
MODULE 1:

LAW AND POLICY IN INDIAN CYBERSPACE

Traditional legal systems have had great difficulty in keeping
pace with the rapid growth of the Internet and its impact throughout the world. While some laws and
objectives have been enacted and a few cases have been decided that affect the Internet, they have left
most of the difficult legal issues to the future. In spite of the recent proliferation of legislation
worldwide, it is unlikely that courts and legislators will be able to provide sufficient guidance in a timely
fashion to business [and lawyers] to enable them to engage in commerce on, or otherwise take
advantage of, the Internet in a manner that avoids or minimizes unexpected consequences or liabilities.
The Internet has tested the limits of regulation, prompting some to declare independence1 and yet
others to declare it beyond the limits of governance2. One of the purposes of this text is to build a global
community of people who are thinking about all this in a serious way. As time passes, one aspect of
governance is clearly visible, the will of governments to be seen and felt on the Internet. Governments
across the world seem eager to put to rest the notions that cyberspace can't be governed. This view
underestimates the way governments and business figure out how to change the way things work.
There are four constraints on [human] behaviour and freedom. They are the law, norms (cultural and
social influences), markets and -- crucially -- architecture. Architecture is a regulator in real space as well
as cyberspace, and it is essential to think about both. Napoleon III wanted fewer revolutionaries, for
example. So he rebuilt Paris with wide streets, making it harder for revolutionaries to hide.

1.1 EXAMINING THE NEED FOR REGULATION

In some jurisdictions, the early adoption of legislation on digital signatures [defined in the Glossary], for
example, has not led to the increased take-up of new technology as anticipated3. Rather, legislation has
been bypassed because it has been regarded as not providing appropriate, market-oriented, non-
regulatory solutions. Some of that legislation is now regarded as a better example of what not to do,
than as a model which should be followed4. A number of laws currently being drafted in the US have
undergone significant changes in the course of the drafting process and more can be

Footnotes:

1. In February 1996, John Perry Barlow issued a manifesto called <A Declaration of the Independence of
Cyberspace>. http://www.eff.org/pub/Publications/John_Perry_Barlow/barlow0296.declaration.

2. Johnson, David R. / Post, David G., Law and Borders - The Rise of Law in Cyberspace, 48 Stanford Law
Review 1367 1402 [1996].

3. Despite the early enactment of digital signature legislation in the American State of Utah in 1995, the
first certification authority to set up under that legislation was not established until late 1997.

4. The Utah Act has been described as of more use dead than alive.

expected before they reach their final form5. As lawyers' understanding of the technology grows, and as
the uses and applications of the technology develop, in concert with the development of appropriate
business models, appreciation of the need for legislation and what is required in terms of its form and
content have also changed. It is clear that what needs to be avoided at this early stage is an undue rush
towards legislation where none is needed, or where the need for it has not yet been clearly
demonstrated. This is particularly so in India where there have been, as yet, few cases decided in the
courts dealing with the issues identified as likely to cause problems in electronic commerce. In other
words, it is difficult to judge the magnitude of legal problems being encountered, at least in terms of
measuring them through recourse to traditional means of resolution through litigation, although it is
clear that some action to remove obvious legal obstacles would certainly facilitate electronic commerce.
A number of international organisations are currently working on projects which have the potential to
significantly influence the direction of domestic regulation in a number of areas relevant to electronic
commerce6. India is actively engaged in those projects. This international work should be carefully
monitored to ensure that the Indian settings not only assist India's competitive advantage, but also keep
India in conformity with international norms, while ensuring that the economic, social and cultural
benefits of new technology are maximised. The UNCITRAL Model Law on Electronic Commerce uses the
term "commercial", and guidance on the meaning of that term may be gained from the definition used in
the Model Law7. To ensure consistency, this definition is identical to the definition used by UNCITRAL in
the Model Law on International Commercial Arbitration8. The UNCITRAL definition of "commercial" is,
however, very broad and covers a number of areas in which electronic commerce may raise particular
issues. For reasons of time and resources, we have not been able to consider specific sectors covered in
that definition and the particular issues raised by the greater use of electronic commerce. This text does
not

Footnotes:

5. Recommendation 92 of the Financial System Inquiry 1997 (Wallis Report) recommended that
Australia should adopt internationally recognised standards for electronic commerce, including for
electronic transactions over the Internet and the recognition of electronic signatures.

6. These include work by: the UN Commission on International Trade Law on digital signatures and
certification authorities; work by the OECD on electronic commerce, digital signatures and certification
authorities; and work by APEC on certification practices and authorities.

7. Footnote **** to the Model Law on Electronic Commerce provides: The term commercial should be
given a wide interpretation so as to cover matters arising from all relationships of a commercial nature,
whether contractual or not. Relationships of a commercial nature include, but are not limited to, the
following transactions: any trade transaction for the supply or exchange of goods or services;
distribution agreement; commercial representation or agency; factoring; leasing; construction of works;
consulting; engineering; licensing; investment; financing; banking; insurance; exploitation agreement or
concession; joint venture and other forms of industrial or business co-operation; carriage of goods or
passengers by air, sea, rail or road.

8. The UNCITRAL Model Law on International Commercial Arbitration was adopted by India as a model
during the drafting of the Indian Arbitration and Conciliation Act, 1996.


consider issues specific to the financial sector, but rather has focussed upon broader generic issues of
contract formation and statutory form requirements such as requirements for certain contracts to be in
writing or signed.

1.2 A PERSPECTIVE ON THE LEGAL CHALLENGES POSED BY THE NEW MEDIA

The problem of jurisdiction in cyberspace is by far the most complex. The task before us is to examine
section key concepts that are necessary constituents of a tricky issue and perhaps juxtapose them
against an overview of methods and solutions. On an examination of jurisdiction under the Indian
Information Technology Act, 2000, [hereinafter the Indian IT Act]; one is faced with the question: Is
section 75 really as controversial as it seems? The answer is in the negative. The Act, continuing a long
tradition in law and commerce merely seeks to extend the boundaries of local/municipal law in a logical
way; as will be examined in the next chapter on Jurisdiction.

1.3 JURISDICTION IN CYBERSPACE: PROBLEMS AND PERSPECTIVES

Throughout human history, no regime of regulation or of dispute resolution has ever pretended to be
the sole source to which parties turn to ease business intercourse. In every culture and in every time,
private arrangements as well as governmental activity have attempted to reduce the occasions of
conflict necessitating the exercise of judicial decision-making. The economic world of cyberspace at the
beginning of the 21st century is no different. Trade depends on confidence: confidence on the part of
the buyer that goods or services will conform to legitimate expectations, and confidence on the part of
the seller that payment will be prompt and complete. Such confidence, in the interests of all parties, is
fostered by industry self-regulation that reflects an honest attempt to identify and resolve potential
conflicts before they arise. The forms of such regulation are many and are being actively explored, as e-
commerce becomes an increasingly important segment of the global economy. They include voluntary
codes of conduct, the provision of private arbitration for the resolution of disputes, escrow accounts,
agreements between buyers, sellers and credit card companies, amongst others.

1.4 THE RELEVANCE OF PHYSICAL LOCATION

In determining under what circumstances extraterritorial jurisdictional assertions are proper, courts and
legislatures focused in the last half of the 20th century, as they had previously, on physical location but
at a different temporal point. Most frequently, the focus was on where certain activities that gave rise
to the plaintiff's claim had occurred.


Where a negligent act took place, where a contract was entered into9 or was to be performed,10
where a service was performed, a security offered for sale, or a trademark infringed became the
touchstones of both personal and prescriptive jurisdictional inquiries. As long as such an act occurred
within the state's boundaries, its assertion of both personal and prescriptive jurisdiction was proper. As
long as activities continue to occur in real space, the place of such occurrences remains relevant.11
Technology, however, reduces and frequently may eliminate the need for physical contact in the
creation of legally significant relationships between parties or between an actor and the state acting as
regulator. The legal system must then decide what relationship is necessary between the forum and
either the conduct occurring outside the forum or the parties. It is the tie between a party and a forum,
not necessarily a physical connection between the forum and the conduct of that party that is critical. If
the remote party (i.e. the party never physically in the forum) knows that the proximate party is in (or is
a habitual resident of) the forum when the remote party interacts with the proximate party, the remote
party has created a tie between itself and the forum state. Now it is the remote-party/forum
relationship at the time of interaction,12 not at the time process is served, that matters. Whether such
a tie is sufficient to enable the forum to assert personal and prescriptive jurisdiction depends on an
analysis of additional factors (such as whether the remote party targeted the forum, discussed below),
but its existence is necessary to such assertions.

Footnotes:

9. Countries gave much thought to the rules regulating contract formation, presumably at least in part
to guarantee perceived desirable jurisdictional results. In Australia, for example, a contract is formed at
the time and place its acceptance is received by the offeror. The consumer is the offeror, so the typical
consumer contract is formed when and where the consumer receives the seller's acceptance. Brazil,
Colombia, and Romania also look to the residence of the offeror, although in Brazil a contractual choice
of a different law will be upheld if it is not in violation of public policy. See Nestor Nestor & Kingston
Petersen, Written Remarks, posted at <http://www.kentlaw.edu/cyberlaw>. In Canada, proposed
legislation would fix the address of the consumer as the place in which an on-line contract was formed.
See Canadian Law on Jurisdiction in Cyberspace, submitted by Arlan Gates, Paul Tackaberry and Adam
Balinsky, posted at <http://www.kentlaw.edu/cyberlaw> [hereinafter Gates].

10. The Brussels Convention permits domiciliaries of contracting states to be sued in the courts of
another contracting state where the contractual obligation in question is to be performed. Title II,
Section 2, Article 5.

11. Of course, not all assertions of jurisdiction were based on this kind of conduct-based inquiry. For
example, states continue to assert jurisdiction over their citizens with respect to claims that arise
outside of the state and to regulate conduct that occurs elsewhere which is intended to and does cause
substantial effects in the state. Nonetheless, a concern with where relevant acts took place is central to
many, if not most, decisions.

12. In some contexts, some countries have already implicitly recognised this in the specific context of
electronic commerce. Australia's Electronic Transactions Act 1999 (Cth) provides default rules for the
place of dispatch and receipt of electronic communications (including the place of an offer or
acceptance of a contract) based on the party's place of business or ordinary residence.


1.5 A PERSPECTIVE ON THE LEGAL CHALLENGES POSED BY THE NEW MEDIA:

The problem of jurisdiction in cyberspace is by far the most complex. The task before us is to examine
section key concepts that are necessary constituents of a tricky issue and perhaps juxtapose them
against an overview of methods and solutions. On an examination of jurisdiction under the Indian
Information Technology Act, 2000, [hereinafter the Indian IT Act]; one is faced with the question: Is
section 75 really as controversial as it seems? The answer is in the negative. The Act, continuing a long
tradition in law and commerce merely seeks to extend the boundaries of local/municipal law in a logical
way; as will be examined in the next chapter on Jurisdiction.

1.6 JURISDICTION IN CYBERSPACE: PROBLEMS AND PERSPECTIVES

Throughout human history, no regime of regulation or of dispute resolution has ever pretended to be the
sole source to which parties
turn to ease business intercourse. In every culture and in every time, private arrangements as well as
governmental activity have attempted to reduce the occasions of conflict necessitating the exercise of
judicial decision-making. The economic world of cyberspace at the beginning of the 21st century is no
different. Trade depends on confidence: confidence on the part of the buyer that goods or services will
conform to legitimate expectations, and confidence on the part of the seller that payment will be
prompt and complete. Such confidence, in the interests of all parties, is fostered by industry self-
regulation that reflects an honest attempt to identify and resolve potential conflicts before they arise.
The forms of such regulation are many and are being actively explored, as e-commerce becomes an
increasingly important segment of the global economy. They include voluntary codes of conduct, the
provision of private arbitration for the resolution of disputes, escrow accounts, agreements between
buyers, sellers and credit card companies, amongst others.

1.7 THE RELEVANCE OF PHYSICAL LOCATION

In determining under what circumstances extraterritorial jurisdictional assertions are proper, courts and
legislatures focused in the last half of the 20th century, as they had previously, on physical location but
at a different temporal point. Most frequently, the focus was on where certain activities that gave rise
to the plaintiff's claim had occurred. Where a negligent act took place, where a contract was entered
into13 or was to be

Footnotes:

13. Countries gave much thought to the rules regulating contract formation, presumably at least in part
to guarantee perceived desirable jurisdictional results. In Australia, for example, a contract is formed at
the time and place its acceptance is received by the offeror. The consumer is the offeror, so the typical
consumer contract is formed when and where the consumer receives the seller's acceptance. Brazil,
Colombia, and Romania also look to the residence of the offeror, although in Brazil a contractual choice
of a different law will be upheld if it is not in violation of public policy. See Nestor Nestor & Kingston
Petersen, Written Remarks, posted at <http://www.kentlaw.edu/cyberlaw>.


performed,14 where a service was performed, a security offered for sale, or a trademark infringed
became the touchstones of both personal and prescriptive jurisdictional inquiries. As long as such an act
occurred within the state's boundaries, its assertion of both personal and prescriptive jurisdiction was
proper. As long as activities continue to occur in real space, the place of such occurrences remains
relevant.15 Technology, however, reduces and frequently may eliminate the need for physical contact
in the creation of legally significant relationships between parties or between an actor and the state
acting as regulator. The legal system must then decide what relationship is necessary between the
forum and either the conduct occurring outside the forum or the parties. It is the tie between a party
and a forum, not necessarily a physical connection between the forum and the conduct of that party
that is critical. If the remote party (i.e. the party never physically in the forum) knows that the
proximate party is in (or is a habitual resident of) the forum when the remote party interacts with the
proximate party, the remote party has created a tie between itself and the forum state. Now it is the
remote-party/forum relationship at the time of interaction,16 not at the time process is served, that
matters. Whether such a tie is sufficient to enable the forum to assert personal and prescriptive
jurisdiction depends on an analysis of additional factors (such as whether the remote party targeted the
forum, discussed below), but its existence is necessary to such assertions.

1.8 ESTABLISHING JURISDICTION OVER CYBERSPACE: TOWARDS A SIMPLER READING OF THE ACT

Some provisions of the Act have been deemed controversial. For example, section 75 states that the Act
will apply to an offence or contravention committed outside India by any person irrespective of his
nationality, if the act or conduct constituting the offence or contravention involves a computer,
computer system or computer network in India. A computer is only a medium for communication. The
use of a computer is not

Footnotes:

In Canada, proposed legislation would fix the address of the consumer as the place in which an on-line
contract was formed. See Canadian Law on Jurisdiction in Cyberspace, submitted by Arlan Gates, Paul
Tackaberry and Adam Balinsky, posted at <http://www.kentlaw.edu/cyberlaw> [hereinafter Gates].

14. The Brussels Convention permits domiciliaries of contracting states to be sued in the courts of
another contracting state where the contractual obligation in question is to be performed. Title II,
Section 2, Article 5.

15. Of course, not all assertions of jurisdiction were based on this kind of conduct-based inquiry. For
example, states continue to assert jurisdiction over their citizens with respect to claims that arise
outside of the state and to regulate conduct that occurs elsewhere which is intended to and does cause
substantial effects in the state. Nonetheless, a concern with where relevant acts took place is central to
many, if not most, decisions.

16. In some contexts, some countries have already implicitly recognised this in the specific context of
electronic commerce. Australia's Electronic Transactions Act 1999 (Cth) provides default rules for the
place of dispatch and receipt of electronic communications (including the place of an offer or
acceptance of a contract) based on the party's place of business or ordinary residence.


materially different from the use of a phone or a car in the commission of a crime unless the computer
has been programmed for automatic action by its owner. It is not going to be easy to acquire
jurisdiction over a person not resident in India if a foreign country is the scene of the crime and the
criminal is not even an Indian citizen, merely because a computer or a computer system in India has
been utilised in some way or other in connection with the crime. Nevertheless, certainly, if
software/hardware in India is damaged by a hacker based in a foreign country, there can be no dispute
about India's right to reach him and make him accountable for the crime committed in India alone.
Where contravention of any provisions of the Act has occurred is a matter of adjudication for
compensation purposes by the adjudicating officer and for criminal action by the court.

1.9 THE INDIAN ELECTRONIC COMMERCE LEGISLATION: A READING OF THE "ACT"

The Information Technology Act will go a long way in facilitating and regulating electronic commerce. It
has provided a legal framework for smooth conduct of e-commerce. It has tackled the following legal
issues associated with e-commerce: (a) requirement of writing; (b) requirement of a document; (c)
requirement of a signature; and (d) requirement of legal recognition for electronic messages, records
and documents to be admitted in evidence in a court of law. However, the Act has not addressed the
following grey areas: (i) protection for domain names; (ii) infringement of copyright laws; (iii)
jurisdiction aspect of electronic contracts (viz. Jurisdiction of Courts and tax authorities); (iv) taxation of
goods and services traded through e-commerce; and (v) stamp duty aspect of electronic contracts. The
main objective of the Act is to provide legal recognition for transactions carried out by means of
electronic data interchange and other means of electronic communication, commonly referred to as e-
commerce, which involve the use of alternatives to paper-based methods of communication and
storage of information to facilitate electronic filing of documents with the Government agencies. The
Act, apart from India, has extra-territorial jurisdiction to cover any offence or contravention committed
outside India by any person.

1.9.1 EXEMPTION/EXCLUSION

The Act shall not apply to the following categories of transaction: (a) Any Negotiable Instrument; (b) A
Power of Attorney; (c) A Trust; (d) A will including any other testamentary disposition; (e) Any contract
for the sale or conveyance of immovable property; and (f) Any other documents or transactions as may
be decided by the Central Government.

1.10 DIGITAL SIGNATURES

With the passing of the Act, any subscriber (i.e., a person in whose name the Digital Signature
Certificate is issued) may authenticate an electronic record by affixing his Digital Signature. Electronic
record means data, record or data generated, image or sound stored, received or sent in an electronic
form or microfilm or computer-generated microfiche.

1.11 ELECTRONIC GOVERNANCE

Where any law provides for submission of information in writing or in typewritten or printed form,
from now onwards it will be sufficient compliance with the law if the same is sent in an electronic form.
Further, if any statute provides for affixation of signature in any document, the same can be done by
means of Digital Signature. Similarly, the filing of any form, application or any other documents with the
Government Authorities and issue or grant of any license, permit, sanction or approval and any receipt
acknowledging payment can be done by the Government offices by means of electronic form. From
now onwards retention of documents, records, or information as provided in any law, can be done by
maintaining electronic records. Any rule, regulation, order, by-law or notification can be published in
the Official Gazette or Electronic Gazette. The Act, however, provides that no Ministry or Department of
Central Government or the State Government or any Authority established under any law can insist
upon acceptance of document only in the form of electronic record.

1.11.1 ACKNOWLEDGEMENT AND DISPATCH OF ELECTRONIC RECORDS

An electronic record can be sent by the addresser himself or by a person acting under his authority. An
acknowledgement may be given by any communication by the addressee, automatic or otherwise. Even
any conduct of the addressee is sufficient to indicate to the addresser that the electronic records have
been received which shall be treated as sufficient acknowledgement. The dispatch of electronic records
occurs when it enters a computer resource outside the control of the originator (i.e., addresser). Time of
receipt of electronic record shall be determined when electronic record enters the digital computer
resource or at the time when the electronic record is retrieved by the addressee. An electronic record is
deemed to be dispatched at the place where the addresser has his place of business and is deemed to
be received at the place where the addressee has his place of business.

1.11.2 SECURED ELECTRONIC RECORDS AND DIGITAL SIGNATURE

Under the Act, the Central Government has the power to prescribe the security procedure in relation to
electronic records and Digital Signatures, considering the nature of the transaction, the level of
sophistication of the Parties with reference to their technological capacity, the volume of transactions
and the procedures in general used for similar types of transactions or communications.

1.11.3 REGULATION OF CERTIFYING AUTHORITIES

The Central Government may appoint a Controller of Certifying Authority who shall exercise supervision
over the activities of Certifying Authorities. Certifying Authority means a person who has been granted
a license to issue a Digital Signature Certificate. The Controller of Certifying Authority shall have powers
to lay down rules, regulations, duties, responsibilities and functions of the Certifying Authority issuing
Digital Signature Certificates. The Certifying Authority empowered to issue a Digital Signature Certificate
shall have to procure a license from the Controller of Certifying Authority to issue Digital Signature
Certificates. Detailed rules and regulations have been prescribed in the Act, as to the application for
license, suspension of license and procedure for grant or rejection of license by the Controller of
Certifying Authority.

1.11.4 DIGITAL SIGNATURE CERTIFICATE

Any person may make an application to the Certifying Authority for issue of Digital Signature Certificate.
The Certifying Authority while issuing such certificate shall certify that it has complied with the
provisions of the Act. The Certifying Authority has to ensure that the subscriber (i.e., a person in whose
name the Digital Signature Certificate is issued) holds the private key corresponding to the public key
listed in the Digital Signature Certificate and such public and private keys constitute a functioning key
pair. The Certifying Authority has the power to suspend or revoke Digital Signature Certificate.

1.11.5 DUTIES OF SUBSCRIBERS

A subscriber can publish or authorise the publication of Digital Signature Certificate. Similarly, he can
accept such certificate. It is the responsibility of a subscriber to exercise reasonable care to retain
control of the private key corresponding to the public key listed in his Digital Signature Certificate and to
take all steps to prevent its disclosure to any unauthorised person.

1.11.6 PENALTIES AND ADJUDICATION

If any person, without the permission of the owner, accesses the owner's computer, computer system or
computer network, or downloads copies or any extract, or introduces any computer virus, or damages the
computer, computer system or computer network, data etc., he shall be liable to pay damages by way of
compensation not exceeding Rupees One Crore to the person so affected. For the purpose of
adjudication, the Central Government can appoint any officer, not below the rank of Director to the
Government of India or any equivalent officer of any State Government, to be an Adjudicating Officer.
The Adjudicating Officer while trying out cases of this nature shall consider the amount of gain of unfair
advantage or the amount of loss that may be suffered by a person. The aforesaid provisions were not
incorporated in the Information Technology Act, 2000 and the same were suggested by the Select
Committee of Parliament17.

1.11.7 THE CYBER REGULATIONS APPELLATE TRIBUNAL

Under the Act, the Central Government has the power to establish the Cyber Regulations Appellate
Tribunal. The Tribunal shall have the power to entertain the cases of any person aggrieved by the Order
made by the Controller of Certifying Authority or the Adjudicating Officer.

Footnotes:

17. In Delhi, the first case under the Act has already been registered by the police based on an FIR filed
by a Retd. Army Officer whose Internet time has been "stolen" by the accused. However, the accused
has been granted bail by the City Court. Interestingly, although passed by the Parliament, the Act did
not come into force until recently and Notification to this effect was issued by the Central Government
in the Official Gazette on June 19, 2000. This was one of the pleas taken by the accused in the aforesaid
case.

1.11.8 OFFENCES

Tampering with computer source documents shall be punishable with imprisonment up to three years
or fine up to Rs. 2 lakhs or with both. Similarly, hacking with computer system entails punishment with
imprisonment up to three years or with fine up to Rs. 2 lakhs or with both. Publishing of information
which is obscene, in electronic form, shall be punishable with imprisonment up to five years or with fine
up to Rs. 1 lakh and for second conviction with imprisonment up to ten years and with fine up to Rs. 2
lakhs.

1.11.9 MISCELLANEOUS

Under the Act, any police officer not below the rank of Deputy Superintendent of Police, or any other
authorised officer of the Central or State Governments, may enter any public place and search and arrest
without warrant any person who is reasonably suspected of having committed, or of committing, or of
being about to commit any offence under the Act. 'Public place' includes any hotel, shop or any other
place intended for use or accessible to public18.

Footnotes:

18. This amendment was suggested by the Select Committee of Parliament. Under the Indian Penal
Code, even a constable has the aforesaid power. However, the power given to the designated police
officer is so wide that even on suspicion or on his conviction that an offence is about to be committed,
he can conduct search and arrest without any warrant. There is a widespread fear that this may be
misused.

19. Section 77A provides that the offences under sections 66, 66A, 72 and 72A may be compounded by
the aggrieved person.

1.12 THE AMENDMENTS: A REACTION

The amendments to the Information Technology Act are, to a measurable extent, a reaction to recent
developments such as service provider liability issues and auction sites, sleazy MMS clips and the like.
Desirable as most reactions are, offences under the Act have in major part been made compoundable19;
that is to say, the parties can compound the case, i.e. settle it between themselves. This is welcome, as
most crimes target specific individuals and it is right for individuals to sort out the situation. The
offences which have been made compoundable are:

Section 66: If a person dishonestly or fraudulently does any act which damages the computer or the
computer system, he is liable to a fine of up to five lakhs or imprisonment for a term of up to two years.
A host of new sections have been added to section 66 as sections 66A to 66F, prescribing punishment for
offences such as obscene electronic message transmissions, identity theft, cheating by impersonation
using computer resource, violation of privacy and cyber terrorism.

Section 66A: If any person sends, by means of a computer resource or a communication device, any
content which is grossly offensive or has a menacing character, or which is not true but is sent to create
nuisance, annoyance, criminal intimidation, hatred or ill will etc., he shall be punished with
imprisonment for a term which may be up to two years combined with a fine.

Section 67 of the old Act is amended to reduce the term of imprisonment for publishing or transmitting
obscene material in electronic form to three years from five years and to increase the fine from Indian
Rupees 100,000 (approximately USD 2000) to Indian Rupees 500,000 (approximately USD 10,000). A host of
new sections have been inserted as Sections 67 A to 67C. While Sections 67 A and B insert penal
provisions in respect of offences of publishing or transmitting material containing sexually explicit
acts and child pornography in electronic form, section 67C deals with the obligation of an intermediary
to preserve and retain such information as may be specified, for such duration and in such manner and
format as the central government may prescribe.

In view of the increasing threat of terrorism in the country, the new amendments include an amended
section 69 giving power to the state to issue directions for interception or monitoring or decryption of
any information through any computer resource. Further, sections 69 A and B, two new sections, grant
power to the state to issue directions for blocking public access to any information through any
computer resource, and to authorise the monitoring and collection of traffic data or information through
any computer resource for cyber security.

Section 72: If a person is found in possession of some confidential information like an electronic record,
book, register or correspondence, and he is found disclosing it to any third party without the consent
of the person concerned, then he shall be punished with imprisonment for a term which may be up to two
years, or a fine which may extend to One Lakh rupees, or with both.

Section 72A: If any person who, while providing services under the terms of a contract, has secured
access to any material containing personal information about another person, discloses the information
with the intent to cause wrongful loss or wrongful gain, without the person's consent or in breach of a
lawful contract, he shall be punished with imprisonment for a term which may extend to two years or with
a fine which may extend to five lakh rupees, or with both.

1.13 THE MEDIUM NOT THE MACHINE/DEVICE

It is important to remember that the Internet is principally a medium, which can be regulated by
regulating its layers. A law, to be effective, must apply to (or regulate) one or more layers, that is: (a)
the physical (the wires, hardware, the device itself); (b) the digital (the code or the spectrum); or (c)
content (whether prohibited, socially censored comments or proprietary material).

1.14 DATA PRIVACY AND INFORMATION SECURITY

In view of recent concerns about the operating provisions in the IT Act related to Data Protection and
Privacy, in addition to contractual agreements between the parties, the existing Sections (viz. 43, 65, 66
and 72A) have been revisited and some amendments/more stringent provisions have been provided for
in the Act. Notable amongst these are:

Section 43(A) is related to the handling of sensitive personal data or information with reasonable
security practices and procedures. This section has been inserted to protect sensitive personal data or
information possessed, dealt with or handled by a body corporate in a computer resource which such body
corporate owns, controls or operates. If such body corporate is negligent in implementing and
maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful
gain to any person, it shall be liable to pay damages by way of compensation to the person so affected.

The gradation of severity of computer related offences under Section 66 has been amended: now, if an
offence is committed dishonestly or fraudulently, the punishment is imprisonment for a term which may
extend to two years or a fine which may extend to Rs 5 lakhs, or both.

The addition of Section 72 A for breach of confidentiality with the intent to cause injury to a
subscriber. This is recognised as providing sufficient protection under the EC Directive.20

Contractual agreements are those agreements which are signed between parties where one party provides
services on the basis of the contract signed. There is always a provision in any contractual agreement
not to disclose any information which is imperative for the running of the business. According to
Section 72 (A), if anyone is found disclosing any information of a third person without his consent, he
shall be punished with imprisonment or a fine of Rs 500,000.

The problem remains with ambiguous phrases. For instance, the amended Section 43 (A) makes it
mandatory for companies to include reasonable security measures while handling data. What precisely
"reasonable" indicates is anyone's guess. We would recommend that organisations follow the standards
prescribed by the Computer Emergency Response Team (CERT). CERT's primary role is to raise security
awareness among the cyber community and to provide technical assistance and advice to help its members
recover from computer security incidents. CERT provides technical advice to System Administrators and
users to respond to computer security incidents. It also identifies trends in intruder activity, works
with other similar institutions and organisations to resolve major security issues, and disseminates
information to the cyber community. CERT also enlightens its constituents about security awareness and
best practices for various systems and networks by publishing advice, guidelines and other technical
documents. The European Network and Information Security Agency (ENISA) performs similar functions to
the CERT. The basic regulation which established ENISA is the Regulation (EC) No 460/2004.21

Footnotes:

20. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic communications sector
(Directive on privacy and electronic communications) available at
<http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML>

1.15 INDIAN COMPUTER EMERGENCY RESPONSE TEAM TO SERVE AS NATIONAL NODAL AGENCY

The new amended Act of 2006 provides for an Indian Computer Emergency Response Team to act as a
central agency in respect of Critical Information Infrastructure 22 for coordinating all actions relating to
information security practices, procedures, guidelines, incident prevention, response and reporting.23
CERT-In has been operational since January 2004. The main motive for setting up such a team is to keep
malicious worms out of our systems. In today's world, where most of the work is done by computers,
our entire efficiency and national data were initially at risk and left open to tampering by malicious
hackers. To avoid any such problems, CERT-In was set up. CERT-In is the national nodal agency for
responding to computer security incidents as and when they occur. In the recent Information
Technology Amendment Act 2008, CERT-In has been designated to serve as the national agency to
perform the following functions in the area of cyber security:

1. Collection, analysis and dissemination of information on cyber incidents.
2. Forecast and alerts of cyber security incidents.
3. Emergency measures for handling cyber security incidents.
4. Coordination of cyber incidents response activities.
5. Issue guidelines, advisories, vulnerability notes and whitepapers relating to information security
practices, procedures, prevention, response and reporting of cyber incidents.
6. Such other functions relating to cyber security as may be prescribed.24

Whenever a new technology arrives, its misuse is not long in following - the first worm in the IBM VNET
was covered up. Shortly afterwards, a worm hit the Internet on 3 November 1988, when the so-called
Morris Worm paralyzed a good percentage of it. This led to the formation of the first Computer
Emergency Response Team at Carnegie Mellon University under U.S. Government contract.25

The Indian Computer Emergency Response Team (CERT-In) is assisting the Department of Information
Technology in putting in place a national cyber security strategy and a national information security
governance policy. CERT-In explains how an organization seeks to ensure the safety and security of the
Indian cyber space. The purpose of CERT-In is to become the nation's most trusted referral agency for
responding to computer security incidents as and when they occur.26

With the increasing use of IT, there is an increasing reliance on interdependent and cyber supported
infrastructure. Technological advances have created new vulnerabilities to equipment failure, human
error, weather and natural causes, and intentional physical and cyber attacks. Since the threats to
critical national IT infrastructure through these vulnerabilities are likely to have a crippling effect on
the economy as also the safety and well-being of society, addressing them will increasingly require
coordinated efforts between the government and the private sector, both within the country as well as
across other bodies around the world. In view of this, it was felt necessary to establish CERT-In to
ensure the safety and security of the Indian cyber space.27

The Department of Information Technology, Ministry of Communications and Information Technology,
Government of India, has established the Indian Computer Emergency Response Team (CERT-In). As part of
CERT-In, each sector needs to set up a Sub-Cert, and IDRBT is the Sub-Cert for the Indian Banking and
Financial Sector.

1.16 BASIC ROLE OF CERT28

Role of CERT-In: Computer Security Incident Response (Reactive); Computer Security Incident Prevention
(Proactive); Security Quality Management Services.

Information Exchange: with sectorial CERTs (CSIRTs), CIOs of Critical Infrastructure, organizations,
ISPs, Vendors.

International Collaboration: Member of FIRST; Member of APCERT; Research Partner - APWG; Functional
relationship with US-CERT and CERT/CC.

Footnotes:

21. See REGULATION (EC) No 460/2004 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 10
March 2004 establishing the European Network and Information Security Agency available at
<http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:077:0001:0011:EN:PDF>

22. Information infrastructures form an essential part of critical infrastructures. In order effectively to
protect critical infrastructures, therefore, countries must protect critical information infrastructures
from damage and secure them against attack. Effective critical infrastructure protection includes
identifying threats to and reducing the vulnerability of such infrastructures to damage or attack,
minimizing damage and recovery time in the event that damage or attack occurs, and identifying the
cause of damage or the source of attack for analysis by experts and/or investigation by law
enforcement. G8 Principles for Protecting Critical Information Infrastructures (Adopted by the G8
Justice & Interior Ministers, May 2003) available at
<http://www.usdoj.gov/criminal/cybercrime/g82004/G8_CIIP_Principles.pdf>

23. Section 70 A of the Act.

24. http://www.cert-in.org.in/

25. http://en.wikipedia.org/wiki/Computer_emergency_response_team

26. http://www.inclusion.in/index.php?option=com_content&view=article&id=427

27. http://www.inclusion.in/index.php?option=com_content&view=article&id=427

28. http://www.itu.int/ITU-D/cyb/events/2009/hyderabad/docs/rai-role-of-cert-in-sept-09.pdf

1.16.1 REPORTING

1. Central point for reporting incidents:- the following information should be given while reporting
about any incident: time of occurrence; information regarding affected system; symptoms observed;
relevant technical information such as security system deployed, actions taken to mitigate the damage.
2. Database of incidents.

1.16.2 ANALYSIS

1. Analysis of trends and patterns of intruder activity.
2. Develop preventive strategies for the whole constituency.
3. In-depth look at an incident report or an incident activity to determine the scope, priority and
threat of the incident.

1.16.3 RESPONSE

1. Incident response is a process devoted to restoring affected systems to operation.
2. Send out recommendations for recovery from, and containment of damage caused by, the incidents.
3. Help the System Administrators take follow up action to prevent recurrence of similar incidents.

1.16.4 REPORTING OF VULNERABILITY

Vulnerability is a bug which enables a hacker to bypass security measures. Any such act which is done
with a bonafide intention or malafide intention should be reported to CERT-In quickly before it is too
late.

1.16.5 OTHER SIGNIFICANT ROLES29

Footnotes:

29. http://www.cert-in.org.in/

1.16.5.1 REACTIVE

1. Provide a single point of contact for reporting local problems:- The entire CERT program is run and
managed by the Indian government. Its main role is to safeguard the interests of people in the country
and to keep important national data from falling into the wrong hands before they do something
unfriendly.
2. Assist the organizational constituency and general computing community in preventing and handling
computer security incidents:- As we have already discussed, with every new invention in this world a
threat follows. The threat could also take the form of a vulnerability. Hence, to avoid such a
catastrophic incident taking place, the threat of vulnerability should be stopped.
3. Share information and lessons learned with CERT/CC, other CERTs, response teams, organizations and
sites:- As far as the reporting of such information is concerned, it is quite evident that the more
information about any worm or about any mishap is given to CERT, the lesser will be its impact on future
endeavours.
4. Incident Response:- Incident response can be provided by the team as soon as any intrusion of this
type is met. A breach of our secure internet system would be fatal to us, so any such possibility must
be avoided.
5. Provide a 24 x 7 security service:- CERT provides a 24 x 7 security service so that a threat can
never dismantle the main server, and to prevent any attacker from making any malicious move.
6. Offer recovery procedures:- Many procedures and guidelines are given on the home page of CERT. Using
those and the newly upgraded law, we can look for recovery procedures.

1.16.5.2 PROACTIVE

1. Issue security guidelines, advisories and timely advice:- Many guidelines are actively working
across the system to provide a shield that avoids and prevents any misuse. A few of them are CISG
2010-01, CISG 2011-3, CISG 2011-2.
2. Vulnerability analysis and response:- For any kind of vulnerability response, the first and foremost
thing to be done is to inform CERT. They have the technology and authority to track down any such
person who hacks into the system to do something unfriendly.
3. Risk Analysis:- The chances of risk in such a situation are extreme.
4. Profiling attackers:- CERT has, more or less, the profiles of the main attackers who could come up
with a plan to disrupt the free flow of the cyber system of the country. To avoid this, a profile of
each attacker is kept in case the team needs it.
5. Conduct training, research and development:- The team has undergone various training programs in
which they are taught how to eradicate the problem. Alongside such eradication, many new programs are
also developed to fight day-to-day problems.
6. Interact with vendors and others at large to investigate and provide solutions for incidents:- The
team is highly qualified to take cognizance of a cyber offence, can discuss the gravity of the offence
and can direct that it be investigated.

1.17 CYBER CRIME, EVIDENCE AND PUNISHMENT

The Act provides for essentially economic offences or crimes in the medium that are linked to economic
loss or detriment. The Government would do well to take a proverbial leaf from the OECD Guidelines for
the Security of Information Systems and Networks30 and the Council of Europe's Convention on
Cybercrime.31 Social offences like pornography, when included, are superfluous due to the existing
provisions in the Indian Penal Code covering pornography. Though pornography has not been defined
under the code, section 292 clearly states that a book, pamphlet, paper, writing, drawing, painting
representation, figure or any other object, shall be deemed to be obscene if it is lascivious or appeals to
the prurient interest or if its effect, Neither has the language or expression changed from 1860, the
year when the Indian Penal Code came into force. The inclusion of a provision banning child
pornography could well be a case of over legislation considering the existing blanket ban on
pornography per se; both in the Information Technology Act, 2000 (section 67) as well as the Indian
Penal Code, 1860 (section 292). A fresh Section 68(A) has been proposed for providing modes and
methods for encryption for secure use of the electronic medium. This is a welcome guidance. Section 69,
related to power to issue directions for interception or monitoring or decryption of any information
through any computer resource, has been amended to take care of the concerns of the Ministry of
Home Affairs which include the safety, sovereignty, integrity of India, defence of India, to maintain
friendly relations with other nations and preventing incitement to the commission of any cognizable
offence. A new section 79 A32 (Examiners of Electronic Evidence) has been added to enable the Central
Government to notify the examiners of electronic evidence. This will help the Judiciary/Adjudicating
officers in handling technical issues. Section 79 has been revised to bring out explicitly the extent of
liability of an intermediary in certain cases. The EU Directive on E-Commerce 2000/31/EC issued on June
8th 2000 has been used as a guiding document.33

Footnotes:

30. See OECD Guidelines for the Security of Information Systems and Networks available at
<http://www.oecd.org/dataoecd/16/22/15582260.pdf>

31. Convention on Cybercrime available at
<http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm>

32. Section 79A The Central Government may, for the purposes of providing expert opinion on
electronic form evidence before any court or other authority specify, by notification in the Official
Gazette, any Department, body or agency of the Central Government or a State Government as an
Examiner of Electronic Evidence.

33. See Section 4 Article 12 of EU Directive on E-Commerce 2000/31/EC issued on June 8th 2000
available at
<http://eurlex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32000L0031&model=guichett>

1.18 OTHER AMENDMENTS

The term "digital signature" has been replaced with "electronic signature". "Communication Device"
has been defined as cell phones, personal digital assistance or combination of both or any other device
used to communicate, send or transmit any text, video, audio or image. "Cyber café" has been defined
as any facility from where access to the internet is offered by any person in the ordinary course of
business to the members of the public.

A new definition has been inserted for "intermediary". "Intermediary", with respect to any particular
electronic records, means any person who on behalf of another person receives, stores or transmits that
record or provides any service with respect to that record, and includes telecom service providers,
network service providers, internet service providers, web-hosting service providers, search engines,
online payment sites, online-auction sites, online market places and cyber cafes, but does not include a
body corporate referred to in Section 43A.

A new section 10A has been inserted to the effect that contracts concluded electronically shall not be
deemed to be unenforceable solely on the ground that electronic form or means was used. The damages of
Rs. One Crore (approximately USD 200,000) prescribed under section 43 of the earlier Act for damage to
computer, computer system etc. have been deleted and the relevant parts of the section have been
substituted by the words "he shall be liable to pay damages by way of compensation to the person so
affected". A proviso has been added to Section 81, which states that the provisions of the Act shall
have overriding effect. The proviso states that nothing contained in the Act shall restrict any person
from exercising any right conferred under the Copyright Act, 1957.

1.19 DRAWBACKS OF THE NEW LEGISLATION

The amendments ignore existing international classifications of cyber crimes. The Council of Europe's
Convention on Cybercrime34 identifies the following as offences which should be incorporated into
substantive criminal law; some of the provisions are particularly relevant, which are:

I. Computer-related offences: Computer-related fraud (Art. 8)
II. Content-related offences: Racial hatred, obscenity, amongst other classifications
III. Offences related to infringements of copyright and related rights: Offences related to
infringements of copyright and related rights (Art. 10).

Footnotes:

34. See Convention on Cybercrime available at
<http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm>

1.20 TOWARDS A PRIVACY REGIME?

While the amended version of the Act strengthens provisions on confidentiality and data privacy, the
inclusion of a solitary provision on data privacy is quite in contrast to Europe, where data protection
provisions are enshrined in Directives at the EU level and in national legislation. In fact, data protection
is a sine qua non for aspirant members to the European Union, and also for companies who receive data
from the EU. Data subjects must have rights enshrined in explicit rules with a detailed enforcement
mechanism, rather than relying on a lone section to do the task elsewhere performed by an
entire Act! A detailed data protection law is needed, not merely for the ITES industry but for the citizens
of India. The right to know balanced with the right to privacy is the hallmark of a democracy.

1.21 LEGALESE AND LEGAL DRAFTING: CONTROVERSIAL PROVISIONS IN THE ACT

The Information Technology Act [the Act], as in the case of all legislation, is supposed to be for every
citizen, especially the non-specialist; its language should be comprehensible to anyone who is likely to
be affected by it, either as one who provides any services or conducts any business or as a consumer
who avails of any services or supplies through the electronic medium. The danger of being enveloped in
long and tortuous sentences and unnecessary jargon seems to manifest itself in the Act. It will be no
exaggeration to say that the following provisions of the Explanation to sub-section (2) of section 3 will
need a lot of explanation and will not serve any purpose in the present form: "For the purpose of this
sub-section, 'hash function' means an algorithm mapping or translation of one sequence of bits into
another, generally smaller set, known as 'hash result' such that an electronic record yields the same
hash result every time the algorithm is executed with the same electronic record as its input making it
computationally infeasible (a) to derive or reconstruct the original electronic record from the hash
result produced by the algorithm; (b) that two electronic records can produce the same hash result using
the same algorithm." Section 40, unfortunately, is no better: "Where any digital signature certificate,
the public key of which corresponds to the private key of that subscriber which is to be listed in the
digital signature certificate, has been accepted by the subscriber, then, the subscriber shall generate the
key pair by applying the security procedure."
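
The hash-function definition quoted above can be checked property by property. The following is an added example, not part of the Act or of the original text; it assumes SHA-256 (the quoted Explanation names no algorithm) and uses a constructed sample record.

```python
import hashlib
import hmac

# Constructed sample record for illustration; not taken from any real filing.
RECORD = b"Purchase order 0001: 25 units, payable within 30 days.\n"
# The same record with a single character altered (25 -> 26).
TAMPERED = b"Purchase order 0001: 26 units, payable within 30 days.\n"


def hash_result(record: bytes) -> bytes:
    """Map a bit sequence of any length to a fixed 256-bit 'hash result'.

    SHA-256 is an assumption of this example, chosen because preimage and
    collision search against it are computationally infeasible today.
    """
    return hashlib.sha256(record).digest()


def hash_result_stream(chunks) -> bytes:
    """Hash a record delivered in pieces (e.g. a large file read in blocks).

    The result depends only on the concatenated bits, not on the chunking.
    """
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.digest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bit positions in which two equal-length hash results differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def record_matches(record: bytes, expected_hex: str) -> bool:
    """Check a presented record against a hash result recorded earlier.

    Malformed hex is treated as a mismatch, and the comparison is
    constant-time so it leaks nothing about where the values diverge.
    """
    try:
        expected = bytes.fromhex(expected_hex)
    except ValueError:
        return False
    return hmac.compare_digest(hash_result(record), expected)


def demo() -> dict:
    """Exercise each limb of the statutory definition on the sample record."""
    sealed = hash_result(RECORD).hex()  # value stored when the record is made
    return {
        # "generally smaller set": a 1 MB input still yields 256 bits
        "large_input_bits": len(hash_result(b"x" * 1_000_000)) * 8,
        # "yields the same hash result every time"
        "repeatable": hash_result(RECORD) == hash_result(RECORD),
        "chunking_irrelevant": hash_result_stream([RECORD[:10], RECORD[10:]])
        == hash_result(RECORD),
        # a one-character change flips about half of the 256 output bits,
        # which is why the result reveals nothing usable about the input
        "bits_changed_by_edit": differing_bits(
            hash_result(RECORD), hash_result(TAMPERED)
        ),
        # practical use: the altered record no longer matches the sealed value
        "original_verifies": record_matches(RECORD, sealed),
        "tampered_verifies": record_matches(TAMPERED, sealed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Limbs (a) and (b) of the definition cannot be proved by running code; the example only shows the observable consequences that make a hash result usable as evidence that a record is unaltered.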

1.22 LIABILITY FOR CARRIAGE AND CONTENT

1.22.1 A "LOOK" AT THE EU POSITION

Directive 2000/31/EC of the European Parliament and of the Council of June 8 2000 on Certain Legal
Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market

The largest development involves the European Commission's adoption on June 8th of its Electronic
Commerce Directive, which aims to remove barriers to e-commerce35. The Directive includes various
provisions affecting search engines, such as:

(i) a company providing information society services (e.g. selling goods or providing information on
line) will be subject to the law of the Member State in which it is established, irrespective of where
the recipient of the service is based (the "country of origin" principle);
(ii) Internet service providers (ISP) receive some exemption from liability for infringing material
transmitted over their systems by third parties, provided certain conditions are met;
(iii) unsolicited commercial e-mail (spam) must be clearly identifiable as such, and companies sending
this kind of e-mail must regularly consult any relevant opt-out registers.

The Indian Act makes a distinction between an access provider who provides access and the content
provider who provides the content for the sake of determining liability. It establishes that a network
service provider is not subject to criminal or civil liability for third party material for which or to
which the provider merely provides access. Network service providers will continue to be liable for
their own content, or third party content that they adopt or approve of36. The Indian Information
Technology Act immunises Internet Service Providers against liability arising out of any distressing
content or defamatory statements or such content that is likely to violate any law. By reducing the
liability of service providers, the Act ensures that they are not penalised for content which is beyond
their control.

The primary issue is whether Section 292 IPC could be invoked for a Web site search results issue.
Section 292 defines obscenity. However, it says that a book, pamphlet, paper, writing, drawing,
painting, representation, figure or any other object shall be deemed to be obscene if it is lascivious
or appeals to the prurient interest, or if its effect, or (where it comprises two or more distinct
items) the effect of any one of its items, is, if taken as a whole, such as to tend to deprave and
corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the
matter contained or embodied in it. The controversy is as to how to define the words "any other object".
Section 292 (1) IPC speaks of a book, pamphlet, paper, writing, drawing, painting, representation,
figure or any other object. All the objects defined under Section 292 are corporeal and material in
nature. Can we interpret the words "any other object" in such a broad manner as to include anything and
everything in Cyberspace? Can "any other object" also mean a virtual object? These issues are very
complicated, and any attempt to apply the provisions of Section 292 IPC to the cyber world is an
exercise fraught with difficulties.

Footnotes:

35. Member States have until 16 January 2002 to implement the provisions of the Directive into their
national laws.

36. A survey of Latin American countries reveals that at least Brazil, Ecuador, El Salvador, Uruguay and
Venezuela have pending legislation and/or regulations pertaining to electronic commerce, though none
of these pending rules would specifically address a search engine's liability for trademark infringement.

1.22.2 OVER/UNDER-RIDING REGULATORY ISSUES:

(a) Licensing of cross-border telecom systems: a perspective on the Indian regulatory impasse on
telecom. The Indian Telecom Authorities are undecided on the issue of whether to allow voice over
telephony, in the light of resistance from the Department of Telecommunications (DoT).

(b) Encryption: testing 'legality' in India. A study in the light of section 14 of the Indian Information
Technology Act, 2000. Is encryption allowed under Indian law? The government says no, but the 'Act'
appears to say yes. As per government policy, as evidenced from periodic notices and circulars,
encryption is illegal in India; however, the Act seems to say otherwise, as would appear from a reading
of section 14 of the legislation. Laws are in existence in India that can be interpreted to read that
transmission of data with any form of encryption is illegal. The onus of prevention is upon the service
provider concerned. However, much of current Internet technology, including secure Web servers, PGP
encrypted Email, and Virtual Private Networks, is based on encryption. Prevention may be technically
impossible, and this could be used as grounds for revocation of a Private ISP license.

(c) Data protection: the 'absence' of regulatory or legal norms and the impact on business in India.
There is no specific legislation in India for the protection of data. Unlike the United Kingdom, India
does not have such legislation, except that the protection accorded to electronic data in the Act,
juxtaposed with other legislation, can point towards a solution.

1.22.3 ARE ONLINE CONTRACTS BINDING?

The problem with an online contract arises from the question of how to enforce a contract that does not
have a document backing it and how this contract is to be proved in court. The issue is dealt with in a
detailed chapter on Electronic Contracts.

1.22.4 REQUIREMENT OF DOCUMENTS

Contracts that are written and signed are more certain and therefore easier to enforce. This is due to
the fact that a document lends some degree of authenticity as to the contract formation and facilitates
easier enforcement of the same. Documents are also required for evidentiary purposes. Section 64 of the
Indian Evidence Act, 1872 (the Evidence Act) states that documents must be proved by primary
evidence except in the cases specifically provided for. The contents of any document which have to be
proved have to be proved by the original of the document itself being produced in Court, except in a few
limited instances. If a computer printout or any information which is visible on the screen of the
computer is included in the definition of document, the question arises as to what is an original with
respect to a computer printout, or information contained in a computer. The Evidence Act lays emphasis
on original documents because, once any information is reduced to actual physical fixation in the
conventional sense, it is difficult to alter it. On a thorough examination it is possible to identify
any alteration to an original of a document. The Indian Act seeks to resolve this issue by stating that
where the law requires any record to be presented in original form, that requirement is satisfied by an
electronic record if there exists reliable assurance as to the integrity of the record and, where it is
required that a record be presented, that record is capable of being displayed to the person to whom it
is being presented.

1.23 FORMATION OF ONLINE CONTRACTS

Under the Indian Contract Act, 1872, the acceptance of a valid offer results in a valid contract. It is
crucial to know when a contract is concluded online and whether any difference exists between contacts
concluded by traditional modes, such as via post. Section 4 deals with the rule regarding completion of
communication of acceptance. The communication of acceptance is complete as against the offeree,
when it reaches the knowledge of offeror. But the Supreme Court has held that in the case of
communication by oral means, by telex or by telephone an acceptance is communicated only when it is
actually received by the offeror. This question has to be addressed in the case of e-commerce, where
more often than not, acceptance is made via email or by pressing the "Accept" or "Buy" icons. The question
that would arise is when the acceptance has been conveyed, i.e. is it: a) when the email was sent; or b)
when it was received by the addressee; or c) when it reaches the host computer which provides the email
facility to the addressee. As seen earlier, where the communication is by instantaneous means the
court has held that the acceptance is communicated only when the communication remains open.
Would the acceptance be deemed to have been communicated at the place where the offeree clicks the
"Accept" icon (as the action of clicking the icon is done on the offeree's computer)? Or would it be
deemed to have been communicated where the server (which actually hosts the "Accept" icon) is
located? Or would it be the place where the offeror actually reads the acceptance on his computer
(which can be at a different place than the location of the server)? In Germany, judicial practice has
established that a message sent by email is deemed to be received when it reaches the host computer
of the addressee (if the addressee has published the email address on his visiting card or letterhead or
otherwise makes it publicly known). In South Africa, when the acceptance is by way of post, the
contract will be concluded at the time when, and at the place from where, the acceptance is posted.
This is known as the expedition theory. Where the acceptance is notified by means of fax or telegram,
the contract is concluded at the time and place where the offeror learns of the acceptance. This is called
the information theory. According to the law firm Werksmans Attorney, acceptance via email would
be based on the information theory. The Indian Act deals with the issue as to when the receipt and
dispatch of electronic records take place. According to it, a dispatch of an electronic record is deemed to
take place when it reaches an information system outside the control of the person who sent the
electronic record and is deemed to be received when it is received by, or reaches an information system
designated by, the person to whom it is sent. This is to be read with existing Indian law and the correct
position interpreted. The Indian Act specifically excludes from its purview contracts relating to the
creation and execution of wills, execution of negotiable instruments, acts relating to declaration of trust
and power of attorney, immovable property, titles for movable and immovable property, etc.

1.24 ELECTRONIC PAYMENT SYSTEMS

These systems are considered very secure since it is not possible for third parties to obtain these details
and misuse them. Visa & MasterCard have developed a system for online payment called Secure
Electronic Transaction (SET).

1.24.1 ELECTRONIC CASH

Electronic Cash is more secure and anonymous than credit cards when making payments for
transactions. It is specifically useful for small transactions.

1.24.2 ELECTRONIC CASH PAYMENT MECHANISM OPEN BANK-ISSUER MODEL (INTERNATIONAL)

Anyone wishing to use electronic cash can purchase a certain number of units from a member bank for a
particular value in a local currency. He or she can then use it for making payments over the Internet. The
receiver of electronic cash can either use it for making similar payments over the Internet or redeem it
at any member bank for his country's own currency. India should start thinking and debating on
introducing electronic cash or something similar to it. If any party to the transaction is a foreign party,
the Exchange Control Regulations will also come into the picture.

1.25 SECURITY

Security is the single biggest obstacle for the growth of e-commerce. There are basically two kinds of
security problems: according to a survey, teenage hacking accounts for only 7% of reported violations,
while infiltration by competitors accounts for 39% of the violations. Under the Indian Telegraph Act,
1885, if any person, with intention to prevent or obstruct the transmission or delivery of any message,
or to intercept or to acquaint himself with the contents of any message, or to commit mischief, damages,
removes, tampers with or touches any battery, machinery, telegraph line, post or any other thing
whatever, being part of or used in or about any telegraph or in the working thereof, he shall be
punished with imprisonment for a term which may extend to three years or with fine or both. There is
a possibility that any attempt of hacking could be punishable under this section.

1.26 SECURING ELECTRONIC TRANSACTIONS

One of the most important conditions for e-commerce's survival is the ability to safeguard all electronic
transactions. Unless an electronic transaction is secure it would be difficult to determine its authenticity.
Also, users will be hesitant to send confidential information over the net. Existence of safeguards and an
assurance that such transmissions are foolproof will go a long way towards boosting e-commerce. The
most common way of protecting electronic transactions is through cryptography (i.e. encryption
techniques). Cryptography uses sophisticated mathematical algorithms, particularly a technology known
as asymmetric cryptography. The uses of cryptography can be differentiated as follows: (a) use of
cryptography for confidentiality of a message; and (b) use of cryptography in digital signatures.
