This article is written by Uday Bhatia, a third-year student currently pursuing BBA LLB Hons from Vivekananda Institute of Professional Studies (affiliated to Guru Gobind Singh Indraprastha University, New Delhi). This article covers the types, legal validity (international & under Indian law) & penal provisions of E-signatures, & their dynamic & evolutionary nature in the context of landmark precedents & contemporary issues sub judice.
The concepts of E-signatures and digital signatures are results of the growing eminence of the information technology revolution, which embarked on its journey in the late 18th century. With evolving times, many states have given due recognition to their applicability & operationality in their jurisdictions.
In the US, before the proclamation of the “American Civil War” in 1861, the usage of the Morse Code had been primarily for espionage purposes but was also intended for the enforceability of contracts. The first landmark judgment accepting the enforceability of telegraphic messages as electronic signatures was delivered by the New Hampshire Supreme Court.
Thereafter there has been a flurry of modern legislation in western states such as Canada, US, Russia, China, Australia, New Zealand, Japan, Singapore, UK & gradually all across the globe.
In 1996 the United Nations, by a resolution passed with a majority, enacted the UNCITRAL Model Law on Electronic Commerce. In 2001, the UNCITRAL Model Law on Electronic Signatures was passed, which has been adopted by 30 states in their jurisdictions. The most recent step towards the international recognition of E-signature is the United Nations Convention on the Use of Electronic Communications in International Contracts, 2005, which gives the contracting parties the option to give effect to the agreement by E-signature, subject to the condition that a reliable method is used to identify the parties & indicate their intention.
The first agreement signed electronically by two sovereign nations was a Joint Communiqué recognizing the growing importance of the promotion of electronic commerce, signed by the United States and Ireland in 1998.
What is an Electronic Signature?
It is evident that the cognizance of the concept of E-signature has sprouted in different modern state legislations, giving meaning & moulding its definition to be accustomed to its socio-political structural norms. Below are a few definitions devised by foreign legislative assemblies.
- An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.
- A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.
- A qualified electronic signature based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature in all other Member States.
- Section 106, Electronic Signatures in Global and National Commerce Act defines an electronic signature for the purpose of US law as “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”
- Section 7, Part II, Electronic Communications Act, 2000 defines an electronic signature as so much of anything in electronic form as —
(a) is incorporated into or otherwise logically associated with any electronic communication or electronic data; and
(b) purports to be used by the individual creating it to sign.
- In simple words, an E-signature can be defined as symbols or other data, or both combined, in digital form, affixed or attached to an electronically transmitted document so as to authenticate & verify the sender’s identity & his intent on the signed document.
- The definition under Section 2(1)(ta), Information Technology Act, 2000 is as follows:
“Electronic signature” means authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule and includes digital signature.
Digital Signature v/s Electronic Signature
Digital signature means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provision of Section 3, IT Act, 2000.
- Whereas an E-signature is the affixing or attachment of symbols or other data, or both combined, in digital form but without any encryption, to any electronic document.
- The subscriber can authenticate an electronic record by affixing his digital signature, which shall be effected by the use of the asymmetric crypto system and hash function, enveloping & transforming the initial electronic record into another.
A hash function is an algorithm that maps or translates one sequence of bits into another, generally smaller, sequence known as the hash result, such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input. This makes it computationally infeasible:
- to derive the original electronic record from the hash result produced by the algorithm; or
- for two electronic records to produce the same hash result using the algorithm.
- Digital signatures fulfil the same purpose as electronic signatures: to authenticate the identity of the signer & his/her intention, acknowledging consent to & awareness of the contents of the impugned document. The signature is basically concealed, or to be precise encrypted, in cryptographic content, which simplifies its usage by ensuring a secured, user-friendly process & end-to-end privacy.
E-Signature Provisions under the Indian Evidence Act, 1872
The recognition of applicability & legal enforceability of E-signature is governed elaborately under varied provisions.
i. Section 85B: Presumption as to the authenticity, integrity & secureness of the electronic records & E-signature, unless the contrary is proved.
ii. Section 22A: Oral admissions as to the contents of the electronic record are relevant only if its genuineness is in question.
iii. Section 65B: Admissibility of the electronic record & its contents as original & direct evidence subject to the conditions:
- The computer output (electronic record) containing the information was produced by the computer during the period over which it was used regularly to store or process information for activities regularly carried on by the person having lawful control over the use of the computer.
- During the impugned period, information of the kind contained in the electronic record was regularly fed into the computer in the ordinary course of the said activities.
- During the substantial part of the impugned period, such computer was operating properly or, if it was not operating properly during the said period, this did not affect the accuracy of the electronic record or its contents.
- The information contained in the electronic record reproduces or is derived from such information as was originally fed into the computer in the ordinary course of the said activities.
iv. Section 85A: The court recognizes the validity of the electronic record, containing the E-signature of the parties affixed on it, on the same footing as physical documentary agreements.
Provisions Recognizing the E-Signature or Digital Signature under the Information Technology Act, 2000
- A subscriber (means a person in whose name an electronic signature certificate is issued) may authenticate any electronic record either using an electronic signature or an electronic authentication technique under Section 3A, IT Act, 2000 which is:
- In accordance with the Second Schedule
The electronic signature or electronic authentication technique shall be considered reliable if
- The signature creation data or authentication data is linked “only” to the signatory or to the authenticator, as the case may be, in reference to their intended use;
- The signature creation data or authentication data were, at the time of signing or authentication, under the control “only” of the signatory or the authenticator, as the case may be, & not of any other person;
- Any alteration to the electronic signature made after affixing such signature should be detectable;
- Any alteration to the information made after its authentication by electronic signature should be detectable; &
- Fulfils any other conditions as specified.
- Legal recognition has been bestowed on the E-signature, bringing its status at par with a physical mode of authentication.
- The validity of the contents & information of any documentary evidence shall be authenticated by the signature (his/her handwritten signature or any mark) of the person related, or by the electronic signature affixed by the party or parties related, in the manner prescribed by the central government.
Procedure of making E-Signature
Public Key Infrastructure:
It is an arrangement of a set of rules or a policy formulated to regulate the hardware & software & their procedures for the administration (creation, management, distribution, storage & revocation) of a public key, private key & certifying authority issuing digital certificates.
1. Public Key
It involves a key (which acts as a substitute for a password) shared with the public (generally with identities of entities of an organization or specific group) in order to verify the signer’s electronic signature. According to Section 2(zd), IT Act, 2000, it means the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate.
2. Private Key
Here the key is only for the use & access of the signer of E-documents. According to Section 2(zc), IT Act, 2000, it means the key of a key pair used to create a digital signature.
- Every subscriber shall practice reasonable care to retain control of the private key corresponding to the public key listed in his digital signature certificate and take all steps to prevent its disclosure.
- If the private key corresponding to the public key listed in the Digital Signature Certificate has been compromised then, the subscriber shall communicate the same without any delay to the Certifying Authority in such manner as may be specified by the regulations.
- It is to be noted that the subscriber shall be liable till the point where he has informed the Certifying Authority that the private key has been compromised.
3. Certifying Authority
It is the regulatory body that administers the registration, issuance, renewal, suspension, & revocation of the digital certificates.
- Under Section 2(1)(g), IT Act, 2000, it refers to a person who has been granted a license to issue electronic certificates. It is implied here that the process of certification is permitted to be outsourced & executed by third party Validation Authorities.
- The process of obtaining the license involves an application to be made to the Controller, which is subject to requirements such as qualification, expertise, manpower, financial resources and other infrastructure facilities under Section 21, IT Act, 2000. The license granted shall be:
- a) Valid to such period as prescribed by the central government
- b) Not transferable or heritable
- c) Subject to such other terms & conditions by regulations.
- After submission of the application, the Controller shall consider the documents accompanying the application & such other factors, and grant the licence or reject the application, as it deems fit. Provided, the applicant shall be given an opportunity of being heard to present its case before the rejection of the application, under Section 24, IT Act, 2000.
- The process for obtaining digital certificates involves making an application (accompanied by a certification practice statement or, where there is none, such particulars to that effect as specified by regulations) to certifying authorities in such form & manner, & with such fees not exceeding Rs. 25000/-, as prescribed by the Central Government under Section 35, IT Act, 2000.
- On receipt of the application, the Certifying Authority, after considering the certification practice statement or, where there is none, such particulars, & making the necessary enquiries, shall either grant the electronic signature (digital) certificate or reject the application, as it deems fit.
- Provided the applicant shall be given an opportunity of being heard to present its case, on the rejection of the application.
- A Certifying Authority while issuing a Digital Signature Certificate shall certify that-
- It has complied with the provisions of the IT Act, 2000 & the rules & regulations made thereunder;
- It has published the digital signature certificate or otherwise made it available to the person relying on it;
- The subscriber holds the private key corresponding to the public key listed in the digital signature certificate, the private key being capable of creating a digital signature & the public key being capable of verifying the digital signature affixed by the private key held by the subscriber;
- The subscriber’s public key and private key constitute a functioning key pair;
- The information contained in the digital signature certificate is accurate;
- It has no knowledge of any material fact which would adversely affect the reliability of the representations if it had been included in the digital signature certificate.
- The purpose of the technique is to succour & smoothen the electronic transfer of information which is prevalent & constitutes the core of network-based activities such as E-Commerce, internet banking and confidential email.
- Secondly, it is most suitable & apposite for such activities wherein, simple passwords turn out to be inadequate authentication tools & thereby a more rigorous proof is necessitated in order to prove the identity & further their free consent & validate the information so transferred electronically.
II. Symmetric encryption
It is one of the oldest & common types of encryption methodology used. It consists of 5 main pillars, integrated into a process, from encryption to decryption of the message:
i. Plaintext: it refers to the original, simple text, comprehensible to a reasonable man.
ii. Encryption Algorithm: it operates on the plaintext & converts it into an unreadable format.
iii. Secret key: it converts the scrambled & ciphered text into the Plaintext, as the key holds the information of all the switches and substitutions made to the original plain text
iv. Ciphertext: it refers to the scrambled, jumbled text which is unreadable. It may be in the form of a stream of data, numerals, alphabets, alpha-numerals, characters or a combination of them
v. Decryption Algorithm: it refers to the environment only in which the secret key could perform the decoding function i.e. the substitutions & switches necessary to be done on the Ciphertext in order to convert it into simplified, original Plaintext.
Figure 1: Symmetric Encryption Method
- Symmetric encryption or cryptography is typically used for bulk encryption or encrypting large amounts of data, such as database encryption.
- In the case of a database, the secret key might only be available to the database itself to encrypt or decrypt, which is the foremost & major drawback of this encryption method.
- Symmetric cryptography is widely used in:
Payment applications, such as card transactions where personal, sensitive information needs to be protected to prevent identity theft, phishing, cheating.
Validating the original identity of the sender.
III. Asymmetric Crypto Method
- It is a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature;
- This encryption method is meant for complex activities that require a higher degree of caution & security, due to the transmission of sensitive information. Unlike the symmetric method, this method uses a pair of keys: the public key is shared with certain entities (designated receivers) & the other key, being the private one, is kept secret. Either of the keys can be used for encrypting or decrypting. Only the user or computer that generates the key pair has access to the private key.
- Generally, the process entails that the sender of the Plaintext procures the public key of the receiver & then encrypts the Plaintext by employing an asymmetric encryption algorithm to create the Ciphertext. The receiver then receives the Ciphertext & decrypts it by employing an asymmetric decryption algorithm, converting it back into Plaintext.
- The process could be the other way around as well, where the receiver holds the private key for decrypting the Ciphertext & the sender in fact holds the public key for encrypting the Plaintext.
- This method, in contrast to the Symmetric method, is highly complex & technical but ensures the confidentiality of especially sensitive data, integrity as to the user’s identity & his free & valid consent, authenticity relating to the originality of the message delivered, and non-repudiability: the electronic or digital signature borne by the record acts like estoppel against the signer, who can’t later deny it in order to claim any defence.
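The hash function described under Section 3 and the key pair of the asymmetric crypto method work together as sketched below. This is an added example, not part of the original article: it uses unpadded textbook RSA over SHA-256 for readability, and the function names, the sample record and both key pairs (built from publicly known Mersenne primes) are constructed assumptions, unfit for real records.

```python
import hashlib

E = 65537  # public exponent used by both demonstration key pairs


def make_keypair(p: int, q: int):
    """Build ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


# Constructed demonstration keys from publicly known Mersenne primes.
# Anyone can factor these moduli, so they only illustrate the mechanism.
SUBSCRIBER_PUBLIC, SUBSCRIBER_PRIVATE = make_keypair(2**521 - 1, 2**607 - 1)
IMPOSTOR_PUBLIC, IMPOSTOR_PRIVATE = make_keypair(2**1279 - 1, 2**2203 - 1)


def hash_result(record: bytes) -> int:
    """Map an electronic record of any length to a fixed-size hash result."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private_key) -> int:
    """Subscriber side: transform the hash result with the private key."""
    n, d = private_key
    return pow(hash_result(record), d, n)


def verify(record: bytes, signature: int, public_key) -> bool:
    """Relying party: undo the transformation with the public key and
    compare it with a freshly computed hash result of the record."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == hash_result(record)


def run_checks() -> dict:
    """Exercise the reliability conditions on a constructed sample record."""
    record = b"Constructed record: A agrees to pay B Rs. 25000 on 01-04-2020."
    altered_record = record.replace(b"25000", b"95000")
    signature = sign(record, SUBSCRIBER_PRIVATE)
    return {
        # Same record, same key pair: the signature verifies.
        "genuine": verify(record, signature, SUBSCRIBER_PUBLIC),
        # Alteration of the information after signing is detectable.
        "altered_record": verify(altered_record, signature, SUBSCRIBER_PUBLIC),
        # Alteration of the signature itself (one flipped bit) is detectable.
        "altered_signature": verify(record, signature ^ 1, SUBSCRIBER_PUBLIC),
        # A signature made with another private key does not verify against
        # the public key listed for the subscriber.
        "impostor": verify(record, sign(record, IMPOSTOR_PRIVATE),
                           SUBSCRIBER_PUBLIC),
        # The hash function is deterministic for the same record.
        "same_hash": hash_result(record) == hash_result(record),
        # A changed record gives a different hash result.
        "different_hash": hash_result(record) != hash_result(altered_record),
    }


if __name__ == "__main__":
    for check, outcome in run_checks().items():
        print(f"{check}: {outcome}")
```

Only the holder of the private key can produce a value that the listed public key accepts, which is why the subscriber's duty to retain control of that key carries the weight of the scheme.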
Offences relating to e-signature
A. Section 463: Making a false document:
It covers, first, any person who has either fraudulently or dishonestly made, signed, sealed, executed or transmitted a document or electronic record, or any part thereof, affixed with an electronic signature.
Secondly, any person who, without lawful authority, alters any document or electronic record, or materially any part thereof, executed or affixed with an electronic signature either by himself or by any other person, whether such person is alive or dead at the time of such alteration.
- Thirdly, any person who dishonestly or fraudulently causes any person to sign, seal, execute or alter a document or an electronic record, or to affix his or her electronic signature on any electronic record, knowing that such person:
- by reason of unsoundness of mind or intoxication cannot; or
- by reason of deception does not;
know the contents of the document or electronic record or the nature of such alteration.
B. Section 66C: Punishment for identity theft
It states that any person who, fraudulently or dishonestly makes use of
- The electronic signature;
- Password; or
- Any other unique identification feature of any other person;
shall be punished with imprisonment for a term which may extend to three years and shall be liable to fine which may extend to Rupees one lakh.
C. Section 71: Penalty for misrepresentation
It states that any person who misrepresents or suppresses any material fact from the Controller or the Certifying Authority so as to obtain any licence or electronic signature certificate, as the case may be, shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to Rupees one lakh, or with both.
D. Section 73: Penalty for publishing electronic signature certificate false in certain particulars
- It states that no person shall publish any electronic signature certificate or make it available to any other person having the knowledge that–
(a) The Certifying Authority listed in the certificate has not issued it; or
(b) The subscriber listed in the certificate has not accepted it; or
(c) The certificate has either been revoked or suspended, unless such publication is for the purpose of verifying an electronic signature created prior to such revocation or suspension.
- Any person who contravenes the above provisions shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to Rupees one lakh, or with both.
E. Section 74: Publication for Fraudulent purpose
It states that any person who knowingly creates, publishes or makes available any electronic signature certificate for any
- Fraudulent; or
- Unlawful purpose;
shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to Rupees one lakh, or with both.
Berkson v. Gogo LLC
The facts of the case are that the defendant (Gogo LLC) provides in-flight Wi-Fi to travellers in a variety of airports and airlines. The plaintiffs, Adam Berkson and Kerry Welsh, sued the defendant claiming that the defendant unjustly benefited itself by misleading the customers into purchasing a service that charged the customer’s credit card on an automatically-renewing monthly basis, without adequate notice. The defendant charged the plaintiffs, Berkson & Welsh, between $35 and $40 each month for 3 & 16 months respectively. The defendant initiated arbitration proceedings against the plaintiffs under the online “terms and conditions” agreement.
- Whether the plaintiffs were bound by the online “terms & conditions” of the agreement on the website?
- Whether the plaintiffs could together lawfully institute a class-action suit?
The US district court observed & explained the concept of click-wrap agreements. These agreements basically require the user to click the “accept” button for the “terms & conditions” before entering into a transaction. These sorts of agreements are enforceable because it would otherwise become tedious for the company to engage in litigation with each end-user.
Thus, these types of contracts are generally referred to as a “contract of adhesion”, which is entered into at the complete discretion of the user. The assent that an end-user gives to such agreements is “manifested”, as it requires the user to read through the elaborate scroll of “terms & conditions”.
In the context of this case, the court decided the contention of the defendant in the negative, noting that the “terms & conditions” mentioned on the website were not displayed in a desirable manner, i.e. in large font, all caps, bold letters or a conspicuous place, so as to be easily noticeable. They were merely presented through a hyperlink, which doesn’t amount to complete disclosure & thereby can’t make the plaintiffs bound by them.
Moreover, the defendant didn’t email or courier a copy of the “terms & conditions” to the users, thus further bolstering the argument of insufficient notice to the plaintiffs.
Answering the second issue, the court held that even though one of the plaintiffs received reimbursement of the “full amount of claim”, it doesn’t qualify as a “full refund”, even considering the fact that the credit card company had reimbursed the unauthorized bank charges to one of the plaintiffs.
The court observed the rule that if none of the plaintiffs purporting to represent a class establishes the claims of the case or dispute, none of the plaintiffs can seek relief for himself or on behalf of any other member. Albeit, it may be possible in a putative class action, if the plaintiff alleges:
- a) That he himself has personally suffered some actual injury as a result of the putatively illegal conduct of the defendant; &
- b) That such putatively illegal conduct has raised the same set of concerns & have allegedly caused the injury to the other members of the same class, by the same class of defendants.
Zakuski v General American
This is a landmark case in the field of E-signature, as it helps to resolve a major conundrum.
The plaintiff’s son (Doctor Z) had purchased an insurance policy in the name of the plaintiff (his mother), but as soon as he remarried, he changed the beneficiary’s name to his second wife, on other policies as well, & soon after that Doctor Z expired.
The procedure of changing the name of the designated beneficiary can be performed by instructing the company, General American (defendant), along with the requisite details such as policy number, Social Security number, and mother’s maiden name, upon which the company sends an email confirmation of the change.
It was alleged that someone enrolled in the defendant’s company provided all the necessary information & details & maliciously changed the beneficiary’s name to the second wife, thus sending the alert email of confirmation. Being aggrieved by this action, the plaintiff sued for the insurance proceeds, claiming that the company’s security policies were compromised & that the defendant couldn’t make sure that it was the plaintiff’s son who actually signed to validate the change.
The second wife, on the other hand, claimed in the affidavit that she hadn’t made any change.
How to make sure that it was only the original signer’s signature that was affixed on the document?
Both the summary judgement & the court of appeals upheld the contention of the defendant, laying emphasis on Michigan’s implementation of the UETA (Uniform Electronic Transactions Act) & observing that an E-signature could be attributed by employing “reasonable means.” They ruled in favour of the defendant on the basis of the evidence bundle: that only the required service personnel of the company knew the requisite information for the change of the beneficiary’s name, that an alert email acknowledging & confirming the change of the beneficiary’s name was duly sent, & the affidavit of the second wife denying any foul play. This overshadowed the claim of the plaintiff, which was not supported by any major evidence.
Moreover, the court observed that the process of electronic signature reasonably involves sufficiently more security measures & that the processes of physical signature & E-signature don’t differ much.
Law around E-Aadhaar
- E-Aadhaar is basically a password protected electronic copy of Aadhaar, which is digitally signed by the competent authority of the Unique Identification Authority of India (UIDAI). It substitutes the execution of documents by physical signature with E-signature (E-Aadhaar).
- The Aadhaar project was initiated by the government of India in 2009 to address the issue of leakages in various government welfare benefits & schemes such as subsidies and services, such as a ration card, driving license or voter id, which were sapped by bureaucratic corruption & red-tapeism & thus diluted the purported results to be yielded.
- It was envisaged as a biometric-based unique identity number, to identify the real & eligible beneficiary. It is considered to be more secure & reliable as it uses a person’s unique biometrics such as iris scans, fingerprints to authenticate the true identity of the beneficiary.
- The process of obtaining the Aadhaar number involves broadly two categories of information & details:
(i) Biometric information (photograph, 10 fingerprints, scans of both irises); &
(ii) Demographic information (name, date of birth, gender, residential address),
submitted to the UIDAI & stored by the Central Identities Data Repository.
- There has been a lot of clamour & uncertainty, building a controversy regarding the secureness of the electronic mechanism of Aadhaar. This is because there is a significant exposure of personal, sensitive information of the persons. Approximately 27 organizations, termed “Authentication Service Agents” (ASA’s), have direct access to the Aadhaar database & in totality 254 such organizations have permission to use databases for identity verification. These include organizations which don’t have direct permission to access the database & thus have to seek assistance from ASA’s.
- Nevertheless, there are several provisions to ensure the protection of such sensitive data from any misuse by any third party.
- It prohibits UIDAI & its officers from sharing a person’s identity information and authentication records with anyone.
- It also forbids a person authenticating another person’s identity from collecting or using their information without their consent.
- Miscellaneous protections: include prohibitions against publicly displaying a person’s Aadhaar number and sharing of a person’s fingerprints and iris scans with any third person, with stringent civil & criminal penalties on violation of the provisions of the act.
- However, the Act permits information to be disclosed in cases involving interest of national security or on the order of a court not inferior to the High Court.
- In 2016, Parliament enacted the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, to accord legislative sanction to this project. The act allowed both the central & state governments, as well as private entities, to use Aadhaar for authentication purposes.
- In 2017, the Parliament passed the Finance Act, 2017, amending the Section 139AA, Income Tax Act 1961 & making Aadhaar mandatory for filing income tax returns & applying for PAN.
- The Aadhaar Act entitles the government & permitted private entities to obtain biometric & demographic information to verify the identity of the person. Such information, once collected, is stored in a central database & it is argued that this leads to the creation of a “surveillance state.”
Whether the various mandatory provisions of the Aadhaar Act, 2016, intended for a better governance mechanism to offer varied welfare benefits to the citizens, are constitutional on the touchstone of the right to privacy?
The Hon’ble Supreme Court, with a majority (3:2), ruled that most of the provisions of the Aadhaar Act, 2016 serve a legitimate aim & are thus constitutional, not violating the right to privacy, which, subject to reasonable exceptions, is envisaged as one of the vital rights under Article 21 of the Constitution of India.
It formulated a proportionality test to examine as to what constitutes violation of right to privacy, which is any law that is just, fair & reasonable, rather than adopting a strict scrutiny approach. The proportionality test proposes that the laws. The test includes 4 aspects of consideration:
- Legitimate goal: the measure inhibiting the right must have a legitimate goal.
- Rational nexus: the measure should be such that it meets the object sought to be achieved.
- Necessity: there must not be any less but equally effective alternative.
- Balancing: the measure must not have a disproportionate impact on the right holder, weighing the personal autonomy of an individual with the community interest.
The following provisions were held to be valid:
- The provision intended to provide government welfare schemes & beneficial services such as subsidies, etc from the Consolidated Funds of India under Section 7 of the Act, were to be held valid on the basis of proportionality test.
- The provision under Section 57 of the Act, allowing government entities, body corporates and private entities to use the Aadhaar number for publishing the identity of an individual for any purpose, pursuant to any law or contract, was held to be invalid. The term “any purpose” bestows an unreasonably wide ambit which is not limited by any criteria & is susceptible to abuse of power.
Secondly, the citizens may be compelled to give consent for using their Aadhaar numbers under “any contract”, in high probabilities exposing it for unjustified purposes. Thirdly, such compulsion to give their ‘free consent’ is likely to be commercially exploited, especially with the mandatory directions of the government of “Know-Your-Customer” (e-KYC) authentication requirements.
iii. The mandatory requirement of linking the PAN with the Aadhaar number for filing of IT returns was held to be valid, as it sought to achieve the legitimate objective of eliminating tax fraud & tax evasion, which cause loss to the exchequer, by eliminating the multiple identities used for this purpose.
- The mandatory requirement of linking bank accounts & phone numbers with Aadhaar numbers was held to be unconstitutional, as it failed the proportionality test, lacking any real, legitimate objective while constraining the privacy of individuals.
- It directed the central government to amend Section 33 of the Act, a ‘sensitive & dicey’ exception vulnerable to unwarranted & unmerited use, relating to the disclosure of identity information or authentication records for the purpose of national interest by a government officer being a Secretary, or by order of a judge of a district court. The 2019 amendment to the Act thus made the required changes: disclosure of information for the purpose of national interest shall be made by a person not below the rank of Joint Secretary & by an order not below that of a judge of a High Court.
- Under Section 47, cognizance of offences can be taken only on a complaint made by the authority or any officer or person authorised by it. The court thus directed an insertion by amending the procedure.
Contemporary Issues: Sub Judice
- The Hon’ble Supreme Court of India, in a landmark case which is described as a “watershed movement of online speech”, determined the constitutional validity of the controversial provisions of the IT Act.
- It struck down Section 66A, which proscribes the dissemination of offensive messages using computer resources or a communication device, on the ground that it fails the constitutional test under Article 19: it does not fit under the “reasonable restriction” of public order as a limit on the freedom of speech & expression. This provision is associated with Section 79, which obliges the intermediaries to “remove the offensive or objectionable content” & duly notify the appropriate governmental agency only upon “actual knowledge”.
- A failure to perform such duty, in the form of any connivance, abetment or neglect, would entail incrimination. However, the court upheld the constitutional validity of Section 69A, which acts as an armour for the government in the interest of the sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign states or public order, or for preventing incitement to the commission of any cognizable offence, observing that its ambit is reasonably narrow, resting on limited & genuine grounds of exigency.
- A recent petition questions the constitutional validity of linking social media accounts with Aadhaar numbers on various grounds, such as eliminating the spread of fake news, especially when it plays a crucial role in elections.
- Then there is a petition in the Hon’ble Supreme Court asking the court to define the role of the intermediaries under Section 69, IT Act, 2000. Two questions are presented to confront the government’s stand: whether intermediaries are obliged to decrypt the information in their possession, & whether the government can set up its own decryption agencies. Section 69 of the IT Act, 2000 provides for ‘all facilities & technical assistance’.
- The conundrum here is whether assistance amounts to an obligation to decrypt &, even if it does, whether companies such as WhatsApp & Facebook have the competency & wherewithal to conduct the decryption.
- Rule 2(g) of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 defines decryption as allowing access to the encrypted information to the extent possible, or facilitating the conversion of encrypted information into an intelligible form. Rule 13 states that the information requisitioned for decryption shall be limited to the extent that the information is encrypted or that the intermediary has control over the decryption key. Rule 17 provides for the decryption key or decryption assistance under the decryption direction.
- Hence, this is becoming a bone of contention, as by employing the golden rule of interpretation the intermediaries are required to provide mere decryption assistance & not, in fact, the “decrypted information.”
- Coming to the second issue, Rule 4 authorises any competent government agency to intercept, monitor or decrypt information; pursuant to it, the government has, by order of the Ministry of Home Affairs, authorised 10 security & intelligence agencies including the Research & Analysis Wing, Intelligence Bureau, National Intelligence Agency, Commissioner of Police, Delhi, etc. However, such power is subject to controls & restrictions. Rule 11 prescribes a period of only 60 days for interception, monitoring or decryption, which is extendable to a total period not exceeding 180 days.
- The electronic medium of authentication is a fairly new & dynamic mechanism providing convenience, utility, security from the intervention of third parties & genuineness of the identity of the user. Its birth is a result of developments in the technology era from the late 90’s, with major propulsion in the last 2 decades.
- The evolving times & the constant search for new solutions to contemporary issues through new inventions & innovations have surely given a boost to the creation & advancement of sophisticated apparatuses, but they pose a difficult challenge to the ‘personal freedom & autonomy’ of individuals, along with the creation of surveillance states, banking frauds, etc. These issues can’t be taken for granted & thus require a robust redressal framework.
- With the degree of volatility & the evolving nature of society, technological advancement has turned out to be a “necessary evil” at the risk of infringing the privacy of individuals. The government has proactively taken a step to ensure these rights by introducing the Personal Data Protection Bill, 2018 passed by the Lok Sabha, governing the government, companies incorporated in India, and foreign companies, & limiting them to specific & vital purposes only.
- Nevertheless, there is a constant tussle in balancing national interests vis-à-vis individual interests. Given, on the other hand, the argument for conducting surveillance subject to judicial review in order to weed out cyber-crimes, anti-national activities, incitement of war & other illegal acts, the role of a daring judiciary becomes quintessential in adjudicating this catch-22 situation.