The digilocker beta project launched by the Government of India seems to be set to introduce a precedent which is ultra-vires the Information Technology Act 2000/8.
According to the information available the Digi Locker can be used to store important documents of the public such as marks cards, PAN cards etc in e-form. They can also be submitted to authorized Government departments for various services with an “e-sign” of the document owner.
The concept of e-sign which is proposed to be adopted by technologists advising the Government appears to be not in accordance with the provisions of the Indian Information Technology Act. According to the proposal, the public and private key pair for e-sign would be generated on the CA’s systems and not under the control of the signer. This would amount to a compromise of the Private Key ab-initio.
Further, use of the private key which is known to be compromised may be considered a contravention of ITA 2008.
This web based private key generation and storage is a procedure adopted by some foreign Certifying authorities and it appears that the technology is being recommended to the Indian Government. However, this system may seriously affect the “Non Repudiation” nature of the Indian digital signature system as we know today.
Once the system is used by a Government department, it would set a precedent which will be followed by other organisations also and hence the legal status of the entire digital signature mechanism will be adversely affected.
It would be preferable if the Government pauses to think before it leaps.