeditiously in removing or disabling access to such link or resource.

    SECTION 77 B - Offences with Three years Imprisonment to be Bailable
    Notwithstanding anything contained in the Code of Criminal Procedure, 1973 (2 of 1974), the offence punishable with imprisonment of three years and above shall be cognizable and the offence punishable with imprisonment of three years shall be bailable.


