Unit 5
Security and legal aspects of ecommerce
Ecommerce faces threats related to security, online payment, data leakage, duplication, etc. The main threats suffered by ecommerce are:
- Financial frauds: Various kinds of financial fraud are prevalent in the ecommerce industry, such as credit card fraud, debit card fraud, and fake refund and return fraud, in which details of credit cards, debit cards, etc. are stolen.
- E-skimming: E-skimming is the theft by attackers of customers' personal information such as credit and debit card details and account details. It is a significant security risk for ecommerce customers and a threat to ecommerce websites.
- Spamming: Attackers send infected links via email or social media inboxes, or leave links in comments or messages on blog posts and contact forms. Once the user clicks on such a link, it directs the user to the attacker's spam website.
- DoS (denial of service) and DDoS (distributed denial of service) attacks: In a DoS attack, an attacker prevents users from accessing information or services. In a DDoS attack, the attacker uses other computers to attack the target computer. Ecommerce websites suffer losses due to DoS and DDoS attacks.
- Malware: Attackers design malicious software and install it on the computer systems of customers, administrators and other users without their knowledge. These programs can steal any sensitive data present on the infected systems and may also infect your website.
- Bots: Competitors sometimes develop special bots that scrape a website for information about inventory and prices, which is then used to lower the prices on their own websites in an attempt to reduce your sales and revenue.
- Phishing: Attackers send emails to customers to trick them into revealing sensitive information, by presenting a fake copy of a legitimate website or anything else that leads the customer to believe the request is coming from the business.
- Brute force attacks: Attackers target the admin panel of an ecommerce website to discover its password by brute force. They use programs that connect to the website and try every possible combination until the password is cracked.
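A defender's view of the last threat above: brute-force attempts against an admin panel leave a trail of failed logins from one source in a short time, and that pattern can be detected from the login log. The following program is an added example written for this unit, not code from the original text. It assumes a hypothetical log format of "<RFC3339 time> <client IP> <username> <result>" and uses constructed sample lines; the threshold (5 failures within 60 seconds) is an assumed tuning value.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// LoginEvent is one parsed line of the (hypothetical) admin-panel login log.
type LoginEvent struct {
	When   time.Time
	IP     string
	User   string
	Result string // "ok" or "fail"
}

// ParseLoginLog parses the assumed "<time> <ip> <user> <result>" format.
// Malformed lines are skipped rather than aborting the whole scan.
func ParseLoginLog(raw string) []LoginEvent {
	var events []LoginEvent
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		events = append(events, LoginEvent{When: t, IP: f[1], User: f[2], Result: f[3]})
	}
	return events
}

// BruteForceSources returns every IP that produced at least `threshold`
// failed logins inside a sliding window of length `window`. Events are
// expected in time order, as lines in a log file normally are.
func BruteForceSources(events []LoginEvent, threshold int, window time.Duration) []string {
	recentFails := map[string][]time.Time{} // per-IP failures still inside the window
	flagged := map[string]bool{}
	var out []string
	for _, e := range events {
		if e.Result != "fail" {
			continue
		}
		q := append(recentFails[e.IP], e.When)
		// Drop failures that have aged out of the window.
		for len(q) > 0 && e.When.Sub(q[0]) > window {
			q = q[1:]
		}
		recentFails[e.IP] = q
		if len(q) >= threshold && !flagged[e.IP] {
			flagged[e.IP] = true
			out = append(out, e.IP)
		}
	}
	return out
}

// SampleLog is constructed sample data: one source hammering the admin
// login, one legitimate admin with a single typo, and one slow, sparse
// set of failures that should not trigger the rule.
const SampleLog = `2024-01-15T10:00:01Z 203.0.113.7 admin fail
2024-01-15T10:00:02Z 203.0.113.7 admin fail
2024-01-15T10:00:03Z 203.0.113.7 admin fail
2024-01-15T10:00:04Z 203.0.113.7 admin fail
2024-01-15T10:00:05Z 203.0.113.7 admin fail
2024-01-15T10:00:06Z 203.0.113.7 admin fail
2024-01-15T10:00:30Z 198.51.100.4 admin fail
2024-01-15T10:00:45Z 198.51.100.4 admin ok
2024-01-15T10:20:00Z 192.0.2.9 shopmgr fail
2024-01-15T10:25:00Z 192.0.2.9 shopmgr fail`

func main() {
	events := ParseLoginLog(SampleLog)
	for _, ip := range BruteForceSources(events, 5, 60*time.Second) {
		fmt.Printf("possible brute force against admin panel from %s\n", ip)
	}
}
```

The sliding window matters: a threshold on total failures would eventually flag the legitimate administrator or the slow source at 192.0.2.9, while a window keeps the rule focused on the burst behaviour that password-guessing tools produce. The usual responses are temporary lockout or rate limiting of the source, alongside multi-factor authentication on the admin panel so that a guessed password alone is not enough.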
Key takeaways: Threats in ecommerce include financial frauds, e-skimming, spamming, DoS/DDoS attacks, malware, bots, phishing and brute force attacks.
Security service providers protect ecommerce businesses by securing their computers and websites against attackers. A Managed Security Service Provider (MSSP) provides all kinds of security protection against attackers. The significance of an MSSP in this regard is:
- Core services: 24-hour monitoring for threats, firewall management, patch management, security audits and incident response.
- On-site consulting: integration with other products, support after an attack and emergency incident response.
- Perimeter management of the client's network: firewall management and detection of threats to hardware and software.
- Managed security monitoring: continuous monitoring of the network for threats.
- Penetration testing and vulnerability assessments: scanning applications and attempting to break into them so that any vulnerabilities present are found before an attacker finds them.
- Compliance monitoring: keeping logs of changes in the system that may violate the security policies.
Relevant provisions of the Information Technology Act, 2000
The provisions of the Act relevant to ecommerce are:
Legal recognition of electronic records (section 4)
Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is–
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference.
Legal recognition of electronic signatures (section 5)
Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document shall be signed or bear the signature of any person, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of electronic signature affixed in such manner as may be prescribed by the Central Government.
Use of electronic records and electronic signatures in Government and its agencies (section 6)
(1) Where any law provides for—
(a) the filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner;
(b) the issue or grant of any licence, permit, sanction or approval by whatever name called in a particular manner;
(c) the receipt or payment of money in a particular manner,
then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government.
(2) The appropriate Government may, for the purposes of sub-section (1), by rules, prescribe—
(a) the manner and format in which such electronic records shall be filed, created or issued;
(b) the manner or method of payment of any fee or charges for filing, creation or issue of any electronic record under clause (a).
Delivery of services by service provider (section 6A)
(1) The appropriate Government may for efficient delivery of services to the public through electronic means authorise, by order, any service provider to set up, maintain and upgrade the computerised facilities and perform such other services as it may specify, by notification in the Official Gazette.
(2) The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate such service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.
(3) Subject to the provisions of sub-section (2), the appropriate Government may authorise the service providers to collect, retain and appropriate service charges under this section notwithstanding the fact that there is no express provision under the Act, rule, regulation or notification under which the service is provided to collect, retain and appropriate e-service charges by the service providers.
(4) The appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section:
Provided that the appropriate Government may specify different scale of service charges for different types of services.
Offences
The provisions related to offences under the IT Act, 2000 are:
Tampering with computer source documents (Sec 65)
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy, or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Computer related offences (section 66)
If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.
Punishment for sending offensive messages through communication service, etc. (section 66A)
Any person who sends, by means of a computer resource or a communication device,–
(a) any information that is grossly offensive or has menacing character; or
(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device;
(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable with imprisonment for a term which may extend to three years and with fine.
Note that section 66A was struck down as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India (2015), so it is no longer enforceable.
Punishment for dishonestly receiving stolen computer resource or communication device (section 66B)
Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.
Punishment for identity theft (section 66C)
Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.
Punishment for cheating by personation by using computer resource (section 66D)
Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.
Punishment for violation of privacy (section 66E)
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.
Punishment for cyber terrorism (section 66F)
(1) Whoever,–
(A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by–
(i) denying or cause the denial of access to any person authorised to access computer resource; or
(ii) attempting to penetrate or access a computer resource without authorisation or exceeding authorised access; or
(iii) introducing or causing to introduce any computer contaminant,
and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70; or
(B) knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer data base that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer data base, with reasons to believe that such information, data or computer data base so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.
(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.
Secure electronic records and digital signatures
The provisions related to secure electronic records and digital signatures are:
Secure electronic record (section 14)
Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.
Secure electronic signature (section 15)
An electronic signature shall be deemed to be a secure electronic signature if—
(i) the signature creation data, at the time of affixing signature, was under the exclusive control of signatory and no other person; and
(ii) the signature creation data was stored and affixed in such exclusive manner as may be prescribed.
Authentication of electronic records (section 3)
(1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his digital signature.
(2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
Explanation: For the purposes of this sub-section, "hash function" means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as "hash result" such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible–
(a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
(b) that two electronic records can produce the same hash result using the algorithm.
(3) Any person by the use of a public key of the subscriber can verify the electronic record.
(4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.
Electronic signature (section 3A)
(1) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which—
(a) is considered reliable; and
(b) may be specified in the Second Schedule.
(2) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if—
(a) the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and to no other person;
(b) the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person;
(c) any alteration to the electronic signature made after affixing such signature is detectable;
(d) any alteration to the information made after its authentication by electronic signature is detectable; and
(e) it fulfils such other conditions which may be prescribed.
(3) The Central Government may prescribe the procedure for the purpose of ascertaining whether electronic signature is that of the person by whom it is purported to have been affixed or authenticated.
(4) The Central Government may, by notification in the Official Gazette, add to or omit any electronic signature or electronic authentication technique and the procedure for affixing such signature from the Second Schedule:
Provided that no electronic signature or authentication technique shall be specified in the Second Schedule unless such signature or technique is reliable.
(5) Every notification issued under sub-section (4) shall be laid before each House of Parliament.
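Sections 3, 3A and 15 above describe the mechanism in legal language: a hash function reduces the record to a hash result, the subscriber's private key (the signature creation data, which must be under the signatory's exclusive control) signs that hash result, and anyone holding the public key can verify it, with any alteration after signing being detectable. The program below is an added example written for this unit, not code from the original text or from any Certifying Authority. It uses ECDSA over the P-256 curve with SHA-256 as one concrete instance of "asymmetric crypto system and hash function"; the Act itself names no algorithm, so that choice and the invoice text are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// HashRecord produces the "hash result" of an electronic record.
// SHA-256 is the example hash function; the Act does not name one.
func HashRecord(record []byte) [32]byte {
	return sha256.Sum256(record)
}

// NewSubscriberKey generates the subscriber's key pair: the private key is
// the signature creation data, the public key is what others verify with.
func NewSubscriberKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignRecord affixes the digital signature: the hash result of the record
// is signed with the subscriber's private key.
func SignRecord(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	h := HashRecord(record)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyRecord is the check any person can perform with the public key
// (section 3(3)): recompute the hash result and verify the signature on it.
func VerifyRecord(pub *ecdsa.PublicKey, record, sig []byte) bool {
	h := HashRecord(record)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// SignatureDemo runs a constructed round trip and returns three results:
// whether the signed record verifies, whether a record altered after
// signing still verifies (it must not, per section 3A(2)(d)), and whether
// a different subscriber's public key verifies it (it must not, per
// section 3A(2)(a): the signature is linked to the signatory and no one else).
func SignatureDemo() (original bool, altered bool, otherKey bool, err error) {
	signer, err := NewSubscriberKey()
	if err != nil {
		return false, false, false, err
	}
	stranger, err := NewSubscriberKey()
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample record: a hypothetical invoice, not real data.
	record := []byte("Invoice 1042: 3 items, total INR 4500.00")
	sig, err := SignRecord(signer, record)
	if err != nil {
		return false, false, false, err
	}
	// The same record with the amount changed after signing.
	tampered := []byte("Invoice 1042: 3 items, total INR 45000.00")

	original = VerifyRecord(&signer.PublicKey, record, sig)
	altered = VerifyRecord(&signer.PublicKey, tampered, sig)
	otherKey = VerifyRecord(&stranger.PublicKey, record, sig)
	return original, altered, otherKey, nil
}

func main() {
	original, altered, otherKey, err := SignatureDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original record verifies:   %v\n", original) // true
	fmt.Printf("altered record verifies:    %v\n", altered)  // false
	fmt.Printf("other subscriber's key OK:  %v\n", otherKey) // false
	// Section 3(2) Explanation: same input, same hash result every time.
	fmt.Printf("hash result is repeatable:  %v\n",
		HashRecord([]byte("abc")) == HashRecord([]byte("abc"))) // true
}
```

Two practical points follow from the code. Verification needs only the public key, so the private key never has to leave the signatory's control, which is exactly the exclusive-control condition of sections 15 and 3A(2)(b). And because the signature is computed over the hash result rather than the record itself, the detectability of alteration in section 3A(2)(d) depends on the hash function having the two properties listed in the Explanation to section 3(2); a hash function that allows collisions would let a second record carry the first record's signature.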
Penalties and adjudication
Penalty and compensation for damage to computer, computer system, etc. (section 43)
If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,–
(a) accesses or secures access to such computer, computer system or computer network or computer resource;
(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
(e) disrupts or causes disruption of any computer, computer system or computer network;
(f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network;
(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
(j) steal, conceal, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage; he shall be liable to pay damages by way of compensation to the person so affected.
Penalty for failure to furnish information, return, etc. (section 44)
If any person who is required under this Act or any rules or regulations made thereunder to–
(a) furnish any document, return or report to the Controller or the Certifying Authority fails to furnish the same, he shall be liable to a penalty not exceeding one lakh and fifty thousand rupees for each such failure;
(b) file any return or furnish any information, books or other documents within the time specified therefor in the regulations fails to file return or furnish the same within the time specified therefor in the regulations, he shall be liable to a penalty not exceeding five thousand rupees for every day during which such failure continues;
(c) maintain books of account or records, fails to maintain the same, he shall be liable to a penalty not exceeding ten thousand rupees for every day during which the failure continues.
Residuary penalty (section 45)
Whoever contravenes any rules or regulations made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation not exceeding twenty-five thousand rupees to the person affected by such contravention or a penalty not exceeding twenty-five thousand rupees.
Power to adjudicate (section 46)
(1) For the purpose of adjudging whether any person has committed a contravention of any of the provisions of this Act or of any rule, regulation, direction or order made thereunder which renders him liable to pay penalty or compensation, the Central Government shall appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an adjudicating officer for holding an inquiry in the manner prescribed by the Central Government.
(2) The adjudicating officer shall, after giving the person referred to in sub-section (1) a reasonable opportunity for making representation in the matter and if, on such inquiry, he is satisfied that the person has committed the contravention, he may impose such penalty or award such compensation as he thinks fit in accordance with the provisions of that section.
(3) No person shall be appointed as an adjudicating officer unless he possesses such experience in the field of Information Technology and legal or judicial experience as may be prescribed by the Central Government.
(4) Where more than one adjudicating officers are appointed, the Central Government shall specify by order the matters and places with respect to which such officers shall exercise their jurisdiction.
(5) Every adjudicating officer shall have the powers of a civil court.
Factors to be taken into account by the adjudicating officer (section 47)
While adjudging the quantum of compensation under this Chapter, the adjudicating officer shall have due regard to the following factors, namely:–
(a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
(b) the amount of loss caused to any person as a result of the default;
(c) the repetitive nature of the default.
Key takeaways: The IT Act, 2000 contains provisions on digital signatures, electronic records, penalties and punishment for offences, etc.