E-Commerce Security Issues: E-commerce systems are based upon Internet use, which provides open and easy communications on a global basis.

But, as the Internet is unregulated, unmanaged and uncontrolled, it introduces a wide range of risks and threats to the systems operating on it.

The important security issues related to e-commerce are:-

i. Access Control: If access control is properly implemented, many other security problems, like lack of privacy, will either be eliminated or mitigated.

Access control ensures that only those who legitimately require access to resources are given access. This includes both physical access and logical access to resources.

ii. Privacy: Privacy ensures that only authorized parties can access information in any system. The information should also not be distributed to parties that should not receive it.

Issues related to privacy can be considered a subset of issues related to access control.

iii. Authentication: Authentication ensures that the origin of an electronic message is correctly identified, i.e. having the capability to determine who sent the message and from where or from which machine.

iv. Non-Repudiation: Non-repudiation is closely related to authentication and ensures that the sender cannot deny sending a particular message and the receiver cannot deny receiving a message.

If this happens infrequently, it may not significantly harm e-commerce; however, on a large scale it can be devastating. For example, if many customers receive goods and then deny placing an order, the shipping, handling and associated costs of the order can be significant for the company processing the order.

v. Availability: Availability ensures that the required systems are available when needed, i.e. the customer order systems are available all the time.

Two major threats to availability are virus attacks and denial of service.

One complicating factor for any e-commerce venture is security for customer information, such as credit card numbers and personal data, and this issue has kept many customers from purchasing products on the Internet.

Risks involved in E-Commerce: Some of the common threats that hackers pose to e-commerce systems include:-

a. Carrying out denial-of-service (DoS) attacks that stop access for authorized users of a website, so that the site is forced to offer a reduced level of service or, in some cases, cease operation completely.
b. Gaining access to sensitive data such as price lists, catalogues and valuable intellectual property, and altering, destroying or copying it.
c. Altering the website, thereby damaging one's image or directing one's customers to another site.
d. Gaining access to financial information about one's business or one's customers with a view to perpetrating fraud.
e. Using viruses to corrupt one's business data.

Impact Upon the Business: All of these risks can have a significant impact upon a business running an e-commerce service. The potential business implications of a security incident include the following:-

a. Direct financial loss as a consequence of fraud or litigation.
b. Consequential loss as a result of unwelcome publicity.
c. Criminal charges if you are found to be in breach of the Data Protection or Computer Misuse Acts, or other regulation on e-commerce.
d. Loss of market share if customer confidence is affected by a denial-of-service attack, or other incident.

The image presented by one's business, together with the brands under which one trades, are valuable assets. Hence it is important to recognize that the use of e-commerce creates new risks to both image and brands.

Risks from Viruses, Trojans and Worms: Viruses, Trojan horses and worms are all computer programs that can infect computers. They spread across computers and networks by making copies of themselves, usually without the knowledge of the computer user.

A Trojan Horse is a program that appears to be legitimate but actually contains another program or block of undesired malicious, destructive code, disguised and hidden in a block of desirable code. Trojans can be used to infect a computer with a virus.

A back-door Trojan is a program that allows a remote user or hacker to bypass the normal access controls of a computer and gives them unauthorized control over it.

Typically a virus is used to place the back-door Trojan onto a computer, and once the computer is online, the person who sent the Trojan can run programs on the infected computer, access personal files, and modify and upload files.

Risks to E-commerce Systems: While some viruses are merely irritants, others can have extremely harmful effects. Some of the threats that they pose to e-commerce systems include:-

Corrupting or deleting data on the hard disk of the server.
Stealing confidential data by enabling hackers to record user keystrokes.
Enabling hackers to hijack one's system and use it for their own purposes.
Using one's computer for malicious purposes, such as carrying out a denial-of-service attack on another website.
Harming customer and trading partner relationships by forwarding viruses to them from the affected system.

How do viruses spread: Viruses are able to infect computers via a number of different routes. These include:

CDs and pen drives containing infected documents.
Emails containing infected attachments.
Internet worms that exploit holes in one's system's operating system when one is connected to the Internet.

Spyware: Spyware is software that is placed on one's computer when one visits certain websites. It is used to secretly gather information about one's usage and send it back to advertisers or other interested parties. In addition to tracking one's system use, it can also slow down or crash one's computer.
Protecting E-Commerce System:

Securing one's E-Commerce System: As the use of the Internet continues to grow, websites are assuming greater importance as the public face of business.

Moreover, the revenues generated by e-commerce systems mean that organizations are becoming ever more reliant upon them as core elements of their business.

With this high level of dependency upon the services provided by e-commerce systems, it is essential that they are protected from the threats posed by hackers, viruses, fraud and denial-of-service (DoS) attacks.

Identifying E-Commerce Threats and Vulnerabilities: It is important that one understands the risks facing one's e-commerce system, and the potential impact should any security incident arise.

What are the Threats: Threats to e-commerce systems can be either malicious or accidental. The procedures and controls one puts in place to protect the site should help minimize both.

Malicious threats could include:-

Hackers attempting to penetrate a system to read or alter sensitive data.
Burglars stealing a server or laptop that has unprotected sensitive data on its disk.
Imposters masquerading as legitimate users and even creating a website similar to the original one.
Authorized users downloading a web page or receiving an email with hidden active content that attacks your systems or sends sensitive information to unauthorized people.

The potential threats to sensitive information can be considered from three angles:-

Where (or who) are the potential sources of threats?
What level of expertise is the hacker likely to possess? How much effort are they likely to expend in attempting to breach your security?
What facilities and tools are available to them?

The real threat may not be the most obvious one. Attacks from authorized users (such as a dissatisfied employee or partner) are far more common than attacks by hackers.

Risk Assessment: A risk assessment can be carried out to provide an organization with a clear understanding of the risks facing its e-commerce system and associated business processes, and the potential impact if a security incident arises.

A key part of a risk assessment is defining the business information access requirements, as these will cover the rules of access for different groups of users.

Any analysis should also take into account how electronic transactions are verified. How do we know that an order has actually come from a known customer? Where contracts are exchanged electronically, who can sign them, and how can it be proved which is the signed version?

Common E-Commerce Security Tools: One should introduce sufficient security controls to reduce the risk to e-commerce systems. However, these controls should not be so restrictive that they damage the employees' performance.

Some of the common security controls are:-

i. Authentication: There are several techniques that can identify and verify someone seeking to access an e-commerce system. These include:-

A user name and password combination, where the password can vary in length and include numbers and characters.
Two-factor authentication requiring something the user has (e.g. an authentication token) and something the user knows (e.g. a personal identification number).
A digital certificate that enables authentication through the use of an individual's unique signing key.
A person's unique physical attribute, referred to as a biometric. This can range from a fingerprint or iris scan through to retinal or facial-feature recognition.

ii. Access Control: This restricts different classes of users to subsets of information and ensures that they can only access data and services for which they have been authorized. These include using:-

Network restrictions to prevent access to other computer systems and networks.
Application controls to ensure individuals are limited in the data or service they can access.

Changes to access privileges must be controlled to prevent users retaining them if they transfer between departments or leave the business.
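Worked example (added here; not code from the original notes): an application-level access control of the kind described above, where each class of user is mapped to a set of permissions, every request is decided against that map with a default of deny, and a departmental transfer replaces the user's old roles rather than adding to them. The roles, permissions and user names are constructed for the example; each decision is also written to an audit list for later review.

```python
from dataclasses import dataclass, field

# Constructed role -> permission map for a hypothetical e-commerce site.
ROLE_PERMISSIONS = {
    "customer": {"catalogue:read", "order:create", "order:read_own"},
    "sales":    {"catalogue:read", "order:read_all", "pricelist:read"},
    "finance":  {"order:read_all", "payments:read", "refund:approve"},
    "admin":    {"catalogue:write", "pricelist:write", "user:manage"},
}

@dataclass
class User:
    name: str
    department: str
    roles: set = field(default_factory=set)

class AccessControl:
    """A request is allowed only if one of the user's current roles grants the
    permission; anything not explicitly granted is denied."""

    def __init__(self):
        self.audit = []   # (user, permission, decision) records for review

    def is_allowed(self, user: User, permission: str) -> bool:
        allowed = any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)
        self.audit.append((user.name, permission, "allow" if allowed else "deny"))
        return allowed

    def transfer(self, user: User, new_department: str, new_roles: set) -> None:
        """A transfer replaces the old roles instead of adding to them, so
        privileges do not accumulate as people move between departments."""
        user.department = new_department
        user.roles = set(new_roles)

    def offboard(self, user: User) -> None:
        """A leaver keeps an account record for audit purposes but no roles."""
        user.roles = set()
        user.department = "left"

def demo():
    """Walk one user through sales -> finance -> leaving and return the decisions."""
    ac = AccessControl()
    alice = User("alice", "sales", {"sales"})
    before = ac.is_allowed(alice, "pricelist:read")     # True: sales right
    ac.transfer(alice, "finance", {"finance"})
    after = ac.is_allowed(alice, "pricelist:read")      # False: sales right gone
    refund = ac.is_allowed(alice, "refund:approve")     # True: finance right
    ac.offboard(alice)
    gone = ac.is_allowed(alice, "refund:approve")       # False: no roles left
    return before, after, refund, gone, ac.audit

if __name__ == "__main__":
    print(demo())
```

The point of `transfer` replacing rather than extending the role set is exactly the control the notes call for: a user who moves from sales to finance loses the price-list right at the moment of the move, and the audit trail shows the later denial.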

iii. Encryption: This technique scrambles data, and is used to protect information that is either being held on a computer or transmitted over a network. It uses technologies such as virtual private networks (VPNs) and secure sockets layer (SSL).

iv. Firewall: A firewall is a hardware or software security device that filters information passing between internal and external networks.

It controls access to the Internet by internal users, preventing outside parties from gaining access to systems and information on the internal network.

A firewall can be applied at the network level to provide protection for multiple workstations or internal networks, or at the personal level where it is installed on an individual PC.

A firewall typically takes one of two forms:-

a. Software firewall: Specialized software running on an individual computer.
b. Network firewall: A dedicated device designed to protect one or more computers.

Both types of firewall allow the user to define access policies for inbound connections to the computers they are protecting.

Many also provide the ability to control what services the protected computers are able to access on the Internet.

Most firewalls intended for home use come with pre-configured security policies from which the user chooses, and also allow the user to customize these policies for their specific needs.

Types of Firewalls: There are three basic types of firewalls depending on:-

a. Whether the communication is being done between a single node and the network, or between two or more networks.
b. Whether the communication is intercepted at the network layer, or at the application layer.
c. Whether the communication state is being tracked at the firewall or not.

With regard to the scope of filtered communication there exist:-

Personal firewalls: A software application, which normally filters traffic entering or leaving a single computer.
Network firewalls: Normally running on a dedicated network device or computer positioned on the boundary of two or more networks. Such a firewall filters all traffic entering or leaving the connected networks.
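Worked example (added here; not code from the original notes): a small network-layer firewall model showing the two ideas the section describes, an ordered inbound access policy with a default deny, and connection-state tracking, which is what lets replies to connections started by insiders back in while unsolicited inbound traffic is dropped. The addresses, networks and rules are constructed for the example (documentation ranges); the class and rule format are this example's own, not any product's configuration syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src_net: str              # CIDR the source address must fall in
    dst_net: str              # CIDR the destination address must fall in
    dport: Optional[int] = None   # None matches any destination port
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or pkt.dport == self.dport))

class StatefulFirewall:
    """Network firewall on the boundary between the internal LAN and the Internet.
    Inbound packets are checked against an ordered rule list with a default deny.
    Outbound connections started by insiders are recorded so that their replies
    are admitted; a stateless filter cannot make that distinction."""

    def __init__(self, rules, internal_net):
        self.rules = list(rules)
        self.internal = ipaddress.ip_network(internal_net)
        self.established = set()   # (inside_ip, outside_ip, outside_port)

    def outbound(self, pkt: Packet) -> bool:
        # Insiders get access to outside services; remember the flow.
        if ipaddress.ip_address(pkt.src) in self.internal:
            self.established.add((pkt.src, pkt.dst, pkt.dport))
            return True
        return False

    def inbound(self, pkt: Packet, sport: int) -> bool:
        # A reply to a tracked outbound flow is let through.
        if (pkt.dst, pkt.src, sport) in self.established:
            return True
        for rule in self.rules:        # first matching rule decides
            if rule.matches(pkt):
                return rule.action == "allow"
        return False                   # default deny

def demo():
    """Constructed policy: from outside, only the public web server on 443 is reachable."""
    fw = StatefulFirewall(
        rules=[Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 443),
               Rule("deny", "0.0.0.0/0", "10.0.0.0/8")],
        internal_net="10.0.0.0/8")
    web_ok = fw.inbound(Packet("198.51.100.7", "203.0.113.10", 443), sport=51000)
    db_blocked = not fw.inbound(Packet("198.51.100.7", "10.0.0.5", 3306), sport=51001)
    fw.outbound(Packet("10.0.0.21", "198.51.100.9", 443))      # insider opens a connection
    reply_ok = fw.inbound(Packet("198.51.100.9", "10.0.0.21", 40000), sport=443)
    return web_ok, db_blocked, reply_ok

if __name__ == "__main__":
    print(demo())
```

Rule order matters: the allow for the web server sits before the blanket deny, and everything not covered by any rule falls through to the default deny, which is the posture the notes recommend for inbound traffic.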
v. Intrusion Detection: Intrusion detection software monitors system and network activity to spot any attempt being made to gain access.

If a detection system suspects an attack, it can generate an alarm, such as an e-mail alert, based upon the type of activity it has identified.

Despite the sophistication of these controls, they are only as good as the people who use them, and hence a continual awareness program is a vital component of any security policy.

vi. Anti-Virus Software: Anti-virus software is used to protect against viruses, Trojans and worms. It can detect them, prevent access to infected files and quarantine any infected file.

There are different types of anti-virus software:-

Virus Scanners: Must be updated regularly, usually by connecting to the supplier's website, in order to recognize new viruses.
Heuristic Software: Detects viruses by applying general rules about what viruses look like. While it does not require frequent updates, this software can be prone to giving false alarms.

The threat of virus infection can be minimized by:-

Using a virus checker on one's Internet connection to trap viruses both entering and leaving the business IT system.
Running virus checkers on servers to trap any viruses that have managed to evade the above check.
Running individual virus checkers on users' PCs to ensure that they have not downloaded a virus directly, or inadvertently introduced one via a CD or floppy disk.

Other Methods of Preventing Viruses:-

Installing software patches provided by the supplier of one's operating system to close security loopholes that could be exploited by viruses.
Using a firewall to prevent unauthorized access to one's network.
Avoiding downloading unauthorized programs and documents from the Internet, and ensuring that everyone in the organization adheres to this policy.

One's system may still become infected even if the above guidelines are followed. Hence regular back-ups of data and software should be taken so that infected files can be replaced with clean copies if required.

Virus Alerting Services: One can subscribe to a service or supplier who will provide virus alerts. Some are available on a paid-for basis, while others are provided by suppliers of anti-virus software to their customers.

Spyware: There is software available that scans systems and detects known spyware programs. Spyware can then be removed or quarantined. As with anti-virus software, it is important to keep this software up-to-date.
vii. Digital Identity & Digital Signature: Digital identity refers to the aspect of digital technology that is concerned with the mediation of people's experience of their own identity and the identity of other people and things.

Digital identity is a safe personal web platform that gives the individual the power to control how they interact with the Internet and share their personal information.

Each individual is assigned a personal web address that functions as a master key to all his or her online communication.

Through a number of practical tools such as online business cards, CV, favorites, personal messages, access control etc., the individual creates and has full control of their online information.

With Digital identity each individual becomes an integrated part of the Internet, so other websites, search engines and applications can automatically interact with the online identity.

The basis of Digital identity is:-

It is the online presence of an individual or business.
Authentication: gives access to online services.
Authorization: defines the level of access to online services.
It is a repository of information for use by the subscriber, for the subscriber.
It is the first point of all online communications.

Biometric: Biometric refers to the automatic identification of a person based on his physiological or behavioral characteristics. Examples of physical characteristics include fingerprints, eye retinas and irises, facial patterns and hand measurements, while examples of behavioral characteristics include signature, gait and typing patterns.

This method of identification offers several advantages over traditional methods involving ID cards or PIN numbers, for various obvious reasons:-

i. The person to be identified is required to be physically present at the point of identification.
ii. Unlike biometric traits, PINs or passwords may be forgotten, and tokens like passports and driver's licenses may be forged, stolen, or lost.
iii. By replacing PINs (or using biometrics in addition to PINs), biometric techniques can potentially prevent unauthorized access to sensitive places and sensitive equipment.

Client-Server Network Security: According to the National Center of Computer Data, computer security violations cost U.S. businesses half a billion dollars each year.

Network security on the Internet is a major concern for commercial organizations, especially top management.

Recently, the Internet has raised many new security concerns. By connecting to the Internet, a local network organization may be exposing itself to the entire population on the Internet.

An Internet connection effectively breaches the physical security perimeter of the corporate network and opens it to access from other networks comprising the public Internet.

For many commercial operations, security is simply a matter of making sure that existing system features, such as passwords and privileges, are configured properly, and of auditing all access to the network.

A system that records all log-on attempts, particularly the unsuccessful ones, can alert managers to the need for stronger measures.
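Worked example (added here; not code from the original notes) serving both the intrusion-detection control in section v. and the statement above about recording unsuccessful log-on attempts: a detector that reads authentication log lines, keeps a sliding window of failures per source address, and raises an alert when one source crosses a failure threshold, or when a success follows such a burst (the pattern that matters most to a manager reading the alert). The log format and every line in SAMPLE_LOG are constructed for this example, as are the threshold and window defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an authentication log (syslog-like; made up for this example).
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth: FAILED login user=alice from=203.0.113.5
2024-05-01T09:00:04 auth: FAILED login user=alice from=203.0.113.5
2024-05-01T09:00:09 auth: FAILED login user=alice from=203.0.113.5
2024-05-01T09:00:15 auth: FAILED login user=bob from=203.0.113.5
2024-05-01T09:00:20 auth: FAILED login user=carol from=203.0.113.5
2024-05-01T09:00:25 auth: SUCCESS login user=alice from=203.0.113.5
2024-05-01T09:30:00 auth: FAILED login user=dave from=198.51.100.8
2024-05-01T10:45:00 auth: FAILED login user=dave from=198.51.100.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) from=(?P<src>\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, source) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])

def detect(log_text, threshold=3, window=timedelta(minutes=5)):
    """Alert when one source produces `threshold` failed logins within `window`,
    or when a success follows such a burst. Returns (kind, source, detail) tuples."""
    failures = defaultdict(list)      # source -> timestamps of failures still in the window
    alerts = []
    for ts, result, user, src in parse(log_text):
        recent = [t for t in failures[src] if ts - t <= window]   # drop stale entries
        if result == "FAILED":
            recent.append(ts)
            failures[src] = recent
            if len(recent) == threshold:      # fire once, as the line is crossed
                alerts.append(("brute_force", src, f"{threshold} failures within {window}"))
        else:
            failures[src] = recent
            if len(recent) >= threshold:
                alerts.append(("success_after_failures", src, f"user={user}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second source in the sample fails twice but more than an hour apart, so it never reaches the threshold within the window; keying the counters on the source address rather than the user name is what catches the first burst, where the attempts are spread across three different accounts.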

However, where secrets are at stake or where important corporate assets must be made available to remote users, additional measures must be taken.

Hackers can use password guessing, password tapping, security holes in programs, or common network access procedures to impersonate users and thus pose a threat to the server.

Client-server network security problems manifest themselves in three ways:-

i. Physical security holes result when individuals gain unauthorized physical access to a computer.

For example, in a public workstation room, a hacker may reboot a machine into single-user mode and tamper with the files, if precautions are not taken.

On networks also, hackers gain access to network systems by guessing the passwords of various users.

ii. Software security holes result when badly written programs or privileged software are compromised into doing things they shouldn't.

The most famous example is the sendmail hole, which brought the Internet to its knees in 1988.

A more recent problem was the rlogin hole in the IBM RS/6000 workstations, which enabled a cracker (a malicious hacker) to create a root shell or super-user access mode. This is the highest level of access possible and could be used to delete the entire file system, or create a new account or password file, resulting in incalculable damage.

iii. Inconsistent usage holes result when a system administrator enables a combination of hardware and software such that the system is seriously flawed from a security point of view: the incompatibility of two unconnected but individually useful things creates the security hole.

Problems like this are difficult to isolate once the system is set up and running. Hence one should carefully build the system with these things in mind.

To reduce these security threats, over the years, several protection methods have been developed:-

a. Trust Based Security: Trust-based security means to trust everyone and do nothing extra for ensuring security, assuming that all the users are trustworthy and competent in their use of the shared network.

b. Security through Obscurity: Most organizations in the mainframe era practiced a philosophy known as Security through Obscurity (STO): the notion that any network can be secure as long as nobody outside its management group is provided information, other than on a need-to-know basis.

Hiding account passwords in binary files or scripts with the presumption that nobody will ever find them is a prime case of STO (somewhat like hiding the house key under the doormat and telling only family and friends).

In short, STO provides a false sense of security in computing systems without actually hiding information.

c. Firewall and Network Security: The most commonly accepted network protection is a barrier, a firewall, between the corporate network and the outside world (untrusted networks).

A firewall is a method of placing a device, a computer or a router, between the network and the Internet to control and monitor all the traffic between the outside world and the local networks.

Typically, the device allows insiders to have full access to the services on the outside networks but grants only selective access, based on login names, passwords, IP addresses or other identifiers, to outsiders.

Data and Message Security:-

Encryption: The success of an e-commerce operation hinges on myriad factors including the business model, the team, the customers, the investors, the product, and the security of data transmissions and storage.

Data security has taken on increased importance because a series of high-profile cracker attacks have humbled popular web sites, resulted in the impersonation of Microsoft employees for the purposes of digital certification, and led to the misuse of credit card numbers of customers at B2C entrepreneurs who solicit, store, or communicate any information that may be sensitive if lost.

An arms race is underway: technologists are building new security measures while others are working to crack the security systems. One of the most effective means of ensuring data security and integrity is encryption.

Encryption is a generic term that refers to the act of encoding data so that those data can be securely transmitted via the Internet. Encryption can protect the data at the simplest level by preventing other people from reading the data.

In the event that someone intercepts a data transmission and manages to deceive any user identification scheme, the data that they see appears to be gibberish without a way to decode it.

Encryption technologies can help in other ways as well: by establishing the identity of users (or abusers); controlling the unauthorized transmission or forwarding of data; verifying the integrity of the data (i.e. that it has not been altered in any way); and ensuring that users take responsibility for data that they have transmitted.

Encryption can therefore be used either to keep communications secret (defensively) or to identify people involved in communications (offensively).

E-commerce systems can use the following encryption techniques:-

a. Public Key Encryption or Asymmetric Key-based Algorithm: This method uses one key to encrypt data and a different key to decrypt the same data. It is also called Public Key / Private Key encryption.

b. Symmetric Key-based Algorithms or Block-and-Stream Ciphers: Using these cipher types, the data is separated into chunks, and those chunks are encrypted and decrypted based on a specific key. Stream ciphers are used more predominantly than block ciphers, as the chunks are encrypted on a bit-by-bit basis. This process is much smaller and faster than encrypting larger (block) chunks of data.

c. Hashing or Creating a Digital Summary of a String or File: This is the most common way to store passwords on a system, as the passwords aren't really what's stored, just a hash that can't be decrypted.

Digital Signature (Electronic Signature): A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged.

Digital signatures are easily transportable, cannot be imitated by someone else and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.

A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message has arrived intact.

A Digital Certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is original.

How it Works: Assume you are going to send the draft of a contract to your lawyer in another town and want to give him the assurance that it is unchanged and that it is from you only.

Copy and paste the contract into an e-mail note.
Using special software, obtain a message hash (mathematical summary) of the contract.
Then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.
The encrypted hash becomes your digital signature of the message (note that it will be different each time you send a message).

Other interesting issues worth pursuing for information related to encryption include:-

Secure socket layer (SSL) protocols, which allow for the transmission of encrypted data across the Internet by running above the traditional TCP/IP protocols.
The effectiveness and occasional flaws in easily accessible (freeware) security technologies such as PGP (Pretty Good Privacy is a popular program used to encrypt and decrypt email over the Internet, as well as to authenticate messages with digital signatures and encrypt stored files).
Other uses of encryption, such as the closely related notions of digital signatures, access controls, and watermarks.
The technical means by which keys use hash tables to achieve the encryption and decryption process.
Regulation of Certificate Authorities (CAs), Registration Authorities that validate users as having been issued certificates, and the directories that store certificates, public keys and certificate management information.
Policies that identify how an institution manages certificates for its own personnel, including legal liabilities and limitations, standards on contents of certificates, and actual user practices.
Legal Issues in E-Commerce: Implementation of e-commerce involves many legal issues. These issues can be classified as:-

i. Privacy: Privacy means the right to be left alone and the right to be free of unreasonable personal intrusions.

Privacy Principles: The code's 10 principles for privacy are:-

1. Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
2. Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
3. Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except when inappropriate.
4. Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization, and should be collected by fair and lawful means.
5. Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it has been collected, except with the consent of the individual or as required by law. Moreover, personal information shall be retained only as long as necessary for the fulfillment of those purposes.
6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
7. Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
8. Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
9. Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals for the organization's compliance.

Protecting one's Privacy:-

1. Think before giving out personal information on a site.
2. Track the use of your name and information.
3. Keep your newsgroup posts out of archives.
4. Use the Anonymizer when browsing.
5. Live without cookies.
6. Use anonymous remailers.
7. Use encryption.
8. Reroute your mail away from your office.
9. Ask your ISP or employer about a privacy policy.

ii. Cookies: Cookies are pieces of information that allow a Web site to record the information coming in and going out. Through cookies:-

Web sites can remember information about users and respond to their preferences on a particular site.
Web sites can maintain information on a particular user across HTTP connections.

Reasons for Using Cookies: Cookies are usually used for the following reasons:-

To personalize information.
To improve online sales / services.
To simplify tracking of popular links or demographics.
To keep sites fresh and relevant to the user's interests.
To enable subscribers to log in without having to enter a password every time.
To keep track of a customer's search preferences.
Personal profiles created this way are more accurate than self-registration.

Solutions to Cookies: As cookies are stored at the client's side (the person who is navigating the site) and send information about the client to the server (web site), they can sometimes be dangerous for privacy. Some solutions to avoid cookies are:-

Users can delete cookie files stored on their computer on a regular basis.
Use of anti-cookie software.
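Worked example (added here; not code from the original notes) of the server side of the mechanism described above, the cookie that lets a subscriber stay logged in across HTTP connections, built so that it carries as little as possible: the cookie holds only a random opaque session identifier, while the user's name and preferences stay in a store on the server, and the cookie is marked Secure, HttpOnly and SameSite so that it travels only over HTTPS, is not readable by page scripts, and is not attached to cross-site requests. The session store, its lifetime and the user data are constructed for the example; only Python's standard library is used.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Hypothetical server-side session store: session id -> record. Nothing personal
# is written into the cookie itself.
SESSIONS = {}
SESSION_TTL = 3600   # seconds a session stays valid

def issue_session(username: str, preferences: dict) -> str:
    """Create a session and return the Set-Cookie header line to send to the browser."""
    session_id = secrets.token_urlsafe(32)          # unguessable identifier
    SESSIONS[session_id] = {"user": username, "prefs": dict(preferences),
                            "expires": time.time() + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["secure"] = True        # only sent over HTTPS
    cookie["session"]["httponly"] = True      # not exposed to page scripts
    cookie["session"]["samesite"] = "Lax"     # not sent on cross-site requests
    cookie["session"]["max-age"] = SESSION_TTL
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")

def lookup_session(cookie_header: str):
    """Resolve the browser's Cookie request header back to the stored record, or None."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("session")
    if morsel is None:
        return None
    record = SESSIONS.get(morsel.value)
    if record is None or record["expires"] < time.time():
        SESSIONS.pop(morsel.value, None)        # expired or unknown: forget it
        return None
    return record

def end_session(cookie_header: str) -> str:
    """Logout: drop the server-side record and tell the browser to discard the cookie."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("session")
    if morsel is not None:
        SESSIONS.pop(morsel.value, None)
    expired = SimpleCookie()
    expired["session"] = ""
    expired["session"]["max-age"] = 0
    expired["session"]["path"] = "/"
    return expired.output(header="Set-Cookie:")

if __name__ == "__main__":
    header = issue_session("alice", {"lang": "en", "currency": "EUR"})
    print(header)
    sid = header.split("session=")[1].split(";")[0]
    print(lookup_session("session=" + sid))
    print(end_session("session=" + sid))
```

Because the identifier is random and meaningless on its own, a copy of the cookie file reveals nothing about the user, and deleting it (the first of the solutions listed above) simply ends the session; the preferences the site remembers are never exposed on the client side.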

iii. Intellectual Property: Intellectual property is the intangible property created by individuals or corporations. It is difficult to protect since it is easy and inexpensive to copy and disseminate digitized information.

Protecting Intellectual Property: Intellectual property is protected under copyright, trade secret and patent laws.

1. Copyright: Copyright is a statutory grant that provides the creators of intellectual property with ownership of it for 28 years.
2. Trade Secret: A trade secret is intellectual work such as a business plan, which is a company secret and is not based on public information.
3. Patent: A patent is a document that grants the holder exclusive rights to an invention for 17 years.
4. Free Speech: The Internet provides the largest opportunity for free speech. Provisions in law for two cases that limit free speech are:-
a. Obscene material.
b. Compelling government interest.

iv. Indecency: Indecency is any comment, request, suggestion, proposal, image, or other communication that, in context, depicts or describes, in terms patently offensive as measured by contemporary community standards, sexual or excretory activities or organs.

v. Taxation: Taxation is an issue as e-commerce companies do not have to collect sales tax on their customers' purchases. While this is an advantage to customers, it costs the government a great deal.

vi. Gambling: Gambling is an issue as the Internet makes it difficult to decide where the transaction takes place, and hence which region's law should regulate that transaction.

vii. Other Legal Issues: Some other legal issues are:-

What are the rules of electronic contracting, and whose jurisdiction prevails when buyers, brokers and sellers are in different states and/or countries?
How can gambling be controlled on the Internet, as it is legal in many countries and illegal in others? How can the winner's tax be collected?
When are electronic documents admissible evidence in courts of law? What can one do if they are not?
Time and place can carry different dates for buyers and sellers when they are across the ocean.
Is a digital signature legal everywhere?
The use of multiple networks and trading partners makes the documentation of responsibility difficult. How can such a problem be overcome?

Ethical Issues: Ethics is a branch of philosophy that deals with what
is considered to be right or wrong, and the spread of electronic
commerce has created many new ethical issues.

For example, the monitoring of e-mails by a company is highly
controversial, as one group of people may agree to this and another
may disagree.

There are also differences regarding ethics among different countries.
What is unethical in one culture may be perfectly acceptable in
another.

Hence, many companies and professional organizations have
developed their own codes of ethics, a collection of principles
intended as a guide for their members.

Mason has categorized these ethical issues into the following:-

1. Privacy: Collection, storage, and dissemination of information about
individuals.

2. Property: Ownership and value of information and intellectual
property.

3. Accuracy: Authenticity, fidelity, and accuracy of information
collected and processed.

4. Accessibility: Right to access information and payment of fees to
access it.

Cyber Law: Cyber law is a term which refers to all the legal and
regulatory aspects of Internet and the World Wide Web. Anything
concerned with or related to, or emanating from, any legal aspects or
issues concerning any activity of netizens and others, in Cyberspace
comes within the ambit of Cyber Law.

Aims of Cyber Law:-

1. To facilitate electronic communications by means of reliable
electronic records.

2. To facilitate and promote electronic commerce, to eliminate barriers
to electronic commerce resulting from uncertainties over writing and
signature requirements, and to promote the development of the legal
and business infrastructure necessary to implement secure electronic
commerce.

3. To facilitate the electronic filing of documents with government
agencies and statutory bodies, and to promote efficient delivery of
government services by means of electronic records.

4. To minimize the incidence of forged electronic records, intentional
and unintentional alterations of records, and fraud in electronic
commerce and other electronic transactions.

5. To promote public confidence in the integrity and reliability of
electronic records, electronic signatures and electronic commerce.

6. To establish uniform rules and standards regarding the
authentication and integrity of electronic records.

7. To create a legal infrastructure for the use of digital signatures.

Cyber Law in India: In May 2000, both the houses of the Indian
Parliament passed the Information Technology Bill. The Bill received
the assent of the President in August 2000 and came to be known as
the Information Technology Act, 2000. It was enacted on 7th June
2000 and was notified in the official gazette on 17th October 2000 and
is made applicable to the whole of India.
Aim: The Information Technology (IT) Act 2000 aims to provide a
legal and regulatory framework for promotion of e-Commerce and e-
Governance.

The Act also aims to provide for the legal framework so that legal
sanctity is accorded to all electronic records and other activities
carried out by electronic means.

The Act states that unless otherwise agreed, an acceptance of contract
may be expressed by electronic means of communication and the
same shall have legal validity and enforceability.

Salient Provisions of Cyber Law: The IT Act 2000 attempts to
change outdated laws and provides ways to deal with cyber crimes.

In view of the growth in transactions and communications carried out
through electronic records, the Act seeks to empower government
departments to accept filing, creating and retention of official
documents in the digital format.

The Act has also proposed a legal framework for the authentication
and origin of electronic records / communications through digital
signature.

From the perspective of e-commerce in India, the IT ACT 2000 and its
provisions contain many positive aspects.

Firstly, the implications of these provisions for e-businesses would
be that email would now be a valid and legal form of communication
in our country that can be duly produced and approved in a court of
law.

Companies shall now be able to carry out electronic commerce using
the legal infrastructure provided by the Act.

Digital signatures have been given legal validity and sanction in the
Act.

The Act throws open the doors for the entry of corporate companies in
the business of being Certifying Authorities for issuing Digital
Signature Certificates.
The Act now allows Government to issue notification on the web thus
heralding e-governance.

The Act enables the companies to file any form, application or any
other document with any office, authority, body or agency owned or
controlled by the appropriate Government in electronic form by
means of such electronic form as may be prescribed by the
appropriate Government.

The IT Act also addresses the important issues of security, which are
so critical to the success of electronic transactions. The Act has given a
legal definition to the concept of secure digital signatures that would
be required to have been passed through a system of a security
procedure, as stipulated by the Government at a later date.

Under the IT Act 2000, it shall now be possible for corporates to have a
statutory remedy in case anyone breaks into their computer systems
or network and causes damage or copies data. The remedy provided
by the Act is in the form of monetary damages, not exceeding Rs. 1
crore.

Contracting And Contract Enforcement: A legally binding contract
requires a few basic elements: offer, acceptance and consideration.
When contracting is performed electronically, these requirements are
difficult to establish.

Various acts and laws have been made for contracting and contract
enforcement. Some of them are:-

Uniform Electronic Transactions Act:

It provides the means to effectuate transactions accomplished through
an electronic medium.

It seeks to extend existing provisions of contract law to cyber law by
establishing uniform and consistent definitions of electronic records,
digital signatures, and other electronic communications.

It is a comprehensive law regarding business conduct.

Uniform Commercial Code (UCC):

It provides a government code that supports existing and future
electronic technologies in the exchange of goods or of services related
to the exchange of goods.

It provides clear language to address issues of offer and acceptance
required for formation of a contract.

Shrink-wrap Agreements (or Box Top Licenses):

The user is bound to the license by opening the package even though
he or she has not used the product or even read the agreement, which
has been a point of contention for some time.

The court felt that more information would provide more benefit to
the consumer given the limited space available on the exterior of the
package.
Click-Wrap Contracts:

The software vendor offers to sell or license the use of the software
according to the terms accompanying the software.

The buyer agrees to be bound by the terms based on certain conduct.

IT Act 2000: The Information Technology Act 2000 aims to provide
a legal and regulatory framework for promotion of e-commerce and e-
Governance. It was enacted on 7th of June 2000 and was notified in the
official gazette on 17th of October 2000. It is applicable to the whole of
India.

Major Provisions Contained in the IT Act 2000 are:

Extends to the whole of India.

Electronic contracts will be legally valid.

Legal recognition of digital signatures.

Digital signature to be effected by use of asymmetric crypto system
and hash function.

Security procedure for electronic records and digital signature.

Appointment of Certifying Authorities and Controller of Certifying
Authorities, including recognition of foreign Certifying Authorities.

Controller to act as repository of all digital signature certificates.

Certifying authorities to get License to issue digital signature
certificates.

Various types of computer crimes defined and stringent penalties
provided under the Act.

Appointment of Adjudicating Officer for holding inquiries under the
Act.

Establishment of Cyber Appellate Tribunal under the Act.

Appeal from order of Adjudicating Officer to Cyber Appellate Tribunal
and not to any Civil Court.

Appeal from order of Cyber Appellate Tribunal to High Court.

Act to apply for offences or contraventions committed outside India.

Network service providers not to be liable in certain cases.

Power of police officers and other officers to enter into any public
place and search and arrest without warrant.

Constitution of Cyber Regulations Advisory Committee, which will
advise the Central Government and Controller.

The IT Act enables:

Legal recognition to electronic Transaction / Record.

Facilitate Electronic Communication by means of reliable electronic
record.

Acceptance of contract expressed by electronic means.

Facilitate Electronic Commerce and Electronic Data interchange.

Electronic Governance.

Facilitate electronic filing of documents.

Retention of documents in electronic form.

Where the law requires a signature, a digital signature satisfies the
requirement.

Uniformity of rules, regulations and standards regarding the
authentication and integrity of electronic records or documents.

Publication of official gazette in the electronic form.

Interception of any message transmitted in the electronic or
encrypted form.

Prevent Computer Crime, forged electronic records, intentional
alteration of electronic records, fraud, forgery or falsification in
Electronic Commerce and Electronic Transaction.

Authentication of the electronic Records in IT Act 2000: Section
3(2) of the IT Act 2000 has provided that "The authentication of the
electronic record shall be effected by the use of asymmetric
crypto system and hash function which envelop and transform
the initial electronic record into another electronic record".

Explanation: For the purposes of this sub-section, "hash function"
means an algorithm mapping or translation of one sequence of bits
into another, generally smaller, set known as the hash result, such that
an electronic record yields the same hash result every time the
algorithm is executed with the same electronic record as its input,
making it computationally infeasible:-

To derive or reconstruct the original electronic record from the hash
result produced by the algorithm.

That two electronic records can produce the same hash result using
the algorithm.

Digital Signature: The digital signature is an encryption and
decryption process allowing both the positive identification of the
author of an electronic message (who wrote the message) and
verification of the integrity of the message (whether the message has
been tampered with during transmission).
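The two steps Section 3(2) names, hashing the record and then applying an asymmetric crypto system, are shown together in the Go program below. It is an added example written for this page, not code from the notes or from any Certifying Authority; SHA-256 as the hash function and ECDSA over the P-256 curve as the asymmetric system are assumptions, since the Act names no particular algorithms, and the purchase-order text is constructed. The program demonstrates the hash properties in the Explanation (same record, same hash result; a changed record, a different result) and both things a digital signature establishes: who signed, and whether the record was altered afterwards.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// HashRecord is the "hash function" step of Section 3(2): a record of any
// length is mapped to a fixed 32-byte hash result. SHA-256 is an assumption
// made for this example; the Act does not name an algorithm.
func HashRecord(record []byte) [32]byte {
	return sha256.Sum256(record)
}

// HashHex renders the hash result as hex so two results can be compared.
func HashHex(record []byte) string {
	h := HashRecord(record)
	return hex.EncodeToString(h[:])
}

// SignRecord is the "asymmetric crypto system" step: the author's private key
// signs the hash result rather than the record itself. ECDSA on P-256 is the
// system chosen for this example.
func SignRecord(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	h := HashRecord(record)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyRecord recomputes the hash of the received record and checks the
// signature with the claimed author's public key. Success shows both who
// signed (only the matching private key could have produced it) and that
// the record is unchanged (any alteration changes the hash, so the check fails).
func VerifyRecord(pub *ecdsa.PublicKey, record, sig []byte) bool {
	h := HashRecord(record)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// SignatureDemo runs the flow on a constructed purchase order and reports
// whether (1) the genuine record verifies, (2) a record altered after signing
// verifies, and (3) the genuine record verifies under another party's key.
func SignatureDemo() (genuineOK, tamperedOK, wrongKeyOK bool, err error) {
	author, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}

	record := []byte("PO-1234: 10 units at Rs. 500")   // constructed record
	tampered := []byte("PO-1234: 11 units at Rs. 500") // one digit changed in transit

	sig, err := SignRecord(author, record)
	if err != nil {
		return false, false, false, err
	}

	genuineOK = VerifyRecord(&author.PublicKey, record, sig)
	tamperedOK = VerifyRecord(&author.PublicKey, tampered, sig)
	wrongKeyOK = VerifyRecord(&other.PublicKey, record, sig)
	return genuineOK, tamperedOK, wrongKeyOK, nil
}

func main() {
	fmt.Println("hash of genuine record: ", HashHex([]byte("PO-1234: 10 units at Rs. 500")))
	fmt.Println("hash of tampered record:", HashHex([]byte("PO-1234: 11 units at Rs. 500")))
	genuine, tampered, wrongKey, err := SignatureDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine verifies:", genuine, " tampered verifies:", tampered, " other key verifies:", wrongKey)
}
```

The verifier never sees the private key, which is what lets a signature identify the author to a third party such as a court, and the hash is what makes the check sensitive to every bit of the record: the one-digit change in the quantity produces an entirely different hash result, so the stored signature no longer matches.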

Civil Offences Stipulated by IT Act 2000: Section 43 and Section 44
of the IT Act prescribe the civil offences, which cover:-

Copying or extracting any data or database.

Unauthorized access and downloading of files.

Introduction of a virus.

Damage to a computer system or computer network.

Disruption of a computer or computer network.

Denial of access to a computer to an authorized person.

Providing assistance to any person to facilitate unauthorized access to
a computer.

Charging the service availed by a person to the account of another
person by tampering with and manipulating another computer.

Failure to furnish information, returns etc. to the Controller by
certifying authorities.

Criminal Offences Stipulated by IT Act 2000: Chapter XI (Sections
65 to 75) of the IT Act prescribes the criminal offences, which cover:-

Tampering with computer source documents (i.e. listing of programs).

Hacking with computer system.

Electronic forgery, i.e. affixing of false digital signature, making false
electronic record.

Electronic forgery for the purpose of cheating.

Electronic forgery for the purpose of harming reputation.

Using as genuine a forged electronic record.

Publication of digital signature certificate for fraudulent purpose.

Offences and contravention by companies.

Unauthorized access to protected system.

Confiscation of computer, network, etc.

Publication of information which is obscene in electronic form.

Misrepresentation or suppressing of material fact.

Breach of confidentiality and privacy.

Publishing false Digital Signature Certificate.


Other Provisions / Acts that are not covered under the IT Act:-

Negotiable instrument.

Power of Attorney.

Trust.

Will.

Any contract for the sale or the conveyance of immovable property or
any interest in such property.
