Indian Cyber Crime laws

If your mixer-grinder refused to start one day despite your best efforts, and knowing that you haven’t fiddled around with any critical piece of the machinery, would you keep trying to start it, or approach an electrician? What would you do when he tells you that you’ve been sold a defective piece? Wouldn’t your first thought be to take the device back to the outlet where you bought it from, and demand a replacement or a refund?


How is cybercrime policed in the Indian context and what laws govern Indian cyberspace

A real-world scenario

If your mixer-grinder refused to start one day despite your best efforts, and knowing that you haven’t fiddled around with any critical piece of the machinery, would you keep trying to start it, or approach an electrician? What would you do when he tells you that you’ve been sold a defective piece? Wouldn’t your first thought be to take the device back to the outlet where you bought it from, and demand a replacement or a refund?

But when your spreadsheet software (which you have purchased legally) continues to crash throughout the day, regardless of the file you open, the setting you tweaked, or the programs you closed to free up memory, do you ever think about asking the software company for a refund? What causes this distinction between our experiences with offline and online products and services?


You would have noticed, as you try to install any software, that it asks you to read its “Terms and Conditions” (T&C), and indicate that you accept them by clicking on check box. You simply cannot install the software without accepting the T&C. But how many of us even view the T&C, leave along actually reading the 1000 word manuscripts?

One prime difference lies in the fact that we have seen stuff like home appliances and electronic goods for the past five decades, while the computer and internet have been with us only since the last twenty years, cyber laws are an even newer kid on the block.

The Internet: Its everywhere...

The fact that the internet pervades most aspects of our lives today, means that an increasing number of people have a parallel electronic existence. With millions of individuals interacting with each other, consuming online services, performing monetary transactions, and building viewpoints through cyberspace, monitoring, controlling, and policing the internet has become one of the prime concerns of almost all governments worldwide. The anonymous, decentralized and instantly “live” nature of the internet makes it that much tougher to assign responsibility, draw up jurisdictions, and effectively resolve genuine grievances. Increasing cases of criminal activities being conducted through this medium have been a growing concern and need to be tackled efficiently if we are ever to harness the true potential of the internet and convince even the most reluctant individuals in being connected to it.

A law behind every move you make

Every activity in the real world (e.g., buying a ticket, paying for groceries, signing an employment contract, etc.) has a legal underpinning. We rarely, if ever, consider the legal ramifications of our offline activities, because we are seldom the victims of a crime of fraud and resort to using the legal infrastructure (police, lawyers, courts) to resolve our grievances.

The same applies to any online activity. The underlying thought behind every email we reply to, every twitter post we re-tweet, every net-banking transaction we perform, or every news article we read is that it is “legal” to do so. So what happens when someone does something illegal online. But even prior to that, how do we know whether something is really illegal.

What are cyberlaws?

“Cyberlaw or Internet law is a term that encapsulates the legal issues related to use of the Internet. It is less a distinct field of law than intellectual property or contract law, as it is a domain covering many areas of law and regulation.” (source: Wikipedia) Cyberlaws, same as any other branch of law, help define what is legal and illegal, and stipulate mechanisms to detect, convict and punish offenders, and protect electronic property and its rightful use.

Cyberlaws pertain to diverse aspects of the electronic world such as:


  • software licences, copyright and fair use

  • unauthorized access, data privacy and spamming

  • export of hardware and software

  • censorship

  • computerized voting

IT Act, 2000 and IT (Amendment) Act, 2008

These two pieces of legislation form the bedrock of cyberlaw infrastructure in India.

The Information Technology (IT) Act, 2000 was passed by the Indian Parliament in May 2000 and came into force in October of the same year. Its prime purpose is to provide the legal infrastructure for e-commerce in India. It was the first legal instrument to provide legal sanctity to electronic records and contracts expressed through electronic means of communication.


The act was later amended in December 2008 through the IT (Amendment) Act, 2008. Some of their salient points are:


  • Digital Signatures: Electronic records may be authenticated by a subscriber by affixing digital signatures; further, the signature may be verified using the public key provided by the subscriber


  • Certifying Authorities: domestic and foreign certifying authorities (which provide digital signature certificates) are recognized by the law; a “Controller of Certifying Authorities” shall supervise them


  • Electronic governance: Documents required as per law by any arm of the government may be supplied in electronic form, and such documents are to be treated the same as handwritten, typewritten or printed documents


  • Offences and Penalties: An Adjudicating Officer shall judge whether a person has committed an offence in contravention of any provision of the IT Act, 2000; the maximum penalty for any damage to computers or computer systems is a fine up to `1 crore


  • Appellate Tribunals: A Cyber Regulations Appellate Tribunal shall be formed which shall hear appeals against orders passed by the Adjudicating Officers


  • Investigation: Offences shall only be investigated by a police officer of the rank of the Deputy Superintendent of Police or above (amended to the rank “Inspector” or above by the IT (Amendment) Act, 2008)


  • Amendments to other laws: Other acts such as the Indian Penal Code, 1860, the Indian Evidence Act, 1872, the Bankers’ Books Evidence Act, 1891, the Reserve Bank of India Act, 1934 were to be amended to align them with the IT Act


  • Network Service Providers: Intermediaries in the data transmission process, such as Internet Service Providers, are not liable in certain cases, so long as the intermediary expeditiously acts to prevent the cybercrime on getting such instruction from the Government or its agency.


Why were these laws enacted?

As a result of the technological advancements in the IT industry, computers and internet became accessible to the common man in our country quite rapidly. Like any technology, IT too met with two kinds of people -- the users and the abusers. While cases of hacking came to light and identity, privacy and information security was found to be increasingly compromised by the new IT revolution, the need was felt for law and order mechanism in the electronic world too.

What offences are covered under these laws?

One viewpoint considered when drafting the IT Amendment Act, 2008, was that it should be a comprehensive piece of legislation with minimal dependence on other penal laws. Although this recommendation seems to have been overlooked, several new offences have been defined in the 2008 version. The two IT Acts together define the below offences and also recommend punishments for each of them:

1. Hacking

It is not defined in either of the IT Acts, which in itself may have considerably weakened the cybercrime legislation in India.

2. Data theft

This offence is defined as copying or extracting information from a computer system without the owners, including computer theft and theft of digital signals during transmission.

3. Identity theft (including Password Theft)

As per the IT (Amendment) Act 2008, this offence is defined as fraudulently or dishonestly making use of the electronic signature, password, or any other unique identification feature of a person.

4. Email spoofing

This is commonly used by hackers to hide the actual email address from which phishing and spam message are sent. It may also be used in conjunction with other fraudulent methods to trick users into providing personal/ confidential information.

5. Sending offensive messages

The IT Act defines this offense as sending offensive or false information for the purpose of causing hatred, ill will, etc.

6. Voyeurism

This is defined as publishing/transmitting of “compromising” images/ videos of a person without his/her consent.


7. Child pornography

This covers offences against all individuals who have not completed 18 years of age. Despite being one of the most serious offences, it does not attract any severe punishment

8. Cyber terrorism

The addition of this offence was a major difference between the two IT Acts. Cyber terrorism is described in fair detail as denying access to a computer, attempting to access a computer resource without authorization, or contaminating a computer system.


While all other offences are punishable by imprisonment up to 3-5 years and/or a fine of up to `3-5 Lakh, an individual convicted of cyberterrorism is punishable by imprisonment for life.

Who enforces the law? Where do I file a complaint?

What should you do if the password to your email account is stolen? Or if everyone on your Facebook friends list are receiving spam messages from your account? You may start by filing a complaint with the local police station. A major positive of the IT (Amendment) Act, 2008 over the original IT Act, 2000 was that police officers of the rank of “Inspector” or above were empowered to investigate cyber crimes, as against the rank of “Deputy Superintendent of Police” or above required by the original Act. This would have, at least theoretically, considerably increased the bandwidth of enforcement agencies in handling cybercrimes. However, try not to cross any fingers or toes hoping that you’d get your email account back, as you shall see in the next section.

Here are some examples of cybercrime-fighting infrastructure set up in different parts of India:

1. India’s first exclusive cybercrime enforcement setup was the Cyber Crime Police Station set up in Bangalore

2. This was followed up by a similar police station in Andhra Pradesh, which functions from Hyderabad city and has statewide jurisdiction

3. Cyber Crime Investigations Cells have also been set up by police departments of Mumbai, Kolkata and Tamil Nadu

Have these laws really helped us?

The conviction rate for cybercrimes in India has been less than 10 convictions in the last 12 years since the IT Act came into force (http://dgit.in/ UVeIT8). Further, there have been zero convictions after IT (Amendment) Act, 2008 was implemented.

A serious drawback of current cybercrime legislation is that all offences, except cyber terrorism, are bailable. This allows ample leeway for guilty individuals to destroy all electronic evidence of their crimes as soon as they have attained bail. This “non-serious” approach to cyber crime has led to most people as well as enforcement agencies losing faith in the legislation itself, and contributed to the extremely low conviction rate. One cannot really blame the inspector at your neighbourhood for not being too keen on registering a cyber crime case, now can we?

Prominent cybercrime cases:

1. First conviction for a cybercrime in India

A call center employee at Noida had gained access to to an American citizen’s credit card information and used the same to purchase a color television and a cordless phone through a Sony Entertainment website catering to NRIs. A month after the items were delivered to the individual, Sony Entertainment was informed by the credit card agency that the card owner had denied making the purchase. Luckily, digital photographs taken at the time of delivery were evidence enough for the CBI to convict the individual under several sections of the Indian Penal Code.

2. First conviction under the IT Act, 2000

Obscene and defamatory messages regarding a divorced woman were posted on a Yahoo message group, which resulted in phone calls to the woman in the belief that she was soliciting. Investigating based on a complaint made by the victim in February 2004, the police traced the source of the message to a Mumbai resident who was a family friend of the victim. He had resorted to harassing the victim as she had rejected his marriage offer. The accused’s lawyers argued that the offending messages might have been sent by either the victim’s ex-husband or by the victim herself in order to implicate the accused, and that the documentary evidence was not sustainable under the Indian Evidence Act. However, the court found the accused guilty based on the statements by the Cyber Cafe owner where the messages originated as well as expert witness provided by Naavi. The accused was sentenced to rigorous imprisonment for 2 years and find `5000.

3. Hackers deface the official website of the

Maharashtra Government

The website http://www.maharashtra government.in, which contains details about government departments, circulars, reports, and several other topics, was hacked on 20 September 2007. Sources believed the hackers to be from Washington, USA, although, the hackers identified themselves as “Hackers Cool Al-Jazeera” and claimed they were based in Saudi Arabia, which authorities believe might be a red herring to throw investigators off their trail. Deputy Chief Minister and Home Minister R.R. Patil stated that, if needed, the government would seek help of private IT experts to find the hackers.

4. Online credit card scam solved; three held guilty

A bank employee who had access to credit card details of the banks customers used them along with two other individuals to book tickets online and sell them to third parties. According to the information provided by the police, the scam was detected when one of the customers received an SMS alert for purchasing an airline ticket even though he had the card on him and had not used it. The alert customer immediately informed the bank who then involved the police. Eight days investigation by Cyber Cell head DCP Sunil Pulhari, PI Mohan Mohadikar, and A.P.I Kate resulted in the arrests of the three involved.

5. Murder solved with aid from MySpace

The murder of a high school football player was solved when police found the prime suspect in a picture posted on a street gang’s MySpace page.

Whose law applies?

A hacker sitting in Iceland may use a proxy in Thailand to hack into servers of the London Stock Exchange. Which country’s cyberlaws apply in this instance? The decentralized nature of the crime makes it that much tougher to demarcate jurisdiction, further compounded by that fact that cyberlaws are not consistent across nations (what may be a cybercrime in India may be perfectly legal in Sri Lanka). For instance, the provisions of the Indian IT Act, 2000 applies, not only to the whole of India, but also to offences committed outside outside Indian territory, provided the offence involved a computer, computer system, or computer network located in India.

Where do we go from here?

Given the extreme pace at which internet users are increasing, the potential for cybercrime expands daily. Hence there can never be a perfect IT Act or cybercrime law which will cover all possible offences. IT laws need to be updated frequently, with more creative and inventive responses from the organisations under threat.

The laws and enforcement infrastructure also made aware to the general public. This also called for international co-ordination between enforcement agencies and shared jurisdictions wherever required. Piecemeal security solutions designed for individual threats are giving way to strategically deployed systems aimed to counter multiple threats.

Organisations should also consolidate their security mechanisms into a commonly managed appliance, instead of installing and maintaining disparate devices. These measures combined with greater user education are the best safeguard against the future of cyber-criminal activities.


1. The Information Technology (Amendment) Act, 2008 http://www.naavi.org/ita_2008/index.htm

2. Types of Cyber Crimes & Cyber Law in India, Prashant Mali, CSIC (http:// dgit.in/WCyNDA)

3. http://www.cyberlawsindia.net/

4. http://dgit.in/UVeIT8


DMCA.com Protection Status