
CYBER LAW NOTES (1)

Uploaded by

daminija19

[CYBER LAW]

MODULE – 01
(1) EVOLUTION OF CYBER LAW:
INTRODUCTION:
The computer-generated world of the internet is known as cyberspace, and the laws prevailing
in this area are known as cyber laws. All the users of this space come under the ambit of
these laws, as it carries a kind of worldwide jurisdiction. Cyber law can also be described as
that branch of law that deals with legal issues related to use of inter-networked information
technology. In short, cyber law is the law governing computers and the internet.
The growth of Electronic Commerce has propelled the need for vibrant and effective
regulatory mechanisms which would further strengthen the legal infrastructure, so crucial to
the success of Electronic Commerce. All these governing mechanisms and legal structures
come within the domain of Cyber law.
Cyber law is important because it touches almost all aspects of transactions and activities
on and involving the internet, World Wide Web and cyberspace. Every action and reaction
in cyberspace has some legal and cyber legal angles.
CONCEPT OF CYBER SPACE:
The virtual space in which all IT-mediated communication and actions
take place is often referred to as 'cyberspace'. Cyberspace cannot be spatially
located. It is made up of intangible objects, such as your website, blog, social networks,
email accounts, personal information and reputation. Cyberspace can be thought of as a
"global electronic village with instantaneous communication and no geographical barriers".
CONCEPT OF INFORMATION TECHNOLOGY:
The technology relating to computer systems, their hardware, software and networks,
internet, and various applications running on the internet, is broadly referred to as
information technology or 'IT'. The Oxford Dictionary defines 'IT' as:
"The study or use of computers, telecommunication systems, and other devices for storing,
retrieving and transmitting information."
COMPUTER & WEB TECHNOLOGY:
Computer and Web technologies are fundamental components of the modern digital
landscape, enabling a wide range of activities from personal computing to global
communication and e-commerce.
S2 (1)(i), IT Act: Computer means any electronic, magnetic, optical or other high-speed data
processing device or system which performs logical, arithmetic, and memory functions by
manipulations of electronic, magnetic or optical impulses, and includes all input, output,
processing, storage, computer software or communication facilities which are connected or
related to the computer in a computer system or computer network.
In Whirlpool India Ltd v. Videocon Industries Ltd, the Bombay HC had to look into whether
a washing machine could be considered a computer. It was observed that a washing
machine with a fuzzy logic system would now be accepted as a computer.
PROLIFERATION OF IT & THE NEED FOR REGULATION OF CYBER SPACE:
The proliferation of 'IT' has resulted in a concomitant proliferation of computer crime and
other forms of unauthorized access to computers, computer systems and computer data.
The protection of the integrity of all types and forms of lawfully created computers,
computer systems, and computer data is vital to the protection of the privacy of individuals
as well as to the well-being of financial institutions, business concerns, governmental
agencies, and others that lawfully utilize those computers, computer systems, and data. The
laws governing the physical world are, however, inept at governing transactions in cyber
space where the subject matter often is an intangible object such as one's email or
Facebook account or website or virtual currency or personal information. The regulation of
the cyber space, thus, requires specialized laws.
Traditional laws pose several constraints in dealing with cyber-crimes:
(i) Jurisdictional Issues:
Cyberspace has no geographic boundaries. A cybercrime may be committed using a
computer system or network located in another country. While the Indian Penal Code, 1860
provides for both territorial and extra-territorial jurisdiction, its extra-territorial jurisdiction
is limited to offences committed by Indian citizens. This leaves ambiguity in the applicability
of the penal code to cyber offences that may be committed by foreign nationals overseas
but whose impact is felt in India. This 'transnational' element of cybercrime also
requires greater international cooperation: investigation of offences in other countries and
arrest of cybercriminals of other nationalities will require established treaties and special
permissions.
(ii) Inapplicability of Conventional Definitions: Most crimes in cyberspace involve intangible
objects. This creates problems where conventional definitions of crime are involved. For
instance, the definition of trespass requires actual physical entry for conviction.
Constructive entry upon the property is not within the meaning of this section. In the case
of cyber trespass, or hacking, where there is no actual entry into the physical territory
where the computer is located, this definition would fail. Similarly, the offence of theft is
made out when there exists an intent to remove for possession. Therefore, for data to be
stolen, it would have to be removed from possession of the owner. If the offender were to
simply copy the data onto a pen drive without erasing or modifying the original data in any
way, then it may not constitute 'theft' under the traditional definition of the term.
(iii) Creation of New Crimes: Cyber space has given birth to several new crimes which are
not recognized by conventional laws. For example, a website can handle only a fixed
number of viewers or requests (for information) at a given point of time. A cyber-criminal can
prevent the website from functioning by overloading it with requests (known as a denial of
service attack). This kind of attack can cause huge losses to an online business, but there
would be no clear remedy under ordinary law. Similarly, the Act elevates the offence of
denial of access and introducing computer viruses with the intent of striking terror in a
section of people to the status of 'cyber-terrorism' and provides for significant punishment
for the same. Section 66F of the IT Act, the provision relating to cyber-terrorism, is
worded similarly to Section 3 of the Prevention of Terrorism Act, 2002.
(iv) Issues with Gathering Evidence: The intangible nature of cyberspace and cybercrime
make traditional methods of gathering evidence inadequate. The 'scene of crime' in
cyberspace is completely virtual and so is the object of the crime (data/information).
Additionally, this type of evidence can be modified very easily. For example, a criminal may
set up a program which erases all evidence from the computer if it is accessed by someone
other than himself. In this case, mere access to the computer may erase the evidence.
Therefore specific rules are required for extraction of evidence and maintaining its
authenticity.
(v) Anonymity of Netizens: A cybercriminal can easily guard his identity. A cybercriminal can
use fake identities or create identity clones, for example. This makes gathering of evidence
difficult.
(vi) Monitoring of Crime: The sheer volume of information involved and being processed
every second makes monitoring and tracking of crime very difficult. Countries like the United
States of America, and India as well, have put in place extensive internet surveillance
programmes to deal with this issue. However, such programmes can also be extremely
invasive in the personal lives of individuals, raising questions regarding the protection of
privacy.
(vii) Evidentiary value of Electronic Information: The extensive use of "IT" for
communication and documentation raised a new question on the admissibility of electronic
evidence. If a person was being stalked online, can copies of e-mails or screenshots of chat
room messages by the stalker be admissible as evidence? The pre-amended Indian Evidence
Act, 1872 recognised only two types of evidence, documentary evidence (i.e., paper based
evidence) and oral evidence (testimonials of witnesses).
(viii) Validity of Online Transactions: Traditional law does not deal with the validity of e-
contracts, digital signatures, e-commerce, etc. For example, is a contract entered into
through e-mails legally valid? Can it be enforced in a court of law?
Thus, the need was felt to promulgate specialized laws to provide for the following:
(i) Setting clear standards of behaviour for the use of computer devices;
(ii) Deterring perpetrators and protecting citizens;
(iii) Enabling law enforcement investigations while protecting individual privacy;
(iv) Providing fair and effective criminal justice procedures;
(v) Requiring minimum protection standards in areas such as data handling and retention;
and
(vi) Enabling cooperation between countries in criminal matters involving cybercrime and
electronic evidence.
EVOLUTION OF CYBER LAWS:
A. Early Cyber Laws:
The Computer Misuse Act, 1990 of Great Britain
In the case of R. v. Gold & Schifreen (1988) the defendants had gained unauthorized access
to a computer network. The defendants were charged under the Forgery and Counterfeiting
Act, 1981 for defrauding by manufacturing a 'false instrument'. It was held by the House of
Lords that:
"We have accordingly come to the conclusion that the language of an Act not designed to fit
them produced grave difficulties for both judge and jury which we would not wish to see
repeated. The appellants' conduct amounted in essence, as already stated, to dishonestly gaining
access to the relevant Prestel data bank by a trick. That is not a criminal offence. If it is
thought desirable to make it so, that is a matter for the legislature rather than the courts."
This judgment brought the possibilities of cyber-crime and the inadequacy of existing laws
to deal with them to the notice of the legislature of Great Britain. It led to the enactment of
the Computer Misuse Act, 1990. This was among the first cyber laws to be enacted. It
recognized the following offences:
(i) Unauthorized access to computer material.
(ii) Unauthorized access with intent to commit or facilitate commission
of further offences.
(iii) Unauthorized acts with intent to impair, or with recklessness as to impairing, operation
of computer, etc.
B. Uniform International Standards for Cyber Law:
UNCITRAL Model Law on Electronic Commerce, 1996 - With the globalisation of business
the international community felt a need for a law which would set uniform standards for
electronic commerce. This led to the adoption of the UNCITRAL Model Law on Electronic
Commerce by the U.N. General Assembly ('the Model Law').
C. India's first cyber law:
The Information Technology Act, 2000 - In view of the international recognition of
electronic transactions and its growing use within India, the Indian legislature felt the need
for providing a legal framework for ecommerce and digital signatures. It led to the
enactment of the IT Act, 2000.
D. Uniform International Standards for Cyber Law: UNCITRAL Model Law on Electronic
Commerce, 1996.
With the globalization of business the international community felt a need for a law which
would set uniform standards for electronic commerce. This led to the adoption of the
UNCITRAL Model Law on Electronic Commerce by the U.N. General Assembly ('the Model
Law').
This laid down the fundamental principles of e-commerce law:
(i) Non-discrimination: This principle requires the removal of any discrimination between a
physical document and an electronic one. It ensures that the document will not be denied
its validity/enforceability solely on the grounds of it being in an electronic form.
(ii) Technological neutrality: This principle mandates that the provisions adopted in a law
should be neutral with respect to the technology involved. This ensures that the rapid pace
of development of technology does not lead to the law becoming redundant in no time.
(iii) Functional equivalence: Terms like 'writing', 'original', 'signed' etc. are specific to paper
based documents. This principle sets out the corresponding criteria for electronic
communication.
(2) INFORMATION TECHNOLOGY ACT, 2000:
In view of the international recognition of electronic transactions and their growing use within
India, the Indian legislature felt the need for providing a legal framework for e-commerce
and digital signatures. It led to the enactment of India's first cyber legislation: the
Information Technology Act, 2000 ('the IT Act').
OBJECTIVES OF THE ACT:
(i) To give effect to the U.N. General Assembly's Resolution on the Model Law.
(ii) To provide legal recognition to e-commerce-transactions carried out by means of
electronic communication.
(iii) To facilitate electronic filings of documents with government agencies.
(iv) To amend the Indian Penal Code, Indian Evidence Act, 1872, the Bankers' Books Evidence
Act, 1891, and the Reserve Bank of India Act, 1934.
SCOPE OF IT ACT:
(i) To give effect to the U.N. General Assembly's Resolution on the Model Law.
(ii) To recognize filing of forms, issue of licenses, receipt of payment, etc. through electronic
means by the government.
(iii) To lay down rules in relation to electronic records- receipt, time of dispatch, etc.
(iv) To provide for a controller of Certifying Authorities in relation to issue of digital
signature certificates.
(v) To define offences and prescribe penalties.
(vii) To lay down liability of intermediaries.
(viii) To prescribe extra-territorial jurisdiction for cyber offences.
The provisions of this Act are not applicable to the following instruments:
(i) A negotiable instrument.
(ii) A power-of-attorney.
(iii) A trust.
(iv) A will, including any other testamentary disposition.
(v) Any contract for the sale or conveyance of immovable property or any interest in such
property, and
(vi) Any such class of documents or transactions as may be notified by the Central
Government in the official Gazette.
IPC, 1860 amended by the Act: (BNSS, 2023):
A definition of electronic record was inserted. Extra-territorial jurisdiction of the IPC was
expanded to include all offences targeting computer resources in India. Sections relating to
false documents were amended to include false electronic records.
Indian Evidence Act, 1872 amended: (BSA, 2023):
The definition of evidence was amended to include electronic records. Sections were inserted
on the admissibility of e-records, proof and verification of digital signatures and presumptions
as to e-evidence.
Banker's Book Evidence Act, 1891:
Definitions of banker's books and certified copies were amended to include data stored in
electronic devices, and printouts were also included.
RBI Act 1934:
Powers to make regulations were amended to include regulations on fund transfer through
electronic means.
TECHNOLOGY & ITS IMPACTS ON SOCIETY AND POLITICS:
1. Positive impact on society:
A. Improved and quicker communication
B. Improved education and access to learning
C. Mechanised agriculture/labour
D. Easy to access information
2. Negative impact on society:
A. Increase in unemployment due to higher efficiency of machines
B. Increase in pollution, health and mental concerns
C. Increase in cybercrimes
D. Alienation of humans
E. Identity theft, gaming addiction, cyberbullying, defamation
3. Impact on politics:
A. Polarisation of groups: people leaning towards one policy will lean heavily towards it
and not be open to other ideas
B. Skillful use may make it a political weapon - depends on who wields it
C. Leaks and photoshops used to defame
D. Data privacy legislations
E. Tech giants make investments in political parties
GROWTH OF IT:
1. Information technology or IT is essential to the operation of the modern economy,
regardless of the industry.
2. This technology facilitates the transfer of information from one device to another,
making it essential for businesses to invest in it.
3. Information technology is the use of computer, network and data management
systems to store, process, manipulate and retrieve information.
4. Information technology or IT is an integral component of most business functions,
without which communication and collaboration within and outside businesses and
organisations aren't possible.
SIGNIFICANCE OF IT:
A. Facilitates communication
IT has revolutionised the way people communicate with each other. Due to the Internet,
social media and smart devices, sharing information globally now takes seconds.
B. Improves data storage and management
The information technology industry has also changed the way businesses and individuals
store and manage their data. Due to advances in technology, many businesses now use
digital databases, which take less space, are cheaper to operate and are relatively protected
from physical damage.
C. Protects critical systems
A branch of information technology helps to secure computer systems, networks and
databases. IT security protects infrastructure from attacks and helps retrieve data after
technological disasters.
D. Boosts productivity and efficiency
A major importance of IT is that it helps boost productivity and efficiency. With digital
systems, people can perform tasks faster compared to manual methods.
E. Supports flexible work arrangements
Information technology is also changing how people work by providing the infrastructure to
support flexible arrangements, such as remote work and telecommuting.
FEATURES OF IT ACT:

* The Act is based on the Model Law on e-commerce adopted by UNCITRAL.
* It has extra-territorial jurisdiction.
* It defines various terminologies used in the Act like cyber cafes, computer systems,
digital signatures, electronic records, data, asymmetric cryptosystems, etc. under
Section 2(1).
* It protects all the transactions and contracts made through electronic means and
says that all such contracts are valid. (Section 104)
* It also gives recognition to digital signatures and provides methods of
authentication.
* It contains provisions related to the appointment of the Controller and its powers.
* It recognises foreign certifying authorities (Section 19).
* It also provides various penalties in case a computer system is damaged by anyone
other than the owner of the system.
* The Act also provides provisions for an Appellate Tribunal to be established under
the Act.
* The Act describes various offences related to data and defines their punishment.
* It provides circumstances where the intermediaries are not held liable even if the
privacy of data is breached.
RECENT AMENDMENTS:
Amendment of 2008:
The amendment in 2008 brought changes to Section 66A of the Act. This was the most
controversial section as it provided the punishment for sending any offensive messages
through electronic mode. Any message or information that created hatred or hampered the
integrity and security of the country was prohibited. However, it had not defined the word
'offensive' and what constitutes such messages, because of which many people were
arrested on this ground. This section was further struck down by the Supreme Court in the
case of Shreya Singhal v. Union of India (2015). Another amendment was made in Section
69A of the Act, which empowered the government to block internet sites for national
security and integrity. The authorities or intermediaries could monitor or decrypt the
personal information stored with them.
The 2015 Amendment Bill:
The bill was initiated to make amendments to the Act for the protection of fundamental
rights guaranteed by the Constitution of the country to its citizens. The bill made an attempt
to make changes to Section 66A, which provides the punishment for sending offensive
messages through electronic means. The section did not define what amounts to offensive
messages and what acts would constitute the offence. It was further struck down by the
Supreme Court in the case of Shreya Singhal declaring it as violative of Article 19.
Information Technology Intermediaries Guidelines (Amendment) Rules, 2018:
* The intermediaries were required to publish and amend their privacy policies so that
citizens could be protected from unethical activities like pornography, objectionable
messages and images, messages spreading hatred, etc.
* They must provide the information to the government as and when it is sought within 72
hours for national security.
* It is mandatory for every intermediary to appoint a 'nodal person of contact' for 24x7
service.
* They must have technologies that could help in reducing unlawful activities done online.
The rules also break end-to-end encryption if needed to determine the origin of harmful
messages.
Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules
2021:
The government of India in 2021 drafted certain rules to be followed by the intermediaries.
The rules made it mandatory for intermediaries to work with due diligence and appoint a
grievance officer. They were also required to form a Grievance Appellate Tribunal. All
complaints from users must be acknowledged within 24 hours and resolved within 15 days.
It also provides a "Code of Ethics" for the people publishing news and current affairs, which
makes it controversial. Many believe that the rules curtail freedom of speech and
expression and freedom of the press.
The intermediaries were also required to share the information and details of a suspicious
user with the government if there was any threat to the security and integrity of the
country. As a result of this, writ petitions were filed in various high courts against the rules.
Recently, in the cases of Agij Promotion of Nineteenonea Media Pvt. Ltd. vs. Union of India
(2021) and Nikhil Mangesh Wagle vs. Union of India (2021), the Bombay High Court stayed
the two provisions of the rules related to the Code of Ethics for digital media and
publishers.
CASE LAWS:
Shreya Singhal v. Union of India (2015):
Facts:
In this case, 2 girls were arrested for posting comments online on the issue of shutdown in
Mumbai after the death of a political leader of Shiv Sena. They were charged under Section
66A for posting the offensive comments in electronic form. As a result, the constitutional
validity of the Section was challenged in the Supreme Court stating that it infringes upon
Article 19 of the Constitution.
Issue:
Whether Section 66A is constitutionally valid or not?
Judgment:
The Court, in this case, observed that the language of the Section is ambiguous and vague,
which violates the freedom of speech and expression of the citizens. It then struck down the
entire Section on the ground that it was violative of Article 19 of the Constitution. It opined
that the Section empowered police officers to arrest any person whom they think has
posted or messaged anything offensive. Since the word 'offensive' was not defined
anywhere in the Act, they interpreted it differently in each case. This amounted to an abuse
of power by the police and a threat to peace and harmony.
M/S Gujarat Petrosynthese Ltd and Rajendra Prasad Yadav v. Union of India (2014):
Facts:
In this case, the petitioners demanded the appointment of a chairperson to the Cyber
Appellate Tribunal so that cases can be disposed of quickly and someone can keep a check
on the workings of CAT. The respondents submitted that a chairperson would be appointed
soon.
Issue:
Appointment of the chairperson of CAT.
Judgment:
The Court ordered the appointment of the chairperson, directing that this be treated as a
matter of urgency and that Section 53 of the Act be taken into account.

(3) JURISDICTIONAL ISSUES:


INTRODUCTION:
The ambit of cyber law is so vast that cyber jurisdiction in a case involving various countries
is very difficult to ascertain. A website, app, product, or content may be legal in one country
but illegal in another, and the parties may be residents or non-residents, which makes this
concept all the more complex. Cyber law's jurisdiction depends on the kind of cybercrime
and the location from which it has been done.
At the end of the 20th century and the beginning of the 21st century, the use of computers
and mobile phones saw a significant rise. Later, with its increasing utility, the rise of the
internet began in the 1990s. In the last 15-16 years, social media, online
payments, education, gaming, communication, movies, and search engines have
become an essential part of everybody's day-to-day life, and their misuse has
increased as well. The real reason behind this is the lack of stringent laws, lack of awareness,
lacunas in the safety and privacy of users, etc.
CYBER JURISDICTION:
Criminal activity on the web (internet) is termed cybercrime. Cyber laws aim to prevent
cybercrime and protect against it. The absence of physical boundaries on the internet and the
ineffective security of users' data are among the main reasons for cybercrime.
With the increase in the number of internet users and free browsing content from all over
the world, it is easier for a person to get trapped in cybercrime by a person (hacker, internet
stalker, cyber-terrorist, scammer, and many others) in a different country. For instance, a
person might commit online fraud by claiming to sell some item from a particular country to
a person situated in a different country and taking payment online but not sending the item
specified. If he indulges in this activity with other customers in different countries, then a
question of cyber jurisdiction arises as to where the complaint will be filed.
Cyber law also governs cyberspace. “Cyberspace refers to the virtual computer world, and
more specifically, an electronic medium that is used to facilitate online communication.
Cyberspace typically involves a large computer network made up of many worldwide
computer sub-networks that employ the TCP/IP protocol to aid in communication and data
exchange activities.”
The fact that the internet has no boundaries and no restraints, and that cybercrime shares the
same features, results in conflicting laws. International law and municipal law have different
approaches, and cyber law is caught between the two, which results in no conclusion.
JURISDICTIONAL ISSUES IN CYBERSPACE:
Jurisdiction gives power to the appropriate court to hear a case and declare a judgment. In
cybercrime instances, the victim and the accused are generally from different countries, and
hence deciding which cyber jurisdiction will prevail is contentious. The internet, as stated
earlier, has no boundaries; thus, no specific jurisdiction in cyberspace can be claimed over its
use. A user is free to access whatever he wishes to and from wherever he wishes to. As long as
a user's online activity is legal and not violative of any law, there is no issue.
However, when such actions become illegal and criminal, jurisdiction has a crucial role to
play.
For example, if a user commits a robbery in country ‘A’ while sitting in country ‘B’ from the
server of the country ‘C,’ then which country’s jurisdiction will apply needs to be answered.
In this case, the transaction might have been done virtually, yet the people are present
physically in their respective countries governed by their laws and the court generally
decides the cyber jurisdiction of the country where the crime has been actually committed.
In cyberspace, there are generally three parties involved in a transaction: the user, the
server host, and the person with whom the transaction is taking place, all of whom need to be
put within one cyberspace jurisdiction. All three parties in this illustration belong to three
different countries; whether the laws of 'A', 'B' or 'C' will prevail, and whether municipal
laws or international laws will be applicable, are the issues of jurisdiction in cyberspace. The
extent of a court's competency to hear a cross-border matter and apply domestic state laws
is another issue.
TYPES OF CYBER JURISDICTION:
There are three types of cyber jurisdiction recognized in international law, namely-
Personal Jurisdiction – It is a type of jurisdiction where the court can pass judgments on
particular parties and persons. In the case of Pennoyer v. Neff, the Supreme Court of the US
observed that the Due Process enshrined in the Constitution of the US constrains
personal jurisdiction in its application to non-residents; hence there is no direct
jurisdiction over non-residents. However, this restraint was relaxed by the minimum
contact theory, which allowed jurisdiction over non-residents as well.
Subject-matter jurisdiction – It is a type of jurisdiction where the court can hear and decide
specific cases that include a particular subject matter. If the specific subject matter is of one
court but the plaintiff had sued in any other court then the plea will be rejected and the
plaintiff will have to file the case in the court which is related to that matter. For instance, a
complaint regarding a consumer good should be filed in the district consumer forum rather
than district court as district consumer forums specifically look at consumer-related cases.
In the same manner, all environmental-related cases are tried in NGT rather than a district
court.
Pecuniary Jurisdiction – This type of jurisdiction mainly deals with monetary matters. The
value of the suit should not exceed the pecuniary jurisdiction. There are various limits set
for a court that can try a case of a certain value beyond which it is tried in different courts.
For example, the district consumer forum looks at the matter not exceeding 20 lakh rupees,
the State consumer dispute redressal commission has pecuniary jurisdiction of more than 20
lakh rupees but not exceeding 1 crore, the National consumer dispute redressal commission
has pecuniary jurisdiction involving cases of more than 1 crore rupees in India. It is
dependent upon the claim made in proceedings and is structured in hierarchical order.
PREREQUISITES OF JURISDICTION:
There are three prerequisites of valid jurisdictions that are needed to be followed. A person
is compelled to follow the rules and regulations of the state. The state has the power to
punish a person violating such laws.
Prescriptive Jurisdiction – This type of jurisdiction enables a country to impose laws,
particularly for a person’s activity, status, circumstances, or choice. This jurisdiction is
unlimited. Hence, a country can enact any law, or legislation on any matter, even where the
person’s nationality is different, or the act happened at a different place. However,
international law prevents any state from legislating any such law contrary to other
countries' interests.
Jurisdiction to Adjudicate – Under this jurisdiction, the state has the power to decide the
matter on a person concerned in civil or criminal cases whether or not the state was a
party; a mere relationship between both is sufficient. It is not necessary that a state
having prescriptive jurisdiction must also have jurisdiction to adjudicate.
Jurisdiction to Enforce – This jurisdiction depends on the existence of prescriptive
jurisdiction; hence if prescriptive jurisdiction is absent, then it cannot be enforced to punish
a person violating its laws and regulations; however, this jurisdiction is not exercised in an
absolute sense and a state cannot enforce its jurisdiction on a person or the crime situated
or happened in a different country.
THEORIES OF JURISDICTION:
Subjective territoriality – It lays down that if the act is committed in the territory of the
forum state, then its laws will be applicable to the parties. The act of the non-resident
person in the forum state is the key element under it. For example, a country can make a
law criminalizing an act in its territory, and then the subjective aspect of territoriality will
recognize it.
Objective territoriality – It is invoked when an act is committed outside the forum state's
territorial boundary, yet its impact is on the forum state. It is also known as 'Effect
Jurisdiction.' It was established in the case of United States v. Thomas, in which the
defendant published pornographic material; to see and download it, he provided the
subscribers with a password after getting a form filled out which included their personal
details. The plaintiff claimed it to be violative of its domestic laws. The court held that
"the effect of the defendant's criminal conduct reached the Western District of Tennessee,
and that district was suitable for accurate fact-finding," and that the court had cyberspace
jurisdiction.
In the landmark case of Playboy Enterprise, Inc. v Chuckleberry Publishing, Inc., the
defendant operated a website in Italy on which obscene photographs were displayed, and
some of its users were citizens of the USA. The court found it to be against US laws and
banned the website from falling under US jurisdiction; however, the court does not have
cyberspace jurisdiction to put a complete ban on the use by other users of different states.
Nationality – It is applied to the offender who is the national of the state; for example, if a
person of a state commits an offence in a foreign country that is punishable by domestic
laws, then the state has the power to punish its citizen.
Universality – The acts which are universally acclaimed as crimes such as hijack, and child
pornography. A cyber-criminal can be convicted in any country for committing such a
heinous crime. It presumes that the country has cyber jurisdiction to prosecute the offender
of a cybercrime.
TESTS EVOLVED:
There are several tests that determine cyberspace jurisdiction in the cases of cybercrime.
Minimum Contacts Theory:
This test is applicable where both or any of the parties are outside the territorial jurisdiction
of the court. In the landmark judgment in Washington v International Shoe Company, this
theory was evolved by the US Supreme Court.
After this case, the court laid down three criteria:
• “The non-resident defendant must do some act or consummate some transaction
with the forum or perform some act by which he purposefully avails himself of the
privilege of conducting activities in the forum, thereby invoking the benefits and
protections.
• the claim must be one which arises out of or results from the defendant’s
forum-related activities, and
• exercise of jurisdiction must be reasonable.”
In the case of CompuServe Inc v Patterson, the court held that contracts related to
cyberspace are also covered under the domain of minimum contacts theory.
Sliding Scale Theory:
Sliding Scale theory is also known as the Zippo Test. It is the most accepted test in deciding
personal jurisdiction in cyberspace cases. Jurisdiction is decided on the basis of the
interactivity of the website. The more interactive the website, the stronger the court’s
personal jurisdiction over it in the forum state.
For a passive website, the courts have almost no jurisdiction, while in the middle spectrum
site, the court may or may not have jurisdiction; however, in the case of a highly interactive
site, the court has cyberspace jurisdiction.
In the landmark case of Zippo Manufacturer v Zippo.Com, the plaintiff, Zippo Manufacturer
of lighters in Pennsylvania, sued the defendant Zippo.com for trademark infringement. The
defendant had a lot of interactivity; hence personal jurisdiction was applicable to the
defendant.
Effects Test and International Targeting:
A few conditions must be satisfied for the Effects test, mainly that the action was taken
expressly against the forum state with the knowledge and intention that it would injure the
state. If the court finds that the defendant’s action caused injuries to the forum state,
then personal cyberspace jurisdiction is asserted in cyberspace cases where no contact is
present.
In the landmark case of Calder v Jones, the Supreme Court of the US observed that a
court in the state can exercise personal jurisdiction over non-residents. In this case, the
editor and writer of a national magazine published a defamatory article on the residents.
The facts of the case are that the plaintiff, Shirley Jones, sued the distributor, the writer,
and the editor, Calder, of a national magazine for defaming her as an alcoholic. Jones was a
resident of California, while the article was written and edited in Florida. Jones sued the
defendants in the court of California because the magazine had a vast circulation in the state.
The court held that the court of California has personal jurisdiction over the defendants.
In Panavision International v Toeppen, the defendant Toeppen engaged in cybercrime by
using the plaintiff’s trademark commercially and selling it back to him for a hefty amount.
The California court held that, by applying the effects test, the court had personal
jurisdiction over the non-resident defendant.
JURISDICTION UNDER IT ACT 2000:
“Information Technology Act, 2000 in section 1(2) states that the Act extends to the whole
of India and applies also to any offence or contravention thereunder committed outside
India by any person.”
Further, “Section 75 states that subject to the provision of sub-section (2), the provision of
this act shall also apply to any offence or contravention committed outside India by any
person irrespective of his nationality. For the purpose of subsection (1), this act shall apply
to an offence or contravention committed outside India by any person if the act or conduct
constitutes an offence or contravention that involves a computer, computer system, or
computer network located in India.”
This provides prescriptive cyberspace jurisdiction in India, and any act committed in violation
of this Act in India by a resident or a non-resident will be punishable.

MODULE – 02
(1) CONSTITUTIONAL & HUMAN RIGHTS ISSUES IN CYBERSPACE:
INTRODUCTION:
Day in and day out we find human rights violations, and the privacy of the individual is at
stake with the recent advancements in cyber space. A sincere effort is made to focus on the
asserted boundlessness of cyber space in order to examine how and to what extent the
activities are centred round.
FREEDOM OF SPEECH & EXPRESSION IN CYBER SPACE:
In the case of Indian Express Newspapers (Bombay) Private Ltd. and Ors. v. Union of India,
the Court highlighted that ‘the freedom of expression serves four broad social purposes:
• It helps an individual to attain self-fulfilment;
• It assists in the discovery of truth;
• It strengthens the capacity of an individual to participate in decision making; and
• It provides a mechanism by which it would be possible to establish a reasonable
balance between stability and social change.’
Freedom of speech and expression is the very first fundamental freedom guaranteed by the
Constitution of India to all its citizens under Article 19(1)(a). This is not an absolute right and
is subject to certain reasonable restrictions which have been enumerated in Article 19(2).
This right, however, has been the fountain that has given rise to many further rights which
come under its ambit which have been reiterated by the Supreme Court in various cases
over time such as the right to information, the right to freedom of the press and the right to
freedom of opinion. The right to freedom of opinion is inextricably linked to the principle of
democracy enshrined in the Preamble to our Constitution.
However, the line between an anti-national and a critic has become indistinguishable, and
this is a significant point of friction between the public and the government, especially in
the digital era, with users on many social media platforms such as Twitter, Facebook and
Instagram being able to find a common cause and voice to express their views.
Effect of IT Rules, 2021:
The recently released Information Technology (Intermediary Guidelines and Digital Media
Ethics Code) Rules, 2021 have caused a public furore and a lot of controversy with the
majority public opinion being that these rules are unconstitutional on numerous grounds,
fundamentally on the ground of violation of the right to free speech and expression.
Through these rules, the government has brought OTT (over-the-top) platforms showcasing
films and audio-visual programs published by online content providers as well as the
platforms which showcase news and current affairs content on them under its wing.
The government defends this move by stating that such rules were needed because of an
increased number of complaints regarding content published on such platforms which hurt
sentiments and was offensive to individuals, such as scenes containing violence, nudity,
obscenity, indecent representation of women and child sex abuse material. Additionally, there
was also content that hurt the religious sentiments of people.
Prior to these rules, there existed no robust grievance redressal mechanism to effectively
address the complaints of the masses. The grounds on which the government can make such
orders are not given either, nor are the reasonable restrictions on the content which is
permissible on these platforms clearly defined.
This ambiguity leaves the free voices of the users of these platforms at the mercy of the
government’s whims as any speech that the government remotely construes as directed
towards them in a negative light can automatically be morphed into ‘hate speech’ or ‘fake
news’.
In Anuradha Bhasin v. UOI, the SC adjudged on the internet shutdown and restrictions on
movement imposed by the Government in the State of Kashmir, where it dealt with whether the
fundamental right to freedom of speech and expression extended to the internet as well.
It questioned the validity of the internet shutdown in light of the same, keeping in mind the
restrictions under Article 19(2). The court enumerated Article 19(2), which deals with the
‘reasonable restrictions’ which can be imposed on the freedom of speech and expression,
and how the right to information formed an integral part of the right to freedom of speech
and expression.
The essence of the court’s judgement in the above case was that the right to freedom of
speech and expression was indeed to be exercised by every individual, and that the extent to
which restrictions on the same could be imposed could even be one of complete prohibition.
However, if complete prohibition was imposed by the State on the exercise of this right, then
the State would have to take absolute care to ensure that the prohibition does not
excessively burden free speech, and to show why lesser alternatives could not be employed.
The proportionality test was established by the Court to assist the government in gauging
the restrictions before imposing them in the future. Online expression being one of the
main sources of information diffusion, the court even reiterated in its judgement that the
freedom of expression guaranteed under Article 19 extended to the internet and thus a
complete shutdown of the same would have a negative effect on the circulation of free
speech and expression.
Freedom of speech is one of the human rights inherent to all human beings in the world, as
stated in Article 19 of the UDHR (Universal Declaration of Human Rights). The article states
that everyone has the right to freedom of opinion and speech, including the right to hold
opinions without interference and to seek, receive and convey information and ideas
through any media regardless of boundaries (region).
RIGHT TO ACCESS CYBER SPACE (ACCESS TO INTERNET):
In Anuradha Bhasin v. Union of India, the petitioner was the executive editor of the
Kashmir Times. She challenged the restrictions on landline, mobile and internet services in
Jammu and Kashmir in August, 2019. The SC held that the right to freedom of speech and
expression and the right to practise any profession, or to carry on any occupation, trade or
business over the medium of internet, under Articles 19(1)(a) and 19(1)(g) respectively, are
constitutionally protected. Thus, a negative right to the internet subject to
restrictions under Articles 19(2) and 19(6) has been recognized.
Thus, any restriction on the right over the medium of internet, if imposed by the state under
Article 19, has to pass muster under the proportionality test as enumerated in the
decision in K.S Puttaswamy v. Union of India.
In Anuradha Bhasin v. Union of India, the question of a positive right to access to the
internet was left open to be determined later since the pleadings in this regard were not
made. This takes us to the question whether and how the right to access the internet can be
determined within our legal framework through judicial intervention in the future.
In Faheema Shirin v. State of Kerala, the High court has recognized that mobile phones and
internet access through it are part and parcel of daily life. The court looked at resolutions
adopted by the United Nations Human Rights Council and the General Assembly which
unequivocally point to the fact that internet access plays a key role in accessing information
and its close link to education and knowledge.
The court took the view that the right to be able to access the internet has been read into
the fundamental right to life and liberty, as well as privacy under Article 21. The court added
that it constitutes an essential part of the infrastructure of freedom of speech and
expression. The meaningful exercise of the right to freedom of speech and expression over
the medium of internet is dependent upon the access to the available infrastructure.
RIGHT TO PRIVACY:
According to Dr. Alan F. Westin: ‘privacy’ is “the claim of individuals, groups, or institutions
to determine when, how, and to what extent information about them is communicated to
others”.
In Gobind v. State of Madhya Pradesh, privacy, in its simplest sense, allows each human
being to be left alone in a core which is inviolable, yet the autonomy of the individual is
conditioned by her relationships with the rest of society. Personal information is generally
defined as any information relating to an identified or identifiable natural person. It may be
referred to as personal data, personal information, non-public personal information, etc.
With the growth of the digital age, more and more personal information of consumers and
citizens finds its way into massive databases held by the private sector and by
governments. Access to data in such databases raises three social concerns that drive
the issue of privacy. These include individuals’ fears about:
• how personal information is used or shared;
• how it is protected;
• who is accountable.
The right to privacy comes under the expanded ambit of Article 21 of the Indian Constitution.
So, whenever there is a cybercrime which relates to a person’s private property or personal
belongings, the accused can be charged with violation of Article 21 of the Indian
Constitution, and the prescribed remedy can be invoked against the accused. The Hon’ble
Supreme Court has also dealt with the right to privacy in the context of interception of
phone calls in the case of Amar Singh v. Union of India.
RIGHT TO INTERNET:
There are broadly two ideas that make a case for the recognition of the right to meaningful
access which has received much attention from scholars. The first being that the right to
meaningful internet access can be brought in place if the State chooses to frame regulations
with regard to market conditions and distribution of resources with a view to enable
equitable access. This view has roots in Article 19(1)(a) and 21 of the Constitution. The
second advocates that the right to internet be recognized by the State in the form of a
statutory, sui generis right to internet access from existing international human rights
obligations.
In a recent judgment in Faheema Shirin v. State of Kerala, the High court has recognized
that mobile phones and internet access through them are part and parcel of day-to-day life.
The court looked at resolutions adopted by the United Nations Human Rights Council and
the General Assembly which unequivocally point to the fact that internet access plays a
key role in accessing information and its close link to education and knowledge. The court
took the view that the right to be able to access the internet has been read into the
fundamental right to life and liberty, as well as privacy under Article 21. The court added
that it constitutes an essential part of the infrastructure of freedom of speech and
expression.
Relevant Sections of the IT Act:
• S.43A - creates a liability on a body corporate (including a firm, sole proprietorship or
other association of individuals engaged in commercial or professional activities)
which possesses, deals or handles any sensitive personal data or information in a
computer resource that it owns, controls or operates to pay damages by way of
compensation to the person affected, if there is any wrongful loss or wrongful gain
to any person caused because of negligence in implementing and maintaining
reasonable security practices and procedures to protect the information of the
person affected.
• S.72 - Breach of confidentiality and privacy shall be punishable with
imprisonment for a term which may extend to two years, or with fine which may
extend to Rs. 1,00,000 or with both.
• S.72A - mentions that any person (including an intermediary) who, while providing
services under the terms of a lawful contract, has secured access to any material
containing personal information about another person, and who, with the intent of causing or
knowing that he is likely to cause wrongful loss or wrongful gain, discloses such material
to any other person without the consent of the person concerned, or in breach of a lawful
contract, shall be punished with imprisonment for a term which may
extend to three years, or with fine which may extend to five lakh rupees, or with
both.
Currently, India’s most comprehensive legal provisions that speak to privacy on the internet
can be found in the Information Technology Act (ITA) 2000. The ITA contains a number of
provisions that can, in some cases, safeguard online privacy, or in other cases, dilute online
privacy. Provisions that clearly protect user privacy include:
• penalising child pornography,
• penalising hacking and fraud and
• defining data protection standards for body corporate.
Retired High Court Judge K.S. Puttaswamy filed a petition challenging the constitutionality
of the Aadhaar scheme, which required biometric data for obtaining a unique identity
number, arguing that it violated the right to privacy. A nine-judge bench of the Supreme
Court unanimously ruled that the right to privacy is a constitutionally protected right in
India. The court recognized privacy as an intrinsic part of the right to life and personal liberty
under Article 21 of the Constitution.

(2) PERSONAL DATA PROTECTION:


RIGHT TO DATA PROTECTION:

With steady development in Artificial Intelligence (AI), many software applications like
Facebook, Google etc. have developed which:
• collect,
• store the personal data of the user, and
• can also further process the data for any other purpose.
In the year 2018, the case of Cambridge Analytica drew the attention of many states to
the protection of the personal data of their citizens.
Information about the data misuse was disclosed in 2018 by Christopher Wylie, a former
Cambridge Analytica employee, in interviews with The Guardian and The New York Times. In
response, Facebook apologised for their role in the data harvesting. CEO Mark Zuckerberg
testified in front of Congress.
About 80 countries around the world have implemented various privacy policies to protect
their citizens’ personal data, such as:
• GDPR (General Data Protection Regulation) in the European Council,
• Brazil Internet Act, 2014 in Brazil,
• Personal Information Protection and Electronic Data Act (PIPEDA) in Canada, etc.
In India, we have:
• IT Act, 2000
• Digital Personal Data Protection Act, 2023
Under S.43A of the IT Act, where a body corporate:
• is possessing, dealing or handling any sensitive personal data or information of an
individual, and
• is negligent in implementing and maintaining reasonable security practices in
protecting the data, and
• this results in wrongful loss or wrongful gain to any person,
then such body corporate may be held liable to pay damages to the person so affected.
There is no maximum limit specified in the Act for the compensation that can be claimed by
the affected party in such circumstances.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011 deal with the protection of “Sensitive personal
data or information of a person”, which includes personal information relating to
passwords, financial information such as bank account or credit or debit card or other
payment instrument details, sexual orientation, medical records and history, and biometric
information.
Under S.72A of the Information Technology Act, 2000, disclosure of information, knowingly
and intentionally, without the consent of the person concerned and in breach of the lawful
contract has also been made punishable with imprisonment for a term extending to 3 years
and fine extending to Rs 5,00,000.
S.69 of the IT Act, which is an exception to the general rule of maintenance of privacy
and secrecy of the information, provides that where the Government is satisfied that it is
necessary in the interest of:
• the sovereignty or integrity of India,
• defence of India,
• security of the State,
• friendly relations with foreign States,
• public order,
• for preventing incitement to the commission of any cognizable offence relating to
above, or
• for the investigation of any offence.
DIGITAL PERSONAL DATA PROTECTION ACT:
The India Digital Personal Data Protection Act 2023 (DPDPA) is a landmark legislation that
aims to safeguard the privacy of individuals in the digital age. The Act came into effect on
September 1, 2023, and it applies to all organizations that process personal data of
individuals in India.
The DPDPA protects personal data that is processed in India, regardless of whether the data
was originally collected in India or elsewhere. The Act also applies to the processing of
personal data of Indian citizens, even if the data is processed outside of India.
The DPDPA does not apply to personal data that is:
• Processed for law enforcement or national security purposes
• Processed for the purpose of journalism or artistic expression
• Processed for personal or family purposes.
KEY PRINCIPLES:
The DPDPA is based on six key principles:
• Lawfulness: Personal data must be processed lawfully, fairly, and transparently.
• Purpose Limitation: Personal data must be collected for specified, explicit, and
legitimate purposes and not further processed in a manner that is incompatible with
those purposes.
• Data Minimization: Personal data must be adequate, relevant, and limited to what is
necessary in relation to the purposes for which they are processed.
• Accuracy: Personal data must be accurate and, where necessary, kept up to date.
• Storage Limitation: Personal data must be kept in a form which permits
identification of data subjects for no longer than is necessary for the purposes for
which the personal data are processed.
• Integrity and Confidentiality: Personal data must be processed in a manner that
ensures appropriate security of the personal data, including protection against
unauthorized or unlawful processing and against accidental loss, destruction, or
damage, using appropriate technical or organizational measures.
Rights and duties of Data Principal:
The Act gives certain rights to the Data Principal which include the right to:
1. access information about personal data;
2. correct and erase personal data;
3. grievance redressal; and
4. nominate another individual to exercise rights in case of death or incapacity of the Data
Principal.
The duties of the Data Principal include:
1. complying with the provisions of all the laws;
2. ensuring no impersonation of another person while providing her personal data;
3. ensuring no suppression of material information;
4. not registering any false complaint or grievance; and
5. furnishing authentic information.
Obligations as a Data Fiduciary under the Digital Personal Data Protection Act (DPDPA),
2023:
Before turning to the obligations of a Data Fiduciary, let us understand who a Data
Fiduciary is. A Data Fiduciary is a person who, either alone or with some other person,
decides for what purpose or by what means the personal data is processed.
The obligations of Data Fiduciary are outlined under Chapter II of the Act. There are two
grounds under which the personal data of a Data Principal can be processed:
1. When the Data Principal has given her consent; or
2. When it is used for certain legitimate use.
Moreover, a Data Fiduciary can process the personal data of a Data Principal only for lawful
purposes. If the Data Principal is a child, it will include their legal guardian or parents. If the
Data Principal is a person who has a disability, it will include a legal guardian who will act on
their behalf.
PERSONAL DATA PROTECTION BILL, 2019:
In 2017, the central government appointed the Justice BN Srikrishna Committee, and this
committee released a white paper on data protection law in India. In 2018, the central
government presented the Personal Data Protection Bill in Parliament, but
subsequently this bill was replaced by the Personal Data Protection Bill, 2019. The
Government of India, therefore, constituted a committee to propose a draft statute on data
protection. The committee proposed a draft law, and the Govt. of India has issued the
Personal Data Protection Bill 2019 (PDP Bill) based on the draft proposed by the committee.
This will be India's first law on the protection of data and it will repeal S.43A of the IT Act.
The PDP Bill proposes a broader reach. It will apply not only to persons in India but also to
persons outside India in relation to business carried out in India. The PDP Bill proposes to
apply to both manual and electronic records. The PDP Bill proposes creating a Data
Protection Authority in India, which is responsible for protecting the interests of data
principals, preventing misuse of personal data and ensuring compliance with the new law.
The PDP Bill proposes to protect Personal Data relating to the identity, characteristics,
traits or attributes of a natural person, and Sensitive Personal Data such as financial data,
health data, official identifier, sex life, sexual orientation, biometric data, genetic data,
transgender status, intersex status, caste or tribe, religious or political beliefs.
Once the PDPB is enacted into an Act, there are several compliances to be
followed by organisations processing personal data in order to ensure the protection of the
privacy of individuals in relation to their Personal Data. Consent of the individual would be
required for the processing of personal data. Based on the type of personal data being
processed, organisations will have to review and update their data protection policies and
codes to ensure these are consistent with the revised principles, for instance by updating
their internal breach notification procedures and implementing appropriate technical and
organisational measures to prevent misuse of data. A Data Protection Officer is to be
appointed by the Significant Data Fiduciary, and grievance redressal mechanisms are to be
instituted to address complaints by individuals.
In Justice K.S Puttaswamy (Retd.) v. Union of India, the Hon'ble Supreme Court through its
9 Judge Bench held that the fundamental right to privacy is guaranteed under the
Constitution of India. The Court stated that every person should have the right to:
• control the commercial use of his or her identity,
• exclusively use and commercially exploit their identity and personal information,
• control the information that is available about them on the internet, and
• disseminate certain personal information for limited purposes only,
all of which emanate from this right.
This is the first time the Supreme Court has expressly recognized the right of an
individual over his personal data.

MODULE – 03:
(1) UNCITRAL MODEL LAW:
Uniform International Standards for Cyber Law: UNCITRAL Model Law on Electronic
Commerce, 1996 - With the globalization of business the international community felt a
need for a law which would set uniform standards for electronic commerce. This led to the
adoption of the UNCITRAL Model Law on Electronic Commerce by the U.N. General
Assembly (the 'Model Law').
This laid down the fundamental principles of e-commerce law:
(i) Non-discrimination: This principle requires the removal of any discrimination between a
physical document and an electronic one. It ensures that the document will not be denied
its validity/enforceability solely on the grounds of it being in an electronic form.
For example, Article 5 of the Model Law states that the legality of information shall not be
denied merely because it is contained in an electronic document.
(ii) Technological neutrality: This principle mandates that the provisions adopted in a law
should be neutral with respect to the technology involved. This ensures that the rapid pace
of development of technology does not lead to the law becoming redundant in no time.
For example, Article 7 of the Model Law, which lays down rules regarding a valid signature
of an electronic document, prescribes a reliable 'method' which is used to indicate that
person's approval. Since the method has not been specified, the rule is not restricted to the
currently accepted method, which is digital signatures, and the law would continue to apply
regardless of any new development.
(iii) Functional equivalence: Terms like 'writing', 'original', 'signed' etc. are specific to
paper-based documents. This principle sets out the corresponding criteria for electronic
communication.
For example, the law of evidence generally required that the original document should be
presented as evidence. For a paper-based document, it would mean a document that was
actually issued, or with original signatures, or which is not a photocopy or fax of another
document. Article 8 describes an original electronic document to be one where the
information it contains is the same as that when it was first generated in its final form.
India's First Cyber Law: The Information Technology Act, 2000. This Resolution
recommended that 'All States give favourable consideration to the UNCITRAL Model Law on
Electronic Commerce when they enact or revise their laws, in view of the need for
uniformity of the law applicable to alternatives to paper-based forms of communication and
storage of information'.
(2) ADMISSIBILITY OF E-RECORDS:
According to Section 61 of BSA, electronic or digital records are explicitly deemed
admissible in evidence, and their admissibility cannot be denied solely on the grounds of
their electronic nature. Hence, it can be said that the enforceability of electronic records
is on par with traditional documents. Section 62 of BSA specifies the process for proving the
contents of electronic records in accordance with Section 63.
Conditions for Admissibility:
Section 63 of BSA outlines the conditions that must be satisfied for the admissibility of
electronic records. It states that information contained in an electronic record, when
produced by a computer or communication device, is considered a document. This
electronic document is then admissible in proceedings without requiring the original
document, provided certain conditions are met.
Conditions for Electronic Record Admissibility:
Section 63(2) details the conditions for admissibility of a computer output, which include:
• Regular use of the computer or communication device for creating, storing, or
processing information.
• Regular feeding of information into the computer during ordinary activities.
• Proper operation of the computer or communication device during the relevant
period.
• Reproduction or derivation of information from the ordinary course of activities.
Treatment of Multiple Computers:
Section 63(3) addresses scenarios where multiple computers or communication devices are
involved in creating, storing, or processing information. It treats them collectively as a single
unit for the purpose of admissibility, providing a practical approach to electronic evidence in
various technological setups.
Certification Requirement:
Section 63(4) mandates the submission of a certificate, signed by a person in charge of the
computer or communication device and an expert, along with the electronic record. This
certificate must identify the electronic record, describe its production, and provide
particulars of the devices involved. Additionally, it should address the conditions outlined in
Section 63(2).
Provisions under IT Act:
• Section 59 of the IT Act states that all facts, except the contents of electronic
records, can be proved by oral evidence.
• Section 65-A of the IT Act provides a special procedure for proving the contents of
electronic records.
Arjun Pandit Rao v. Kailash Kushanrao (July 2020):
The Apex Court, in a recent judgment, ruled that the certificate is essential to admit the
electronic record as evidence. The certificate submitted under this provision contains the
particulars of that electronic record and its identity, including the authorised signature of a
person having official responsibility in relation to the management and operation of the
relevant device.
Anvar P.V. v. P.K. Basheer & Others (2014):
The Apex Court gave a landmark judgment in this case. Its ruling helped to resolve the
conflicting judgments of various High Courts on the manner of admissibility of electronic
(record) evidence. The Supreme Court ruled that secondary data in CD/DVD/Pen Drive is
admissible only with a certificate. Oral evidence cannot prove electronic evidence; a
certificate is essential to prove it. Also, the opinion of an expert under the Act is not an
escape route to bypass the procedure.
(3) CONCEPT OF PUBLIC & PRIVATE KEY:
Cryptography as a field emphasizes the need to guarantee secure communication and data
privacy. There are mainly two approaches available to perform this operation: Private Key
Cryptography (RIC or Symmetric Key Cryptography) and Public Key Cryptography (PKE or
Asymmetric Key Cryptography). Although they are used to protect information, they work
differently and have certain benefits and drawbacks. In this article, the key focus is on
understanding the key aspects of a private and public key as well as the advantages and
disadvantages of using them.
Cryptography is the science of secret writing to keep the data secret. Cryptography is
classified into symmetric cryptography, asymmetric cryptography, and hashing.
What is a Private Key?
Private Key Encryption, also termed Symmetric Key Encryption, uses the same key to lock
the message and to unlock it. This key must be kept secret between the two communicating
entities to have reasonable security.
Advantages of Private Key Encryption:
Speed: These algorithms are faster than asymmetric encryption algorithms and are hence
used for encrypting large volumes of data.
Less Computational Power: It requires fewer calculations, which makes it suitable for
real-time use.
Limitations of Private Key Encryption:
Key Distribution Problem: The first and perhaps the major limitation is how to securely
transfer the key among the parties. If the key is intercepted, it is useless, meaning that
the security is lost.
Scalability Issues: As the number of users rises, key management becomes more
complicated, and thus it is not very scalable for large systems.
What is Public Key?
Public Key Encryption, or Asymmetric Encryption, involves a pair of keys: the public key,
which is widely known, and the private key, which is kept secret. The public key, which
anyone can obtain from the internet, is used for encoding (encryption), while the private
key is used for decoding (decryption).
Advantages of Public Key Encryption:
Enhanced Security: The use of two keys removes the problem of secure key distribution:
anyone can encrypt the message with the public key, while the private key is known only to
the recipient.
Digital Signatures: Public key cryptography underpins the concept of digital signatures,
hence ensuring a true and complete message.
Disadvantages of Public Key Encryption:
Slower Performance: Asymmetric algorithms are generally slower and considerably more
resource-hungry than symmetric algorithms.
Complexity: The management and application of public key infrastructure can be
complicated.
(4) CRYPTO SYSTEM:
A cryptosystem is a structure or scheme consisting of a set of algorithms that converts
plaintext to ciphertext to encode or decode messages securely. The term cryptosystem is
shorthand for "cryptographic system" and refers to a computer system that employs
cryptography, a method of protecting information and communications with codes so only
those for whom the information is intended can read and process it.
To keep data secure, cryptosystems incorporate the algorithms for key generation,
encryption and decryption techniques. At the heart of cryptographic operations is a
cryptographic key, a string of bits used by a cryptographic algorithm to transform plaintext
into ciphertext or the reverse. The key is part of the variable data provided as input to a
cryptographic algorithm to execute this sort of operation. The cryptographic scheme's
security depends on the security of the keys used.
Cryptosystems are used for sending messages in a secure manner over the internet, such as
credit card information and other private data. In another application of cryptography, a
system for secure email might include methods for digital signatures, cryptographic hash
functions and key management techniques.
Components of a cryptosystem:
A basic cryptosystem includes the following:
Plaintext: Unencrypted information that needs protection.
Ciphertext: The encrypted, or unreadable, version of the plaintext information.
Encryption algorithm: The mathematical algorithm that takes plaintext as the input and
encrypts to ciphertext. It also produces the unique encryption key for that text.
Decryption algorithm: The mathematical algorithm that takes ciphertext as the input and
decodes it into plaintext. It also uses the unique decryption key for that text.
Encryption key: The value known to the sender that is used to compute the ciphertext for
the given plaintext.
Decryption key: The value known to the receiver that is used to decode the given ciphertext
into plaintext.

Types of cryptosystems:
Cryptosystems are categorized by the method they use to encrypt data, either
symmetrically or asymmetrically.
Symmetric key encryption:
The cryptosystem uses the same key for both encryption and decryption. In this method,
keys are shared with both parties prior to transmission and are changed regularly to prevent
any system attacks.
Asymmetric key encryption:
The cryptosystem uses different keys for encryption and decryption. The keys are
mathematically related, however. In this method, each party has its own pair of keys that is
exchanged during transmission.
(5) HASH FUNCTION:
Hash functions are used in digital signatures to guarantee the integrity of an electronic
record. It has been defined under the explanation to S.3 of the Act which is as follows:
"Hash function" means an algorithm mapping or translation of one sequence of bits into
another, generally smaller, set known as "Hash Result" such that an electronic record yields
the same hash result every time the algorithm is executed with the same electronic record
as its input making it computationally infeasible
• to derive or reconstruct the original electronic record from the hash result produced
by the algorithm
• that two electronic records can produce the same result using the algorithm.
The hash function uses a method that is very similar to the process of encryption used in the
asymmetric crypto system. It consists of a simpler form of encoding and decoding that
converts information of one length to information of a smaller length using a mathematical
algorithm. For a given hash function, the smaller length to which the information is to be
converted is fixed. This means that a given 'hash function' will always produce a hash result
of the same length, regardless of the length of the information to which it is applied.
Therefore, the hash function is a many-to-one translation, in comparison with encryption,
which uses a 1:1 translation. Even a slight change in the document will produce a
completely different hash result. Therefore, the application of a hash function to an
electronic record produces a hash result that is, for practical purposes, unique to the
record. This guarantees the integrity of the document, since even the slightest modification
to the document can be detected by applying the same hash function to the information.
Another important feature of a hash result is that, unlike in encryption, a hash result cannot
be 'decrypted' to produce the original record. This guarantees the confidentiality of a
message that is sent, ensuring that no person who obtains access to the hash result of a
document will be able to derive the original information from it.

In summary, a hash function consists of an algorithm, mapping or translation, i.e., a kind of
mathematical formula. This mathematical formula converts one sequence of bits, i.e.,
information of one length, into a sequence of a fixed smaller length. This smaller sequence is
known as a 'hash result'. A given set of information produces the same result every time the
hash function is applied. It is impossible (computationally infeasible) to calculate or derive
the original information from its hash result. It is likewise impossible (computationally
infeasible) for two separate electronic records to produce the same hash result using the
same hash function.
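The properties in the definition above (the same result for the same record, a fixed length, and a completely different result after a slight change) can be checked directly. The following is an added example, not part of the original notes; SHA-256, the function names and the sample records are assumptions chosen for illustration.

```python
import hashlib
import hmac


def hash_result(record: bytes) -> bytes:
    """Fixed-length hash result (SHA-256, 32 bytes) of an electronic record."""
    return hashlib.sha256(record).digest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length hash results differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def build_manifest(records: dict) -> dict:
    """Record name -> hex hash result, taken while the records are known good."""
    return {name: hash_result(data).hex() for name, data in records.items()}


def altered_records(records: dict, manifest: dict) -> list:
    """Names in the manifest whose record is missing or no longer matches."""
    changed = []
    for name, expected_hex in sorted(manifest.items()):
        data = records.get(name)
        # compare_digest compares the two hex strings in constant time.
        if data is None or not hmac.compare_digest(
                hash_result(data).hex(), expected_hex):
            changed.append(name)
    return changed


# Constructed sample records (not taken from any real case).
ORIGINALS = {
    "agreement.txt": b"A shall pay B Rs. 10,000 on 1 March.",
    "notice.txt": b"Hearing adjourned to 15 April.",
}

if __name__ == "__main__":
    manifest = build_manifest(ORIGINALS)
    received = dict(ORIGINALS)
    # A one-character change to the amount.
    received["agreement.txt"] = b"A shall pay B Rs. 90,000 on 1 March."
    print("altered:", altered_records(received, manifest))
    print("bits changed:", differing_bits(
        hash_result(ORIGINALS["agreement.txt"]),
        hash_result(received["agreement.txt"])), "of 256")
```

A one-character change flips roughly half of the 256 output bits, which is why comparing hash results is enough to detect any modification of the record.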
(6) AUTHENTICATION OF E-RECORDS USING DIGITAL SIGNATURE:
INTRODUCTION:
A signature can be said to be the ‘definite identity’ of an individual expressed on a
piece of paper. Earlier, each individual had to go to the place where the documents were
physically present, go through the whole document, and then authenticate it by giving
his/her signature. With the fast pace of development this method proved to be outdated,
since individuals in one part of the world can now interact with someone in a different part
of the world or a country. The advent of Electronic Signatures was therefore necessary to
keep ongoing transactions, the life of corporates, etc. functioning smoothly.
It was not possible or feasible in every scenario to travel such a distance just for the
purpose of authenticating documents by signing them. So Electronic signatures were a
must, and the concept developed to meet the needs of the fast-developing world.
Concept of E-Signatures:
An Electronic signature provides an electronic representation of a particular person’s
signature, which represents that individual’s identity electronically. When a person gives
his electronic signature on a document, it works in the same fashion as a physical
signature, i.e. it gives proof of consent and of that person’s assent to the contents of the
document.
Electronic Signatures as defined under the law:
Electronic Signature is defined under Section 2 (ta) of Information Technology Act, 2000 as-
“Authentication of any electronic record by a subscriber by means of the electronic
technique specified in the second schedule and includes digital signature”.
The procedure of Digital Signature:
Rule 4 of the Information Technology (Certifying Authorities) Rules, 2000 explains the
digital signature’s procedure as:
• To sign any electronic record or any other piece of information, the person who is
signing first has to apply the hash function in the signer’s software (a function
used to map data of an arbitrary size into data of a fixed size). Values returned by
this function are known as hash codes, digests or hash values.
• This function computes a hash result of standard length unique to the electronic
record.
• The signer’s software will convert this hash result into a digital signature using the
private key of the signer.
• The resulting Digital Signature will be unique to both the electronic record and the
private key used to create the digital signature.
• This Digital Signature will be attached to its electronic record and stored or
transmitted with that electronic record.
Verification of a Digital Signature:
The recipient will receive the Digital Signature and the original message. After that, the
following two steps have to be followed:
• By applying the hash function, a new message digest is computed from the
original message.
• The signer’s public key is applied to the digital signature which the recipient
received, and as the outcome another message digest is recovered.
• If both message digests prove to be identical, it can be concluded that the
message has not been altered.
Rule 5 of Information Technology (Certifying Authorities) Rules, 2000 talks about the
method of verification of a digital signature:
“The verification of a Digital Signature shall be attained by computing a new hash result of
the original electronic record by means of a hash function used to create a Digital Signature
and by using the new hash result and the public key”.
Digital Signature Certificate (DSC):
It is a method to prove the electronic document’s authenticity and can be presented
electronically to access information, to prove identity or to sign documents digitally.
The Controller of Certifying Authorities appointed by the Central Government grants a
licence to the Certifying Authorities in order to issue digital signature certificates to
subscribers. A Digital Signature Certificate is valid for a maximum period of three years.
Elements of DSC:
• Name of the issuer.
• Owner’s name and public key.
• Public Key’s expiry date.
• Certificate’s Serial Number.
• User’s Digital Signature.
AUTHENTICATION:
Rule 3 of the Certifying Authority Rules prescribes the manner in which information be
authenticated by means of Digital Signature.
"A Digital Signature shall,
(a) be created and verified by cryptography that concerns itself with transforming
electronic record into seemingly unintelligible forms and back again:
(b) use what is known as "public Key Cryptography", which employs an algorithm using
two different but mathematical related "keys" one for creating a Digital Signature
transforming data into seemingly unintelligible form, and another key for verifying a Digital
Signature or returning the electronic record to original form, the process termed as hash
function shall be used in both creating and verifying a Digital Signature. Computer
equipment and software utilising two such keys are often termed as "asymmetric
cryptography"."

Under this rule, the affixation of a digital signature involves two steps:
• Creation and
• Verification.
This is done using cryptography, which involves the conversion of the message into an
unintelligible form and vice-versa. The method of cryptography that is adopted here is
'public key cryptography', which involves two keys, one which converts the information into
an unintelligible form, and the other which reconverts it into the original form. The first key,
the private key, creates the digital signature, while the second, the public key, verifies it. The
explanation defines "asymmetric cryptography" to refer to the computer software and
equipment which is involved with the use of public key cryptography.
Creation of Digital Signature - Rule 3 of the CA Rules describes the process of creation of
the digital signature.
Transmission of the Record:
• The process of transmission of the electronic record is described in the last part of
Rule 4 of the CA Rules.
• After the digital signature is created, it is attached to the original electronic record.
• Thereafter, both the original electronic record in plain text and the digital signature
are transmitted to the recipient.
Verification of Digital Signature:
Rule 5 of the CA Rules describes the process of verification of a digital signature:
"The verification of a Digital Signature shall be accomplished by computing a new hash
result of the original electronic record by means of the hash function used to create a Digital
Signature and by using the public key and the new hash result, the verifier shall check-
(i) if the Digital Signature was created using the corresponding private key, and
(ii) if the newly computed hash result matches the original result which was transformed
into Digital Signature during the signing process.
The verification software will confirm the Digital Signature as verified if-
(a) the sender's private key was used to digitally sign the electronic record, which is
known to be the case if the sender's public key is used to verify the signature because the
sender's public key will verify only a Digital Signature created with the sender's private key,
and
(b) the electronic record was unaltered, which is known to be the case if the hash result
computed by the verifier is identical to the hash result extracted from the Digital Signature
during the verification process."
• Upon receipt of the digital signature and the original record, the recipient will need
to verify the digital signature. For this purpose, the public key will have to be made
available to the recipient, either prior to sending the digital signature, or along with
the record with the digital signature, or made publicly available for use by any
recipient.
• The process of verification involves the following steps:
- Creation of a New Hash Result: The first step in the process of verification is the
application of the same hash function to the electronic record received by the recipient. This
results in the creation of a new hash result.
- Application of Public Key: Thereafter, the public key will be applied to the digital
signature that is attached to the electronic record received. This application will decrypt
the cipher text, to produce the hash result that was generated by the sender. The successful
application of the public key to produce the hash result indicates that the digital signature
was indeed created by the application of the sender's corresponding private key.
- Comparison of the Hash Results: The next step is the comparison of the hash result
obtained by the recipient with the hash result obtained by the sender. Electronic records
can very easily be modified or tampered with once in transit. As mentioned earlier, even a
slight change in the document will produce a completely different hash result, thus
indicating that the electronic document has been compromised. On the other hand,
obtaining a hash result that is identical to the one obtained by the sender indicates
that the record received by the recipient was identical to the one that was sent by the
sender.
- A comparison of the hash results, therefore, completes the verification of the digital
signature. With this, the process of authentication of the electronic record is complete.
Process of Authentication by a Digital Signature:
The steps for the affixation of a digital signature under S.3 of the Act read with Rules 3, 4
and 5 of the CA Rules can therefore be summarised as follows:
• A hash function is applied to the electronic record to produce a hash result.
• The sender's private key is applied to the hash result, to produce an encrypted form
of the electronic record. This step indicates the creation of the digital signature.
• This encrypted record is sent along with the original document to the receiver.
• The receiver applies the sender's public key to the document, and decrypts it to
obtain the original hash result of the document.
• He applies the hash function to the original document sent along with the encrypted
record to obtain a hash result again.
• He compares this hash result with the one obtained from the decryption.
• If the hash results are equal, the digital signature is verified.

A digital signature, therefore, guarantees the following with respect to the record:
• Authenticity:
The asymmetric crypto system guarantees the authenticity of the source of the electronic
document, i.e., it guarantees that the document was sent by the sender himself. Since the
private key is known only to the subscriber, the affixation of the digital signature onto the
document is evidence that it was affixed by the subscriber and no one else.
• Non-repudiation:
The asymmetric crypto system also guarantees non-repudiation of the document, i.e., once
the digital signature has been affixed by the sender and verified by the recipient, the sender
cannot deny having sent the document.
• Integrity:
The hash function guarantees the integrity of the record, i.e., the record has not been
altered while being transmitted to the recipient.
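The creation and verification steps summarised above, together with a check of the signer's Digital Signature Certificate, are shown here as an added example that is not part of the original notes. It uses textbook RSA without padding and constructed demo keys built from publicly known primes, so it illustrates the flow only; the Certificate fields, key names and record text are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import date

E = 65537  # commonly used RSA public exponent


@dataclass(frozen=True)
class KeyPair:
    n: int  # modulus (public)
    e: int  # public exponent (public)
    d: int  # private exponent (kept secret by the key holder)


def demo_keypair(p: int, q: int) -> KeyPair:
    """Textbook RSA key pair from two primes. Demo values only, not secure."""
    return KeyPair(n=p * q, e=E, d=pow(E, -1, (p - 1) * (q - 1)))


def hash_result(record: bytes) -> int:
    """Hash function step: SHA-256 of the record, as an integer."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, key: KeyPair) -> int:
    """Creation: apply the signer's private key to the hash result.
    Deployed systems use a padded scheme from a vetted library instead."""
    return pow(hash_result(record), key.d, key.n)


def verify(record: bytes, signature: int, n: int, e: int) -> bool:
    """Verification: recover the signed hash result with the public key and
    compare it with a hash result newly computed from the received record."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == hash_result(record)


@dataclass(frozen=True)
class Certificate:
    """Simplified DSC: serial, issuer, owner, owner's public key, expiry."""
    serial: int
    issuer: str
    owner: str
    owner_n: int
    owner_e: int
    expires: date
    ca_signature: int = 0  # CA's signature over the fields above (assumption)

    def signed_fields(self) -> bytes:
        # A JSON list gives an unambiguous encoding of the certified fields.
        return json.dumps([self.serial, self.issuer, self.owner, self.owner_n,
                           self.owner_e, self.expires.isoformat()]).encode()


def issue_certificate(ca: KeyPair, issuer: str, owner: str, owner_key: KeyPair,
                      serial: int, expires: date) -> Certificate:
    """The CA binds the owner's name to the owner's public key by signing."""
    cert = Certificate(serial, issuer, owner, owner_key.n, owner_key.e, expires)
    return replace(cert, ca_signature=sign(cert.signed_fields(), ca))


def relying_party_check(record: bytes, signature: int, cert: Certificate,
                        ca_n: int, ca_e: int, today: date) -> str:
    """Check the certificate first, then the signature on the record."""
    if not verify(cert.signed_fields(), cert.ca_signature, ca_n, ca_e):
        return "certificate not signed by the trusted CA"
    if today > cert.expires:
        return "certificate expired"
    if not verify(record, signature, cert.owner_n, cert.owner_e):
        return "signature invalid"
    return "verified"


# Constructed demo keys built from publicly known Mersenne primes.
CA_KEY = demo_keypair(2**127 - 1, 2**521 - 1)
SIGNER_KEY = demo_keypair(2**89 - 1, 2**607 - 1)
OTHER_KEY = demo_keypair(2**107 - 1, 2**521 - 1)

if __name__ == "__main__":
    record = b"Agreement dated 2025-01-10: A shall pay B Rs. 10,000."
    cert = issue_certificate(CA_KEY, "Demo CA", "A", SIGNER_KEY, 1001,
                             date(2026, 1, 9))
    sig = sign(record, SIGNER_KEY)
    today = date(2025, 6, 1)
    print(relying_party_check(record, sig, cert, CA_KEY.n, CA_KEY.e, today))
    altered = record.replace(b"10,000", b"90,000")
    print(relying_party_check(altered, sig, cert, CA_KEY.n, CA_KEY.e, today))
```

The altered record fails because its newly computed hash result no longer matches the one recovered from the signature; a signature made with a different private key fails for the same comparison.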

(7) PUBLIC KEY INFRASTRUCTURE:
The Public key infrastructure (PKI) is the set of hardware, software, policies, processes, and
procedures required to create, manage, distribute, use, store, and revoke digital certificates
and public keys. It is the set of technology and processes that make up a framework of
encryption to protect and authenticate digital communications. PKI uses cryptographic
public keys that are connected to a digital certificate, which authenticates the device or user
sending the digital communication. Digital certificates are issued by a trusted source, a
certificate authority (CA), and act as a type of digital passport to ensure that the sender is
who they say they are.
Public key infrastructure protects and authenticates communications between servers and
users, and secures communications within an organisation to ensure that the messages are
only visible to the sender and recipient, and that they have not been tampered with in transit.
It uses asymmetric encryption methods to ensure that messages remain private and also to
authenticate the device or user sending the transmission.
• Involves the use of a public and private key.
• The public key is available to anyone who requests it and is issued by a trusted
certificate authority. This public key verifies and authenticates the sender of the
encrypted message.
• The private, or secret, key. This key is kept private by the recipient of the encrypted
message and used to decrypt the transmission.
Complex algorithms are used to encrypt and decrypt public/private key pairs. The public key
authenticates the sender of the digital message, while the private key ensures that only the
recipient can open and read it.
Persons involved:
Controller -> certifying authorities -> subscriber
It is an organisational structure that is responsible for the establishment and maintenance
of a reliable system of public key cryptography.
CONTROLLER OF CERTIFYING AUTHORITIES:
Section. 2(m), IT Act: "Controller" means the Controller of Certifying Authorities appointed
under S.17(1)
The Controller of Certifying Authorities (the "Controller") is the apex in the PKI hierarchy.
They are appointed by the Central Government for the supervision and control of the
Certifying Authorities (the "CA")
Their functions include,
• licensing of the CAs,
• specifying the form and content of an electronic signature and key,
• laying down applicable standards for CAs,
• recognition of foreign CAs, etc.
Such persons are appointed under S.17 by the Central Government and notified in the
Official Gazette; the Central Government may also appoint Assistant Controllers and
Deputy Controllers.
Subsidiary bodies:
A. RCAI: Root Certifying Authority of India:
- The "Root Certifying Authority of India" (the "RCAI") has been established by the
Controller to perform its function of licensing of CAs.
- This licensing is done through the issue of X.509 certificates, known as Root
certificates, which certify the public keys of the CAs.
- It is the highest level of certification in India.
- The licence of a CA can be verified by a subscriber through this certificate on the
website of the Controller.
- The RCAI issues the Certification Practice Statement (the "CPS") which is adopted by
the Controller, which is defined as follows:
"Certification Practice Statement means a statement issued by a certifying Authority to
specify the practices that the certifying Authority employs in issuing Electronic Signature
Certificates."
B. NRDC: National Repository of Digital Certificates:
- The National Repository of Digital Certificates (the "NRDC") was set up in view of S.20
of the IT Act, which was later omitted by the Amendment Act.
- This repository contains all the digital signature certificates issued by the RCAI and by
licensed CAs.
- It also maintains the corresponding CRLs issued by them.
- The duties of the NRDC are as follows:
• Publishing Public Key certificates of licensed CAs.
• Publishing CRLs.
Functions of Controller: (Section 18)
• Exercise supervision over certifying authorities.
• Lay down standards for certifying authorities.
• Specify the form and content of electronic signatures.
• Specify the form and manner in which the accounts are to be maintained by
certifying authorities.
• Solve conflicts of interest between certifying authorities.
• S.19 - To recognise foreign certifying authorities.
• S.21 - To grant licences to CAs to issue electronic signature certificates.
• S.25 - To suspend licences - The notice of suspension or revocation may be published
in the database maintained by the Controller u/s 26.
Powers of Controller: (Section.27)
A. Power to Delegate:
The Controller may, in writing, authorise the Deputy Controller, Assistant Controller or any
officer to exercise any of the powers of the Controller under this Chapter.
B. Must notify revoked/suspended licences in the public domain:
Where the licence of the Certifying Authority is suspended or revoked, the Controller shall
publish notice of such suspension or revocation, as the case may be, in the database
maintained by him.
C. Power to investigate contravention:
Shall take up for investigation any contravention of the provisions of this Act, rules or
regulations made thereunder. The Controller or any officer authorised by him in this behalf
shall exercise the like powers which are conferred on Income-tax authorities under Chapter
XIII of the Income-tax Act, 1961 and shall exercise such powers, subject to such limitations
laid down under that Act.
D. Access to computers and data:
If he has reasonable cause to suspect that any contravention of the provisions of this Act,
rules or regulations made thereunder has been committed, have access to any computer
system, any apparatus, data or any other material connected with such system, for the
purpose of searching or causing a search to be made for obtaining any information or data
contained in or available to such computer system.
E. Power to issue directions for blocking the public access of any information through any
computer resource in the circumstances.
F. Power to authorise to monitor and collect traffic data or information through any
computer resource for cyber security.
G. Power to make regulations for carrying out the purposes of this Act
• After consultation with the cyber regulatory advisory committee and
• Prior approval of the Central Government.
CERTIFYING AUTHORITIES:
A Certifying Authority is a body that has been authorised by the Controller to issue an
electronic signature certificate to a subscriber. It is defined under S.2(1)(g) of the IT Act as
follows:
"Certifying Authority means a person who has been granted a licence to issue an Electronic
Signature Certificate under S.24". A CA is authorised by the Controller via a Root Certificate.
Thereafter, the CA plays two key roles in the PKI system:
• Issues digital signatures to the subscriber.
• Verifies the digital signature of a subscriber on the request of the recipient, or the
relying party.
In order to perform these roles in a secure manner, the following obligations have been
imposed on the CA:
• Protect their private key.
• Maintain a website and publish the licence and sub-CA certificates.
• Publish the name and contact information of the party responsible for the CA.
• In case of a compromise of their signing key, immediately revoke all subscriber
certificates, publish details in the CRL (Certificate Revocation List) and report to the
RCAI.
• Have their Certification Practice Statement approved by the Controller.
Duties of certifying authorities (S30-34):
A. S.30: To follow certain procedures regarding security system:
make use of hardware, software, and procedures that are secure from intrusion and misuse,
provide a reasonable level of reliable services, adhere to security procedures to ensure the
secrecy and privacy of electronic signatures, be the repository of all Electronic Signature
Certificates, publish information regarding its practices, Electronic Signature Certificates and
current status of such certificates and observe the specified standards.
B. S.31: ensure compliance:
The certifying authority must ensure that every person employed or engaged by it complies
with the provisions of the Act, rules, regulations or order, made thereunder.
C. S.32: display its licence:
The certifying authority must display its licence at a conspicuous place in the premises in
which it carries on its business.
D. S.33: surrender its licence:
The certifying authority must surrender its licence to the controller on its suspension or
revocation.
E. S.34: make certain disclosures:
Disclosure of Electronic Signature Certificate, Certification Practice Statement (CPS), notice
of revocation and suspension of Certificates of Certifying Authority, Disclosure of facts
materially and adversely affecting the reliability of electronic signature certificate &
Disclosure of adverse effects to affected persons.
SUBSCRIBER:
At the bottom of the PKI hierarchy is the subscriber. The subscriber bears the obligations
of obtaining a valid Digital Signature Certificate (DSC) from a licensed Certifying
Authority and thereafter maintaining its authenticity by suitably protecting the private key.
A DSC acts as proof linking a particular subscriber to a particular key pair. Thus, the DSC
enables a relying party to,
A. identify the subscriber,
B. obtain the public key used by him, and
C. verify the purpose of the DSC, its validity period, key usage and class
D. verify the legality of the DSC through the public key of the CA issuing it.
Once verified both the relying party and the subscriber are bound by the electronic
transaction.
Procedure for issue of DSCs to a subscriber: (IT Act and CA Rules)
A. Any person can apply to a CA through its Registration Authority for a DSC.
B. The Registration Authority is the body of the CA which interacts with the subscribers
for the provision of CA services.
C. The application shall be in the application form provided by the CA and accompanied
by the prescribed fee, as per the class of the application, and by a certification practice
statement or, where there is no such statement, a statement containing such particulars as
specified by regulations.
D. DSCs are usually issued with a lifetime of one or two years.
E. On expiry of a DSC, application may be made for its re-issue.
F. The CA may suspend or revoke the DSC.
G. The CA must publish notices of such suspensions/revocations in the CRLs.
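The relying-party checks listed above (A to D), together with the expiry and revocation steps of the issuance procedure, can be exercised with Go's standard crypto/x509 package. This is an added example, not code from these notes or from any Certifying Authority; the CA and subscriber names, the serial numbers, the helper issue, the function CheckDSC and the revoked-serial set (standing in for serials read from the CA's revocation list) are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed certificate; parent == nil makes the self-signed CA.
func issue(cn string, serial int64, ku x509.KeyUsage, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(2, 0, 0), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, parseErr := x509.ParseCertificate(der)
	if err != nil || parseErr != nil {
		panic(fmt.Sprint("issuing constructed certificate failed: ", err, parseErr))
	}
	return cert
}

// CheckDSC runs the relying party's checks and returns the subscriber's name if all pass.
func CheckDSC(dsc, ca *x509.Certificate, revoked map[string]bool, at time.Time) (string, error) {
	switch {
	case dsc.CheckSignatureFrom(ca) != nil: // D: signature made with the issuing CA's key
		return "", fmt.Errorf("DSC was not signed by the issuing CA")
	case at.Before(dsc.NotBefore) || at.After(dsc.NotAfter): // C: validity period
		return "", fmt.Errorf("DSC is outside its validity period")
	case dsc.KeyUsage&x509.KeyUsageDigitalSignature == 0: // C: key usage
		return "", fmt.Errorf("DSC key usage does not permit signing")
	case revoked[dsc.SerialNumber.String()]: // serials read from the CA's revocation list
		return "", fmt.Errorf("DSC serial %s is revoked", dsc.SerialNumber)
	}
	return dsc.Subject.CommonName, nil // A: identity; dsc.PublicKey (B) can now be relied on
}

func main() {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	subPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := issue("Constructed CA", 1, x509.KeyUsageCertSign, caPub, nil, caKey)
	dsc := issue("Constructed Subscriber", 42, x509.KeyUsageDigitalSignature, subPub, ca, caKey)
	fmt.Println(CheckDSC(dsc, ca, nil, time.Now()))                         // passes
	fmt.Println(CheckDSC(dsc, ca, map[string]bool{"42": true}, time.Now())) // revoked
}
```

CheckSignatureFrom validates against a single issuing CA; where intermediate CAs exist, Certificate.Verify with a root pool builds and checks the whole path.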
Duties of subscribers:
The duties of subscribers are covered under Chapter VIII of the IT Act.
A. Generate Key pair:
On acceptance of a DSC, the subscriber shall generate the key pair of which the public key is
listed in the DSC.
B. Duties:
The subscriber shall perform such duties as prescribed with respect to an electronic
signature.
C. Acceptance of DSC:
A subscriber is deemed to have accepted a DSC if he publishes it to one or more persons, or
in a repository, or in any other manner.
D. Certification of Subscriber:
Upon acceptance of a DSC, the subscriber certifies that he holds the corresponding private
key, and the representations made to the CA and the information in the DSC are true.
E. Control of Private Key:
The subscriber shall exercise reasonable care to retain control over the private key and
prevent its disclosure.
F. Compromise of private key:
In the event of a compromise of the private key, the subscriber shall inform the CA of the
same as soon as possible. Until the CA is informed, the subscriber will continue to be liable
for the use of the private key.
(8) ELECTRONIC RECORDS:
The preamble of the IT Act, 2000 reads "And whereas it is considered necessary to give
effect to the said resolution and to promote efficient delivery of Government services by
means of reliable electronic records." Electronic records play a vital role in cyber law and
governance.
S.2(t) of the IT Act - “electronic record” means data, record or data generated, image or
sound stored, received or sent in an electronic form or microfilm or computer generated
microfiche;
S.3: Authentication of E-records - Subject to the provisions of this section, any subscriber
may authenticate an electronic record by affixing his digital signature. The authentication of
the electronic record shall be effected by the use of an asymmetric crypto system and hash
function which envelop and transform the initial electronic record into another electronic
record. Any person by the use of a public key of the subscriber can verify the electronic
record. The private key and the public key are unique to the subscriber and constitute a
functioning key pair.
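The mechanism S.3 describes, hashing the record and signing the hash with the private key so that anyone holding the public key can verify it, looks like this in Go. This is an added example, not part of these notes or of the Act; the choice of SHA-256 with ECDSA P-256, the type SignedRecord, the functions Affix and Verify and the sample record are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRecord is the "other electronic record" produced by affixing a signature:
// the original content plus a signature over its hash.
type SignedRecord struct {
	Content   []byte
	Signature []byte
}

// Affix hashes the record and signs the hash with the subscriber's private key.
func Affix(content []byte, priv *ecdsa.PrivateKey) (SignedRecord, error) {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return SignedRecord{Content: content, Signature: sig}, err
}

// Verify recomputes the hash and checks the signature with the subscriber's public key.
func Verify(r SignedRecord, pub *ecdsa.PublicKey) bool {
	digest := sha256.Sum256(r.Content)
	return ecdsa.VerifyASN1(pub, digest[:], r.Signature)
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rec, err := Affix([]byte("constructed record: pay 100 to B"), priv)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", Verify(rec, &priv.PublicKey))
	rec.Content[len(rec.Content)-1] = 'C' // alter one byte after signing
	fmt.Println("altered verifies:", Verify(rec, &priv.PublicKey))
}
```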
S.11: Attribution of electronic records:
An electronic record shall be attributed to the originator
(a) if it was sent by the originator himself;
(b) by a person who had the authority to act on behalf of the originator in respect of
that electronic record; or
(c) by an information system programmed by or on behalf of the originator to operate
automatically.
S.12: Acknowledgement of receipt of electronic record:
If the originator has not specified any specific mode of acknowledgement (an act by the
addressee that he/she has received the electronic record), the acknowledgement can be
given by a
- return mail by the addressee or
- automated response by the addressee or
- act by addressee that shows the acknowledgement.
S.13: Time and place of dispatch of electronic record:
(1) Save as otherwise agreed to between the originator and the addressee, the dispatch
of an electronic record occurs when it enters a computer resource outside the control of the
originator.
(2) Save as otherwise agreed between the originator and the addressee, the time of
receipt of an electronic record shall be determined as follows, namely:
- if the addressee has designated a computer resource for the purpose of receiving
electronic records.
- if the addressee has not designated a computer resource along with specified
timings, if any, receipt occurs when the electronic record enters the computer
resource of the addressee.
(3) Save as otherwise agreed to between the originator and the addressee, an
electronic record is deemed to be dispatched at the place where the originator has his place
of business, and is deemed to be received at the place where the addressee has his place of
business.
(4) The provisions of sub-section (2) shall apply notwithstanding that the place where
the computer resource is located may be different from the place where the electronic
record is deemed to have been received under sub-section (3).
(9) ELECTRONIC HEALTH RECORDS:
The Ministry of Health and Family Welfare notified the Electronic Health Record (EHR)
Standards for India in September 2013. ‘Electronic Health Record’ is a collection of various
medical records that are generated during any clinical encounters or events. It is a digitised
version of the patient’s medical history and contains patient-centred information in real-
time and is easily accessible to medical professionals.
S.3(21) of the Personal Data Protection Bill 2019 defines ‘health data’ as data related to the
state of physical or mental health of the data principal.
Such electronic health records can collectively provide a digital summary of the various
healthcare events in the life of a person, which is a much better option than the hassles
arising from tons of paperwork. Such a system is created with the aim that any person can
go to any health service provider/practitioner, any diagnostic centre or any pharmacy and
be able to access and have fully integrated health records in electronic format at any time.
Apart from this, the collection of medical records has many benefits, such as:
- evidence-based care,
- increasingly faster and accurate diagnosis,
- avoiding repetition of unnecessary tests,
- improved health policy decisions,
- improved personal and public health.
The government has also introduced the Digital Information Security in Healthcare Act
(DISHA) which aims to standardise and regulate the process related to storing, transmission
and use of ‘digital health data’ to ensure
A. reliability,
B. data privacy,
C. confidentiality and
D. security of digital health data along with the establishment of ‘National Digital
Health Authority’ and ‘Health Information Exchanges’.
In Balu Gopalakrishnan v. State of Kerala, the Kerala High Court while dealing with the
protection of the personal data of individuals who were COVID-19 positive passed an
interim order focusing on the breach of confidentiality issue. It stated that it is the duty of
the state government to ensure that all the information is anonymized before it is shared with
a third party, and that the specific consent of the citizens is a must.
In Indian Medical Association v. V.P. Shanta, the Supreme Court held that medical services
would come within the purview of the Consumer Protection Act, 2019. Therefore, the
negligence of the hospital or the doctor's lack of due care in maintaining electronic records
could attract liability under the Consumer Protection Act, 2019.
(10) E-GOVERNANCE & E-RECORDS:
Chapter III of the IT Act deals with Electronic Governance. It runs from S4 to S10A.
S4: Legal recognition of electronic records:
Where any law provides that information or any other matter shall be in writing or in the
typewritten or printed form, then, notwithstanding anything contained in such law, such
requirement shall be deemed to have been satisfied if such information or matter is–
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference.
S6: Use of electronic records and electronic signatures in Government and its agencies:
S7: Retention of electronic records:
S7A: Audit of documents, etc., maintained in electronic form:
Where in any law for the time being in force, there is a provision for audit of documents,
records or information, that provision shall also be applicable for audit of documents,
records or information processed and maintained in the electronic form.
S10A: Validity of contracts formed through electronic means:
Where in a contract formation, the communication of proposals, the acceptance of
proposals, the revocation of proposals and acceptances, as the case may be, are expressed
in electronic form or by means of an electronic record, such contract shall not be deemed
to be unenforceable solely on the ground that such electronic form or means was used for
that purpose.
(11) EVIDENTIARY VALUE OF E-RECORDS (SECTION.04):
Electronic records per S.2(1)(t) means: data, record or data generated, image or sound
stored, received or sent in an electronic form or microfilm or computer generated
microfiche. S.4 of the IT Act gives legal recognition for electronic records.
- Rupchand v. Mahabir Prasad: Tape recorder evidence is admissible evidence
- Pratap Singh v. State of Punjab: Tape recorder evidence is corroborative evidence
- Yusafalli Ismail Nagree v. State of Maharashtra: Tape recorder evidence - relevant
fact conditions
The conditions are:
- The time and accuracy of recording - proved by competent witness
- Voices must be properly identified
- Must be received with caution
- The court must ensure that it is proved beyond reasonable doubt by the
prosecution
State v. Mohammad Afsal:
Issue: whether an expert needs to appear to prove the working condition of the
computer.
Held that expert evidence is not necessary. Rather, it is sufficient for any person who is
familiar with the functions of the computer to appear.
20th Century Fox Film Corp. v. NRI Film Production:
Evidence collected via video conference is admissible.
Essential elements of the electronic evidence as per the Indian Evidence Act are:
- The information in the electronic record should be produced by the person
having legally authorised control over that electronic device.
- The information has been stored on that electronic device.
- Storage of the information must occur in the day-to-day general course of that
person's activities.
- While the information was being stored or copied, the electronic device must
have been in a functioning state, so that nothing adversely affected its operation
or distorted the accuracy and authenticity of its contents.
- Any storage, copy or counterpart of the information produced in court as
electronic evidence should be free from any kind of distortion, manual edit or
manipulation; it must be authentic and trustworthy information to be admitted
as evidence in the court of law.