
The Information Technology Act, 2000

Purpose:

  • To provide legal recognition for transactions carried out through electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce."
  • To facilitate electronic filing of documents with government agencies.
  • To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker's Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934, to align with the digital age.
  • To address cybercrimes, data security, and related issues in the digital domain.

Key Chapters & Sections (Expanded):

| Chapter | Subject | Key Sections | Detailed Summary |
|---|---|---|---|
| I | Preliminary | 1 (Short Title, Extent, Application), 2 (Definitions) | Scope: Applies to the whole of India and to offenses/contraventions committed outside India by any person involving a computer system located in India. Includes key definitions (Access, Addressee, Computer, Data, Electronic Record, etc.). |
| II | Digital/Electronic Signatures | 3 (Authentication of Electronic Records), 3A (Electronic Signatures) | Establishes methods for authenticating electronic records. A digital signature uses an asymmetric crypto system and a hash function. An electronic signature can be any reliable authentication technique specified in the Second Schedule. |
| III | Electronic Governance | 4 (Legal Recognition of Electronic Records), 5 (Legal Recognition of Electronic Signatures), 6 (Use in Government Agencies), 6A (Delivery of Services by Service Provider) | Provides that if a law requires information to be in writing, that requirement is met if the information is accessible in electronic form. Covers the delivery of services by electronic means through a service provider. |
| IV | Attribution, Acknowledgment | 11 (Attribution), 12 (Acknowledgment of Receipt), 13 (Time and Place of Dispatch) | An electronic record is attributed to the originator if sent by the originator, someone with authority, or an information system programmed by the originator. If the sender did not stipulate how acknowledgment should be given, it may be given by any communication, automated or otherwise; if so stipulated, the record is binding on receipt of the acknowledgment. |
| V | Secure Records & Signatures | 14 (Secure Electronic Record), 15 (Secure Electronic Signature), 16 (Security Procedures and Practices) | A "secure electronic record" is one to which a security procedure has been applied at a specific point in time. A "secure electronic signature" is one that is under the exclusive control of the signing party. Prescribes security procedures. |
| VI | Certifying Authorities | 17 (Appointment of Controller), 18 (Functions of Controller), 19 (Recognition of Foreign CAs), 21 (License), 25 (Suspension), 26 (Notice of Suspension) | The Controller of Certifying Authorities is appointed to supervise CAs. Requires licenses to issue electronic signature certificates. The Controller may suspend or revoke licenses. |
| VII | Electronic Signature Certificates | 35 (Certifying Authority to Issue), 37 (Suspension of Digital Signature Certificate), 38 (Revocation of Digital Signature Certificate) | Provides a procedure for issuing electronic signature certificates. Provides grounds for suspension of a certificate in the public interest and on the subscriber's request. Provides grounds for the Certifying Authority to revoke a certificate. |
| VIII | Duties of Subscribers | 40 (Generating Key Pair), 40A (Duties of Subscriber of Electronic Signature Certificate), 41 (Acceptance of Digital Signature Certificate), 42 (Control of Private Key) | Ensures the subscriber retains control and takes reasonable care of the private key. |
| IX | Penalties & Adjudication | 43 (Damage to Computer), 43A (Failure to Protect Data), 44 (Failure to Furnish Information), 46 (Power to Adjudicate), 47 (Factors to be Taken into Account) | Deals with the various violations and offenses. Adjudicating officers are empowered to impose penalties or award compensation for various contraventions. The adjudicating officer considers factors such as the amount of unfair gain, the amount of loss and the nature of the default. |
| X | Appellate Tribunal | 48 (Appellate Tribunal), 57 (Appeal to Appellate Tribunal), 58 (Procedure and Powers of the Appellate Tribunal), 62 (Appeal to High Court) | Established to hear appeals against orders made by the Controller or an Adjudicating Officer. Its decisions are appealable to the High Court. |
| XI | Offences | 65 (Tampering with Computer Source Documents), 66 (Computer Related Offences), 66A (Offensive Messages), 66B (Dishonestly Receiving Stolen Computer Resource), 69A (Power to Issue Directions for Blocking for Public Access of Any Information) | Deals with cyber terrorism, computer contamination, hacking, damage to computer systems, phishing, identity theft, violation of privacy, and the publication of obscene or sexually explicit material. |
| XII | Intermediaries | 79 (Exemption from Liability of Intermediary) | Provides limited liability for intermediaries for third-party content, as long as they observe due diligence and comply with government directions for removing unlawful content. Requirements for intermediaries include not initiating the transmission, not selecting the receiver of the transmission, and not selecting or modifying the information contained in the transmission. |
| XIII | Miscellaneous | 80 (Power of Police Officer), 81 (Act to Have Overriding Effect), 87 (Power to Make Rules) | Gives police officers the power to act in order to detect and arrest, and provides that the Act has overriding effect. Gives the Central Government the power to make rules. |

Key Concepts (Expanded):

  • Electronic Record: Data, record, or generated image stored or sent electronically; can include data, text, images, sound, codes, and computer programs.
  • Digital Signature: Authentication using asymmetric cryptography (key pair) and hash functions; requires a Digital Signature Certificate issued by a licensed CA.
  • Electronic Signature: Any method adopted to authenticate an electronic record; must be reliable and may be specified in the Second Schedule. Includes Digital Signature.
  • Certifying Authority (CA): Licensed entity that issues digital/electronic signature certificates, verifies identities, and ensures the security of the process.
  • Computer Resource: Includes computer, computer system, computer network, data, computer database, and software.
  • Intermediary: Entities like ISPs, telecom providers, web hosting services, search engines, and online payment sites.
  • Cyber Security: Protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction.

Detailed Cyber Offenses & Penalties (Examples):

Chapter XI - Offences (Summary)

| Offense (Section) | Potential Penalty | Key Points |
|---|---|---|
| Tampering with Computer Source Documents (65) | Imprisonment up to 3 years, or fine up to INR 2 Lakh, or both. | Intentionally concealing, destroying, or altering computer source code when required to be kept by law. |
| Computer-Related Offences (66) | Imprisonment up to 3 years, or fine up to INR 5 Lakh, or both. | Dishonestly or fraudulently performing acts mentioned in Section 43 (e.g., unauthorized access, downloading data, introducing viruses). |
| Offensive Messages (66A) (Struck Down by Supreme Court) | N/A | N/A |
| Identity Theft (66C) | Imprisonment: 3 years, Fine: 1 Lakh | Fraudulently or dishonestly making use of the electronic signature, password or any other unique identification feature of any other person. |
| Receiving Stolen Computer Resource (66B) | Imprisonment of three years, Fine: 1 Lakh | Receiving or retaining stolen computer resources or communication devices. |
| Cheating by Personation Using Computer Resources (66D) | Imprisonment of three years, Fine: 1 Lakh | Cheating by personating someone using a computer resource or communication device. |
| Violation of Privacy (66E) | Imprisonment up to 3 years, or fine up to INR 2 Lakh, or both. | Intentionally capturing, publishing, or transmitting the image of a private area of any person without consent. |
| Cyber Terrorism (66F) | Imprisonment for life. | Acts intended to threaten the unity, integrity, security, or sovereignty of India by disrupting computer resources. |
| Publishing/Transmitting Obscene Material (67) | First: imprisonment up to 3 years, fine up to INR 5 Lakh. Subsequent: imprisonment up to 5 years, fine up to INR 10 Lakh. | Publishing or transmitting obscene material in electronic form. |
| Preservation/Retention of Information by Intermediaries (67C) | Imprisonment up to 3 years and fine. | Violations of the duty to preserve and retain specified information as prescribed. |
| Failure to Comply with Controller's Directions (68) | Imprisonment up to 2 years, or fine up to INR 1 Lakh, or both. | Failure to comply with directions from the Controller of Certifying Authorities. |
| Power to Issue Directions for Interception, Monitoring or Decryption of Any Information (69) | Failure to assist authorities can result in imprisonment for up to 7 years and liability to fine. | Gives the Central Government powers to keep the peace through monitoring activities if deemed necessary. A subscriber, intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished. |
| Misrepresentation for Obtaining License (71) | Imprisonment up to 2 years, or fine up to INR 1 Lakh, or both. | Making misrepresentations or suppressing facts to obtain a license or electronic signature certificate. |
| Breach of Confidentiality (72) | Imprisonment up to 2 years, or fine up to INR 1 Lakh, or both. | Disclosing information secured under the Act without consent. |
| Disclosure in Breach of Lawful Contract (72A) | Imprisonment up to 3 years, or fine up to INR 5 Lakh, or both. | Disclosing personal information in breach of a lawful contract, leading to wrongful loss or gain. |
| Publishing False Electronic Signature Certificate (73) | Imprisonment up to 2 years, or fine up to INR 1 Lakh, or both. | Publishing a certificate knowing it to be false or invalid. |
| Publication for Fraudulent Purpose (74) | Imprisonment up to 2 years, or fine up to INR 1 Lakh, or both. | Creating, publishing, or making available an electronic signature certificate for any fraudulent or unlawful purpose. |

Key Regulatory Bodies & Officers:

  • Controller of Certifying Authorities: Appointed by the Central Government to supervise Certifying Authorities and regulate digital/electronic signatures.
  • Indian Computer Emergency Response Team: Serves as the national agency for incident response.

Important Notes:

  • The Act provides powers to the Central Government to issue directions, make rules, and establish committees to promote e-governance and combat cybercrime.
  • Section 66A (offensive messages) was struck down by the Supreme Court.
  • Amendments have been made to incorporate modern technologies and address evolving cyber threats.
  • The Act aims to strike a balance between promoting e-commerce and protecting individual rights and data security.

Definitions

2. Definitions.—(1) In this Act, unless the context otherwise requires:

(a) "access" with its grammatical variations and cognate expressions means gaining entry into, instructing, or communicating with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network;

(b) "addressee" means a person who is intended by the originator to receive the electronic record but does not include any intermediary;

(c) "adjudicating officer" means an adjudicating officer appointed under sub-section (1) of section 46;

(d) "affixing electronic signature" with its grammatical variations and cognate expressions means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature;

(da) "Appellate Tribunal" means the Appellate Tribunal referred to in sub-section (1) of section 48;

(e) "appropriate Government" means as respects any matter:

  • (i) enumerated in List II of the Seventh Schedule to the Constitution;

  • (ii) relating to any State law enacted under List III of the Seventh Schedule to the Constitution,

  the State Government, and in any other case, the Central Government;

(f) "asymmetric crypto system" means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature;

(g) "Certifying Authority" means a person who has been granted a licence to issue an electronic signature Certificate under section 24;

(h) "certification practice statement" means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing electronic signature Certificates;

(ha) "communication device" means cell phones, personal digital assistants, or any other device used to communicate, send, or transmit text, video, audio, or image;

(i) "computer" means any electronic, magnetic, optical, or other high-speed data processing device or system performing logical, arithmetic, and memory functions, including all connected input, output, storage, software, and communication facilities;

(j) "computer network" means the inter-connection of computers or communication devices through:

  • (i) satellite, microwave, terrestrial line, wire, wireless, or other communication media; and

  • (ii) terminals or interconnected systems;

(k) "computer resource" means computer, computer system, computer network, data, computer database, or software;

(l) "computer system" means a device or collection of devices capable of performing logic, arithmetic, data storage, retrieval, and communication control functions using electronic instructions and data;

(m) "Controller" means the Controller of Certifying Authorities appointed under sub-section (1) of section 17;

(na) "cyber cafe" means a facility offering public access to the internet;

(nb) "cyber security" means protecting information, devices, and systems from unauthorized access, use, disclosure, disruption, modification, or destruction;

(o) "data" means any representation of information, knowledge, facts, concepts, or instructions, prepared in a formalized manner and intended to be processed in a computer system or network;

(p) "digital signature" means authentication of an electronic record using a subscriber's digital signature under section 3;

(q) "Digital Signature Certificate" means a certificate issued under sub-section (4) of section 35;

(r) "electronic form" means information generated, sent, received, or stored in digital formats including magnetic, optical, or computer memory;

(s) "Electronic Gazette" means the Official Gazette published in electronic form;

(t) "electronic record" means data, images, sound, or any other record generated or stored electronically;

(ta) "electronic signature" means authentication of an electronic record using electronic techniques as specified in the Second Schedule, including digital signatures;

(tb) "Electronic Signature Certificate" means a certificate issued under section 35, including Digital Signature Certificates;

(u) "function" in relation to a computer includes logic, control, arithmetic processing, deletion, storage, retrieval, and communication functions;

(ua) "Indian Computer Emergency Response Team" means an agency established under section 70B;

(v) "information" includes data, text, images, sound, voice, codes, programs, databases, or computer-generated microfiche;

(w) "intermediary" means any person providing services such as receiving, storing, or transmitting electronic records or providing related services, including telecom service providers, internet service providers, and online platforms;

(x) "key pair" means a mathematically related private key and public key used in asymmetric cryptosystems;

(y) "law" includes Acts, Ordinances, Regulations, and other official rules;

(z) "licence" means a licence granted to a Certifying Authority under section 24;

(za) "originator" means a person who sends, generates, stores, or transmits any electronic message but does not include intermediaries;

(zb) "prescribed" means prescribed by rules made under this Act;

(zc) "private key" means the key of a key pair used to create a digital signature;

(zd) "public key" means the key of a key pair used to verify a digital signature, listed in a Digital Signature Certificate;

(ze) "secure system" means systems that are secure from unauthorized access, reliable, and compliant with accepted security standards;

(zf) "security procedure" means procedures prescribed under section 16 for maintaining system security;

(zg) "subscriber" means a person to whom an electronic signature Certificate is issued;

(zh) "verify" means to determine whether:

  • (a) an electronic record was signed using a private key corresponding to the public key of the subscriber; and

  • (b) the record remains unchanged since it was signed.

(2) Any reference in this Act to an enactment or provision shall, in areas where such enactment or provision is not in force, be construed as a reference to the corresponding law or provision applicable in that area.

| Term | Definition | Section |
|---|---|---|
| Hash function | An algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as "hash result" such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input... | Explanation to Section 3(2) |
| Electronic Signature | Authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule; includes digital signature. | Section 3A(1) and (2) |
| Digital Signature | Authentication of an electronic record by signing it with the private key and verifying it using the public key. | Section 3 |
| Signed | With reference to a person, means affixing of his handwritten signature or any mark on any document, and the expression "signature" shall be construed accordingly. | Explanation to Section 5 |
| Computer contaminant | Any set of computer instructions that are designed to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or usurp the normal operation... | Explanation to Section 43 |
| Computer data-base | A representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner... | Explanation to Section 43 |
| Computer virus | Any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource... | Explanation to Section 43 |
| Damage | To destroy, alter, delete, add, modify or rearrange any computer resource by any means. | Explanation to Section 43 |
| Computer Source Code | The listing of programme, computer commands, design and layout and programme analysis of computer resource in any form. | Explanation to Section 43 |
| Body corporate | Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. | Explanation to Section 43A |
| Reasonable Security Practices and Procedures | Security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties... | Explanation to Section 43A |
| Sensitive Personal Data or Information | Such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. | Explanation to Section 43A |
| Electronic Cheque and Truncated Cheque | Electronic Cheque and Truncated Cheque shall have the same meaning as assigned to them in section 6 of the Negotiable Instruments Act, 1881 (26 of 1881). | Explanation to Section 81A |
| Under Circumstances Violating Privacy | Circumstances in which a person can have a reasonable expectation that (i) he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or (ii) any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place. | Explanation to Section 66E |
| Transmit | Means to electronically send a visual image with the intent that it be viewed by a person or persons. | Explanation to Section 66E |
| Capture | With respect to an image, means to videotape, photograph, film or record by any means. | Explanation to Section 66E |
| Private Area | Means the naked or undergarment clad genitals, pubic area, buttocks or female breast. | Explanation to Section 66E |
| Publishes | Means reproduction in the printed or electronic form and making it available for public. | Explanation to Section 66E |
| Critical Information Infrastructure | Means the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety. | Explanation to Section 70 |
| Third Party Information | Means any information dealt with by an intermediary in his capacity as an intermediary. | Explanation to Section 79 |
| Electronic Form Evidence | Means any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines. | Explanation to Section 79A |
| Modes or methods for encryption | The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption. | Section 84A |