Unit 2


CSE459
CYBER LAW AND SECURITY AUDITING

Unit 2: Cyber law, the legal perspectives
• Why do we need cyber laws
• Challenges to law and the cybercrime scenario
• Digital signatures and the Indian IT Act
• Amendments to the Indian IT Act
• Information Technology Act 2008 and its amendments
• The genesis of IT legislation in India
• Objectives of IT legislation in India
• IT Act and provisions related to cybercrime in the Indian Penal Code
Why do we need cyber laws
• Protection of individuals and organizations from cybercrimes.
• Safeguarding data privacy and security.
• Regulating e-commerce and ensuring consumer protection.
• Protecting intellectual property rights in the digital space.
• Preventing and controlling cybercrimes.
• Supporting national security efforts.
• Promoting trust and confidence in digital environments.
• Facilitating international cooperation against cross-border cybercrimes.


Challenges to Law and Cybercrime Scenario
• Jurisdictional Issues
• Cross-Border Crimes: Cybercrimes often cross national
borders, creating jurisdictional challenges. Criminals
may operate from different countries, making it difficult
for Indian law enforcement agencies to investigate,
prosecute, and bring perpetrators to justice.
• International Cooperation: Effective handling of cross-
border cybercrimes requires international cooperation
and treaties, which can be challenging to navigate due
to differing legal frameworks and interests.
Challenges to Law and Cybercrime Scenario
• Outdated Legal Framework
• Need for Modernization: India's primary legislation for cybercrimes, the Information Technology Act of 2000 (amended in 2008), is considered outdated in the face of new-age crimes like ransomware, advanced phishing attacks, and complex financial frauds.
• Lack of Comprehensive Laws: Current laws do not fully cover emerging cybercrimes, including those related to artificial intelligence, cryptocurrency, and digital privacy breaches.
Challenges to Law and Cybercrime Scenario
• Limited Law Enforcement Capabilities
• Skill Gap: Law enforcement agencies often lack the specialized skills and training necessary to tackle sophisticated cybercrimes. This includes knowledge of digital forensics, cybersecurity tools, and advanced technologies.
• Resource Constraints: Many police departments in India are under-resourced, lacking the necessary technology, tools, and personnel to effectively combat cybercrime.
Challenges to Law and Cybercrime Scenario
• Underreporting of Cybercrimes
• Lack of Awareness: Many victims
of cybercrime, especially in rural
areas, may not be aware of the
need or the process to report
cybercrimes.
• Fear of Repercussions:
Businesses and individuals may
avoid reporting cybercrimes due
to fear of reputational damage,
financial loss, or further attacks.
Challenges to Law and Cybercrime Scenario
• Privacy and Data Protection
Concerns
• Inadequate Data Protection Laws:
While the Digital Personal Data Protection
Act of 2023 has been enacted, there are
concerns about its implementation and
whether it adequately protects
individuals' privacy in the digital realm.
• Balancing Privacy and Security:
Striking a balance between national
security, law enforcement needs, and
individual privacy rights continues to be
a challenge.
Challenges to Law and Cybercrime Scenario
• Evolving Cyber Threat Landscape
• Sophisticated Attacks: Cybercriminals are constantly developing new tactics, such as ransomware-as-a-service, deepfake technology, and advanced social engineering, making it difficult for laws and enforcement to keep up.
• State-Sponsored Cyber Attacks: The involvement of nation-states in cybercrime adds another layer of complexity, with attacks often aimed at critical infrastructure and government systems.
Challenges to Law and Cybercrime Scenario
• Digital Divide
• Urban-Rural Gap: There is a significant digital divide between urban and rural areas in India, which impacts the ability to educate and protect all citizens equally from cyber threats.
• Access to Technology: While digital penetration is growing, a significant portion of the population still lacks access to secure and reliable internet, increasing their vulnerability to cybercrimes.
Challenges to Law and Cybercrime Scenario
• Judicial Backlog and Delays
• Slow Legal Proceedings: The judiciary faces a significant backlog of cases, leading to delays in the prosecution of cybercrimes. This often discourages victims from seeking legal recourse.
• Need for Specialized Courts: The complexity of cybercrime cases may require specialized cybercrime courts or dedicated benches within existing courts to handle such cases efficiently.
Digital signatures
• Digital signatures are cryptographic techniques used to ensure the authenticity, integrity, and non-repudiation of digital messages or documents. They are widely used in various applications, including secure email communication, digital contracts, software distribution, and online transactions.
Key Properties of Digital Signatures
• Authenticity: The recipient can confirm that the message was indeed sent by the holder of the private key, ensuring the sender's identity.
• Integrity: Any alteration to the message after it was signed would result in a mismatch of hashes, indicating that the message has been tampered with.
• Non-Repudiation: The sender cannot deny having sent the message, as the signature is unique to their private key.
Digital signatures and the Indian IT act
• Legal Recognition of Digital Signatures
• Section 5 of the IT Act: This section grants legal recognition to digital signatures, stating that when a law requires a signature, the requirement is met in relation to an electronic document if the document is signed with a digital signature.
• Legally Binding: Digital signatures are considered equivalent to handwritten signatures under Indian law. This means that contracts or documents signed using digital signatures have the same legal standing as those signed with ink.
Digital signatures and the Indian IT act
• Certifying Authorities (CAs)
• Section 17 of the IT Act: The Act establishes the concept of Certifying Authorities (CAs), which are licensed entities responsible for issuing digital signature certificates (DSCs). These certificates bind public keys to specific entities, allowing others to verify the authenticity of the digital signature.
• Controller of Certifying Authorities (CCA): The IT Act also provides for the appointment of a Controller of Certifying Authorities (CCA), who regulates the CAs, ensuring they comply with the legal standards and requirements.
Certification Authority (CA)
• A Certification Authority (CA) is a trusted entity that issues digital certificates. These certificates are used to verify the identity of entities (such as individuals, organizations, or devices) on a network.
• Examples of Certification Authorities:
• DigiCert: A leading global CA known for providing SSL/TLS certificates, code signing certificates, and other PKI solutions.
• Let's Encrypt: A free, automated, and open CA that provides SSL/TLS certificates to enable HTTPS on websites.
• GlobalSign: Offers a range of digital certificates, including SSL/TLS, code signing, email, and document signing certificates.
• Comodo (now Sectigo): A well-known CA that provides a variety of digital certificates, including SSL/TLS, code signing, and email certificates.
• Symantec (now part of DigiCert): Previously one of the largest CAs, offering SSL/TLS certificates before being acquired by DigiCert.
Digital signatures and the Indian IT act
• Digital Signature Certificates (DSCs)
• Section 35 of the IT Act: This section lays
down the procedure for obtaining a Digital
Signature Certificate. Individuals or
organizations seeking to use digital signatures
must obtain a DSC from a licensed Certifying
Authority.
• Class of Certificates: The IT Act allows for
different classes of DSCs, each serving specific
purposes. For example, Class 2 DSCs are
commonly used for filing income tax returns,
while Class 3 DSCs are required for e-tendering
and other high-security transactions.
Digital signatures and the Indian IT act
• Presumption of Authenticity
• Section 85B of the IT Act: This section
provides that electronic records containing digital
signatures are presumed to be secure, valid, and
authentic, unless proven otherwise. This
presumption of authenticity supports the use of
digital signatures in legal proceedings.
Digital signatures and the Indian IT act
• Security of Digital Signatures
• Section 15 of the IT Act: The IT Act requires
that digital signatures must be created in a
secure manner, using an asymmetric
cryptosystem and a hash function to ensure the
integrity and authenticity of the signed
document.
• Regulations for CAs: Certifying Authorities are
required to follow stringent security measures to
protect the digital certificates they issue,
ensuring that the private keys used to create
digital signatures are secure and not
compromised.
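The mechanics that the key-properties slide and Section 15 describe (hash the document, apply the private key to the hash, let anyone check it with the public key) and the Section 17 role of a Certifying Authority (sign the binding between an identity and a public key, so a relying party can trust the key) can be walked through end to end. The block below is an added educational example written for this page; it is not code from the slides, the IT Act, or any CA. It uses textbook RSA with SHA-256, short keys and no padding scheme, standard library only; the CA, the signer name and the contract text are constructed. Real DSCs are X.509 certificates, and real signatures use standardised padding (PKCS#1 v1.5 or PSS) and full-size keys; the toy exists only to show why each property holds or fails.

```python
# Added educational example (not from the slides): toy digital-signature and
# certificate flow from textbook RSA + SHA-256. Short keys, no padding: never for real use.
import hashlib
import json
import random

_rng = random.Random(2024)  # fixed seed so the walk-through is reproducible


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return (public_key, private_key) as ((n, e), (n, d)). Toy size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _digest_int(message):
    """The hash-function half of 'asymmetric cryptosystem + hash function'."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message):
    """Signer applies the private exponent to the message digest."""
    n, d = private_key
    return pow(_digest_int(message), d, n)


def verify(public_key, message, signature):
    """Verifier recovers the digest with the public exponent and recomputes it."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message) % n


def _encode(body):
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private_key, subject, subject_public_key):
    """Toy DSC: the CA signs the binding between a subject name and its public key."""
    body = {"subject": subject, "n": subject_public_key[0], "e": subject_public_key[1]}
    return {"body": body, "ca_signature": sign(ca_private_key, _encode(body))}


def verify_signed_document(ca_public_key, cert, expected_subject, document, signature):
    """Relying party: trust the CA, check the certificate, then the document signature."""
    if not verify(ca_public_key, _encode(cert["body"]), cert["ca_signature"]):
        return False  # certificate was not issued by the trusted CA
    if cert["body"]["subject"] != expected_subject:
        return False  # genuine certificate, but for a different identity
    return verify((cert["body"]["n"], cert["body"]["e"]), document, signature)


def demo():
    """Walk through the three properties and the CA binding; returns a result table."""
    ca_pub, ca_priv = generate_keypair()
    signer_pub, signer_priv = generate_keypair()
    other_pub, other_priv = generate_keypair()  # a party without the signer's private key
    subject = "Example Signer (constructed)"
    cert = issue_certificate(ca_priv, subject, signer_pub)
    contract = b"Supply agreement: 100 units at INR 500 each."  # constructed document
    tampered = b"Supply agreement: 100 units at INR 5000 each."
    sig = sign(signer_priv, contract)
    rogue_cert = {"body": cert["body"], "ca_signature": sign(other_priv, _encode(cert["body"]))}
    return {
        "valid": verify_signed_document(ca_pub, cert, subject, contract, sig),
        "integrity_failure": verify_signed_document(ca_pub, cert, subject, tampered, sig),
        "authenticity_failure": verify_signed_document(ca_pub, cert, subject, contract, sign(other_priv, contract)),
        "untrusted_issuer": verify_signed_document(ca_pub, rogue_cert, subject, contract, sig),
        "wrong_subject": verify_signed_document(ca_pub, cert, "Someone Else", contract, sig),
    }
```

`demo()` returns five checks. The genuine signature is accepted; a one-character change to the contract fails the hash comparison (integrity); a signature produced with another private key fails (authenticity, and the basis of non-repudiation, since only the holder of the private key can produce a value that verifies under the certified public key); a certificate not signed by the trusted CA is rejected; and a genuine certificate for a different subject is rejected, which is the check that makes the CA binding meaningful in practice.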
Digital signatures and the Indian IT act
• Penalties and Offenses
• Section 43A of the IT Act: This section deals
with compensation for failure to protect sensitive
personal data and information. If a body
corporate is negligent in implementing
reasonable security practices and causes
wrongful loss or gain, they may be liable to pay
compensation to the affected person.
• Section 66C and 66D: These sections address
offenses related to identity theft and cheating by
personation, including unauthorized use of
another person's digital signature, which is
punishable under the Act.
Information Technology (Amendment) Act, 2008
• The IT (Amendment) Act, 2008 made the
following key changes:
• Electronic Signatures Introduced:
Expanded legal recognition to all electronic
signatures, not just digital ones.
• Strengthened Regulation: Enhanced
oversight of Certifying Authorities to ensure
secure issuance of digital signatures.
• Security Mandates: Required organizations
to implement security measures for digital
data, with penalties for breaches.
• Simplified Usage: Made it easier to use
digital signatures and clarified penalties for
their misuse.
Digital Personal Data Protection Act, 2023
• Applies to Personal Data: The Act governs the processing of personal data collected, stored, or processed digitally.
• Extraterritorial Reach: It applies to entities within
India and foreign entities processing Indian citizens'
data.
• Consent-Based Data Processing: Data
processing must be based on clear, informed, and
specific consent from individuals.
• Purpose Limitation: Data can only be processed
for the purpose it was collected for, and this purpose
must be communicated to the individual.
• Data Minimization: Only the necessary amount of
data should be collected and processed.
• Data Accuracy: Entities must ensure that the data
they process is accurate and up-to-date.
Digital Personal Data Protection Act, 2023
• Significant Penalties: Non-compliance can result in hefty fines, with penalties reaching up to ₹250 crores (~$30 million) depending on the nature and severity of the violation.
• Breach Consequences: Severe breaches, especially those involving harm to individuals, can attract the highest penalties.
• Regulated Transfers: The Act provides guidelines for the transfer of personal data outside India, ensuring such transfers meet adequate protection standards.
• Government and National Security: Certain provisions allow the government to exempt its agencies from some parts of the Act for reasons of national security, public order, or in the interest of sovereignty.
Genesis of IT Legislation in India
• Global Context and Need for Legislation:
• Rise of E-Commerce: The 1990s saw the rapid growth of the internet and electronic commerce globally, leading to the need for legal frameworks to govern online transactions.
• UNCITRAL Model Law on E-Commerce (1996): The United Nations Commission on International Trade Law (UNCITRAL) adopted a model law on e-commerce, which influenced many countries, including India, to draft legislation addressing the legal aspects of electronic transactions.
Introduction of the IT Act, 2000
• First Comprehensive Cyber Law: The Information Technology Act, 2000, was India's first comprehensive legislation addressing electronic commerce, digital signatures, cybercrime, and electronic governance.
• Objectives: The Act aimed to facilitate electronic commerce and the use of digital signatures, provide legal recognition for electronic documents, and curb cybercrime.
Key Provisions of the IT Act, 2000
• Legal Recognition of Electronic Documents:
• Section 4: Grants legal recognition to electronic records, making them admissible in court.
• Section 5: Recognizes digital signatures as legally valid, equating them with handwritten signatures.
• Digital Signatures and Certifying Authorities:
• Sections 17-34: Establishes the framework for digital signatures, including the role of Certifying Authorities (CAs)
that issue digital certificates.
• Cybercrimes and Offenses:
• Sections 65-74: Defines various cybercrimes, such as hacking, unauthorized access, and data theft, and
prescribes penalties for these offenses.
• Electronic Governance:
• Sections 6-10: Facilitates e-governance by providing legal recognition to electronic filings, records, and contracts.
The IT (Amendment) Act, 2008
• Introduction of Electronic Signatures:
• Electronic Signatures: Broadened the scope beyond just digital
signatures to include a variety of electronic authentication methods.
• Legal Recognition: Section 3A provided legal recognition to electronic
signatures, allowing for more flexible and technologically neutral
authentication methods.
The IT (Amendment) Act, 2008
• Enhanced Provisions for Cybersecurity:
• Data Protection and Privacy: Introduced Section 43A,
mandating that organizations implement reasonable security
practices to protect sensitive personal data, with liability for
breaches.
• Introduction of New Offenses: New sections (66A, 66C, and
66D) were added to address emerging cybercrimes such as
identity theft, cyber fraud, and sending offensive messages
through communication services.
The IT (Amendment) Act, 2008
• Provisions for Intermediary Liability:
• Safe Harbor for Intermediaries: Section 79 was amended to provide
conditional safe harbor protection for intermediaries (e.g., internet
service providers, social media platforms), limiting their liability for third-
party content on their platforms, provided they comply with certain
conditions.
The IT (Amendment) Act, 2008
• Recognition of Electronic Governance:
• E-Governance Provisions Expanded: The amendment expanded
provisions for electronic governance, facilitating the electronic filing of
documents and communication with government agencies.
• Penalties and Compensation:
• Strengthened Penalties: The amendment increased penalties for
cyber offenses and introduced more stringent provisions for
compensating victims of cybercrime.
The IT (Amendment) Act, 2008
• Establishment of a Cyber Appellate Tribunal:
• Cyber Appellate Tribunal: The amendment established a Cyber Appellate Tribunal to handle disputes and appeals related to the IT Act, providing a specialized forum for resolving cyber-related cases.
Cyber Appellate Tribunal (CAT)
• The Cyber Appellate Tribunal (CAT) was established by the IT (Amendment) Act, 2008, to
resolve disputes and handle appeals related to the Information Technology Act, 2000.

• Handles appeals against decisions by the Controller of Certifying Authorities and other IT Act-
related disputes.
• Headed by a Chairperson (usually a retired High Court judge) and includes members with IT
law expertise.
• Reviews and adjudicates cases related to digital signatures, data protection, and cybercrimes.
• Provides a specialized forum for efficient and expert resolution of IT-related legal issues.
Objectives of IT legislation in India
• Legal Recognition: Validate electronic transactions and digital
signatures to ensure they have the same legal standing as paper
documents.
• Cybercrime Regulation: Define and penalize cybercrimes to
protect against hacking, fraud, and other online offenses.
• E-Governance: Facilitate electronic government services and
improve efficiency and transparency in public administration.
• Data Protection: Mandate security practices for handling personal
data and address data breaches.
Objectives of IT legislation in India
• Regulation of Certifying Authorities: Ensure the integrity and security of digital certificates issued by Certifying Authorities.
• Encouragement of Innovation: Support technological
advancements while ensuring legal compliance.
• Dispute Resolution: Provide mechanisms for resolving IT-
related disputes and enforcing compliance.
• International Compatibility: Align with global standards for
cross-border transactions and cooperation.
IT act and provisions related to cybercrime in Indian penal code
• Section 65: Tampering with Computer Source Documents
• Punishes the act of knowingly altering, destroying, or concealing computer source documents.
• Punishment: Imprisonment up to 3 years, a fine, or both.
• Section 66: Hacking
• Addresses unauthorized access to computer systems or networks,
including data alteration and destruction.
• Punishment: Imprisonment up to 3 years, a fine up to ₹5 lakh, or
both.
IT act and provisions related to cybercrime in Indian penal code
• Section 66A: Sending Offensive Messages
• Penalizes the sending of offensive or false messages through electronic means. (Note: This section was struck down by the Supreme Court in 2015 for being unconstitutional.)
• Section 66B: Receiving Stolen Computer Resource
• Deals with receiving or retaining stolen computer resources or data.
• Punishment: Imprisonment up to 3 years, a fine up to ₹1 lakh, or
both.
IT act and provisions related to cybercrime in Indian penal code
• Section 66C: Identity Theft
• Covers identity theft, including unauthorized use of someone's credentials.
• Punishment: Imprisonment up to 3 years, a fine up to ₹1 lakh, or both.
• Section 66D: Cheating by Personation
• Pertains to cheating by personation using computer resources.
• Punishment: Imprisonment up to 3 years, a fine up to ₹1 lakh,
or both.
IT act and provisions related to cybercrime in Indian penal code
• Section 67: Publishing Obscene Material
• Penalizes the publication or transmission of obscene material in
electronic form.
• Punishment: Imprisonment up to 5 years, a fine up to ₹10 lakh, or both.
• Section 67A: Publishing Material Containing Sexually Explicit
Content
• Deals with the transmission of sexually explicit material.
• Punishment: Imprisonment up to 7 years, a fine up to ₹10 lakh, or both.
IT act and provisions related to cybercrime in Indian penal code
• Section 67B: Child Pornography
• Addresses the transmission of child pornography and material depicting minors in sexually explicit conduct.
• Punishment: Imprisonment up to 5 years, a fine up to ₹10 lakh, or both.
• Section 70: Protected System
• Concerns unauthorized access to systems deemed as "protected" by the
government.
• Punishment: Imprisonment up to 10 years, a fine, or both.
IT act and provisions related to cybercrime in Indian penal code
• Section 419: Cheating by Personation
• Covers cheating by personation, which includes using computer systems
or electronic means to deceive.
• Punishment: Imprisonment up to 7 years, a fine, or both.
• Section 420: Cheating and Dishonestly Inducing Delivery of
Property
• Addresses cheating and fraud, including online fraud.
• Punishment: Imprisonment up to 7 years, a fine, or both.
IT act and provisions related to cybercrime in Indian penal code
• Section 463: Forgery
• Covers forgery, including digital forgery and falsification of electronic records.
• Punishment: Imprisonment up to 2 years, a fine, or both.
• Section 471: Using Forged Documents
• Deals with the use of forged documents, which can include falsified electronic records.
• Punishment: Same as forgery (up to 2 years, a fine, or both).
• Section 503: Criminal Intimidation
• Pertains to threats made via electronic means.
• Punishment: Imprisonment up to 2 years, a fine, or both.
• ABC, a software engineer, was involved in a high-profile cybercrime case where he was accused of hacking into his former
employer’s database and stealing sensitive financial data.
• Charges:
• Section 66: Hacking
• Kumar was accused of unauthorized access to his former employer's financial database and manipulating data.
• Section 66C: Identity Theft
• He used credentials from his previous job to gain access to sensitive information and perform unauthorized
transactions.
• Section 67: Publishing Obscene Material
• Kumar was also charged with sending obscene material via email, although this was a minor part of the case.
• Section 420 (IPC): Cheating
• He was charged under IPC for deceitfully transferring funds from his former employer’s accounts for personal gain.
• Punishment:
• Section 66 (Hacking): Imprisonment for 3 years and a fine of ₹3 lakh.
• Section 66C (Identity Theft): Imprisonment for 2 years and a fine of ₹2 lakh.
• Section 420 (IPC - Cheating): Imprisonment for 5 years and a fine of ₹5 lakh.
