Course: Regulatory framework for e-Governance Day 2 Session 5: Legal & Policy Framework for e-Governance Applications

Upload: justin-pope

Post on 25-Dec-2015


TRANSCRIPT

Page 1: Course: Regulatory framework for e-Governance Day 2 Session 5: Legal & Policy Framework for e-Governance Applications

Course: Regulatory framework for e-Governance

Day 2

Session 5: Legal & Policy Framework for e-Governance Applications

Slide 2

Agenda

Need for a Regulatory Framework for e-Governance

IT Act 2000, its amendments & related provision

Role of Digital Signature Certificates (DSCs) in e-Governance

Slide 3

Why a Regulatory Framework?

• e-Commerce & e-Government service delivery involves:
- Use of Electronic Records
- Electronic Transactions
- Electronic Contracts
- Handling of citizen data & privacy issues
- Issue of Certificates electronically…

• Other e-Governance specific aspects include:
- Legal backing to e-Governance initiatives
- Formalisation of Standards and Interoperability norms
- Data Protection, Privacy and IPR issues
- Mechanism for socially inclusive service delivery

Most of these issues are common also to the wider e-Commerce landscape of the country, and need to be addressed to build trust in electronic transactions. The existing Regulatory Framework may need amendments to recognise this new form of doing business.

Slide 4

Emergence of e-Commerce

• Increased use of electronic means of transactions

• Bulk of transactions occur in G2B, B2G and B2B space

• Use of array of different technologies:

-Web-based applications

-Emails

-Instant messaging

-Mobile devices

• Importance of building a solid enabling regulatory framework for electronic transactions is evident

Slide 5

Electronic Transactions: How are they different?

• Challenges posed by e-Commerce:

-Classification difficulties: the virtual goods

-New contract types: web hosting, web server etc.

-Transactions taking place in open platforms

• … but the essence of business transactions remains the same.

• Conventional law has not become obsolete...

-“On line” contracts are not different from “off line”

-Medium of a transaction is generally irrelevant for the law.

• …and nevertheless, it requires some adaptation.

Slide 6

Legal Obstacles to e-Commerce

• Legal concepts are based on the existence of a tangible medium:

-“instrument”, “document”, “original”, “signature”

• Legal concepts based on geographic location:

-“delivery”, “receipt”, “dispatch”, “surrender”

• Functional Equivalence needs to be established between the manual and electronic media used (electronic records, signatures, documents, communication)

Slide 7

Key Principle of IT Legislation - Functional Equivalence

• Paper-based requirements (“writing”, “record”, “signature”, “original”) specify certain purposes and functions

• Consider criteria necessary to replicate those functions and give electronic data the same level of recognition as information on paper

• A paper document signed by an individual fulfils the following criteria:

- The document can be attributed to the individual as the signature is unique to the person (authenticity, non repudiation and integrity)

• If the electronic document can replicate these functions (e.g. by use of a Digital Signature Certificate attached to the document), it is functionally equivalent to the paper document

Slide 8

Providing legal backing for Functional Equivalence

If certain conditions are fulfilled, the legal value of electronic transactions shall be equivalent to that of other forms of communication, such as the written form.

This can be achieved by a single enactment of law, without having to review every single piece of existing legislation establishing formal requirements.

The Indian IT Act, 2000 achieves this by defining the conditions by which equivalence can be ascertained between paper-based and electronic documents.

Slide 9

Illustrative Example – Electronic Transactions

Individual Income tax filing - manual

• Citizen obtains the paper Income Tax Return form

• Citizen fills up details in the ITR form

• Authenticates the ITR form by affixing signature

• Submits the ITR form at the respective Income Tax office and obtains acknowledgement

Individual Income tax filing - electronic

• Citizen downloads the return preparation software tool from the Income Tax portal

• Income details are entered in the tool and the tool generates the ITR XML

• The XML is signed by the citizen using Digital Signature Certificate and submitted at the Income Tax portal

• The Portal provides acknowledgement of submission

• Does the Digitally signed XML submission have the same legal recognition as the paper return with handwritten signature??

• Can the acknowledgement be used as proof of IT return filing??

Yes! As long as the functional equivalence is established by law

Slide 10

Illustrative Example – Electronic Evidence

A terrorist attack has occurred at one of the important landmarks in the capital. The terrorists involved were gunned down by police, and laptops and hard disks were seized from them.

After inspection of the contents of the laptop and the hard disks, police have found incriminating evidence relating to the conspirators behind the attack.

The police arrest the conspirators based on the evidence collected from the electronic data, and build a case around the evidence.

But will the evidence hold good in a Court of Law?

Yes! With the admissibility of electronic evidence under section 65B of the Indian Evidence Act, 1872.

This scenario actually happened during the Parliament attack of 2001!!

Slide 11

Other Principles of IT Legislation (1/2)

Technology Neutrality

- Law should address all existing technologies and those that will be developed in the future

- Equal treatment of paper-based and electronic transactions

- Equal treatment of different techniques (EDI, e-mail, Internet, telegram, telex, fax)

Law should not mention any specific technology, and should allow Rules to be drafted under the law to provide recognition to specific technologies (case of electronic signatures)

Slide 12

Other Principles of IT Legislation (2/2)

Party Autonomy

- Primacy of party agreement on whether and how to use e-commerce techniques

- Parties free to choose security level appropriate for their transactions

- eBay uses a security level for buyers which consists of username & password
- The Income Tax department requires Digital Signatures for online filing of IT returns

Slide 13

Other Aspects of Regulatory Framework (1/2)

• Admissibility and evidential weight of e-communication:

Evidence of a record may not be excluded solely because it is in electronic form, and evidential weight is to be given according to the reliability of the data

• Data Protection and Privacy

Clear distinction between personal and public data

Protection for personal data

• Cyber crimes & Offences

Specifying different types of Cybercrimes

Empowerment of law enforcement agencies

Slide 14

Other Aspects of Regulatory Framework (2/2)

• Intellectual Property Rights:

IPR for software, source code, patents (for hardware & software), trademarks (in relation to domain names)

• Consumer protection:

Against invasion of privacy, spam, illegal or harmful content

• Liability and dispute settlement mechanisms

Adjudication mechanisms for cyber offences

• Jurisdiction & e-taxation

Jurisdiction for legal action and taxation

Slide 15

IT Act 2000, its Amendments & related provisions

Genesis of IT Act – UNCITRAL Model Law of e-Commerce

Objectives of IT Act

Snapshot of provisions of IT Act

Admissibility of electronic records

Slide 16

Genesis of IT Act - The UNCITRAL Model Law

• As electronic transactions extend across national boundaries, there is a need for international harmonization in IT laws

• The United Nations Commission on International Trade Law (UNCITRAL) is the legal body of the United Nations system in the field of international trade law

• UNCITRAL drafted the “UNCITRAL Model Law on Electronic Commerce - 1996” for adoption by countries

• The e-Commerce / IT laws of most countries are modelled on the UNCITRAL Model Law

Slide 17

Adoption of UNCITRAL Model Law on e-Commerce

Australia (1999), Colombia* (1999), Bahrain (2002), Dominican Republic* (2002), Ecuador* (2002), France (2000), India* (IT Act 2000), Ireland (2000), Jordan (2000), Mauritius (2000), Mexico (2000), New Zealand (2000), Pakistan (2000), Panama* (2001), Philippines (2000), Republic of Korea (1999), Singapore (1998), Slovenia (2000), South Africa* (2002), Thailand (2003), Venezuela (2001), and the United States (Uniform Electronic Transactions Act 1999)

* Except for provisions on electronic signatures

Slide 18

Objectives of the Model Law

• To facilitate rather than regulate electronic commerce

• To adapt existing legal requirements

• To provide basic legal validity and raise legal certainty

Basic Principles of Model Law

• Functional Equivalence: law to provide conditions for equivalence of handwritten (manual) and electronic records, signatures etc

• Media and Technology Neutrality: law to treat all technologies on an equal footing

• Party Autonomy: law to provide the transacting parties the autonomy to choose to use e-Commerce and decide security levels

Slide 19

IT Act, 2000

• Came into effect from October 17th, 2000 on the lines of the UNCITRAL Model Law

• India is the 12th nation in the world to adopt digital signatures

• The Act applies to the whole of India and also applies to any offence or contravention thereunder committed outside India by any person irrespective of his nationality, if such act involves a computer, computer system or network located in India

• 90 Sections segregated into 13 Chapters and 2 Schedules

• IT Act 2000 was amended through the Information Technology Amendment Act, 2008, which came into effect from October 27, 2009

Slide 20

Objectives of IT Act, 2000

• Legal Recognition for transactions carried out by means of electronic data interchange
- Digital Signatures and Regulatory Regime for Digital Signatures
- Admissibility of Electronic Documents at par with paper documents

• E-Governance: use of electronic records & digital signatures by Government & its Agencies

• Define Civil wrongs, Offences, punishments; Investigation and Adjudication of Cyber crimes
- Appeal provisions

• Amendment to the existing Acts to address IT Act provisions
- Indian Penal Code & Indian Evidence Act, 1872
- Banker’s Books Evidence Act, 1891 & Reserve Bank of India Act, 1934

Slide 21

Exceptions to the Applicability of the Act

• a negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881;

• a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;

• a trust as defined in section 3 of the Indian Trusts Act, 1882;

• a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925, including any other testamentary disposition;

• any contract for the sale or conveyance of immovable property or any interest in such property;

• any such class of documents or transactions as may be notified by the Central Government.

Slide 22

IT Act – Important Definitions

• "computer" means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network;

• "computer network" means the inter-connection of one or more computers through (i) the use of satellite, microwave, terrestrial line or other communication media; and (ii) terminals or a complex consisting of two or more interconnected computers, whether or not the interconnection is continuously maintained;

Slide 23

IT Act – Important Definitions

• "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;

• "secure electronic record": where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification

Slide 24

Snapshot of the IT Act and its provisions - 1

Chapter / Coverage

Chapter I: Preliminary
• Act extends to the whole of India (Section 1)
• Exceptions to Applicability (Section 1(4))

Chapter II: Digital Signature
• Authentication of electronic records (Section 3)
• Legal framework for affixing a Digital Signature by use of an asymmetric crypto system and hash function (Section 3)

Chapter III: Electronic Governance
• Legal recognition of electronic records (Section 4)
• Legal recognition of digital signatures (Section 5)
• Retention of electronic records (Section 7)
• Publication of the Official Gazette in electronic form (Section 8)

Slide 25

Snapshot of the IT Act and its provisions - 2

Chapter / Coverage

Chapter IV
• Attribution, Acknowledgement and Receipt of Electronic Documents

Chapter V
• Security procedure for electronic records and digital signatures (Sections 14, 15, 16)

Chapters VI - VIII
• Licensing and Regulation of Certifying Authorities for issuing digital signature certificates (Sections 17-34)
• Functions of the Controller (Section 18)
• Appointment of Certifying Authorities and the Controller of Certifying Authorities, including recognition of foreign Certifying Authorities (Section 19)
• Controller to act as repository of all digital signature certificates (Section 20)

Slide 26

Snapshot of the IT Act and its provisions - 3

Chapter / Coverage

Chapters IX & XI
• Data Protection (Sections 43 & 66, 66B, 66C & 66D)
• Various types of computer crimes defined and stringent penalties provided under the Act (Sections 43, 43A, 66, 66B, 66C, 66D, 67, 67A, 67B, 72, 72A)
• Appointment of Adjudicating Officer for holding inquiries under the Act (Sections 46 & 47)

Chapter X
• Establishment of the Cyber Appellate Tribunal under the Act (Sections 48-56)
• Appeal from order of Adjudicating Officer to the Cyber Appellate Tribunal and not to any Civil Court (Section 57)
• Appeal from order of the Cyber Appellate Tribunal to the High Court (Section 62)

Slide 27

Snapshot of the IT Act and its provisions - 4

Chapter / Coverage

Chapters XI & XII
• Interception of information from computer to computer (Section 69) & Protected System (Section 70)
• Act to apply to offences or contraventions committed outside India (Section 75)
• Computer crimes to be investigated by an officer not below the rank of Inspector
• Network service providers not to be liable in certain cases (Section 79)

Chapter XIII
• Power of police officers and other officers to enter any public place and search and arrest without warrant (Section 80)
• Offences by Companies (Section 85)
• Constitution of the Cyber Regulations Advisory Committee, which will advise the Central Government and the Controller (Section 88)

Slide 28

Snapshot of the IT Act and its provisions - 5

Schedule / Coverage

Schedule I
• Amendments to the Indian Penal Code (IPC)

Schedule II
• Amendments to the Indian Evidence Act, 1872
• Clauses relating to admissibility of electronic records as evidence

Schedule III
• Amendments to the Banker’s Books Evidence Act, 1891

Schedule IV
• Amendments to the Reserve Bank of India Act, 1934

Schedules III and IV were deleted by the IT Act Amendment 2008

Slide 29

Overriding effect of the IT Act

• Section 81: The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.

• The only exceptions to the overriding effect of the IT Act are the Copyright Act and the Patents Act: “Provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act 1957 or the Patents Act 1970”

Slide 30

Authentication of Electronic Records

• Section 3: Any electronic record may be authenticated by a subscriber using a Digital Signature

“The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record”

The Digital Signature Regime will be discussed in detail in the next session

Slide 31

Retention of Electronic Records

Section 7: Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, if:

• the information contained therein remains accessible so as to be usable for a subsequent reference;

• the electronic record is retained in the format in which it was originally generated, sent or received, or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;

• the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record.

Slide 32

Digital Signatures

• References in IT Act to Digital Signatures

• PKI Basics & How a Digital Signature Works

• Concepts of Integrity, Non-repudiation, Authenticity and Confidentiality

• Digital Signatures for signing and encryption

• Digital Signature Regime
- Controller of CAs
- Certifying Authorities
- Subscribers

Slide 33

Digital Signatures – Reference in IT Act, 2000

• Section 3:
- Any subscriber may authenticate an electronic record by affixing his Digital Signature
- The authentication is to be effected by use of an asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record
- The private key and the public key are unique to the subscriber and constitute a functioning key pair
- Verification of the electronic record is possible using the public key of the subscriber

• Section 5: Establishes equivalence of Digital and Handwritten signatures

• Section 10: Confers on the Central Government the authority to prescribe the Digital Signature Regime through Rules drafted under the IT Act, 2000

Slide 34

Digital Signatures – Rights conferred on Central Govt.

• (Section 10) The Central Government may, for the purposes of this Act, by rules, prescribe:
- the type of digital signature;
- the manner and format in which the digital signature shall be affixed;
- the manner or procedure which facilitates identification of the person affixing the digital signature;
- control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments;
- any other matter which is necessary to give legal effect to digital signatures.

Slide 35

Specifics of IT (Certifying Authorities) Rules, 2000

• Rules brought out by the Central Government as per section 10 of the IT Act
- “Digital Signature shall be created and verified by cryptography that concerns itself with transforming electronic record into seemingly unintelligible forms and back again”;
- Public Key Cryptography to be used for creation and verification of Digital Signatures
- Prescribes the ITU-T X.509 version 3 certificate standard for Digital Signature Certificates
- Defines the Digital Signature Regime, including guidelines for Licensed Certifying Authorities

Slide 36

Public Key Cryptography is..

• A form of cryptography in which each user has a private key and an associated public key

• Distinct public / private key pairs may be used, one for signing messages and one for data encryption

• Senders sign with their own private key and encrypt with the recipient’s public key.

A Digital Signature Certificate is an electronic record that binds a public key to the owner of the corresponding private key and is signed by a trusted entity (a Licensed Certifying Authority)

Slide 37

PKI Basics

• Any message, irrespective of its length, is mapped by a cryptographic hash function to a short fixed-length value called the Digest or the Hash

• The smallest change in the message changes the Hash value, and it is computationally infeasible to find two different messages with the same Hash

• The user himself generates the key pair in his computer:
- The Private Key, known only to the user, is used for making the Digital Signature
- The Public Key, which is published with the Certifying Authority, is known to everyone and is used to verify the Digital Signature
- The keys are unique to the user

Slide 38

What is a Digital Signature?

• The hash value of a message, transformed with the private key of a person (the “RSA Encryption” step in the figure), is his digital signature on that e-Document
- The Digital Signature of a person therefore varies from document to document, thus ensuring the authenticity of every word of that document
- As the public key of the signer is known, anybody can verify the message and the digital signature

[Figure: Electronic Document -> Hash -> Message Digest -> Signature Algorithm with the Private Signature Key (RSA Encryption) -> Signature, which forms part of the document]

Slide 39

Security Services fulfilled by PKI

Service | What it means | How it is fulfilled

Privacy / Confidentiality | Protection against access by unintended recipients | By encryption using the recipient’s Public Key

Authenticity | Proof that the sender is actually who he claims to be | By signing using the sender’s Private Key, which can be verified by the recipient using the sender’s public key

Non Repudiation | Proof that the sender has actually sent the signed message | By the same signature: only the holder of the private key could have produced it

Integrity | Any changes in the original signed message should be detected | By the same signature: the digest recomputed from the received message must match the signed digest

Slide 40

Digital Signature Signing – How it Works

[Figure: Sender A computes the Hash of the electronic record and applies the Private Signature Key in the Signature Algorithm to obtain the Signature; record and signature are transmitted. Receiver B recovers Digest 1 from the signature with the Sender’s Public Signature Key and computes Digest 2 by hashing the received record. Digest 1 equal to Digest 2? Yes - Good; No - Bad.]

Anyone with access to the above information can:
• Confirm A’s identity: Authenticate
• Confirm message is intact: Integrity
• Prove A sent message: Non-repudiation

Slide 41

Encryption using Digital Signatures - Confidentiality

[Figure: A encrypts the plain text with B’s public key to produce the ciphertext; B decrypts the ciphertext with B’s private key to recover the plain text.]

• A sends confidential data to B, knowing that only B can decrypt what is sent
• A encrypts with B’s public key (openly available)
• B decrypts with his own private key (kept secret)
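The hash-then-sign flow of slides 37 to 40 and the public-key encryption of slide 41, as an added example that is not part of the course material and not taken from any system the slides describe. It uses the OpenSSL command line (a tool the slides do not mention); the 2048-bit key size, the file names and the two sample records are assumptions constructed for the demo. Besides the happy path it shows the two failures a relying party must see: a record altered after signing, and a signature made with somebody else's private key.

```bash
#!/bin/sh
# Added example, not part of the course slides: hash-then-sign and verify with an RSA
# key pair using the OpenSSL command line, plus encryption with the recipient's public key.
# File names, the sample records and the 2048-bit key size are assumptions for the demo.
set -eu

WORK="$(mktemp -d)"                 # scratch directory for all constructed files
trap 'rm -rf "$WORK"' EXIT          # clean up when the script finishes

# A subscriber generates the key pair locally; the private key never leaves this machine,
# only the public key (<prefix>_pub.pem) is handed out.
gen_keypair() {                     # $1 = file prefix, e.g. "a"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/${1}_priv.pem" 2>/dev/null
    openssl pkey -in "$WORK/${1}_priv.pem" -pubout -out "$WORK/${1}_pub.pem"
}

# Signing: SHA-256 digest of the record, then A's private-key operation on the
# (padded) digest. This is the "Hash -> Private Signature Key -> Signature" path.
sign_record() {                     # $1 = record file, $2 = signature output file
    openssl dgst -sha256 -sign "$WORK/a_priv.pem" -out "$2" "$1"
}

# Verification by anyone holding A's public key: recompute the digest of the received
# record and compare it with the digest recovered from the signature (Digest 1 == Digest 2?).
# Exit status 0 means "Yes - Good", non-zero means "No - Bad".
verify_record() {                   # $1 = record file, $2 = signature file
    openssl dgst -sha256 -verify "$WORK/a_pub.pem" -signature "$2" "$1" >/dev/null 2>&1
}

demo_sign_verify() {
    gen_keypair a
    # constructed sample record standing in for the ITR XML of slide 9
    printf 'ITR AY2015-16: total income 1200000, tax payable 180000\n' > "$WORK/itr.xml"
    sign_record "$WORK/itr.xml" "$WORK/itr.sig"
    verify_record "$WORK/itr.xml" "$WORK/itr.sig" || return 1     # untouched record verifies
    # A one-character change in the record gives a different digest, so the old signature
    # fails: this is the integrity property, and why a signature is specific to one document.
    sed 's/180000/18000/' "$WORK/itr.xml" > "$WORK/itr_tampered.xml"
    if verify_record "$WORK/itr_tampered.xml" "$WORK/itr.sig"; then return 1; fi
    # A signature made with a different private key does not verify under A's public key.
    gen_keypair other
    openssl dgst -sha256 -sign "$WORK/other_priv.pem" -out "$WORK/itr_other.sig" "$WORK/itr.xml"
    if verify_record "$WORK/itr.xml" "$WORK/itr_other.sig"; then return 1; fi
    return 0
}

# Confidentiality (slide 41): A encrypts with B's public key, only B's private key decrypts.
# B uses a key pair separate from any signing pair, as slide 36 recommends. RSA-OAEP padding
# is used; bare RSA carries only a short message, which is enough for this demo.
demo_encrypt() {
    gen_keypair b
    printf 'confidential bid amount: 4500000\n' > "$WORK/plain.txt"   # constructed message
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/b_pub.pem" -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/plain.txt" -out "$WORK/cipher.bin"
    openssl pkeyutl -decrypt -inkey "$WORK/b_priv.pem" -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/cipher.bin" -out "$WORK/decrypted.txt"
    cmp -s "$WORK/plain.txt" "$WORK/decrypted.txt"      # round trip recovers the plain text
}

demo_sign_verify
demo_encrypt
echo "hash-then-sign, tamper detection and public-key encryption: OK"
```

The verifier never sees the private key; it only needs the record, the signature and A's public key, which is exactly the information slide 40 says "anyone with access" has. The public key is taken here from a file the demo produced; in the regime the slides describe it would instead be taken from A's Digital Signature Certificate.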

Slide 42

PKI Hierarchy in India

[Figure: the CCA at the root certifies the public key of each CA; each CA certifies the public key of its subscribers and publishes a Certificate Directory and a Certificate Revocation List (CRL); a subscriber signs the electronic record using the private key; the relying party requests the CA for certification of the sender’s public key.]

Slide 43

Digital Signature Regime in India

• Controller of Certifying Authorities
- Set up as per IT Act, 2000 to license and regulate the working of Certifying Authorities
- Lays down standards and conditions governing Certifying Authorities and specifies the various forms and content of Digital Signature Certificates
- Certifies the public keys of the licensed CAs by operating the Root Certifying Authority of India (RCAI) key

• Licensed Certifying Authorities
- Agencies authorised by the CCA to issue Digital Signature Certificates to end users and to certify the public key of the subscriber

• Registration Authorities
- Agencies authorised by a CA for operational activities like face to face verification, registration of certificate information etc

• Subscribers
- End users who apply for Digital Signature Certificates to Licensed CAs

Slide 44

Certifying Authorities in India

• Must be widely known and trusted
• Must have a well defined identification process before issuing the certificate
• Provides online access to all the certificates issued
• Provides online access to the list of certificates revoked (Certificate Revocation List)
• Displays online the licence issued by the Controller
• Displays online the approved Certification Practice Statement (CPS)
• Must adhere to IT Act / Rules / Regulations and Guidelines

Licensed CAs
- Safescrypt
- IDRBT
- NIC
- TCS
- MTNL
- GNFC
- e-Mudhra CA

Slide 45

Maintenance of Certificate Database

[Figure: each Digital Signature Certificate held in the Certificate Database contains the user credentials, the user’s public key, the CA’s name and the validity period, and is digitally signed using the CA’s private key. The key pair is generated at the user computer; the certificate request carrying the user credentials and the user’s public key goes to the CA, which publishes the signed certificate (User 1 certificate, User 2 certificate, ...).]

Slide 46

Registration Authorities

• Agencies who are authorized by CAs to carry out certain delegated responsibilities

• Basic tasks of RAs include:
- Registration of certificate information
- Face-to-face registration
- Remote registration
- Automatic registration
- Revocation

• The RA is subsumed in the CA, and total responsibility for all actions of the RA vests with the CA

Slide 47

Private Key Protection

• A critical requirement for the success of the Digital Signature Regime is the security of the Private Keys

• To ensure the security of private keys:
- The key pair is generated within the device holding the private key
- The key can be in a PIN protected soft token residing in the user’s computer, or in a USB token or smart card

• PIN protected soft tokens: reside in the user’s computer and hence do not offer mobility
- The key resides in encrypted form on the user’s hard disk, and is only as safe as the computer on which it is unlocked

• USB / smart card tokens: provide mobility across computers with a smart card reader / USB port
- The key is highly secured as it is generated within the device and does not leave the device at any time; the device performs the signing operation internally
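The PIN protected soft token described above, as an added example that is not part of the course material: the private key is written to disk only in encrypted form, and the signing tool refuses to use it unless the right PIN is supplied. Built with the OpenSSL command line; the PIN value, file names and the record are assumptions constructed for the demo. A real soft token prompts for the PIN rather than keeping it in a script, and a USB token or smart card differs in kind: the key never leaves the device, which would be driven through a PKCS#11 interface rather than a PEM file (not shown).

```bash
#!/bin/sh
# Added example, not part of the course slides: a PIN protected soft token, i.e. a private
# key stored on disk only in encrypted form and unusable without the PIN.
# The PIN, file names and record are assumptions for the demo.
set -eu

TOK="$(mktemp -d)"
trap 'rm -rf "$TOK"' EXIT
PIN='assumed-demo-pin-2015'         # assumption; a real token prompts for this interactively

# Generate the key pair and write the private key encrypted with AES-256 under the PIN.
create_soft_token() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$PIN" -out "$TOK/token.pem" 2>/dev/null
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$TOK/token.pem"   # never stored in the clear
}

# Sign a record with the token; the key is decrypted in memory only if the offered PIN is right.
sign_with_token() {                 # $1 = PIN offered, $2 = record, $3 = signature output
    openssl dgst -sha256 -sign "$TOK/token.pem" -passin "pass:$1" -out "$3" "$2" 2>/dev/null
}

demo_soft_token() {
    create_soft_token
    printf 'constructed record to be signed\n' > "$TOK/rec.txt"
    if sign_with_token 'wrong-pin' "$TOK/rec.txt" "$TOK/rec.sig"; then return 1; fi   # refused
    sign_with_token "$PIN" "$TOK/rec.txt" "$TOK/rec.sig" || return 1                  # accepted
    # Export the matching public key (the PIN is needed once more to read the key) and verify.
    openssl pkey -in "$TOK/token.pem" -passin "pass:$PIN" -pubout -out "$TOK/token.pub"
    openssl dgst -sha256 -verify "$TOK/token.pub" -signature "$TOK/rec.sig" "$TOK/rec.txt" >/dev/null
}

demo_soft_token
echo "soft token: signing refused with the wrong PIN, accepted with the right one"
```

The encryption protects the key file at rest (a copied file is useless without the PIN, apart from offline guessing of a weak PIN); once unlocked the key is in the memory of the host, which is the limitation the slide notes and the reason hardware tokens keep the key inside the device.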

Slide 48

Classes of Digital Signatures

There are 4 general classes of Digital Signature Certificates, classified as per the level of assurance

• Class 0: Issued for demonstration / test purposes

• Class 1: Issued to individuals / private subscribers. This class of certificate authenticates only the username and the e-mail id

• Class 2: Issued to both business persons and private individuals. This class of certificate confirms the information provided by the subscriber

• Class 3: Issued to individuals as well as organizations. This class of certificate is used in e-Commerce applications wherein high assurance of certificates is required. This certificate is issued to an individual only on their personal appearance before the CA

Slide 49

Digital Signatures – IT Act Amendment

• The PKI Digital Signature Regime prescribed by the IT Act of 2000 is technology specific

• This departs from the global best practice envisaged in the UNCITRAL Model Law on e-Signatures – 2001: any electronic signature technology which fulfils the criteria of equivalence between handwritten and electronic signatures should be admissible

• Accordingly, the IT Act Amendments of 2008 provided recognition to other electronic signature technologies, which are identified by the Central Government

Slide 50

Illustrative Case: Use of DSC in Income Tax filing

• Using PKI based Digital Signatures to enable taxpayers to file tax returns online

• By offering an electronic alternative, the Tax Offices have reduced return-processing times significantly.

• Any individual having a DSC from any Licensed CA can file the return in a complete online process

Source: https://incometaxindiaefiling.gov.in/portal/index.do

Slide 51

Illustrative Case: Use of DSC in MCA21

• Online submission of documents for company registration

• Online filing of returns and balance sheets

• Online filing of other documents needed for statutory compliance

• Reduction in time and cost in transacting with the Ministry

• Reduction in administrative burden for the Ministry in receipt and processing of documents

Source: http://www.mca.gov.in/MCA21/

Slide 52

Illustrative Case: Use of DSC in GoAP e-Procurement

• Online procurement workflow by government agencies

• Online bid preparation and submission by the bidders, with digital signing at each workflow action

• Electronic evaluation of bids

• Reduction in time and cost in procurement

• Improvement in transparency in procurement

Source: http://www.eprocurement.gov.in/

Slide 53

End of Session