Electronic Commerce Act

(Part VI TO XIII)

Earlier Sections 1 to 27

PART VII -- DUTIES OF CERTIFICATION AUTHORITIES

28. Trustworthy System
29. Disclosure by Certification Authorities
30. Issuing of Certificate
31. Representations upon Issuance of Certificate
32. Fiduciary Relationship
33. Financial Responsibility
34. Suspension of Certificate
35. Revocation of Certificate

PART VIII -- DUTIES OF SUBSCRIBERS

36. Generating a Key Pair
37. Obtaining a Certificate
38. Acceptance of Certificate
39. Control of Private Key
40. Initiating Suspension or Revocation

PART IX -- REGULATION OF CERTIFICATION AUTHORITIES AND REPOSITORIES

41. Appointment of Controller and Other Officers
42. Recognition of Foreign Certification Authorities
43. Recommended Reliance Limit
44. Liability Limits for Licensed Certification Authorities
45. Recognition of Repositories
46. Liability of Repositories

PART X -- GOVERNMENT USE OF ELECTRONIC RECORDS AND SIGNATURES

47. Acceptance of Electronic Filing and Issue of Documents

PART XI -- LIABILITY OF NETWORK SERVICE PROVIDERS

48. Liability of Network Service Providers

PART XII -- COMPUTER CRIME

49. Offenses
50. Penalties
51. Forfeiture

PART XIII -- GENERAL

52. Obligation of Confidentiality
53. Offense by Body Corporate
54. Controller May Give Directions For Compliance
55. Power to Investigate
56. Access to Computers and Data
57. Production of Documents, Data, Etc.
58. General Penalty
59. Sanction for Prosecution
60. Power to Exempt
61. Power of Central Government to make rules
62. Power to remove difficulties

PART VII -- DUTIES OF CERTIFICATION AUTHORITIES

28. Trustworthy System. Except as otherwise conspicuously set forth in its certification practice statement, a certification authority and a person maintaining a repository must:

(a) maintain and utilize trustworthy systems and operate in a trustworthy manner in performing its services;

(b) possess the reliability necessary for offering certification services;

(c) employ personnel which possess the expert knowledge, experience and qualifications necessary for the offered services;

(d) record and retain records of all relevant information concerning a certificate for an appropriate period of time, in particular to be able to provide evidence of certification in the context of a dispute or lawsuit; and

(e) publish all relevant information concerning the proper and secure use of certification services and established procedures for complaints and dispute resolution and settlement.

Source: UNCITRAL Draft Rules, Article 1.

Comments: Maintaining operations and performing services in a trustworthy manner is fundamental to the integrity of the certificate and digital signature process. This section recognizes that the degree of security should be determined according to a reasonableness standard in light of the factors set forth in the definition of trustworthy systems. This section also acknowledges that there may be situations in which persons desire to use certificates not created or maintained pursuant to trustworthy systems, such as for low cost, and allows them to do so as long as appropriate disclosure of that fact is clearly stated in the certification practice statement.

29. Disclosure by Certification Authorities.

(a) A certification authority shall disclose the following:

(i) its certificate that contains the public key corresponding to the private key used by that certification authority to digitally sign another certificate (defined for purposes of this section as a certification authority certificate);

(ii) any relevant certification practice statement;

(iii) notice of any revocation or suspension of its certification authority certificate; and

(iv) any other fact that materially and adversely affects either the reliability of a certificate that the authority has issued or the authority’s ability to perform its services.

(b) In the event of an occurrence that materially and adversely affects a certification authority’s trustworthy system or its certification authority certificate, the certification authority shall act in accordance with procedures governing such an occurrence specified in its certification practice statement or, in the absence of such procedures, use reasonable efforts to notify any person who is known to be or reasonably foreseeably will be affected by that occurrence.

Source: Singapore Electronic Transactions Act §28.

Comments: This section imposes a disclosure obligation upon a certification authority in order to facilitate the use of digital signatures.

30. Issuing of Certificate. A certification authority may issue a certificate to a prospective subscriber only after the certification authority has received a request for issuance from the prospective subscriber and

(a) if it has a certification practice statement, complied with all of the practices and procedures set forth in such certification practice statement including procedures regarding identification of the prospective subscriber; or

(b) in the absence of a certification practice statement addressing these issues, or if the parties involved have not entered into an agreement specifically providing otherwise, confirmed by itself or through an authorized agent that the following is the case:

(i) the prospective subscriber is the person to be listed in the certificate to be issued;

(ii) if the prospective subscriber is acting through one or more agents, the subscriber authorized the agent to have custody of the subscriber’s private key and to request issuance of a certificate listing the corresponding public key;

(iii) the information in the certificate to be issued is accurate;

(iv) the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;

(v) the prospective subscriber holds a private key capable of creating a digital signature; and

(vi) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.
Source: Singapore Electronic Transactions Act §29.

Comments: This section imposes only two requirements on the certification authority before issuing a certificate to be used for the purpose of verifying digital signatures: (1) a certificate can be issued only in response to a request from the prospective subscriber; and (2) the certification authority must comply with whatever certificate issuance practices it specifies in its certification practice statement. If a certification authority does not publish a certification practice statement, or enter into a contract with a relying party to address these issues, then Section 30(b) imposes a default standard for subscriber authentication.

The intent of this section is to allow certification authorities maximum flexibility in the efforts they undertake to verify subscriber identity, so long as the verification procedures that will be employed are clearly disclosed in advance.

31. Representations Upon Issuance of Certificate.

(a) By issuing a certificate, a certification authority represents, to any person who reasonably relies on the certificate or a digital signature verifiable by the public key listed in the certificate, that the certification authority has processed, approved and issued, and will manage and if necessary suspend or revoke the certificate, in accordance with any applicable certification practice statement incorporated by reference in the certificate, or of which the relying person has notice.

(b) In the absence of such a certification practice statement, the certification authority represents that it has confirmed the following:

(i) the certification authority has complied with all applicable requirements of this Act and other appropriate authority in issuing the certificate and, if the certification authority has published the certificate or otherwise made it available to such relying person, that the subscriber listed in the certificate has accepted it;

(ii) the subscriber identified in the certificate holds the private key corresponding to the public key listed in the certificate;

(iii) the certification authority has verified the identity of the subscriber to the extent stated in the certificate or its applicable certification practice statement or, in lieu thereof, that the certificate authority has reasonably verified the identity of the subscriber;

(iv) the subscriber’s public key and private key constitute a functioning key pair;

(v) all information in the certificate is accurate, unless the certification authority has stated in the certificate or incorporated by reference in the certificate a statement that the accuracy of specified information is not confirmed; and

(vi) that the certification authority has no knowledge of any material fact which if it had been included in the certificate would adversely affect the reliability of the representations in this section.

(c) Where there is an applicable certification practice statement which has been incorporated by reference in the certificate, or of which the relying person otherwise has notice, subsection (b) shall apply to the extent that the representations are not inconsistent with the certification practice statement.

(d) Certification authorities shall keep and maintain as current a publicly accessible electronic register of certificates issued, indicating the time when any individual certificate expires or when it was suspended or revoked.

(e) Notwithstanding subsection (a) through (d), if a certification authority issued the certificate subject to the laws of another jurisdiction, the certification authority makes all warranties and representations, if any, otherwise applicable under the law governing its issuance.

Source: UNCITRAL Draft Rules, Article 10.

Comments: This section recognizes that there will be varying types of certificates based on differing levels of identification and authentication of prospective subscribers, and thus provides that the only representations made are that it has issued the certificate in accordance with any applicable certification practice statement and any requirements or representations imposed by the law of the state or country under which the certificate was issued.

The reference to laws of another jurisdiction is intended to give relying parties the benefit of any statutory requirements relating to the issuance of the certificate that are imposed by the law of the state or country under which the certificate originally was issued.

32. Fiduciary Relationship.

(a) A certification authority is a fiduciary to a subscriber where a certification authority holds that subscriber’s private key or where provided by contract among the parties involved.

(b) A certification authority is not otherwise a fiduciary to a subscriber and is not a fiduciary to any relying party, except where otherwise expressly provided by contract or law.

Source: ABA Digital Signature Guidelines §2.4.

Comments: A certification authority typically provides services at arm’s length and does not create a special trusted relationship with its subscribers or relying parties, except where the certification authority holds the private key of a subscriber or where otherwise provided by agreement or law.

33. Financial Responsibility. A certification authority must have sufficient financial resources:

(a) to maintain its operations in conformity with its duties; and

(b) to be reasonably able to bear its risk of liability to subscribers and other relying parties relying on certificates issued by the certification authority and digital signatures verifiable by reference to public keys listed in such certificates.

Source: ABA Digital Signature Guidelines §3.3.

Comments: A certification authority’s overall risk of liability largely will be a function of (1) its success in implementing a trustworthy system and utilizing the services of competent, conscientious personnel, (2) the number of certificates outstanding, and (3) the amounts at stake in transactions in which issued certificates are used, all evaluated in light of any applicable limits upon legal liability and recommended reliance limits. The certification authority can manage factors (1) and (2), but can do little in most cases to manage its risk in regard to factor (3).

Financial responsibility may be assured through security arrangements such as surety bonds or standby letters of credit, or perhaps through liability insurance.

34. Suspension of Certificate.

(a) Unless the certification authority and the subscriber agree otherwise, the certification authority that issued a certificate shall suspend the certificate as soon as possible after receiving a request by a person whom the certification authority reasonably believes to be one of the following:

(i) the subscriber listed in the certificate;

(ii) a person duly authorized to act for that subscriber; or

(iii) a person acting on behalf of that subscriber, who is unavailable.

(b) Except as otherwise specifically provided in its certification practice statement, or unless the certification authority and the subscriber agree otherwise, a certification authority that issued a certificate shall suspend the certificate as soon as possible after confirmation by the certification authority that:

(A) a material fact represented in the certificate is false;

(B) a material requirement for issuance of the certificate was not satisfied;

(C) the certification authority’s private key or trustworthy system was compromised in a manner materially affecting the certificate’s reliability; or

(D) the subscriber’s private key has been compromised.

(c) Immediately upon suspension of a certificate by a certification authority, the certification authority shall notify the subscriber and relying parties in accordance with its certification practice statement or, in the absence of such statement, shall promptly notify the subscriber, promptly publish a signed notice of the suspension in the repository specified in the certificate for publication of notice of suspension, and otherwise disclose the fact of suspension on inquiry by any relying party. Where one or more repositories are specified, the certification authority shall publish signed notices of the suspension in all such repositories.

Source: UNCITRAL Draft Rules, Article 14.

Comments: A provision on suspension of certificates was added by the UN Working Group at its thirty-first session.

35. Revocation of Certificate

(a) Except as otherwise specifically provided in its certification practice statement, or unless the certification authority and the subscriber agree otherwise, a certification authority shall revoke a certificate that it issues upon the occurrence of the following:

(i) receiving a request for revocation by the subscriber named in the certificate, and confirming that the person requesting revocation is the subscriber or is an agent of the subscriber with authority to request the revocation;

(ii) receiving a certified copy of the subscriber’s death certificate, or upon confirming by other verifiable evidence that the subscriber is dead;

(iii) upon presentation of documents effecting a corporate dissolution of the subscriber or upon confirming by other verifiable evidence that the subscriber has been dissolved or has ceased to exist; or

(iv) confirmation by the certification authority that any of the following events has occurred, provided that no such revocation may be made until the subscriber has had a reasonable opportunity for a hearing:

(A) a material fact represented in the certificate is false;

(B) a material requirement for issuance of the certificate was not satisfied;

(C) the certification authority’s private key or trustworthy system was compromised in a manner materially affecting the certificate’s reliability; or

(D) the subscriber’s private key has been compromised.

(b) Upon effecting such a revocation, the certification authority shall immediately provide notice as follows:

(i) immediately upon revocation of a certificate by a certification authority, the certification authority shall promptly notify the subscriber listed in the revoked certificate (if not deceased, dissolved or ceased to exist) and any relying parties in accordance with its certification practice statement or, in the absence of such statement, shall promptly notify the subscriber, promptly publish a signed notice of the revocation in the repository specified in the certificate for publication of notice of revocation, and otherwise disclose the fact of revocation on inquiry by a relying party; and

(ii) where one or more repositories are specified, the certification authority shall publish signed notices of the revocation in all such repositories.
Source: UNCITRAL Draft Rules, Article 13.

Comments: This section and the preceding section set forth a default standard governing suspension and revocation of certificates.

PART VIII -- DUTIES OF SUBSCRIBERS

36. Generating a Key Pair.

(a) If the subscriber generates the key pair whose public key is to be listed in a certificate issued by a certification authority and accepted by the subscriber, the subscriber shall generate that key pair using a trustworthy system.

(b) This section shall not apply to a subscriber who generates the key pair using a system approved by the certification authority.

Source: Singapore Electronic Transactions Act §36.

37. Obtaining a Certificate. All material representations made by the subscriber to a certification authority for purposes of obtaining a certificate, including all information known to the subscriber and represented in the certificate, shall be accurate and complete to the best of the subscriber’s knowledge and belief, regardless of whether such representations are confirmed by the certification authority.

Source: Singapore Electronic Transactions Act §37.

Comments: This section sets forth the general obligation of the subscriber to provide accurate and complete information to a certification authority when seeking to obtain a certificate.

38. Acceptance of Certificate.

(a) A subscriber shall be deemed to have accepted a certificate if that subscriber:

(i) publishes or authorizes the publication of a certificate in one of the following ways:

(A) to one or more persons; or

(B) in a repository; or

(ii) otherwise demonstrates approval of a certificate while knowing or having notice of its contents.

(b) By accepting a certificate issued by a certification authority, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate as follows:

(i) that the subscriber rightfully holds the private key corresponding to the public key listed in the certificate;

(ii) that all material representations made by the subscriber to the certification authority and material to the information listed in the certificate are true; and

(iii) that all information in the certificate that is within the knowledge of the subscriber is true.

Source: Singapore Electronic Transactions Act §38.

Comments: Acceptance of a certificate by a subscriber may be expressed or implied, and can occur in a variety of ways. For example, acceptance can occur when the subscriber publishes the certificate in a repository or when the subscriber provides copies of the certificate to one or more persons. Factors to be considered in determining whether a subscriber has accepted a certificate include whether the subscriber has specifically requested issuance of the certificate; whether the subscriber has expressly approved the certificate, or not acknowledged it in any way; whether the subscriber has knowledge that the certificate is available to potential relying parties; the reasonableness of reliance upon the certificate; and the foreseeability of such reliance.

39. Control of Private Key.

(a) By accepting a certificate issued by a certification authority, the subscriber identified in the certificate assumes a duty to exercise reasonable care to retain control of the private key corresponding to the public key listed in such certificate and to prevent its disclosure to any person not authorized to create the subscriber’s digital signature.

(b) Such duty shall continue during the operational period of the certificate and during any period of suspension of the certificate.

Source: Singapore Electronic Transactions Act §39.

Comments: This section imposes a higher duty of care upon a subscriber than is currently imposed on the holder of a credit card, ATM card or other such item. Persons who intentionally or negligently disclose their private keys, with or without fraudulent intent, should be held to a higher standard than those responsible for an involuntary disclosure.

If a private key is compromised, and a certificate has been issued listing the corresponding public key, the appropriate corrective action is to revoke the certificate or to suspend the certificate without delay until revocation or other corrective action can be taken.

40. Initiating Suspension or Revocation. A subscriber who has accepted a certificate shall as soon as possible notify the issuing certification authority and request said authority to suspend or revoke the certificate if the private key corresponding to the public key listed in the certificate has been compromised.

Source: Singapore Electronic Transactions Act §40.

Comments: A fundamental premise underlying use of a digital signature is that the private key used to create the digital signature is under the control of the subscriber. Because of this, and the fact that a relying party has no ability to determine who actually used the private key to digitally sign an electronic record, this section imposes on the subscriber the obligation to take steps to revoke the certificate promptly in the event the private key is compromised.

PART IX -- REGULATION OF CERTIFICATION AUTHORITIES AND REPOSITORIES

41. Appointment of Controller and Other Officers

(a) The Central Government shall appoint a Controller of Certification Authorities for the purpose of this Act and, in particular, for the purposes of licensing, certifying, monitoring and overseeing the activities of certification authorities.

(b) The Controller may, after consultation with the Central Government, appoint such number of Deputy and Assistant Controllers of Certification Authorities and officers as the Controller considers necessary to exercise and perform all or any of the powers and duties of the Controller under this Act or rules made under this Act, except for the Controller’s power to direct compliance as set forth in Section 54 of this Act.

(c) The Controller, the Deputy and Assistant Controllers and officers appointed by the Controller under Section 41 shall exercise, discharge and perform the powers, duties and functions conferred on the Controller under this Act or any rules made under this Act, subject to such written directions as may be issued by the Central Government to the Controller and subject to Section 54 of this Act.

(d) The Controller shall maintain a publicly accessible database containing a certification authority disclosure record for each certification authority which shall contain all the particulars required under the rules made under this Act.

(e) The Controller may investigate complaints or other information indicating violations of rules adopted under this Act, and may refer for prosecution any suspected or alleged violations to the appropriate government agency.

(f) In the application of the provisions of this Act to certificates issued by the Controller and digital signatures verified by reference to those certificates, the Controller shall be deemed to be a certification authority.

(g) The Controller, the Deputy and Assistant Controllers and officers appointed by the Controller shall be deemed to be public servants for the purposes of the Penal Code.

(h) In exercising any of the powers under this Act, any officer appointed by the Controller shall on demand produce to the person against whom he is acting the authority issued to him by the Controller.

Source: Singapore Electronic Transactions Act §§41 and 50.

42. Recognition of Foreign Certification Authorities

(a) Certificates issued by a foreign certification authority, and signatures and records complying with the laws of another jurisdiction relating to digital or other electronic signatures, are recognized as legally equivalent to certificates issued by certification authorities operating under this Act, and to the signatures and records complying with this Act, if the laws of the other jurisdiction and the practices of the foreign certification authority require a level of reliability at least equivalent to that required for such certificates, records and signatures under this Act.

(b) Notwithstanding the preceding paragraph, the Controller and parties to commercial and other transactions may specify that a particular certification authority, class of certification authorities or class of certificates must be used in connection with messages or signatures submitted to them.

(c) The determination of equivalence described in subsection (a) may be made by a published determination of the Controller in the Official Gazette or through bilateral or multilateral agreement with other jurisdictions. The determination of equivalence shall be made with regard to the following factors:

(i) financial and human resources, including existence of assets within jurisdiction;

(ii) trustworthiness of hardware and software systems;

(iii) procedures for processing of certificates and applications for certificates and retention of records;

(iv) availability of information to subscribers identified in certificates and to potential relying parties;

(v) regularity and extent of audit by an independent body;

(vi) the existence of a declaration by the jurisdiction, an accreditation body or the certification authority regarding compliance with or existence of the foregoing;

(vii) susceptibility to the jurisdiction of the courts of the enacting jurisdiction; and

(viii) the degree of discrepancy between the law applicable to the liability of the certification authority and the law of the enacting jurisdiction.

Source: UNCITRAL Draft Rules, Chapter III, Article 19.

Comments: This section provides maximum flexibility to the Controller to determine which foreign regulatory schemes to recognize, and provides guidelines and criteria to be used in making that determination.

43. Recommended Reliance Limit

(a) A certification authority may, in issuing a certificate to a subscriber, specify a recommended reliance limit in the certificate.

(b) The certification authority may specify different limits in different certificates as it deems appropriate.

Source: Singapore Electronic Transactions Act §44.

Comments: This section provides maximum flexibility to the Controller in setting reliance limits for different certificates issued.

44. Liability Limits for Certification Authorities. Unless a certification authority expressly waives the application of this section, a certification authority shall not be liable for the following:

(a) For any loss caused by reliance on a false or forged digital signature of a subscriber if, with respect to the false or forged digital signature, the certification authority complied with the requirements of this Act and applicable regulations; and

(b) For an amount in excess of the amount specified in the certificate as its recommended reliance limit for either:

(i) a loss caused by reliance on a misrepresentation in the certificate of any fact that the certification authority is required to confirm; or

(ii) intentional or knowing failure to comply with any provisions of this Act in issuing the certificate, unless such failure to comply was done intentionally or knowingly.

Source: Singapore Electronic Transactions Act §45.

Comments: This section limits certification authorities’ potential exposure to liability in connection with any losses associated with the use of digital signatures. In particular, it eliminates liability in cases where a false or forged digital signature is executed and relied upon, notwithstanding the certification authorities’ compliance with the requirements of this Act.

45. Recognition of Repositories.

(a) The Controller may recognize one or more repositories after determining that a repository to be recognized satisfies the requirements prescribed in the regulations made under this Act.

(b) The Controller shall publish a list of recognized repositories in such form and manner as he may determine.

Source: Malaysia Digital Signature Act §68.

46. Liability of Repositories.

(a) Notwithstanding any disclaimer by the repository or any contract to the contrary between the repository and a certification authority or a subscriber, a repository shall be liable for a loss incurred by a person reasonably relying on a digital signature verified by the public key listed in a suspended or revoked certificate, if loss was incurred more than one business day after receipt by the repository of a request to publish notice of the suspension or revocation, and the repository had failed to publish the notice when the person relied on the digital signature.

(b) Unless waived, a recognized repository or the owner or operator of a recognized repository:

(i) shall not be liable for failure to record publication of a suspension or revocation, unless the repository has received notice of publication and one business day has elapsed since the notice was received;

(ii) shall not be liable under subsection (a) in excess of the amount specified in the certificate as the recommended reliance limit;
(iii) shall not be liable under subsection (a) for:

(A) punitive or exemplary damages; or

(B) damages for pain or suffering;

(iv) shall not be liable for misrepresentation in a certificate published by a certification authority;

(v) shall not be liable for accurately recording or reporting information which a certification authority, a court or the Controller has published as required or permitted under this Act, including information about the suspension or revocation of a certificate; and

(vi) shall not be liable for reporting information about a certification authority, a certificate or a subscriber, if such information is published as required or permitted under this Act or is published by order of the Controller in the exercise of his powers under this Act.

Source: Malaysia Digital Signature Act §69.

PART X -- GOVERNMENT USE OF ELECTRONIC RECORDS AND SIGNATURES

47. Acceptance of Electronic Filing and Issue of Documents.

(a) Any department or ministry of Central Government, State Government or a statutory corporation under Central or State Government that, pursuant to any enactment:

(i) accepts the filing of documents or requires that documents be created or retained;

(ii) issues any permit, license or approval; or

(iii) provides for the method and manner of payment, may, notwithstanding anything to the contrary in such enactment:

(A) accept the filing of such documents, or the creation or retention of such documents, in the form of electronic records;

(B) issue such permit, license or approval in the form of electronic records; or

(C) make such payment in electronic form.

(b) In any case where a department or ministry of Central Government, State Government or a statutory corporation under Central or State Government decides to perform any of the functions in subsection (a)(i), (ii), or (iii), such agency may specify:

(i) the manner and format in which such electronic records shall be filed, created, retained or issued;

(ii) where such electronic records are required to be signed, the type of electronic signature required (including, if applicable, a requirement that the sender use a secure electronic signature);

(iii) the manner and format in which such signature shall be affixed to the electronic record, and the identity of or criteria that shall be met by any certification authority used by the person filing the document;

(iv) control processes and procedures as appropriate to ensure adequate integrity, security and confidentiality of electronic records or payments; and

(v) any other required attributes for electronic records or payments that are currently specified for corresponding paper documents.

(c) Nothing in this Act shall by itself compel any department or ministry of the Central Government, State Government or a statutory corporation under Central or State Government to accept or issue any document in the form of electronic records.
 
Source: Singapore Electronic Transactions Act §47.

Comment: The section empowers the government to accept the electronic filing of documents. The section also allows a government entity to determine the procedures for filing information electronically. Note that this section does not require government entities to accept electronic filings.

PART XI -- LIABILITY OF NETWORK SERVICE PROVIDERS

48. Liability of Network Service Providers.

(a) A network service provider shall not be subject to any civil or criminal liability under any rule of law in respect of third party material in the form of electronic records to which such provider merely provides access if such liability is founded on:

(i) the making, publication, dissemination or distribution of such materials or any statement made in such material; or

(ii) the infringement of any rights subsisting in or in relation to such material.

(b) Nothing in this section shall affect:

(i) any obligation of the network service provider founded on principles of contract law;

(ii) the obligation of a network service provider as such under a licensing or other regulatory regime established under any enactment for the time being in force;

(iii) any obligation imposed under any enactment for the time being in force or by a court to remove, block or deny access to any material; or

(iv) the provisions of Section 52 of this Act.

(c) Nothing in clause (a) of this section shall render a network service provider immune from liability for any violation of law for the time being in force (including provisions of this Act) committed intentionally or knowingly.

Source: Singapore Electronic Transactions Act §10.

Comment: The protection afforded by this section is intended to encompass Internet access and service providers, as well as providers of online services and providers of telecommunications services necessary to access the Internet or other interactive computer services. The liability of network service providers has been extremely controversial in the United States and other countries. A statute enacted in the United States in 1996, the "Communications Decency Act," included language protecting providers of Internet access from liability as publishers for statements published online by system subscribers or other third parties. Although the portions of the Communications Decency Act governing indecent material were subsequently found unconstitutional by the United States Supreme Court, the provisions protecting access providers have been held, in several U.S. cases, to protect Internet service and access providers from liability for defamation based upon statements published online by service subscribers. In addition, several statutes currently pending in the United States would, under some circumstances, protect Internet service providers from contributory liability for copyright infringement based on third party activities. In protecting access providers from liability, the courts in the United States have cited the difficulty of screening transmissions on an interactive computer service, as well as the fear of inhibiting the development of Internet communications by imposing liability on network service providers for activities over which they have little control. These principles have been recognized in the international community as well. During the WIPO Diplomatic Convention to adopt new copyright treaties conducted in Geneva in 1996, draft provisions of the treaties that would have imposed liability on Internet service providers and other network operators were deleted from the final drafts of the treaties.
Of course, network service providers should not be immunized from intentional acts that are in violation of the law.

PART XII -- COMPUTER CRIME

49. Computer Crime. For the purpose of this Act, any person who commits any of the following acts is guilty of an offense of computer crime:

(a) Intentionally accesses, damages or conceals, or attempts to access, damage or conceal, temporarily or permanently, any computer data base, computer, information system or computer network, without permission from the owner, in order to either:

(i) wrongfully control, obtain, make use of or prevent others from deriving the benefits of money, property, data or electronic records;

(ii) copy or destroy any data or electronic records;

(iii) use or disrupt any functions of computers, computer networks or information systems; or

(iv) commit any act that is an offense under the Indian Penal Code.

(b) Knowingly, and with the intent to defraud, obtains or attempts to obtain any computer services by false representation, false statement or unauthorized charging to the account of another, by installing or tampering with any facilities or equipment, or by any other means.

(c) Intentionally or recklessly introduces or allows the introduction of any computer virus into any computer, computer system or computer network without permission of the owner.

Comments: This section provides for the enumeration of various acts that shall be considered computer crimes. Fundamental to the approach taken in this section is the recognition that the Indian Penal Code, 1860 already enumerates a wide variety of crimes that include acts committed through or in connection with computers. For example, the Indian Penal Code covers all acts of larceny, without any limitations regarding the means by which the larceny is committed. If the larceny takes the form of manually stealing goods from a store or stealing money from a remote bank account through use of a computer, the law treats either act as the same for purposes of classification as larceny. Thus, the fact that a crime is committed by computer does not limit the applicability of the Indian Penal Code in most instances. This section, therefore, does not attempt to identify all criminal acts involving computers, at least in instances where such acts already would be considered crimes under the Indian Penal Code. Instead, this section merely acknowledges that any act that is considered criminal under the Penal Code may also be called a computer crime when computers are involved.

In addition, this section specifies certain acts as computer crimes when the Indian Penal Code appears not to apply. In particular, the introduction of viruses into computers and the appropriation or disruption of computer services are unique to the computer environment and do not appear to be covered by the Penal Code. It can be argued that the use of fraud in obtaining computer services could be covered by the Penal Code; however, to the extent that intangible "goods" are being received or altered or the means of access to the services is through cyberspace, the applicability of the Penal Code is unclear. Similarly, although this section makes criminal the act of interfering with another’s rights to money or property, which if in a tangible form could be covered by the Penal Code, the advent of cybercash and digital property requires new computer crimes to be established. Additionally, the unauthorized copying, controlling or damaging of intangible goods (data, electronic records) appears to be beyond the scope of the Penal Code and, therefore, a provision regarding these acts has been incorporated into this section.

50. Penalties.

(a) Any person who commits the offense of computer crime as set forth in the provisions of Section 49(a) of this Act is punishable as follows:

(i) For the first offense that does not result in damage, by imprisonment up to 1 year or by a fine not to exceed Rs. 1,00,000 or both;

(ii) For second or subsequent offenses, or in cases where damage occurs, by imprisonment up to three years or by a fine up to Rs. 2,00,000, or by both, and if government or public property is injured, by imprisonment up to three years or by a fine up to Rs. 5,00,000 or both.

(b) Any person who commits an offense under Section 49(b) of this Act shall be punishable as follows:

(i) For the first offense which does not result in damage, and where the value of the computer services used does not exceed Rs. 10,000, by a fine not exceeding Rs. 1,00,000, or by imprisonment not exceeding one year, or by both.

(ii) For any offense which results in damage of an amount greater than Rs. 1,00,000 or in any damage, or if the value of the computer services used exceeds Rs. 10,000, or for any second or subsequent violation, by a fine not exceeding Rs. 2,00,000, or by imprisonment up to three years, or by both.

(c) Any person who commits an offense under Section 49(c) of this Act is punishable as follows:

(i) For a first offense which does not result in damage, an infraction punishable by a fine not exceeding Rs. 10,000.

(ii) For any offense which results in damage in an amount not greater than Rs. 50,000, or for a second or subsequent violation, by a fine not exceeding Rs. 1,00,000 or by imprisonment not exceeding one year, or by both.

(iii) For any offense which results in damage in an amount greater than Rs. 50,000, by a fine not exceeding Rs. 2,00,000, or by imprisonment up to three years, or by both.

(d) Notwithstanding anything contained in the Code of Criminal Procedure, 1973, all offenses under this Act shall be bailable, noncognizable, and triable exclusively by the Chief Metropolitan Magistrate, Additional Chief Metropolitan Magistrate, Chief Judicial Magistrate or Additional Chief Judicial Magistrate.

Comments: This section provides criminal penalties for the offenses enumerated in Section 49. Some leniency was provided in cases of first offenses where no damage occurred as a result of the criminal act. On the other hand, additional fines were imposed in cases where governmental or public property is damaged. As indicated in the commentary to Section 49, the Indian Penal Code already provides for penalties in the case of many criminal acts without regard to whether a computer is involved. Therefore, this section specifies that nothing in this Act should be construed to abrogate any penalties that may be applicable under the Penal Code.

51. Forfeiture.

(a) Any person who commits the offense of computer crime as set forth in Section 49 of this Act shall forfeit, according to the provisions of this section, any monies, profits or proceeds, and any interest or property which the sentencing court determines he has acquired or maintained, directly or indirectly, in whole or in part, as a result of such offense. Such person shall also forfeit any interest in, security, claim against or contractual right of any kind which affords him a source of influence over any enterprise which he has established, operated, controlled, conducted or participated in conducting, where his relationship to or connection with any such thing or activity directly or indirectly, in whole or in part, is traceable to any item or benefit which he has obtained or acquired through computer fraud.

(b) Any computer, computer system, computer network or any software or data, owned by such person, which is used during the commission of any public offense described in Section 49 or any computer, owned by the person, which is used as a repository for the storage of software or data illegally obtained in violation of Section 49 shall be subject to forfeiture under orders of the Court ordering his conviction.

Comments: This section provides for the forfeiture of any benefits derived by any criminal offender as a result of the commission of any computer crime, as well as the forfeiture of any computers or related apparatus used in the commission of such crime.

PART XIII -- GENERAL

52. Confidentiality.

(a) Obligation of Confidentiality.

(i) Except where compelled by any court of law or pursuant to any law for the time being in force, no certification authority, Controller or network service provider, or their respective agents or employees, that have obtained access to any material, shall disclose such material to any other person without the prior consent of the owner of such material, except in cases where such disclosure is being made for the purpose of protecting his interest or for such other purpose as may be prescribed.

(ii) Except where compelled by any court of law or pursuant to any law for the time being in force, no person who has obtained unauthorized access to any electronic record shall intentionally or knowingly disclose such record or its contents to any other person. The provisions of this section shall be without prejudice to any liability which such person may have incurred by reason of the unauthorized access.

(b) Penalty for Breach of Confidentiality.

(i) Any network service provider who intentionally, knowingly or negligently contravenes subsection (a) shall be (A) enjoined by a court from acting as a network service provider for a period not to exceed three (3) months, or (B) liable in damages sustained by the owner, such damages to amount to no less than Rs. 10,000, or (C) both.

(ii) Any person other than a network service provider who intentionally contravenes subsection (a) shall be guilty of an offense and shall be liable upon conviction to imprisonment not to exceed 6 months or fines not to exceed Rs. 50,000 or to both.

Explanation: In this section, "material" includes any electronic record, book, register, correspondence, information or document.

Source: Singapore Electronic Transactions Act §48.

Comments: This section protects the confidentiality of electronic records and related materials obtained pursuant to this Act, and provides for penalties in cases where confidentiality is breached.

53. Offense by Body Corporate. Where an offense under this Act or any rules made under this Act is committed by a body corporate and such offense is proved to have been committed with the consent or connivance of, or is proved to be attributable to, any act or default on the part of any director, manager, secretary or other similar officer of the body corporate, he as well as the body corporate, shall be guilty of that offense and shall be liable to be proceeded against and punished accordingly.
   

Source: Singapore Electronic Transactions Act §49.

Comments: This section provides for the criminal liability of corporations and their officers in cases where corporate officers contravene provisions of this Act.

54. Controller May Give Directions for Compliance.

(a) The Controller may direct, by notice in writing, a certification authority or any officer or employee thereof to take such measures or stop carrying on such activities as are specified in the notice, if such action is necessary to ensure compliance with the provisions of this Act or any rules made under this Act.

(b) Any person who fails to comply with any direction specified in a notice issued under subsection (a) shall be guilty of an offense and shall be liable on conviction to imprisonment for a term not exceeding 1 year or a fine not exceeding Rs. 1,00,000 or both.

Source: Singapore Electronic Transactions Act §51.

Comments: This section is designed to provide enforcement authority to the Controller over certification authorities and provide penalties in cases of noncompliance with issued orders.

55. Power to Investigate.

(a) The Controller or an authorized officer may investigate, pursuant to a written order issued by the Controller or the officer, the activities of a certification authority in relation to its compliance with this Act and any rules made under this Act.

(b) For the purposes of subsection (a), the Controller may in writing issue an order to a certification authority to further its investigation.

(c) The Controller or an authorized officer may make reasonable inquiry, pursuant to a written order, of any person reasonably believed to have relevant information in connection with the commission of any offense under this Act.

Source: Singapore Electronic Transactions Act §52.

Comments: This section provides power to the Controller to investigate the activities of certification authorities, essentially for the purpose of compliance auditing.

56. Access to Computers and Data. The Controller or an authorized officer shall:

(a) be entitled at any time reasonable under the circumstances to:

(i) have access to, inspect and check the operation of any information system and any associated apparatus or material which he has reasonable cause to suspect is or has been in use in connection with any offense under this Act;

(ii) use or cause to be used any such information system to search any data contained in or available to such information system; or

(b) be entitled to require:

(i) the person by whom or on whose behalf the Controller or authorized officer has reasonable cause to suspect the computer is or has been so used; or

(ii) any person having charge of, or otherwise concerned with the operation of, the computer, apparatus or material, to provide him with such reasonable technical and other assistance as he may require for the purposes of subsection (a).

Source: Singapore Electronic Transactions Act §53.

Comments: This section empowers the Controller or his agent to have access to and inspect any information system or associated apparatus that is reasonably suspected of having been used in connection with any offenses under this Act. Additionally, it requires technical cooperation from persons having charge of such information system or associated apparatus.

57. Production of Documents, Data, etc. The Controller shall, for the purposes of the implementation of this Act, have power to do all or any of the following:

(a) require, by a written order, the production of records, accounts, data and documents kept by a certification authority and to inspect, examine and copy any of them;

(b) require, by a written order, the production, from any person, of any document that reasonably relates to any offense under this Act or any regulations promulgated under this Act.

Source: Singapore Electronic Transactions Act §55.

Comments: This section empowers the Controller to request the production of documents for the purpose of auditing a certification authority for compliance, as well as for the purpose of making reasonable inquiry in connection with any offense under this Act.

58. General Penalty. Any person who (a) contravenes any provision of this Act or (b) fails to comply with any notice or written order lawfully issued under this Act, shall be guilty of an offense and, if no penalty is provided in this Act for such offense, shall be punished with imprisonment for a term not exceeding 6 months or a fine not exceeding Rs. 1,00,000 or both.

Source: Singapore Electronic Transactions Act §56.

Comments: This section provides for penalties in cases where no penalties otherwise have been provided in this Act or the Penal Code.

59. Sanction for prosecution. No prosecution in respect of any offense under this Act or any rule made under this Act shall be instituted except by or with the previous sanction of the Central Government.

Source: Singapore Electronic Transactions Act §57.

60. Power to Exempt. The Central Government may by notification published in the Official Gazette, exempt, in the public interest, any person or class of persons from all or any of the provisions of this Act or any rules made under this Act.

Source: Singapore Electronic Transactions Act §60.

Comments: This provision allows the Central Government to exempt persons from the Act in cases of public interest.

61. Power of Central Government to make rules.

(a) The Central Government may make rules, by notification in the Official Gazette, to carry out the purposes of this Act.

(b) Without prejudice to the generality of the power conferred by clause (a), the rules made thereunder may provide for all or any of the following matters:

(i) to define when a digital signature qualifies as a secure electronic signature consistent with the provisions of this Act;

(ii) to ensure the quality of repositories and the services they provide;

(iii) licensing of certification authorities and their authorized representatives and matters incidental thereto;

(iv) the activities of certification authorities, including the manner, method and place of soliciting business, and the conduct of such solicitation, if any;

(v) the standards to be maintained by certification authorities;

(vi) prescribing the appropriate standards with respect to the qualifications, experience and training of applicants for any certification authority or for their employees;

(vii) prescribing the conditions for the conduct of business by a certification authority;

(viii) providing for the content and distribution of written, printed or visual material and advertisements that may be distributed or used by a person in respect of a digital certificate or key;

(ix) prescribing the form and content of a digital certificate or key;

(x) prescribing the particulars to be recorded in, or in respect of, accounts kept by certification authorities;

(xi) providing for the appointment and remuneration of an auditor appointed under the regulations and for the costs of an audit carried out under the regulations;

(xii) providing for the establishment and regulation of any electronic system by a certification authority, whether by itself or in conjunction with other certification authorities, and for the imposition and modification of such requirements, conditions or restrictions as the Controller may deem appropriate;

(xiii) the manner in which a certification authority conducts its dealings with its customers, conflicts of interest involving the certification authority and its customers, and the duties of the certification authority to its customers with respect to digital certificates;

(xiv) prescribing any forms for the purposes of the rules; and

(xv) prescribing fees to be paid in respect of any matter or thing required for the purposes of this Act or the rules.

(c) Rules made under this section may provide that a contravention of a specified provision shall be an offense and may provide penalties not exceeding a fine of Rs. 50,000.

(d) Every rule made by the Central Government under this Act shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the rule or both Houses agree that the rule should not be made, the rule shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that rule.

(e) All rules made by the Central Government under this Act shall be published in the Official Gazette.

Source: Singapore Electronic Transactions Act §42.

Comments: This section authorizes the Central Government to adopt rules necessary and appropriate to implement the provisions of this Act. In drafting such rules, appropriate consideration should be given to the goal of this Act to be flexible and technologically neutral. Given the rapid pace at which technology develops, overly prescriptive rules are inappropriate. For example, a requirement that Certification Authorities’ employees receive training in the use of specific technologies may not be appropriate, and broader language that permits flexibility in training requirements based upon the available state of technology would be preferred.

In developing rules regarding when a digital signature qualifies as a secure electronic signature, due consideration should be given to making such rules as flexible and technologically neutral as possible in order to accommodate rapidly evolving digital signature technologies.

In developing rules regarding the quality of repositories and their services, due consideration should be given to ensuring that the repositories maintain secure and reliable record management systems. The ISO 9000 guidelines for quality management may be a useful guideline for establishing quality control procedures for repositories.

In developing rules for licensing Certification Authorities, care should be taken to avoid, where possible, imposing specific technical requirements upon applicants. Some key factors, however, that should be considered in licensing Certification Authorities are: the financial capabilities of the applicant, the familiarity of the applicant with digital signatures, the capabilities of the applicant to manage volumes of information (i.e., certificates and related information) effectively, and the integrity of the applicant as a potential fiduciary for subscribers.

In developing rules governing the activities of certification authorities, particularly in regard to solicitation of business, due regard should be given to the provisions in the Advocates Act, 1961 and the Medical Council Act, 1956 regarding solicitation by advocates and members of the medical profession. In general, rules governing the activities and conduct of business of certification authorities should require certification authorities to at all times engage in ethical conduct.

In developing rules governing the standards to be maintained by certification authorities, due consideration should be given to establishing quality control guidelines for all activities of such authorities. The ISO 9000 quality assurance guidelines may be a source of reference.

In developing rules for the content and distribution of materials that may be distributed by a person in respect of a digital certificate or key, due consideration should be given to the need for keeping private keys confidential.

In developing rules prescribing the form and content of a digital certificate or key, consideration should be given to providing flexibility for the use of a variety of available digital signature technologies.

In developing rules for the appointment and remuneration of an auditor, due consideration should be given to the qualifications of an auditor, including the auditor’s familiarity with digital signature technology and the need for keeping audited information confidential as appropriate.

In developing rules providing for the establishment and regulation of any electronic system by a certification authority, and for the imposition and modification of such requirements, conditions or restrictions as the Controller may deem appropriate, due consideration should be given to permitting maximum flexibility to the certification authorities so long as basic rules regarding the conduct of certification authorities are followed.

In developing rules prescribing the manner in which a certification authority conducts its dealings with customers, due consideration should be given to the fact that the certification authority will have a fiduciary duty to subscribers with respect to its retention of private keys.

Of course, in the development of other rules, the Central Government should consider those issues that it deems necessary and appropriate. An area in which additional rules may be appropriate relates to the development of licensing requirements for network service providers. 

62. Power to remove difficulties. If any difficulty arises in giving effect to the provisions of this Act, the Central Government may by an order published in the Official Gazette make such provisions as are necessary for the purpose of removing the difficulty. No such order shall be made after two years from the commencement of this Act.
