The primary cybercrime in India involves sharing explicit content online,
which is against the law under Section 67 of the Information Technology Act, 2000.
Hacking ranks second, punishable under Section 66 of the same Act. The FBI is
the top agency globally for handling cybercrime, with a dedicated team. In
India, the Central Bureau of Investigation and State cybercrime units like
Mumbai Cyber Crime Cell are well-equipped too.
Though Indian agencies have
expertise in some areas, continuous training is vital. A comprehensive plan is
needed to address cybercrimes. Cybercrime regulation is often overshadowed by
other police tasks, leading to a lack of effort in building a robust system.
Dedicated cybercrime police stations in cities are necessary. The IT Act of 2000
also modified the Indian Penal Code. Notably, the word "document" changed to
"document or electronic record," and a new crime about creating false electronic
records was introduced.
Reporting cybercrimes in India is a cumbersome process, demanding effort from
complainants. Simplifying legal assistance and expediting processes is crucial.
Cybercrimes often attract media attention in India, and companies hesitate to
report due to reputational risks. Some companies effectively counter
cybercriminals by employing cyber experts. Many people in India, even
experienced internet users, are unaware of cybercrimes they might commit or be
victims of. The IT Act of 2000 is seen as complex, leading some to avoid it.
Law enforcement officers and courts in India need more education about cyber law due
to its specialized nature. As cybercrimes increase, training judges to handle
these cases is vital. While few cybercrimes reach court now, the number is expected to
rise. Judges handling cybercrime cases must understand the details, trial
process, and technical aspects like electronic evidence and information storage.
Objectives of IT Act, 2000
The Information Technology Act, 2000 (IT Act 2000) is a piece of legislation in
India that was enacted to give legal recognition to electronic commerce and
facilitate e-governance. It has several key goals and objectives:
- Legal Recognition of Electronic Transactions: The IT Act 2000 aimed to provide legal recognition to electronic documents and digital signatures, making them equivalent to their paper-based counterparts. This was important for the growth of e-commerce and electronic transactions.
- Regulation of Cybercrime: The Act also addressed various forms of cybercrimes and provided legal mechanisms to investigate and prosecute individuals or entities involved in activities such as hacking, data theft, and online fraud.
- Digital Signatures and Certificates: The Act established provisions for the use of digital signatures and digital certificates, which are crucial for ensuring the authenticity and integrity of electronic documents and transactions.
- Data Protection and Privacy: While the IT Act 2000 did not have comprehensive provisions for data protection and privacy at the time it was enacted, it laid the foundation for subsequent amendments in this area. This includes developments like the IT Rules in 2011 and 2021.
- Promotion of E-Governance: The Act aimed to promote e-governance by providing legal recognition to electronic records and facilitating government transactions through electronic means.
- Cybersecurity: Recognizing the importance of cybersecurity, the IT Act established provisions for securing computer systems and networks. It included measures such as appointing Computer Emergency Response Teams (CERTs) to respond to cyber threats.
- Facilitation of E-Commerce: The Act provided a legal framework for electronic contracts and transactions, which were essential for fostering growth in e-commerce in India. The Act also addressed issues related to online payment systems and the liability of intermediaries (which act as connectors between buyers and sellers). These provisions have significantly contributed to shaping India's digital landscape by promoting secure electronic transactions while addressing concerns related to cybercrimes and data protection.
- Jurisdictional Clarity: The Act provided clarity on the jurisdiction of different authorities and courts regarding electronic transactions and cybercrimes. This helped simplify legal procedures and improve enforcement efforts.
Offences under IT Act, 2000
The main law safeguarding against cybercrimes in India is the Information
Technology Act, 2000, particularly Chapter XI, which lists various offences.
The offences are:
- Tampering with Computer Source Code (Section 65)
- Computer Related Offences (Section 66)
- Sending offensive messages through Communication service, etc. (Section 66A)
- Dishonestly receiving stolen computer resource or communication device (Section 66B)
- Identity Theft (Section 66C)
- Cheating by impersonation by using computer resource (Section 66D)
- Violation of Privacy (Section 66E)
- Cyber Terrorism (Section 66F)
- Publishing or transmitting obscene material in electronic form (Section 67)
- Publishing or transmitting of material containing sexually explicit act, etc., in electronic form (Section 67A)
- Publishing or transmitting of material depicting children in sexually explicit act, etc., in electronic form (Section 67B)
- Intermediary intentionally or knowingly contravening the directions about Preservation and retention of information (Section 67C)
- Failure to comply with the directions given by Controller (Section 68)
- Failure to assist the agency referred to in sub-section (3) in regard to interception or monitoring or decryption of any information through any computer resource (Section 69)
- Failure of the intermediary to comply with the direction issued for blocking for public access of any information through any computer resource (Section 69A)
- Intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) in regard to monitoring and collecting traffic data or information through any computer resource for cyber security (Section 69B)
- Any person who secures access or attempts to secure access to the protected system in contravention of provision of Sec. 70 (Section 70)
- Indian Computer Emergency Response Team to serve as national agency for incident response. Any service provider, intermediaries, data centres, etc., who fails to provide the information called for or comply with the direction issued by the ICERT (Section 70B)
- Misrepresentation to the Controller or the Certifying Authority (Section 71)
- Breach of Confidentiality and privacy (Section 72)
- Disclosure of information in breach of lawful contract (Section 72A)
- Publishing electronic Signature Certificate false in certain particulars (Section 73)
- Publication for fraudulent purpose (Section 74)
Penalties range from 1 to 10 years of imprisonment or even life imprisonment and fines from Rs. 1 lakh to Rs.
Shortcomings in IT Act, 2000
Indian cyber law, while comprehensive, has some notable loopholes that can
hinder its effectiveness in addressing modern digital challenges:
Lack of Specific Definitions:
The lack of clear and precise definitions for
terms such as "cyber terrorism," "data breach," and "cyber threat" creates
confusion when interpreting and enforcing laws related to these issues.
The complex nature of determining jurisdiction in cybercrime cases that span multiple countries often leads to delays and
inefficiencies in investigations and prosecutions.
Some provisions in the Information Technology Act, 2000 are
outdated and struggle to address the rapid technological advancements in the
The penalties prescribed for certain cybercrimes might
not act as strong deterrents, particularly in cases of hacking, data theft, and
Challenges in Attribution:
Tracing the source of cyber attacks and accurately
attributing them to individuals or groups can be difficult, often making it hard
to bring perpetrators to justice.
Ambiguity in Intermediary Liability:
The responsibility of online platforms for
content created by users is often ambiguous, resulting in inconsistent
interpretations and accountability for harmful content.
In India, cyber law does not establish a comprehensive
framework for safeguarding personal data and privacy, raising concerns about the
collection, processing, and potential misuse of individuals' information.
Inadequate International Cooperation:
Given the transnational nature of
cybercrimes, there is a deficiency in robust international cooperation
mechanisms that would enable efficient information sharing and collaboration
among nations. More than 60% of companies/authorities/organizations are located
abroad, and they either unnecessarily delay sending required information
that is urgently needed for carrying out an investigation, or ask the Law
Enforcement Agencies here to send a requisition through MLAT or Letter Rogatory,
which is a time-consuming process.
Slow Legal Processes:
The legal system's pace often doesn't match the urgency of cybercrimes, resulting in delayed justice and potential evidence loss.
Limited Technical Expertise:
The law enforcement agencies' limited technical
expertise can hinder efficient investigation and prosecution of complex cybercrimes.
Some provisions in the law, such as those related to defamation and
online speech, can potentially be misused to suppress freedom of expression.
Vague Liability for Platforms:
The law doesn't clearly define the
responsibilities of online platforms in moderating content, leading to arbitrary
takedowns and censorship.
Inadequate Protection for Critical Infrastructure:
There's a need for stronger
regulations safeguarding critical infrastructure from cyber threats, as the
current provisions might not be sufficient.
Section 66A (Amended in 2008, Struck Down in 2015):
This section criminalized the sending of offensive messages online, but its
vague wording led to potential misuse and violation of freedom of speech. It
lacked clarity on what constituted an "offensive" message, leading to arbitrary
arrests and harassment. The Supreme Court of India struck down this section in
2015, declaring it unconstitutional for being overly broad and ambiguous.
Section 43 and Section 66:
These sections dealt with unauthorized access and hacking, but their penalties
were considered inadequate compared to the severity of cybercrimes. They lacked
the necessary deterrence factor to discourage cybercriminals effectively. Over
time, these sections were amended to include higher penalties and stricter
punishments to address this weakness.
Section 79 (Intermediary Liability):
While this section provides a safe harbor to intermediaries from liability for
user-generated content, it lacks detailed guidelines on how intermediaries
should respond to takedown requests and complaints about illegal content. This
has resulted in inconsistent enforcement and challenges in defining intermediary
responsibilities. The IT Rules 2021 were introduced to provide more
comprehensive guidelines for intermediaries, but concerns remain about potential
censorship and surveillance.
Section 65 and Section 66C (Amended in 2008):
These sections dealt with hacking with the intent to cause harm, and creating or
distributing computer viruses. However, the intent requirement was considered
problematic, as proving malicious intent could be challenging in certain cases,
hindering effective prosecution. The intent requirement was subsequently removed
through an amendment to facilitate easier prosecution of cybercriminals.
Section 69 (Monitoring and Surveillance):
This provision grants the government authority to intercept and monitor
electronic communications in the interest of national security. However, critics
have expressed concerns about potential abuse of this power for surveillance
purposes, potentially compromising individual privacy. The lack of strong
oversight mechanisms and transparency provisions has led to debates about
striking a balance between security and privacy.
Section 79A (Immunity for Intermediaries):
This section deals with the exemption of liability of intermediaries in certain
cases, but it doesn't provide explicit protection against criminal liability.
This could deter intermediaries from taking proactive actions against illegal
content. The IT Rules 2021 aimed to address some of these concerns by
introducing provisions for traceability and removal of unlawful content.
Section 43A and Section 72A (Data Breach and Privacy):
These sections address compensation for improper disclosure of personal
information and unauthorized disclosure of information by an intermediary,
respectively. However, the provisions lack comprehensive data protection
measures and guidelines for preventing and addressing data breaches. The
upcoming Personal Data Protection Bill aims to address these weaknesses by
introducing a more comprehensive framework for data protection.
Section 67 (Punishment relating to Publishing/Transmitting Obscene Material in
This particular section of the law prohibits the transmission of material deemed
obscene or lascivious. However, it's important to note that terms like "obscene"
and "lascivious" are subjective and can be interpreted differently by different
individuals. The lack of clarity in defining what constitutes "obscene" content
can lead to subjective interpretations and potential misuse, resulting in
censoring legitimate content or expression. Courts have had to individually
interpret and clarify the scope of this section, but concerns about ambiguity
Section 72 (Breach of Confidentiality and Privacy):
This section deals with the breach of confidentiality and privacy, but its scope
is limited to unauthorized access to computer material. It may not cover broader
privacy violations that can occur in the digital realm. The legal definition of
privacy-related offenses remains somewhat limited, potentially leaving certain
privacy breaches unaddressed.
Section 89 (Retention of Electronic Records by Government Agencies):
While this section allows government agencies to require any person to retain
specified electronic records, it lacks clear guidelines for data retention
periods, which can lead to ambiguity and potential misuse. Clearer guidelines
for data retention could help prevent abuse of this provision and safeguard
Compounding of Offences under IT Act, 2000
In accordance with the Information Technology Act of 2000, there is a provision
known as "Compounding of Offences" under Section 77-A. This provision allows for
the resolution of certain offenses outside of court.
Here are the key details:
Who Can Compound Offences: Competent courts can grant permission for offenses to
be compounded under this act. However, offenses that carry a punishment of life
imprisonment or more than three years are not eligible for compounding.
When Offences Cannot Be Compounded: Offences cannot be compounded if:
- The accused has a prior conviction that could lead to a higher or different punishment.
- The offence affects the socio-economic conditions of the country.
- The offence involves a victim who is a child under 18 years of age.
- The offence involves a victim who is a woman.
How to Apply for Compounding:
To apply for compounding under this Act,
individuals accused of an offense can submit an application in court. This will
temporarily pause the trial process, and specific provisions of the Criminal
Procedure Code (Sections 265-B and 265-C) will come into play. Simply put,
"compounding of offenses" refers to a situation where both the accused and the
victim agree to resolve a less serious cybercrime outside of court, subject to
judicial approval. However, it's important to note that this option is not
available for more serious offenses, repeat offenders, offenses with significant
societal or economic consequences, or crimes against children and women.
Future of IT Act, 2000
The potential future directions and considerations for the IT Act 2000 are
Amendments and Evolving Technology:
The IT Act 2000 may undergo further
amendments to adapt to the rapidly evolving technology landscape. The IT Act may
need to be updated to address emerging technologies like blockchain and
artificial intelligence, as well as new forms of cybercrimes and digital
Data Protection and Privacy:
India has been considering a comprehensive
data protection law called the Personal Data Protection Bill. If enacted, it
could have a significant impact on how data is handled and protected in the
country, potentially requiring changes to the IT Act.
Cyber security Enhancements:
Given the increasing importance of data
protection and privacy, there is a need for stronger provisions for cyber
security in the IT Act. This includes measures for incident response, threat
mitigation, and enhancing overall cyber security defenses against growing cyber
The debate around intermediary liability and the
responsibilities of online platforms is ongoing. The government may revisit and
clarify these provisions to strike a balance between free expression and holding
platforms accountable for harmful content.
As cybercrimes often cross borders, the IT Act
may see changes to enhance international cooperation and coordination in
investigating and prosecuting cyber criminals.
Digital Economy Promotion:
The IT Act will likely continue to support the
growth of India's digital economy by providing a legal framework for e-commerce,
electronic contracts, and e-governance.
Digital Inclusion and Access:
Efforts to ensure digital inclusion and
access for all citizens may lead to amendments or initiatives that aim to bridge
the digital divide and provide equal opportunities for digital participation.
Legal Challenges and Court Interpretations:
Court decisions and legal
challenges may further shape the interpretation and enforcement of the IT Act.
These could set precedents and influence future amendments.
Public Awareness and Education:
Ongoing efforts to educate the public and
businesses about their rights and responsibilities under the IT Act may continue
to be a focus area. Because it is not very difficult to commit a crime using
electronic gadgets (one SIM card in another person's name and one resold mobile
phone are sufficient), and because such crime involves anonymity, detecting a
crime committed in cyberspace is a difficult and time-consuming process. Hence,
public awareness and education are very important.
The future of the IT Act, 2000 will rely on several factors, including
advancements in technology, legislative priorities, feedback from the public and
industry, and the changing needs of our digital society.
While it is important to recognize that the IT Act has its limitations, it has
also undergone amendments and updates over time to address some of these
weaknesses. In order to overcome these shortcomings, there is a growing need to
update and amend existing cyber laws in line with the ever-evolving digital
This entails enhancing technical expertise among law enforcement agencies and
establishing international cooperation mechanisms to effectively combat
cybercrimes. Additionally, discussions and debates continue about how to balance
legal frameworks with technological advancements and individual rights in the
Since its enactment, the IT Act 2000 has been amended several times to address
emerging challenges in the digital and cyber security landscape. It remains a
critical piece of legislation in India's efforts to regulate and promote the
digital economy while ensuring cyber security and protecting the rights of
individuals and organizations engaged in electronic transactions.