The Information Technology Act 2000 (ITA 2000) prescribed Digital
     Signatures, based on an Asymmetric Crypto system and Hash system, as the only
     acceptable form of authentication of electronic documents recognized as
     equivalent to "Signatures" in paper form.
     
     When ITA 2000 was drafted, there was a major blunder in the drafting
     of Section 35 subsection (3), which made it mandatory for an applicant of a
     digital signature certificate to enclose a "Certification Practice
     Statement" along with his application. Naavi.org had pointed out this
     blunder immediately in the article "An Embarrassing Oversight? Or…?".
     
     
     It however took several years to correct this, through a notification by an
     executive order dated September 12, 2002.
     
     Though there has now been a comprehensive amendment, subsections 35(3) and
     35(4) have not been officially corrected, and the need for submission of a
     Certification Practice Statement by a digital signature certificate
     applicant remains on the books, indicating gross negligence in the
     drafting of the Bill.

     Now this blunder has been accompanied by more avoidable confusions.
     
     When the Information Technology Amendment Bill 2006 was drafted on the
     basis of the recommendations of the so-called "Expert Committee", the
     committee took into consideration a demand from the technical community:
     that the PKI based system made the law dependent on a single authentication
     technology, and that there was a need to make the law "Technology Neutral".
     
     In response to this demand, the committee tried to define an umbrella
     system of "Electronic Signatures", of which "Digital Signature" was one
     kind. This required replacement of the word "Digital" with the word
     "Electronic" at several places in the Act. Taking this into consideration,
     clause 2 of the Information Technology Amendment Bill 2006 proposed a list
     of amendments to replace the word "Digital" with the word "Electronic" at
     several places in the principal Act where a reference to "Digital
     Signature" had been made.
     
     However, somewhere along the line, some changes were made which are
     now appearing as anomalies in the legislation passed.
     
     When the Bill needed further amendments based on the Standing Committee
     report, instead of drafting a new amendment bill, the department drafted a
     bill called "Information Technology Amendment Bill 2008" and introduced it
     in the Parliament on December 15, 2008. This Bill made certain amendments
     to the then pending Information Technology Amendment Bill 2006 (introduced
     on December 15, 2006), including to the name clause: the name of the
     resulting Act, as given in the Bill introduced on December 15, 2006, was
     changed from Information Technology Amendment Act 2006 to Information
     Technology Amendment Act 2008.
     
     In this process of drafting an amendment bill for amending a pending bill 
     which was to amend a prevalent act, some serious mistakes have crept into 
     the Act which is now a law.
     
     Instead of the earlier proposal to treat "Digital Signature" as one
     type under the umbrella kind "Electronic Signature", the current draft
     introduced a new section 3A to define "Electronic Signatures" and retained
     the earlier section 3 on "Digital Signatures".
     
     This has made "Electronic Signature" a concurrent alternative proposed by 
     law to "Digital Signature" and both could be used for authentication of 
     electronic documents.
     
     As a result, the Certifying Authorities regulations also need to
     accommodate both "Digital Signature" and "Electronic Signature".
     Either the current Certifying Authorities need to be licensed for
     "Electronic Signatures" also, or there may be new Certifying Authorities who
     apply only for being Certifying Authorities for "Electronic Signatures" and
     do not opt for having any "Digital Signature Products".
     
     The public should also be able to "Affix digital signature" and also "Affix
     electronic signature" as the case may be. They can acquire two different
     certificates, one for digital signature and the other for electronic
     signature, and these may be from different Certifying Authorities.
     
     The law therefore needs to accommodate all these provisions. It appears
     that the drafting of the bill has resulted in some confusion, whereby in
     some places digital signatures and electronic signatures are spoken of
     together and in some places differently. The treatment is inconsistent and
     gives rise to avoidable anomalies.
     
     We shall see how the new Act addresses this issue.
     
     The new section 3A has been introduced to define "Electronic
     Signatures", retaining the existing Section 3 which defines "Digital
     Signatures". This section states as follows:
     
     
     
     Section 3A: Electronic Signature

     (1) Notwithstanding anything contained in section 3, but subject to
     the provisions of sub-section (2), a subscriber may authenticate any
     electronic record by such electronic signature or electronic authentication

         (a) is considered reliable; and
         (b) may be specified in the Second Schedule

     (2) For the purposes of this section any electronic signature or
     electronic authentication technique shall be considered reliable if-

         (a) the signature creation data or the
         authentication data are, within the context in which they are used,
         linked to the signatory or, as the case may be, the authenticator and
         of no other person;
         (b) the signature creation data or the
         authentication data were, at the time of signing, under the control of
         the signatory or, as the case may be, the authenticator and of no other
         person;
         (c) any alteration to the electronic signature made
         after affixing such signature is detectable
         (d) any alteration to the information made after its
         authentication by electronic signature is detectable; and
         (e) it fulfills such other conditions which may be
         prescribed.

     (3) The Central Government may prescribe the procedure
     for the purpose of ascertaining whether electronic signature is that of
     the person by whom it is purported to have been affixed or authenticated

     (4) The Central Government may, by notification in the
     Official Gazette, add to or omit any electronic signature or electronic
     authentication technique and the procedure for affixing such signature
     from the second schedule;

         Provided that no electronic signature or
         authentication technique shall be specified in the Second Schedule
         unless such signature or technique is reliable

     (5) Every notification issued under
     sub-section (4) shall be laid before each House of Parliament
     
     
      
       At present no system of electronic signature has been 
       defined in the second schedule and hence there is no change in the 
       authentication mechanism under the Act. The present system of Digital 
       Signatures will therefore continue for the time being and will be the only method of 
       authentication of an electronic document.
     
       In case the Government needs to introduce a new 
       system, it has to notify through the Official Gazette the relevant 
       procedure which is considered reliable. This would also require the 
       notification to be placed before the Parliament. 
     
       Obviously the system should meet the minimum criteria
       of effectively attributing a document to the person who authenticates
       it, and should also ensure that if the document has been changed
       since it was signed, such alteration becomes noticeable.
     
       If we go by the reliability of the Hash algorithms and
       the asymmetric cryptosystems used for the current digital signature
       system, which are reviewed worldwide by mathematicians on a regular
       basis, any alternative system should also meet similarly stringent
       standards.
     
       In other words, if any technical solution is to be
       considered as a concurrent alternative to the present PKI based
       system, then that system has to be put to extensive tests not only
       within India but also in global circles.
     
       Additionally, the system has to be licensed in a
       manner similar to the manner of licensing Certifying Authorities at
       present. We may therefore see either the current Certifying Authorities
       (CAs) themselves introducing new systems, or exclusive "Electronic
       Signature Certifying Authorities" who may seek a license from the
       Government and function along with the current "Digital Signature
       Certifying Authorities".
     
       It is therefore considered that in the near future, 
       the digital signature system will continue to be the sole system of authentication 
       that would be recognized by Indian law.
     
       The need for "Digital Signature system" to continue 
       for the time being makes the following blunders a serious legal lacuna.
     
       Section 2(d) of the new Act now contains a
       definition of "Affixing of an Electronic Signature", as follows:

       "Affixing Electronic Signature" with its
       grammatical variations and cognate expressions means adoption of any
       methodology or procedure by a person for the purpose of authenticating
       an electronic record by means of Electronic Signature;
     
     There is however no corresponding definition of what is
     meant by "Affixing of a Digital Signature".

     Fortunately the definitions of "Digital Signature" and
     "Digital Signature Certificate" remain under Sections 2(p) and 2(q),
     while the definitions of "Electronic Signature" and "Electronic Signature
     Certificate" have been added under Sections 2(ta) and 2(tb).

     In Sections 2(ta) and 2(tb), the definition of
     "Electronic Signature" and "Electronic Signature Certificate" is given as
     "includes Digital Signature" or "Digital Signature Certificate".
     Obviously, this does not mean that the two are the same, but that the
     system used in digital signatures is considered "Reliable" as per
     Section 3A of the new Act.

     As a result of the inclusion of digital signature in
     2(ta) and 2(tb), the regulations regarding Certifying
     Authorities mentioning "Electronic Signatures" will be applicable to
     Digital Signatures. However, regulations meant for "Digital Signatures" may
     not all be applicable to Electronic Signatures and their issuers.

     Sections 37, 38 and 39, meant for suspension and
     revocation of Digital Signatures, will not automatically apply to
     Electronic Signatures.

     While Section 40A specifically speaks of an intended
     amendment when Electronic Signature becomes a reality, similar new sections
     37A, 38A and 39A would also be required in such an event. Additionally, many
     more sections where only "Digital Signature" has been mentioned need to be
     supported by additional sections for Electronic Signatures. In particular,
     Section 21, which talks of licensing of Certifying Authorities, itself needs
     to be supported with a corresponding section for Electronic Signatures.

     Therefore, as and when procedures for Electronic
     Signatures are introduced, several sections need to undergo changes. This
     will be another major amendment to the Act.

     Some of these difficulties could have been avoided by
     replacing the words "Digital Signature" with the words "Digital Signature and
     Electronic Signature where relevant" in clause 2 of the IT Amendment Bill
     2006.

     Now it appears that perhaps the clubbing of the
     terms "Digital Signature" and "Electronic Signature" under Sections 2(ta)
     and 2(tb) was itself avoidable.

     The law could have just
     enabled an alternative to Digital Signatures and left other
     things to be added as and when any new system of Electronic Signature comes
     up for consideration. At this point of time we do not know what kind of
     systems can substitute or work along with Digital Signatures and what kind
     of changes would be required in the law to accommodate them.

     The legal confusions these create may also
     affect interpretations of the Indian Evidence Act, and we will have
     interesting battles of interpretation that will confuse and confound Legal
     and Judicial officers in Courts. If the final draft of the Bill had been
     debated in public space for some time rather than being hurriedly pushed
     through the Parliament, perhaps some of these confusions could have been
     avoided.
     
     
     Naavi
     
     January 19, 2009
 
 