IT Act - FAQ

by Admin on January 26, 2009

Q.1 Why was the Information Technology Act 2000 enacted?

Ans: The Information Technology (IT) Act 2000 aims to provide a legal and regulatory framework for promotion
of e-Commerce and e-Governance.

Q.2 When was the IT Act 2000 enacted?

Ans: The IT Act 2000 was enacted on 7th June 2000 and was notified in the official gazette on 17th October 2000.

Q.3 Where is the IT Act 2000 applicable?

Ans: The IT Act 2000 is applicable to the whole of India.

Q.4 What are the major provisions contained in the IT Act 2000?

·        Extends to the whole of India
·        Electronic contracts will be legally valid
·        Legal recognition of digital signatures
·        Digital signature to be effected by use of asymmetric crypto system and hash function
·        Security procedure for electronic records and digital signature
·        Appointment of Controller of Certifying Authorities to license and regulate the working of Certifying
Authorities
·        Controller to certify the public keys of the Certifying Authorities (CAs)
·        Controller to act as repository of all digital signature certificates
·        Certifying Authorities to get Licence from the Controller to issue digital signature certificates
·        Various types of computer crimes defined and stringent penalties provided under the Act
·        Appointment of Adjudicating Officer for holding inquiries under the Act
·        Establishment of Cyber Regulatory Appellate Tribunal under the Act
·        Appeal from order of Adjudicating Officer to Cyber Appellate Tribunal and not to any Civil Court
·        Appeal from order of Cyber Appellate Tribunal to High Court
·        Act to apply for offences or contraventions committed outside India
·        Network service providers not to be liable in certain cases
·        Power of police officers and other officers to enter into any public place and search and arrest without
warrant
·        Constitution of Cyber Regulations Advisory Committee to advise the Central Government and the Controller

Q.5 What does the IT Act enable?

Ans: The IT Act enables:
·        Legal recognition of Electronic Transaction / Record
·        Legal recognition of digital signatures at par with handwritten signatures
·        Electronic Communication by means of reliable electronic record
·        Acceptance of contract expressed by electronic means
·        e-Commerce and Electronic Data interchange
·        e-Governance
·        Electronic filing of documents
·        Retention of documents in electronic form
·        Uniformity of rules, regulations and standards regarding the authentication and integrity of electronic
records or documents
·        Publication of official gazette in the electronic form
·        Interception of any message transmitted in the electronic or encrypted form
·        Prevention of computer crime, forged electronic records, intentional alteration of electronic records,
fraud, forgery or falsification in e-Commerce and electronic transactions

Q.6 What is authentication and how does IT Act 2000 authenticate the electronic records?

Ans: Section 3(2) of the IT Act 2000 provides that “The authentication of the electronic record shall be effected
by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic
record into another electronic record.”
Explanation.-For the purposes of this sub-section, “hash function” means an algorithm mapping or translation of
one sequence of bits into another, generally smaller, set known as “hash result” such that an electronic record
yields the same hash result every time the algorithm is executed with the same electronic record as its input making
it computationally infeasible-
a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
b) that two electronic records can produce the same hash result using the algorithm.
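Section 3(2) describes authentication as two steps: the record is first mapped to a hash result, and that hash is then transformed by an asymmetric crypto system. The Python script below is an added illustration of that mechanism and is not part of the original FAQ or of any Certifying Authority's software. It assumes SHA-256 from the standard library as the hash function (chosen here in place of the FIPS 180-1 SHA-1 the Rules list) and builds a minimal textbook RSA key pair with a Miller-Rabin prime search as the asymmetric system. The sample record is constructed, the 512-bit demo modulus is far below the 2048-bit CA keys the Regulations require (see Q.34), and a production signer would apply PKCS#1 padding (one of the standards listed in Q.38) rather than signing the bare hash. The demo checks the two Explanation properties (same input, same hash; any change, a different hash) and shows that a signature verifies only for the unmodified record under the matching public key.

```python
"""Added example: hash-then-sign authentication of an electronic record.

Educational code, not from the FAQ or any Certifying Authority. Uses SHA-256
(assumed in place of FIPS 180-1 SHA-1) and textbook RSA without PKCS#1 padding;
the 512-bit demo modulus is far smaller than the 2048-bit keys the Regulations require.
"""
import hashlib
import secrets


def hash_record(record: bytes) -> bytes:
    """Map a record of any length to a fixed-size 'hash result' (32 bytes)."""
    return hashlib.sha256(record).digest()


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # composite witness found
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(modulus_bits: int = 512):
    """Return (public_key, private_key) as ((n, e), (n, d)). Demo size only."""
    e = 65537
    while True:
        p = _random_prime(modulus_bits // 2)
        q = _random_prime(modulus_bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:               # e (prime) must not divide phi
            break
    n = p * q
    d = pow(e, -1, phi)                           # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def sign_record(record: bytes, private_key) -> int:
    """Section 3(2) in miniature: hash the record, then transform the hash with the private key."""
    n, d = private_key
    h = int.from_bytes(hash_record(record), "big")  # 256-bit value, always < n
    return pow(h, d, n)


def verify_record(record: bytes, signature: int, public_key) -> bool:
    """Recompute the hash and compare it with the signature transformed by the public key."""
    n, e = public_key
    h = int.from_bytes(hash_record(record), "big")
    return pow(signature, e, n) == h


def demo() -> dict:
    """Exercise the hash properties from the Explanation and the signature check."""
    # Constructed sample electronic record; not taken from the page.
    record = b"Form: applicant=A. Sharma; amount=INR 5000; date=2009-01-26"
    tampered = record.replace(b"5000", b"50000")
    public_key, private_key = generate_keypair()
    signature = sign_record(record, private_key)
    return {
        "same_input_same_hash": hash_record(record) == hash_record(record),
        "tamper_changes_hash": hash_record(record) != hash_record(tampered),
        "genuine_verifies": verify_record(record, signature, public_key),
        "tampered_verifies": verify_record(tampered, signature, public_key),
        "other_key_verifies": verify_record(record, signature, generate_keypair()[0]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The tampered record differs by a single digit, yet its hash bears no resemblance to the original and the stored signature no longer verifies; this is what lets a relying party detect alteration without keeping a copy of the original. Verification with a different CA's or subscriber's public key also fails, which is why the Act ties each certificate to exactly one public key and requires the Controller to certify the CAs' public keys.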

Q.7 Can use of electronic records or digital signature be valid in Government and its agencies?

Ans: Yes. Filing of forms, applications etc. in electronic form will be valid in Govt. and its agencies. Section 6(1)
of the Act states that
Where any law provides for-
a) the filing of any form, application or any other document with any office, authority, body or agency owned or
controlled by the appropriate Government in a particular manner;
b) the issue or grant of any licence, permit, sanction or approval by whatever name called in a particular manner;
c) the receipt or payment of money in a particular manner, then, notwithstanding anything contained in any other
law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue,
grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed
by the appropriate Government.

Q.8 Who can issue a digital signature certificate to a subscriber?

Ans: A Certifying Authority can issue a digital signature certificate to a subscriber. Section 35 of the Act and the
Certifying Authorities Rules framed under the Act stipulate the methods for issuance of a digital signature
certificate.

Q.9 Can a CA suspend the digital signature certificate issued by it?

Ans: Yes, if the CA gets a request from the subscriber or from a person authorised by the subscriber to suspend the
digital signature certificate. The CA can also suspend the Digital Signature Certificate in the public interest. [Ref:
Section 37 of the Act]

Q.10 When can a digital signature certificate be revoked?

Ans: The conditions for revocation of digital signature certificates are provided in Section 38 of the IT
Act, 2000 as follows:
·        A Certifying Authority may revoke a Digital Signature Certificate issued by it-
o        where the subscriber or any other person authorised by him makes a request to that effect; or
o        upon the death of the subscriber, or
o        upon the dissolution of the firm or winding up of the company where the subscriber is a firm or a company.
·        Subject to the provisions of sub-section (3) and without prejudice to the provisions of sub-section (1), a
Certifying Authority may revoke a Digital Signature Certificate which has been issued by it at any time, if it is of
opinion that-
o        a material fact represented in the Digital Signature Certificate is false or has been concealed;
o        a requirement for issuance of the Digital Signature Certificate was not satisfied;
o        the Certifying Authority’s private key or security system was compromised in a manner materially affecting
the Digital Signature Certificate’s reliability;
o        the subscriber has been declared insolvent or dead or where a subscriber is a firm or a company, which has
been dissolved, wound-up or otherwise ceased to exist.
·        A Digital Signature Certificate shall not be revoked unless the subscriber has been given an opportunity of
being heard in the matter.

Q.11 How will the Certifying Authorities be appointed?

Ans: The Controller of Certifying Authorities (CCA) appointed u/s 17 of the IT Act issues licenses to Certifying
Authorities and exercises supervision over their activities.

Q.12 Are there any restrictions on the number of applicants applying for a licence to become a CA?

Ans: No, there is no restriction on the number of applicants applying for a licence to become a CA.

Q.13 Can a digital signature certificate issued by foreign Certifying Authority be valid in India?

Ans: Yes. The Controller of CAs may give recognition to foreign Certifying Authorities, and the digital signature
certificates issued by them will be valid under Section 19 of the Act.

Q.14 What are the functions of Controller?

Ans: The IT Act has defined the functions of Controller u/s 18. These are as follows :
·        exercising supervision over the activities of the Certifying Authorities;
·        certifying public keys of the Certifying Authorities;
·        laying down the standards to be maintained by the Certifying Authorities;
·        specifying the qualifications and experience which employees of the Certifying Authorities should possess;
·        specifying the conditions subject to which the Certifying Authorities shall conduct their business;
·        specifying the contents of written, printed or visual materials and advertisements that may be distributed or
used in respect of a Digital Signature Certificate and the public key;
·        specifying the form and content of a Digital Signature Certificate and the key,
·        specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;
·        specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be
paid to them;
·        facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with
other Certifying Authorities and regulation of such systems;
·        specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers;
·        resolving any conflict of interests between the Certifying Authorities and the subscribers;
·        laying down the duties of the Certifying Authorities;
·        maintaining a data base containing the disclosure record of every Certifying Authority containing such
particulars as may be specified by regulations, which shall be accessible to public.

Q.15 What are the civil offences under the IT Act 2000?

Ans: Section 43 of the IT Act describes the civil offences :
·        Unauthorised copying, extracting and downloading of any data, database
·        Unauthorised access to computer, computer system or computer network
·        Introduction of virus
·        Damage to computer System and Computer Network
·        Disruption of Computer, computer network
·        Denial of access to authorised person to computer
·        Providing assistance to any person to facilitate unauthorised access to a computer
·        Charging the service availed by a person to an account of another person by tampering and manipulation
of other computer
Section 44 of the IT Act provides for a penalty on failure by Certifying Authorities to furnish information, returns
etc. to the Controller.

Q.16 What are the criminal offences stipulated by IT Act 2000?

Ans: Chapter XI (Sections 65 to 75) of the IT Act describes the criminal offences along with punishments for
them. These are as follows:
·        Tampering with computer source documents
·        Hacking with computer system
·        Electronic forgery, i.e. affixing a false digital signature or making a false electronic record
·        Electronic forgery for the purpose of cheating
·        Electronic forgery for the purpose of harming reputation
·        Using a forged electronic record
·        Publication of digital signature certificate for fraudulent purpose
·        Offences and contravention by companies
·        Unauthorised access to protected system
·        Confiscation of computer, network, etc.
·        Publication of information which is obscene in electronic form
·        Misrepresentation or suppressing of material facts for obtaining Digital Signature Certificates
·        Breach of confidentiality and Privacy
·        Publishing false Digital Signature Certificate

Q.17 What is excluded from the purview of the IT Act?

Ans: Section 1(4) states that “Nothing in this Act shall apply to:
·        A negotiable instrument as defined in section 13 of the Negotiable Instruments Act, 1881;
·        A power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;
·        A trust as defined in section 3 of the Indian Trusts Act, 1882;
·        A will as defined in clause of section of the Indian Succession Act 1925 including any other testamentary
disposition by whatever name called;
·        Any contract for the sale or conveyance of immovable property or any interest in such property;
·        Any such class of documents or transactions as may be notified by the Central Government in the Official
Gazette.”

Q.18 Are network service providers liable for offences committed by third party?

Ans: No.
Section 79 of the Act states that :
For the removal of doubts, it is hereby declared that no person providing any service as a network service
provider shall be liable under this Act, rules or regulations made thereunder for any third party information or
data made available by him if he proves that the offence or contravention was committed without his knowledge
or that he had exercised all due diligence to prevent the commission of such offence or contravention.
Explanation.-For the purposes of this section, -
·        ”network service provider” means an intermediary;
·        ”third party information” means any information dealt with by a network service provider in his capacity as
an intermediary”

Q.19 Who can apply for grant of licence to act as a Certifying Authority (CA)?

Ans: The following persons can apply to the Controller for grant of licence in the prescribed form:
·        an individual, being a citizen of India and having a capital of five crores of rupees or more in his business
or profession;
·        a company having -
o        paid up capital of not less than five crores of rupees; and
o        net worth of not less than fifty crores of rupees
·        a firm having -
o        capital subscribed by all partners of not less than five crores of rupees; and
o        net worth of not less than fifty crores of rupees
·        Central Government or a State Government or any of the Ministries or Departments, Agencies or
Authorities of such Governments
The application can be made u/s 21.

Q.20 What security measures do CAs have to adhere to?

Ans: IT Security Guidelines and Security Guidelines for Certifying Authorities have been detailed in Schedules II
and III of the IT Rules notified in October 2000.

Q.21 What is the maximum penalty for the offences?

Ans: The penalties for damage to computer, computer system etc. have been fixed as damages by way of
compensation not exceeding Rupees one crore (Rs. 1,00,00,000/-) to affected persons.

Q.22 What does damage to computer system mean ?

Ans: Damage to a computer system is defined in Section 43 as: “If any person without
permission of the owner or any other person who is in charge of a computer, computer system or computer network,
·        accesses or secures access to such computer, computer system or computer network;
·        downloads, copies or extracts any data, computer data base or information from such computer, computer
system or computer network including information or data held or stored in any removable storage medium;
·        introduces or causes to be introduced any computer contaminant or computer virus into any computer,
computer system or computer network;
·        damages or causes to be damaged any computer, computer system or computer network, data, computer
data base or any other programmes residing in such computer, computer system or computer network;
·        disrupts or causes disruption of any computer, computer system or computer network;
·        denies or causes the denial of access to any person authorised to access any computer, computer system or
computer network by any means;
·        provides any assistance to any person to facilitate access to a computer, computer system or computer
network in contravention of the provisions of this Act, rules or regulations made thereunder;
·        charges the services availed of by a person to the account of another person by tampering with or
manipulating any computer, computer system, or computer network”

Q.23 What are the duties of subscribers?

Ans: Chapter VIII of the Act defines the duties of the subscribers as :
·        Generation of key pair
·        Acceptance of Digital Signature Certificate which in turn certifies to all who reasonably rely on the
information contained in the Digital Signature Certificate that-
o        the subscriber holds the private key corresponding to the public key listed in the Digital Signature
Certificate and is entitled to hold the same;
o        all representations made by the subscriber to the Certifying Authority and all material relevant to the
information contained in the Digital Signature Certificate are true;
o        all information in the Digital Signature Certificate that is within the knowledge of the subscriber is true.
·        Control of private key
o        Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the
public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure to a person not
authorised to affix the digital signature of the subscriber.
o        If the private key corresponding to the public key listed in the Digital Signature Certificate has been
compromised, then the subscriber shall communicate the same without any delay to the Certifying Authority in
such manner as may be specified by the regulations.

Q.24 Who is liable in case a subscriber loses his private key?

Ans: The subscriber shall be liable for his digital signatures till he has informed the Certifying Authority that the
private key has been compromised.

Q.25 How does IT Act deal with Hacking?

Ans: The IT Act defines hacking as [Section 66] “Whoever with the intent to cause or knowing that he is likely to
cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in
a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.”
Further, for the first time, punishment for hacking as a cyber crime is prescribed in the form of imprisonment up to
3 years or with fine that may extend to Rs 2,00,000/- or both. [Section 66]

Q.26 What is meant by Online Contracts?

Ans: E-commerce portals usually specify detailed transaction rules in accordance with which any specific
transaction can be initiated, conducted and concluded. A contract concluded over the Internet involves :
·        The dispatch and receipt of a proposal in an “electronic record” from one contracting party i.e., the
proposer / offerer, to the other party, i.e., the acceptor, and
·        The acceptance of the proposal in such electronic record, by the acceptor and the dispatch of such
acceptance, in an electronic record by the acceptor to the proposer.
Section 13 of the IT Act specifies the manner and time when dispatch and receipt of an electronic record occur.
Dispatch of an electronic record occurs, “when it enters a computer resource outside the control of the
originator”, unless agreed to the contrary between the originator and the addressee.

Q.27 What is the evidentiary value of Online Contracts?

Ans: The IT Act provides for legal recognition and protection to electronic records and digital signatures. An
electronic record is defined as “data, record or data generated, image or sound stored, received or sent in an
electronic form or microfilm or computer generated micro fiche”. The Indian Evidence Act deals with the manner
of proving documents by requiring proof of documents through primary evidence.
The IT Act provides evidentiary value to electronic records by introducing a new section 65B in the IEA which
deems any information contained in an electronic record which is printed on a paper, stored, recorded or copied
in optical or magnetic media, to be a “document” if certain conditions specified are met.
In such cases, the information is deemed to be “admissible in any proceedings” without further proof or
production of the original. Thus the electronic maintenance of records will lead to a wholesale reduction in costs
in relation to record keeping as well as facilitate e-commerce.

Q.28 In case of any contravention of the provisions of Act, who will adjudicate?

Ans: Section 46 of the IT Act, 2000 provides for appointment of an Adjudicating Officer, who will be an
officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government.
The Adjudicating Officer shall adjudicate on specific cases in accordance with the provisions of Sections 43 to 47
of the Act. The Adjudicating Officer has been given the powers of a Civil Court.

Q.29 How are the criminal offences dealt with under the Act?

Ans: For criminal offences described under Chapter XI of the Act, the power to investigate has been given to a
police officer not below the rank of a Deputy Superintendent of Police. Thereafter it will be tried in regular court.

Q.30 In case of dispute, where can an appeal be made?

Ans: The Act provides for establishment of one or more Cyber Regulations Appellate Tribunal (Chapter X of the
Act). The Cyber Regulations Appellate Tribunal shall be an appellate body where appeals against the orders of
the CCA and of the Adjudicating Officers shall be preferred. The Tribunal shall not be bound by the principles of
the Code of Civil Procedure but shall follow the principles of natural justice and shall have the same powers as
those vested in a Civil Court. Against an order or decision of the Cyber Appellate Tribunal, an appeal shall lie to
the High Court.

Q.31 Does IT Act suggest changes/modifications in other prevailing Acts?

Ans: Yes. The following Acts need to be modified:
·        Indian Evidence Act, 1872
o        Section - 3, 17, 22, 34, 35, 39, 47, 59, 65, 67, 73, 81, 85, 88, 90, 131
·        Indian Penal Code, 1860
o        Section - 29, 167, 172, 173, 175, 192, 204, 463, 464, 466, 468, 469, 470, 471, 474, 476, 477A
·        Banker’s Book Evidence Act, 1891
o        Section - 2
·        Reserve Bank of India Act, 1934
o        Section 58 (Sub section (2) clause (p) - To enable RBI to formulate rules to provide for Electronic Fund
Transfer

Q.32 Is there any advisory committee for helping frame Rules and Regulations under the Act?

Ans: Section 88 provides for constitution of the Cyber Regulation Advisory Committee to advise:
(3)(a) The Central Government either generally as regards any rules or for any other purpose connected with the
Act;
(3)(b) The Controller in framing the regulations under the Act.

Q.33 Can the Controller of Certifying Authorities direct any Law Enforcement Agency to intercept any information
transmitted through any computer resource?

Ans: Yes. Section 69 of the IT Act 2000 empowers the Controller to do so:
·        If the Controller is satisfied that it is necessary or expedient so to do in the interest of the sovereignty or
integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing
incitement to the commission of any cognizable offence, he may, for reasons to be recorded in writing, by order, direct
any agency of the Government to intercept any information transmitted through any computer resource.
·        The subscriber or any person in charge of the computer resource shall, when called upon by any agency
which has been directed under sub-section (1), extend all facilities and technical assistance to decrypt the
information.
·        The subscriber or any person who fails to assist the agency referred to in sub-section (2) shall be punished
with imprisonment for a term which may extend to seven years.

Q.34 What is the key size prescribed by the IT Act for the CAs?

Ans: The Regulations specify that the CAs will use a key of length 2048 bits (in the RSA algorithm). The CA being
certified by the CCA should also have a key length of 2048 bits. The users will use a key length of 1024 bits (in the
RSA algorithm).

Q.35 What is the frequency of the change of the key pairs?

Ans: The CA’s key pairs shall be changed every three to five years (except during exigencies, as in the case of key
compromise, when the key shall be changed immediately). The Certifying Authority shall take appropriate steps to
ensure that the key changeover procedures mentioned in the approved Certificate Practice Statements are adhered to.
The subscriber’s key pairs shall be changed every one to two years.

Q.36 How is the end user protected in case of cessation of Certifying Authority?

Ans: Rule 21 provides for reasonable protection of subscribers against cessation of operation of a CA. Rule 21
(Requirements Prior to Cessation as Certifying Authority) reads: Before ceasing to act as a Certifying Authority, a
Certifying Authority shall, -
·        give notice to the Controller of its intention to cease acting as a Certifying Authority: Provided that the
notice shall be made ninety days before ceasing to act as a Certifying Authority or ninety days before the date of
expiry of licence;
·        advertise sixty days before the expiry of licence or ceasing to act as Certifying Authority, as the case may
be, the intention in such daily newspaper or newspapers and in such manner as the Controller may determine;
·        notify its intention to cease acting as a Certifying Authority to the subscriber and Cross Certifying Authority
of each unrevoked or unexpired Digital Signature Certificate issued by it : Provided that the notice shall be given
sixty days before ceasing to act as a Certifying Authority or sixty days before the date of expiry of unrevoked or
unexpired Digital Signature Certificate, as the case may be;
·        the notice shall be sent to the Controller, affected subscribers and Cross Certifying Authorities by digitally
signed e-mail and registered post;
·        revoke all Digital Signature Certificates that remain unrevoked or unexpired at the end of the ninety days
notice period, whether or not the subscribers have requested revocation;
·        make a reasonable effort to ensure that discontinuing its certification services causes minimal disruption to
its subscribers and to persons duly needing to verify digital signatures by reference to the public keys contained in
outstanding Digital Signature Certificates;
·        make reasonable arrangements for preserving the records for a period of seven years;
·        pay reasonable restitution (not exceeding the cost involved in obtaining the new Digital Signature
Certificate) to subscribers for revoking the Digital Signature Certificates before the date of expiry;
·        after the date of expiry mentioned in the licence, the Certifying Authority shall destroy the
certificate-signing private key and confirm the date and time of destruction of the private key to the Controller.

Q.37 Are there any standards prescribed in the IT Act 2000?

Ans: Yes, standards are prescribed in the Rules framed under the IT Act.

Q.38 What are the standards prescribed in the IT Act?

Ans: The Rules prescribe the following standards:
Public-key Cryptography Standards (PKCS)
·        PKCS#1 to PKCS#12
Federal Information Processing Standards (FIPS)
·        FIPS 180-1, Secure Hash Standard (SHA)
·        FIPS 186-1, Digital Signature Standard (DSS)
·        FIPS 140-1 level 3 and 4, Security Requirements for Cryptographic Modules
Elliptic Curve (EC) systems: public-key cryptography based on the emerging Institute of Electrical and Electronics
Engineers (IEEE) standard P1363 for three families:
·        Discrete Logarithm (DL) systems
·        Elliptic Curve Discrete Logarithm (EC) systems
·        Integer Factorization (IF) systems: RSA encryption; RSA and Rabin-Williams signatures
Directory Services (LDAP ver 3)
·        X.500 for publication of Public Key Certificates and Certificate Revocation Lists
·        X.509 version 3 Certificates as specified in ITU RFC 1422
·        X.509 version 2 Certificate Revocation Lists


Q.39 When was the Controller of Certifying Authorities (CCA) appointed?

Ans: The Controller of Certifying Authorities was appointed in November 2000.
