The Internet is a system of interconnected computer networks and is today’s
significant platform for information and its transmission. Its far-flung
utilisation has led to its entry into the sphere of trade and commerce. The
Government of India has passed the Information Technology Act with a view to
taking the benefit of digital technology and new emerging communication
systems. Business transactions are being made with the help of computers. The
business community as well as individuals are increasingly using computers to
create, transmit and store information in electronic form instead of
traditional paper documents.
Meaning Of Digital Signatures
Like the pen and paper method, a digital signature attaches the identity of the
signer to the document. Digital signatures provide a viable solution for
creating legally enforceable electronic records, closing the gap in going fully
paperless by completely eliminating the need to print documents for signing.
Digital signatures enable the replacement of slow and expensive paper-based
approval processes with fast and fully digital ones. [1]
Electronic signature was defined in the Information Technology (Amendment)
Act, 2008, whereas the earlier Information Technology Act, 2000 covered digital
signatures in detail, defining the term, elaborating the procedure to obtain a
digital signature certificate and giving it legal validity.
Digital signature was defined as “authentication of electronic record” as per
the procedure laid down in section 3, which discussed the use of an asymmetric
crypto system, public key infrastructure, hash functions, etc. This was
criticised as being technology dependent, i.e. relying on the specific
technology of an asymmetric crypto system and hash function, with a public and
private key pair for authentication, etc.
Thus, Chapter II, which was originally ‘Digital signature’, was renamed
‘Digital signature and electronic signature’ in the Information Technology
(Amendment) Act, 2008, thus introducing technological neutrality by the
adoption of electronic signatures as a legally valid mode. [2]
Meaning Of Certifying Authorities
The Internet is an open system of communication which has its own set of
problems. These problems relate to the integrity, confidentiality and
authentication of communication channels and processes. A system of identity
authentication is thus required, which is provided by a trusted third party
referred to as a ‘certifying authority’, whose function is to verify and
authenticate the identity of the subscriber. [3]
According to Section 2 (1) (g) of the Information Technology Act, 2000, a
‘certifying authority is a person who has been granted a licence by the
controller of certifying authority to issue electronic signature certificates to
the subscribers’.
In general, a certifying authority is a body, either public or private, that
seeks to fill the need for trusted third party services in e-commerce by
issuing digital signature certificates. The role played by the certifying
authorities is similar to that of a notary public in the real world. A notary
attests that the person who signs the documents is really that person.
Similarly, a certifying authority grants digital signature certificates to
subscribers after proper identification and verification. [4]
Appointment Of Controller And Other Officers
The central government may appoint a controller of certifying authorities after
notification in the official gazette. It may also appoint Deputy controllers and
Assistant controllers as it deems fit.
The controller discharges his responsibilities subject to the general control
and directions of the central government. The Deputy controllers and Assistant
controllers shall perform the functions assigned to them by the controller under
the general superintendence and control of the controller. [5]
Role Of Controller In Issuing Digital Signature Certificates
Licence to issue electronic signature certificate:
Any person may approach the controller for a licence to issue electronic
signature certificates, including digital signature certificates. The controller
can issue a licence only if the applicant fulfils all the requirements with
respect to qualification, expertise, manpower, financial resources and
infrastructure facilities for the issuance of digital signature certificates. [6]
The licence granted is valid for a period of 5 years from the date of issue,
and the said licence is not transferable or heritable. [7]
Application for licence:
An application can be made for obtaining a licence to operate as a certifying
authority, and the applicant must fulfil the requirements for the issue of such
a licence. The application is required to be submitted to the controller in the
form for grant of a licence to operate as a certifying authority, and every
application for issue of a licence shall be accompanied by:
- A certification practice statement.
- A statement including the procedures with respect to identification of the
applicant.
- Payment of fees, not exceeding 25 thousand rupees. [8]
Renewal of licence:
An application for renewal of licence shall be in such form, accompanied by
such fees, which should not exceed 5 thousand rupees, and shall be made not
less than 45 days before the date of expiry of the period of licence. Further,
the application for renewal of licence may be submitted in the form of an
electronic record. [9]
Procedure for grant or rejection of licence:
The controller may, on receipt of an application and after considering the
documents accompanying the application and such other factors, grant the
licence or reject the application. [10]
The controller may, within 4 weeks from the date of receipt of the application,
examine the documents and information accompanying the application before he
grants the licence or rejects the application. [11]
The controller has been empowered to refuse the grant or renewal of a
certifying licence if:
- The applicant has not provided the controller with such information relating
to its business as the controller may require.
- The applicant or any trusted person has been convicted, whether in India or
out of India.
- A certifying authority commits a breach of, or fails to observe and comply
with, the procedures and practices as per the certification practice statement.
- A certifying authority fails to conduct, or does not submit, the returns of
the audits, etc.
However, the principles of natural justice would be followed: no application
would be rejected unless the applicant is given a reasonable opportunity of
presenting his case. [12]
Suspension of licence:
The controller, after making an inquiry, can revoke the licence if he feels
that the certifying authority has:
- Made a statement in relation to the application for the renewal of licence
which is false or incorrect.
- Failed to comply with the terms and conditions subject to which the licence
was granted.
- Failed to maintain procedures and standards.
- Contravened any of the provisions of the Act, rule, regulation or order made
thereunder. [13]
Powers And Functions Of The Controller:
Some of the powers of the controller mentioned under the Act are as follows:
- Recognition of foreign certifying authorities:
Section 19 of the IT Act gives the power to the controller to recognise any
certifying authorities for the purposes of the Act. Once the foreign certifying
authority is recognised by the controller, the digital signature certificates
issued by such certifying authority shall be valid for the purpose of the
Act. Such recognition can be withdrawn or revoked by the controller in case
there is any contravention of the conditions and restrictions subject to
which the recognition was granted to the foreign certifying authority.
- Power to delegate:
Section 27 of the IT Act provides that the controller may authorise the Deputy
controller, Assistant controller or any officer to exercise any of the powers
of the controller. However, such delegation should be made in writing, and his
quasi-judicial power to resolve any dispute between certifying authorities and
subscribers cannot be delegated.
- Power to investigate contraventions:
Section 28 of the IT Act provides that the controller or any other officer
authorised by him shall take up for investigation any contraventions of the
provisions of the Act, rules or regulations.
- Access to computers and data:
During the course of investigations the controller requires certain powers to
be able to gather evidence, and for this purpose searching of computer systems
is required. Under section 29 of the IT Act, the controller has therefore been
given the power to have access to any computer system, any apparatus, data or
any other material connected with such system if he has reasonable cause to
suspect that any contravention of the provisions of this Act, or of the rules or
regulations made, has been committed.
- Power of controller to give directions:
To ensure compliance with the provisions of the Act and the rules or
regulations made under it, the controller has been authorised to give
directions to certifying authorities. Section 68 (1) empowers the controller to
give such directions by way of an order. [14]
Functions Of The Controller
The functions of the controller have been enumerated under section 18 of the
Act. These functions basically relate to certifying authorities or digital
signature certificates. It is the controller’s duty to regulate and control
almost each and every activity of the certifying authorities and to ensure their
smooth working and functioning, from their very inception to the resolving of
disputes. In general, the controller has the power to exercise supervision over
the activities of the certifying authorities.
Specifically, the controller can lay down the standards to be maintained by the
certifying authorities, specify the conditions subject to which the certifying
authorities shall conduct their dealings with the subscribers, specify the form
and manner in which accounts shall be maintained by the certifying authorities,
specify the terms and conditions subject to which auditors may be appointed
and the remuneration to be paid by them, facilitate the establishment of any
electronic system by a certifying authority, either solely or jointly with other
certifying authorities, and the regulation of such systems, lay down the
duties of the certifying authorities, and maintain a database containing the
disclosure record of every certifying authority containing such particulars,
which shall be accessible to the public.
The controller also has the function of specifying the form and the content of a
digital certificate and the key, as well as specifying the contents of the
written, printed or visual materials and advertisements that may be distributed
or used in respect of a digital signature certificate and the public key. [15]
Conclusion
The office of the controller of certifying authority is the fulcrum on which the
Information Technology Act, 2000 operates. It has a statutory role to identify,
apply and draw awareness regarding the application of a specific form of
technology. Furthermore, it establishes functional attributes for certifying
authorities. The IT Act also provides for the controller of certifying
authorities to license and regulate the working of certifying authorities.
The controller of certifying authority, being the highest administrative body
recognised under the Act, has been given a lot of importance.
Footnotes:
- The Information Technology Act, 2000, available at https://www.indiacode.nic.in/bitstream/123456789/1999/3/A2000-21.pdf
- The Information Technology (Certifying Authorities) Rules, available at https://www.meity.gov.in/writereaddata/files/Information%20Technology%20%28Certifying%20Authority%29.pdf
End-Notes:
1. https://www.legalbites.in/digital-signature-electronic-signature/ last cited on 07-04-2021
2. Umrav Singh, ‘Cyber Laws in India’ (May 2016), available at https://www.researchgate.net/publication/303522263_Cyber_Laws_in_India, last cited on 08-04-2021
3. Vakul Sharma, ‘Information Technology: Law and Practice’ (LexisNexis, Haryana, 6th edn, 2019)
4. Gupta and Agarwal, ‘Cyberlaws’ (Premier Publishing Company, Allahabad, 2012) p. 469
5. Section 17 of the Information Technology Act, 2000
6. Section 21 of the Information Technology Act, 2000
7. Rule 13 of the Information Technology (Certifying Authorities) Rules, 2000
8. Section 22 of the Information Technology Act, 2000
9. Section 23 of the Information Technology Act, 2000
10. Section 24 of the Information Technology Act, 2000
11. Rule 16 of the Information Technology (Certifying Authorities) Rules, 2000
12. Supra note 4, at page 239
13. Section 25 of the Information Technology Act, 2000
14. Devashish Baruka, ‘Purview of Information Technology Act, 2000’, available at http://14.139.60.114:8080/jspui/bitstream/123456789/722/18/Purview%20of%20the%20Information%20Technology%20Act%2C%202000.pdf last cited on 08-04-2021
15. Ibid
Award Winning Article Is Written By: Mr. Naveen B Talawar
Authentication No: MA34185107161-28-0521