rohas nagpal _it_act_2000_vs_2008 - clubhack2009

Rohas Nagpal Asian School of Cyber Laws

Upload: clubhack

Post on 10-Jun-2015


Page 1: Rohas nagpal _it_act_2000_vs_2008 - ClubHack2009

Rohas Nagpal, Asian School of Cyber Laws

Information Technology Act, 2000 came into force in October 2000

Amended on 27th October 2009

Indian Penal Code

Evidence Act

Voyeurism is now specifically covered.

Acts like hiding cameras in changing rooms, hotel rooms etc. are punishable with jail up to 3 years.

This would apply to cases like the infamous Pune spycam incident where a 58-year old man was arrested for installing spy cameras in his house to ‘snoop’ on his young lady tenants.

Publishing sexually explicit acts in the electronic form is punishable with jail up to 3 years.

This would apply to cases like the Delhi MMS scandal where a video of a young couple having sex was spread through cell phones around the country.

Collecting, browsing, downloading etc. of child pornography is punishable with jail up to 5 years for the first conviction.

For a subsequent conviction, the jail term can extend to 7 years. A fine of up to Rs 10 lakh can also be levied.

The punishment for spreading obscene material by email, websites, sms has been reduced from 5 years jail to 3 years jail.

This covers acts like sending ‘dirty’ jokes and pictures by email or sms.

Bangalore student sms case

Compensation is not restricted to Rs 1 crore anymore on cyber crimes like:

• accessing or securing access to a computer

• downloading, copying or extracting data

• computer contaminant or virus

• damaging computer

• disrupting computer

Compensation is not restricted to Rs 1 crore anymore on cyber crimes like:

• providing assistance to facilitate illegal access

• computer fraud

• destroying, deleting or altering or diminishing value or utility or affecting injuriously

• stealing, concealing, destroying or altering computer source code

The Adjudicating Officers will have jurisdiction for cases where the claim is up to Rs. 5 crore.

Above that the case will need to be filed before the civil courts.

A special liability has been imposed on call centers, BPOs, banks and others who hold or handle sensitive personal data.

If they are negligent in “implementing and maintaining reasonable security practices and procedures”, they will be liable to pay compensation.

It may be recalled that India’s first major BPO related scam was the multi crore MphasiS-Citibank funds siphoning case in 2005.

Under the new law, in such cases, the BPOs and call centers could also be made liable if they have not implemented proper security measures.

Refusing to hand over passwords to an authorized official could land a person in prison for up to 7 years.

The offence of cyber terrorism has been specially included in the law. A cyber terrorist can be punished with life imprisonment.

Sending threatening emails and sms is punishable with jail up to 3 years.

Hacking into a Government computer or website, or even trying to do so, is punishable with imprisonment up to 10 years.

Cyber crime cases can now be investigated by Inspector rank police officers.

Earlier such offences could not be investigated by an officer below the rank of a deputy superintendent of police.

The Information Technology Act, 2000 took a "technology dependent" approach to the issue of electronic authentication.

This was done by specifying digital signatures as the means of authentication.

The defect in this approach is that the law is bound by a specific technology, which in due course of time may be proven weak.

The advantage of using a technology neutral approach is that if one technology is proven weak, others can be used without any legal complexities arising out of the issue.

An example of this is the MD5 hash algorithm that at one time was considered suitable.

MD5 was prescribed as suitable by Rule 6 of the Information Technology (Certifying Authorities) Rules, 2000.

MD5 was subsequently proven weak by mathematicians.

In fact, Asian School of Cyber Laws had filed a public interest litigation in the Bombay High Court on the same issue.

Subsequently, the Information Technology (Certifying Authorities) Amendment Rules, 2009 amended the Rule 6 mentioned above.

MD5 was replaced by SHA-2.

The Information Technology (Amendment) Act, 2008 amends the technology dependent approach.

It introduces the concept of electronic signatures in addition to digital signatures.

Digital signatures are one type of technology coming under the wider term “electronic signatures”.

1. those based on the knowledge of the user or the recipient, e.g. passwords, personal identification numbers (PINs)

2. those based on the physical features of the user (e.g. biometrics)

3. those based on the possession of an object by the user (e.g. codes or other information stored on a magnetic card).

Digital signatures within a public key infrastructure (PKI)

biometric devices

PINs

user-defined or assigned passwords,

scanned handwritten signatures,

signature by means of a digital pen,

clickable “OK” or “I accept” boxes.

Hybrid solution like combined use of passwords and secure sockets layer (SSL)

It is a technology using a mix of public and symmetric key encryptions.

Fraudulently or dishonestly using someone else’s electronic signature, password or any other unique identification feature

3 years jail and fine up to Rs 1 lakh.

New provision

Section 65

Conceal / destroy / alter source code

3 years jail and / or fine up to Rs 2 lakh

Unchanged provision

Section 66

3 years jail and / or fine up to 5 lakh

New provision

Replaces ‘hacking’

dishonestly or fraudulently:

• accessing or securing access to a computer

• downloading, copying or extracting data

• computer contaminant or virus

• damaging computer

• disrupting computer

• denial of access

dishonestly or fraudulently:

• providing assistance to facilitate illegal access

• computer fraud

• destroying, deleting or altering or diminishing value or utility or affecting injuriously

• stealing, concealing, destroying or altering computer source code

Section 66A

3 years jail and fine

New provision

Covers the following sent by sms / email:

• grossly offensive

• menacing

• false information sent for causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will

• phishing, email spoofing

Email spoofing

SMS spoofing

Phishing

Asian School of Cyber Laws