Digital Signatures under ITA 2008-A Blunder Repeated
Source for this article: http://www.naavi.org.
The Information Technology Act 2000 (ITA 2000) prescribed Digital Signatures, based on an asymmetric cryptosystem and a hash function, as the only form of authentication of an electronic record recognized as equivalent to a "signature" on paper.
When ITA 2000 was drafted, a major blunder crept into Section 35, sub-section (3), which made it mandatory for an applicant for a Digital Signature Certificate to enclose a "Certification Practice Statement" along with the application. Naavi.org pointed out this blunder immediately in the article "An Embarrassing Oversight? Or.?". It nevertheless took several years for this to be corrected, and then only by an executive notification dated September 12, 2002.
Even though a comprehensive amendment has now been passed, sub-sections 35(3) and 35(4) have still not been officially corrected, and the requirement that an applicant for a Digital Signature Certificate submit a Certification Practice Statement remains on the books, indicating gross negligence in the drafting of the Bill.
Now this blunder has been accompanied by more avoidable confusions.
When the Information Technology Amendment Bill 2006 was drafted on the basis of the recommendations of the so-called "Expert Committee", the committee took into consideration a demand from the technical community that the PKI-based system made the law dependent on a single authentication technology and that there was a need to make the law "technology neutral".
In response to this demand, the committee tried to define an umbrella category of "Electronic Signatures", of which "Digital Signature" would be one kind. This required replacing the word "Digital" with the word "Electronic" at several places in the Act. Accordingly, clause 2 of the Information Technology Amendment Bill 2006 proposed a list of amendments replacing the word "Digital" with the word "Electronic" wherever the principal Act referred to "Digital Signature".
However, somewhere along the line changes were made which now appear as anomalies in the legislation as passed.
When the Bill needed further amendments based on the Standing Committee report, instead of drafting a fresh amendment bill, the department drafted a bill called the "Information Technology Amendment Bill 2008" and introduced it in Parliament on December 15, 2008. This Bill made certain amendments to the then pending Information Technology Amendment Bill 2006 (introduced on December 15, 2006), including its name clause, so that the resulting Act was renamed from the Information Technology Amendment Act 2006 to the Information Technology Amendment Act 2008.
In this process of drafting an amendment bill to amend a pending bill which was itself to amend an Act in force, some serious mistakes have crept into the Act which is now law.
Instead of the earlier proposal to treat "Digital Signature" as one type within the umbrella category "Electronic Signature", the final draft introduced a new Section 3A to define "Electronic Signatures" and retained the earlier Section 3 on "Digital Signatures".
This has made "Electronic Signature" a concurrent alternative in law to "Digital Signature"; both may be used for authentication of electronic records.
As a result, the regulations governing Certifying Authorities also need to accommodate both Digital Signatures and Electronic Signatures. Either the current Certifying Authorities need to be licensed for "Electronic Signatures" as well, or there may be new Certifying Authorities that apply only to certify "Electronic Signatures" and do not offer any "Digital Signature" products.
The public should likewise be able to "affix a digital signature" and to "affix an electronic signature", as the case may be. They may acquire two different certificates, one for digital signatures and the other for electronic signatures, possibly from different Certifying Authorities.
The law therefore needs to accommodate all these situations. It appears that the drafting of the Bill has resulted in some confusion, whereby in some places digital signatures and electronic signatures are spoken of together and in other places separately. The treatment is inconsistent and gives rise to avoidable anomalies.
We shall see how the new Act addresses this issue.
The new Section 3A has been introduced to define "Electronic Signatures" while retaining the existing Section 3, which defines "Digital Signatures". The new section reads as follows:
Section 3A: Electronic Signature
(1) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which
(a) is considered reliable; and
(b) may be specified in the Second Schedule.
(2) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if
(a) the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and of no other person;
(b) the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person;
(c) any alteration to the electronic signature made after affixing such signature is detectable;
(d) any alteration to the information made after its authentication by electronic signature is detectable; and
(e) it fulfils such other conditions which may be prescribed.
(3) The Central Government may prescribe the procedure for the purpose of ascertaining whether electronic signature is that of the person by whom it is purported to have been affixed or authenticated.
(4) The Central Government may, by notification in the Official Gazette, add to or omit any electronic signature or electronic authentication technique and the procedure for affixing such signature from the Second Schedule;
Provided that no electronic signature or authentication technique shall be specified in the Second Schedule unless such signature or technique is reliable.
(5) Every notification issued under sub-section (4) shall be laid before each House of Parliament.
At present no system of electronic signature has been specified in the Second Schedule, and hence there is no change in the authentication mechanism under the Act. The present system of Digital Signatures will therefore continue for the time being as the only recognized method of authenticating an electronic record.
If the Government wishes to introduce a new system, it has to notify the relevant procedure, which it considers reliable, in the Official Gazette. The notification must also be laid before Parliament.
Obviously any such system must meet the minimum criteria of reliably binding the authentication of a record to the person who authenticates it, and of ensuring that if the record has been changed since it was signed, the alteration becomes detectable.
Given that the hash algorithms and asymmetric cryptosystems used in the current digital signature system are reviewed worldwide by cryptographers on a continuing basis, any alternative system should be held to similarly stringent standards.
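As an added illustration, not taken from the original article or from the Act, the following Go program shows how the hash-plus-asymmetric-key construction of the present digital signature system satisfies criteria (a), (c) and (d) of section 3A(2): the signature verifies only for the unaltered record, the unaltered signature, and the signer's own key. The key pairs, the sample record and the helper names are assumptions made for the example; a real Digital Signature Certificate would bind the public key to the subscriber through a licensed Certifying Authority, which this example does not model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// CheckResult records whether verification succeeded in each scenario.
type CheckResult struct {
	Genuine          bool // original record, original signature, signer's key
	AlteredRecord    bool // record changed after signing (criterion 3A(2)(d))
	AlteredSignature bool // signature changed after affixing (criterion 3A(2)(c))
	WrongKey         bool // checked against another person's key (criterion 3A(2)(a))
}

// signRecord hashes the record with SHA-256 and signs the digest with the
// subscriber's private key; the result is a DER-encoded ECDSA signature.
// (Hypothetical helper written for this example.)
func signRecord(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyRecord recomputes the digest and checks the signature against the
// public key that a Digital Signature Certificate would carry.
func verifyRecord(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// RunChecks signs a constructed sample record and then exercises the
// reliability criteria of section 3A(2) by verifying the genuine pair
// and three tampered or mismatched variants.
func RunChecks() (CheckResult, error) {
	var r CheckResult

	// Constructed sample: a hypothetical subscriber and a hypothetical
	// "other person" whose key must not validate the subscriber's signature.
	subscriber, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}

	// Constructed sample electronic record (not from the article).
	record := []byte("Sample electronic record: pay INR 1,000 to account 12345")
	sig, err := signRecord(subscriber, record)
	if err != nil {
		return r, err
	}

	// Genuine record and signature, checked against the signer's key.
	r.Genuine = verifyRecord(&subscriber.PublicKey, record, sig)

	// 3A(2)(d): alter one byte of the record after signing.
	altered := append([]byte(nil), record...)
	altered[len(altered)-1] ^= 0x01 // account "12345" becomes "12344"
	r.AlteredRecord = verifyRecord(&subscriber.PublicKey, altered, sig)

	// 3A(2)(c): alter one byte of the signature after affixing it.
	badSig := append([]byte(nil), sig...)
	badSig[len(badSig)-1] ^= 0xFF
	r.AlteredSignature = verifyRecord(&subscriber.PublicKey, record, badSig)

	// 3A(2)(a): the signature must be linked to the signatory and no other
	// person, so a different key pair must reject it.
	r.WrongKey = verifyRecord(&other.PublicKey, record, sig)

	return r, nil
}

func main() {
	r, err := RunChecks()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine signature verifies:   %v\n", r.Genuine)
	fmt.Printf("altered record detected:      %v\n", !r.AlteredRecord)
	fmt.Printf("altered signature detected:   %v\n", !r.AlteredSignature)
	fmt.Printf("other person's key rejected:  %v\n", !r.WrongKey)
}
```

Criterion (b), that the signature creation data were under the control of the signatory alone at the time of signing, is not something code can demonstrate; it depends on how the private key is stored and who can use it, which is exactly what the licensing and certification regime around Certifying Authorities is meant to assure.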
In other words, if any technical solution is to be considered as a concurrent alternative to the present PKI-based system, it must be put through extensive testing not only within India but also internationally.
Additionally, the system would have to be licensed in a manner similar to the present licensing of Certifying Authorities. We may therefore see either the current Certifying Authorities (CAs) themselves introducing new systems, or exclusive "Electronic Signature Certifying Authorities" seeking licences from the Government and functioning alongside the current "Digital Signature Certifying Authorities".
It is therefore expected that in the near future the digital signature system will continue to be the sole system of authentication recognized by Indian law.
The need for the "Digital Signature" system to continue for the time being makes the following blunders a serious legal lacuna.
In Section 2(d) of the new Act, now there is a definition of "Affixing of an Electronic Signature" as follows:
"Affixing Electronic Signature" with its grammatical variations and cognate expressions means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of Electronic Signature;
There is, however, no corresponding definition of what is meant by "Affixing a Digital Signature".
Fortunately the definitions of "Digital Signature" and "Digital Signature Certificate" remain under Sections 2(p) and 2(q), while definitions of "Electronic Signature" and "Electronic Signature Certificate" have been added under Sections 2(ta) and 2(tb).
In Sections 2(ta) and 2(tb), "Electronic Signature" and "Electronic Signature Certificate" are defined as "includes Digital Signature" and "includes Digital Signature Certificate" respectively. Obviously this does not mean that the two are the same; rather, the system used for digital signatures is treated as "reliable" within the meaning of Section 3A of the new Act.
As a result of the inclusion of digital signatures in 2(ta) and 2(tb), regulations regarding Certifying Authorities that refer to "Electronic Signatures" will apply to Digital Signatures. However, regulations meant for "Digital Signatures" will not all apply to Electronic Signatures and their issuers.
Sections 37, 38 and 39 meant for suspension and revocation of Digital signatures will not automatically apply for Electronic signatures.
While Section 40A specifically provides for an intended amendment when Electronic Signatures become a reality, corresponding new Sections 37A, 38A and 39A would also be required in such an event. Additionally, many more sections that mention only "Digital Signature" would need to be supported by parallel sections for Electronic Signatures. In particular, Section 21, which deals with the licensing of Certifying Authorities, itself needs to be supported by a corresponding section for Electronic Signatures.
Therefore, as and when procedures for Electronic Signatures are introduced, several sections will need to be changed. This will amount to another major amendment of the Act.
Some of these difficulties could have been avoided by replacing the words "Digital Signature" with "Digital Signature and Electronic Signature, where relevant" in clause 2 of the IT Amendment Bill 2006. In hindsight, even the clubbing of the terms "Digital Signature" and "Electronic Signature" under Sections 2(ta) and 2(tb) appears to have been avoidable.
The law could simply have enabled an alternative to Digital Signatures and left the other provisions to be added as and when a new system of Electronic Signature came up for consideration. At this point in time we do not know what kind of systems can substitute for or work alongside Digital Signatures, nor what changes to the law would be required to accommodate them.
The legal confusion this creates may also affect interpretation under the Indian Evidence Act, and we may see interesting battles of interpretation that confuse and confound legal and judicial officers in the courts. Had the final draft of the Bill been debated in public for some time rather than being hurriedly pushed through Parliament, perhaps some of this confusion could have been avoided.