Secure Electronic Records and Signatures (Sections 14–16)

Not every electronic record is created equal in the eyes of the law. The Information Technology Act, 2000 draws a sharp line between an ordinary electronic record - which merely enjoys legal recognition - and a secure electronic record, which carries a presumption of integrity that an opponent must work hard to dislodge. Sections 14 to 16, forming Chapter V of the Act, are the engine of that distinction. They tell us when a record or an electronic signature crosses over into the privileged category of "secure", who decides the technical yardstick, and why that label matters so much when the document later lands in a courtroom. This chapter unpacks the three short but consequential provisions, the subordinate Information Technology (Security Procedure) Rules, 2004 that breathe life into them, and the evidentiary presumptions in Sections 85B and 85C of the Evidence Act that make "secure" status the prize worth chasing.

The Architecture of Chapter V

Chapter V of the Information Technology Act, 2000 is one of the shortest chapters in the statute, comprising only Sections 14, 15 and 16, yet it performs a disproportionately important function. The earlier chapters establish that electronic records and electronic signatures enjoy legal recognition - see our chapter on electronic governance and on digital and electronic signatures. But recognition alone says nothing about trustworthiness. A scanned PDF emailed between strangers is a legally recognised electronic record just as much as a cryptographically sealed bank statement. Chapter V exists to grade that trustworthiness.

The drafting follows a deliberate three-step logic. Section 14 defines when an electronic record is secure. Section 15 defines when an electronic signature is secure. Section 16 hands the Central Government the power to fix the technical standard - the "security procedure" - that the first two sections silently depend upon. Read together, they create a closed loop: a record or signature is secure only if a prescribed security procedure has been applied to it, and only the executive, through delegated legislation, decides what that procedure is.

This is a classic example of the Act's technology-neutral, standards-by-reference approach. Parliament refused to freeze a particular cryptographic technique into primary legislation, knowing that today's gold-standard algorithm is tomorrow's broken cipher. Instead, it laid down the legal consequence of being "secure" and delegated the moving technical target to rules. To see how the Act handles the underlying vocabulary of records, signatures and subscribers, the reader should keep the definitions chapter close at hand.

Section 14 - Secure Electronic Record

Section 14 reads: "Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification." The provision is deceptively compact, but every phrase is load-bearing.

First, the operative trigger is the application of a security procedure - not the inherent quality of the record. A record does not become secure because it looks official or comes from a reputable source; it becomes secure only because a prescribed procedure was applied to it. Second, the statute fixes a temporal window. The secure status runs "from such point of time" (when the procedure was applied) "to the time of verification". In other words, the law vouches for the record's integrity across a defined interval, not for all eternity. If the record is altered after the security procedure is applied, verification at the later point will expose the change, and the secure status simply will not survive the check.

Third, the section uses a deeming fiction - "shall be deemed to be a secure electronic record". A deeming provision compels the court to treat the record as secure once the statutory conditions are satisfied, regardless of any residual doubt. This is the doctrinal hinge that later powers the rebuttable presumption in Section 85B of the Evidence Act. The deeming is not, however, conclusive: it operates only so long as verification at the relevant time confirms integrity, and the Evidence Act presumption it triggers is expressly rebuttable by proof to the contrary.

It is important to read Section 14 alongside attribution, acknowledgment and dispatch of electronic records. Those provisions tell us who a record is attributed to and when it is treated as sent and received; Section 14 tells us whether that record's contents can be trusted not to have been changed. The two work in tandem when a disputed e-mail or digital document is placed before a tribunal.

Section 15 - Secure Electronic Signature

Section 15, as it now stands, provides: "An electronic signature shall be deemed to be a secure electronic signature if - (i) the signature creation data, at the time of affixing signature, was under the exclusive control of signatory and no other person; and (ii) the signature creation data was stored and affixed in such exclusive manner as may be prescribed." An Explanation adds that "in case of digital signature, the 'signature creation data' means the private key of the subscriber."

The heading and text reflect a significant 2009 amendment. The Information Technology (Amendment) Act, 2009 (Act 10 of 2009), brought into force on 27 October 2009, recast the section from "Secure digital signature" to the technology-neutral "Secure electronic signature", aligning Chapter V with the Act's broader 2009 shift from a digital-signature-only regime to a wider electronic-signature framework. The substance, however, is built around two cumulative conditions, both of which must be met.

The first condition is exclusive control: the signature creation data must, at the moment of signing, have been under the exclusive control of the signatory and no one else. In the digital-signature context, this means the subscriber's private key must not have been shared, compromised or accessible to a third party. The second condition is a prescribed manner of storage and affixation: it is not enough that the signatory had exclusive control; the data must also have been stored and affixed in the exclusive manner that the rules require. This is the textual gateway through which the 2004 Rules enter - the "such exclusive manner as may be prescribed" language is a direct reference to delegated legislation under Section 16.

The interplay with the broader signature scheme is essential. As explained in the digital and electronic signatures chapter, Section 3 governs the authentication of records by digital signature using an asymmetric crypto system and hash function, while Section 3A recognises other electronic signature techniques notified by the Government. Section 15 sits one layer above: it does not ask how the signature was made, but how securely, demanding exclusive control plus a prescribed mode before the law will elevate the signature to "secure".

Section 16 - Security Procedures and Practices

Section 16 is the delegating provision. It states: "The Central Government may, for the purposes of sections 14 and 15, prescribe the security procedures and practices: Provided that in prescribing such security procedures and practices, the Central Government shall have regard to the commercial circumstances, nature of transactions and such other related factors as it may consider appropriate."

Three features deserve emphasis. First, the power is conferred for the express purpose of Sections 14 and 15 - the security procedure that makes a record or signature "secure" is whatever the Central Government prescribes under this head. This is why Sections 14, 15 and 16 cannot be read in isolation; they form an interlocking triad, with Section 16 supplying the content that the other two presuppose.

Second, the section is permissive ("may"), not mandatory, but the practical reality is that without prescribed procedures, Sections 14 and 15 would be largely inert - there would be no benchmark against which to measure security. The Government duly exercised the power through the Information Technology (Security Procedure) Rules, 2004, examined in the next section.

Third, the proviso imposes a structured discretion. In framing the procedures, the Government must "have regard to the commercial circumstances, nature of transactions and such other related factors". This is a deliberate nod to commercial pragmatism: the security expected for a low-value retail transaction need not match that for a high-value inter-bank transfer. The proviso reflects the Model Law on Electronic Commerce philosophy that security requirements should be proportionate and context-sensitive rather than uniform and burdensome. For the institutional machinery that issues and governs the certificates underpinning these procedures, see the chapter on certifying authorities and their licensing and functions.

The IT (Security Procedure) Rules, 2004

The Central Government exercised its Section 16 power through the Information Technology (Security Procedure) Rules, 2004, notified by G.S.R. 735(E) on 29 October 2004. These rules are the indispensable companion to Chapter V, because they convert the abstract phrase "security procedure" into a concrete, testable standard.

Rule 3 (Secure electronic record) provides that an electronic record shall be deemed a secure electronic record for the purposes of the Act "if it has been authenticated by means of a secure digital signature". This is a crucial linkage: under the 2004 Rules, a record's security is parasitic on the security of the signature applied to it. There is no independent record-only procedure; security flows from the signature to the record.

Rule 4 (Secure digital signature) then sets out a seven-limb test. A digital signature is a secure digital signature only if: (a) a smart card or hardware token with a cryptographic module is used to create the key pair; (b) the private key used to create the digital signature always remains within the smart card or hardware token; (c) the hash of the content is taken from the host system to the smart card or hardware token, the private key is used there to create the signature, and the signed hash is returned to the host; (d) the information in the smart card or hardware token is solely under the control of the purported signatory; (e) the signature can be verified using the public key listed in the Digital Signature Certificate issued to that person; (f) the standards in Rule 6 of the IT (Certifying Authorities) Rules, 2000 have been complied with for creation, storage and transmission; and (g) the digital signature is linked to the electronic record in such a manner that any alteration of the record would invalidate the signature.

Several insights follow. The Rules adopt a strict hardware-bound model - the private key must never leave a tamper-resistant smart card or USB hardware token, which operationalises the "exclusive control" requirement of Section 15. Limb (g) operationalises the integrity guarantee of Section 14: because the signature is cryptographically bound to the record's hash, any post-signing change breaks the signature and defeats verification. In short, the 2004 Rules translate the elegant generalities of Sections 14 and 15 into engineering specifications a security auditor can actually check.

Ordinary versus Secure: Why the Distinction Bites

It is tempting to treat "secure electronic record" as a mere technical refinement, but the legal stakes are substantial. The Act and the Evidence Act together create a graduated hierarchy. An ordinary electronic record is admissible and legally recognised, but its integrity is a fact to be proved like any other. A secure electronic record, by contrast, attracts a statutory presumption of integrity that shifts the practical burden onto the party challenging it.

The pivot is Section 85B of the Evidence Act, 1872. It provides that in any proceeding involving a secure electronic record, the court shall presume, unless the contrary is proved, that the record has not been altered since the specific point of time to which the secure status relates. It further provides that in any proceeding involving a secure digital signature, the court shall presume that the signature was affixed by the subscriber with the intention of signing or approving the electronic record. Section 85C adds a presumption that the information listed in a Digital Signature Certificate is correct, except for information specified as subscriber-unverified.

The contrast with ordinary records is stark. For an ordinary electronic record tendered as secondary evidence, the gateway is the rigorous certificate regime of Section 65B of the Evidence Act - a topic on which the Supreme Court has been demanding. In Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473, a three-Judge Bench held that a certificate under Section 65B(4) is a condition precedent to the admissibility of secondary electronic evidence, overruling the contrary view in State (NCT of Delhi) v. Navjot Sandhu, (2005) 11 SCC 600. A secure electronic record carrying its Section 85B presumption stands on noticeably firmer ground than an ordinary record fighting its way through the Section 65B gate.

Evidentiary Presumptions in Action

The presumptions in Sections 85B and 85C are rebuttable, mirroring the deeming-but-not-conclusive design of Sections 14 and 15. The phrase "unless the contrary is proved" means the opponent can lead evidence that the record was in fact altered, or that the private key was compromised, and thereby displace the presumption. What the presumption does is allocate the evidentiary burden: the proponent of a secure record need not affirmatively prove integrity from scratch; instead, the challenger must affirmatively prove tampering.

This allocation matters enormously in commercial litigation. In Trimex International FZE v. Vedanta Aluminium Ltd., (2010) 3 SCC 1, the Supreme Court held that a binding contract had been concluded through an exchange of e-mails once the parties were ad idem on all essential terms, even before a formal contract was signed. The case is a leading authority on electronic contract formation and illustrates the commercial importance of trustworthy electronic communications - the more securely those communications are recorded and signed, the more readily a court will treat them as reliable evidence of consensus.

The architecture also clarifies a common student confusion: Section 14 (the substantive deeming of a secure record) and Section 85B (the evidentiary presumption flowing from it) are two halves of the same mechanism. Section 14 tells you when a record is secure; Section 85B tells you what advantage that secure status buys you in court. Neither is self-sufficient. A record can be secure under Section 14 yet still see its Section 85B presumption rebutted by cogent contrary proof; conversely, a record that fails the Section 14 test gets no presumption at all and must prove its integrity the hard way.

The Section 65B Interface and Its Evolution

Because secure electronic records and the certificate regime under Section 65B of the Evidence Act are frequently confused, it is worth charting how the case law has matured. After Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473, made the Section 65B(4) certificate mandatory for secondary electronic evidence, a two-Judge Bench in Shafhi Mohammad v. State of Himachal Pradesh, (2018) 2 SCC 801, sought to soften the rule, holding that the certificate requirement is procedural and could be relaxed where the party tendering the evidence is not in possession of the device.

That divergence was resolved by a three-Judge Bench in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, (2020) 7 SCC 1. The Court reaffirmed Anvar, held the Section 65B(4) certificate to be a mandatory condition precedent for admitting electronic records as secondary evidence, and expressly declared that Shafhi Mohammad was wrongly decided and stood overruled on that point. The Court clarified, however, that no certificate is needed where the original device itself is produced and the owner testifies, because that is primary evidence.

How does this interlock with Chapter V? The Section 65B certificate is about admissibility of secondary electronic evidence; the secure-record presumption under Section 85B is about the weight and integrity a record carries once before the court. A secure electronic record still has to clear the relevant admissibility threshold, but once admitted it enjoys the Section 85B presumption that an ordinary record lacks. The two regimes are complementary stages, not substitutes - a point judiciary aspirants frequently misstate in answer scripts.

Technology Neutrality and the 2009 Recalibration

The single most important structural feature of Chapter V is its drift toward technology neutrality, completed by the 2009 amendment. As originally enacted, the Act recognised only the digital signature - authentication by an asymmetric crypto system and hash function under Section 3 - and Section 15 was correspondingly titled "Secure digital signature". India's regime was, in effect, wedded to one technology: public key infrastructure.

The Information Technology (Amendment) Act, 2009 changed the philosophy. It introduced Section 3A, recognising electronic signatures more broadly where they are reliable and notified in the Second Schedule, and it relabelled Section 15 as "Secure electronic signature". The genus became "electronic signature", with "digital signature" surviving as one species. The Explanation to Section 15 preserves the digital-signature link by clarifying that, for a digital signature, the signature creation data is the subscriber's private key - a sensible bridge that keeps the older PKI infrastructure firmly within the new neutral framework.

Yet a curious lag persists. While the parent provisions speak of "electronic signature", the subordinate 2004 Rules still speak in terms of "secure digital signature" and the smart-card/hardware-token PKI model. The result is that, in practice, the only fully prescribed route to a "secure" electronic signature in India remains the hardware-bound digital signature of the 2004 Rules. Aspirants should note this gap between the technology-neutral promise of the statute and the technology-specific reality of the rules - it is a favourite examiner's trap.

Comparative and International Context

Chapter V did not emerge in a vacuum. The Information Technology Act, 2000 was enacted to give effect to the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce, 1996, which the General Assembly recommended that member States consider when enacting domestic legislation. The concept of an "enhanced" or "secure" tier of electronic authentication is a recurring theme in this family of instruments.

The later UNCITRAL Model Law on Electronic Signatures, 2001 elaborated the idea of a reliable electronic signature meeting heightened criteria - exclusive control of signature creation data, linkage to the signatory, and the capacity to detect any alteration. The reader will notice that Section 15's twin conditions (exclusive control plus prescribed manner) and Rule 4's limb (g) (alteration invalidates the signature) track this international template closely. India's secure-signature concept is thus a domestic crystallisation of a globally shared standard.

The comparison is more than academic. When Indian courts interpret ambiguous provisions of the Act, the UNCITRAL framework supplies legitimate interpretive context, and the secure-record/secure-signature tier should be read as the Indian equivalent of the "qualified" or "advanced" electronic signature found in regimes such as the European Union's eIDAS framework. For the broader objectives and interpretive backdrop of the Act, the introduction chapter sets the scene, and the full subject map is available at the Information Technology Act notes hub.

Practical Significance for Commerce and Governance

For practitioners, the secure-record regime is the backbone of trust in e-commerce, e-governance and online banking. When a bank issues a digitally signed statement, when a company files a digitally signed return with the Registrar of Companies, or when a government department issues a digitally signed certificate, the underlying legal comfort comes from Chapter V read with the 2004 Rules and the Evidence Act presumptions. Institutions invest in hardware security modules and licensed Certifying Authority certificates precisely to capture the "secure" label and the evidentiary advantages it confers.

The chapter also has a defensive dimension. A litigant resisting a digitally signed document cannot simply assert that "computers can be hacked"; to displace the Section 85B presumption, the challenger must lead specific, credible evidence of compromise - that the private key was shared, that the hardware token was breached, or that the verification fails. This raises the cost of frivolous denial and protects the reliability of electronic commerce, advancing the same commercial certainty the Supreme Court protected in Trimex International FZE v. Vedanta Aluminium Ltd., (2010) 3 SCC 1.

Finally, the regime interacts with attribution. A secure electronic signature does double duty: it secures integrity (the record is unaltered) and it strengthens attribution (the record is presumed signed by the subscriber with intent). This is why Chapter V should always be studied alongside attribution, acknowledgment and dispatch of electronic records - the two chapters together answer the litigator's twin questions: who signed it, and has it been tampered with since.

Exam-Focused Takeaways

For judiciary and CLAT-PG aspirants, a few crisp points repay memorisation. One: Sections 14, 15 and 16 form Chapter V; 14 covers secure records, 15 covers secure electronic signatures, 16 is the delegating provision. Two: a secure record is deemed secure only "from the point of time the security procedure was applied to the time of verification" - the temporal window is a common one-mark question. Three: Section 15 requires two cumulative conditions - exclusive control of signature creation data and storage/affixation in the prescribed manner - and the Explanation equates signature creation data with the subscriber's private key for digital signatures.

Four: the operative rules are the IT (Security Procedure) Rules, 2004, notified by G.S.R. 735(E) dated 29 October 2004; Rule 4 lays down the seven-limb test, and the hardware-token-bound private key is its hallmark. Five: the evidentiary payoff lives in Sections 85B and 85C of the Evidence Act - rebuttable presumptions of non-alteration, of signing intent, and of certificate correctness. Six: distinguish the Section 65B admissibility line of cases - Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473, Shafhi Mohammad v. State of Himachal Pradesh, (2018) 2 SCC 801, and Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, (2020) 7 SCC 1 - from the Section 85B presumption, because they answer different questions (admissibility versus integrity). Mastering that distinction is often the difference between a competent answer and a distinguished one.