Information Technology Law
The Information Technology Act, 2000 is India’s primary law governing electronic commerce, digital signatures, cyber crimes, and data protection. This paper studies the IT Act in full — from legal recognition of electronic records to civil and criminal liabilities, intermediary liability, cyber security, e-contracts, domain name disputes, and jurisdictional issues in cyberspace. It also covers applicability of other laws (Contract Act, Trade Marks Act, Evidence Act) in the digital environment.
- IT Act, 2000 — Introduction & Definitions
- E-Records, Digital & Electronic Signatures
- PKI & Certifying Authorities
- Civil Liabilities (S.43, S.43A)
- Criminal Liabilities (Ss.65–67B)
- Electronic Evidence (Ss.65A–65B Evidence Act)
- Intermediary Liability (S.79)
- Cyber Security & Free Speech (S.66A, Shreya Singhal)
- E-Contracts & Domain Name Disputes
- Jurisdiction in Cyberspace
📋 Table of Contents
- Introduction to IT Law and the IT Act, 2000
- Legal Recognition & Authentication of Electronic Records
- Civil Liabilities
- Criminal Liabilities – Cyber Crimes
- Admissibility of Electronic Evidence – Ss.65A, 65B Evidence Act
- Intermediary Liability – S.79
- Cyber Security and Free Speech
- E-Contracts
- Trade Marks and Domain Names in Cyberspace
- Jurisdiction in Cyberspace
- Case Laws Summary
- Important Questions for Exam
- Quick Revision Summary
I. Introduction to IT Law and the IT Act, 2000
1.1 Nature of Cyberspace and E-Commerce
Cyberspace is a notional/virtual environment in which communication over computer networks occurs. It is borderless — transcending territorial, national, and jurisdictional boundaries. Cyberspace includes the internet, intranets, email systems, and all digital communication networks.
E-Commerce refers to commercial transactions conducted electronically over computer networks. Types:
- B2B (Business to Business): Trade between companies (e.g., Alibaba wholesale platform)
- B2C (Business to Consumer): Retail sale to end users (e.g., Amazon, Flipkart)
- C2C (Consumer to Consumer): Peer transactions (e.g., OLX, eBay)
Key challenges of regulating cyberspace: anonymity of users, borderless nature, speed of communication, difficulty of evidence collection, multi-jurisdictional enforcement, and rapid technological change.
1.2 Object and Scope of the IT Act, 2000
The Act aims to:
- Provide legal recognition to electronic records and digital signatures
- Remove the requirement of physical “writing” and “signature” for legal validity (facilitating e-commerce)
- Provide a regulatory regime for Certifying Authorities and digital signature certificates
- Create civil and criminal liabilities for contraventions
- Make consequential amendments to the Indian Penal Code, Indian Evidence Act, Bankers’ Books Evidence Act, and RBI Act
Applicability (S.1(4)): The Act does NOT apply to: (i) a negotiable instrument (other than a cheque) as defined in S.13 of the Negotiable Instruments Act; (ii) a power of attorney as defined in S.1A of the Powers of Attorney Act; (iii) a trust as defined in S.3 of the Indian Trusts Act; (iv) a will as defined in clause (h) of S.2 of the Indian Succession Act; (v) any contract for the sale or conveyance of immovable property or any interest in such property.
Overriding effect (S.81): The IT Act overrides any other law to the extent of inconsistency.
1.3 Key Definitions – S.2
Any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network.
The interconnection of one or more computers or computer systems or communication devices through the use of satellite, microwave, terrestrial line, wire, wireless or other communication media; and terminals or a complex consisting of two or more interconnected computers or communication devices whether or not the interconnection is continuously maintained.
Computer resource means computer, computer system, computer network, data, computer database or software.
A device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions.
Cell phones, personal digital assistance or combination of both or any other device used to communicate, send or transmit any text, video, audio, or image.
With respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.
| Section | Term Defined | Key Point |
|---|---|---|
| S.2(1)(i) | Computer | Broad definition — any electronic data processing device |
| S.2(1)(j) | Computer Network | Interconnection of computers via any communication medium |
| S.2(1)(k) | Computer Resource | Computer + system + network + data + software |
| S.2(1)(l) | Computer System | Device/collection performing logic, arithmetic, communication |
| S.2(1)(ha) | Communication Device | Mobile phones, PDAs, any text/video/audio transmitting device |
| S.2(1)(p) | Digital Signature | Authentication using asymmetric cryptosystem + hash function |
| S.2(1)(ta) | Electronic Signature | Broader than digital signature — any authenticated electronic method |
| S.2(1)(v) | Information | Data, messages, text, images, sound, voice, codes, programs, databases |
| S.2(1)(w) | Intermediary | ISP, search engines, e-commerce platforms, cyber cafes |
Facts: Syed Asifuddin, an employee of Tata Indicom, was accused of tampering with mobile handsets to make them work on rival networks. The question was whether a mobile handset is a “computer” under the IT Act.
Issue: Is a mobile handset a “computer” under S.2(1)(i) of the IT Act? Does tampering with source code of a mobile constitute an offence under S.65?
Held: The AP HC held that a mobile phone is a “computer” under the wide definition in S.2(1)(i) of the IT Act. Tampering with the ESN (Electronic Serial Number) of the mobile handset (which is essentially computer source code) constitutes an offence under S.65. The court convicted the accused.
II. Legal Recognition & Authentication of Electronic Records
2.1 Legal Recognition of Electronic Records – Ss.4–5
Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is rendered or made available in an electronic form and accessible so as to be usable for a subsequent reference.
Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document shall be signed or bear the signature of any person, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is authenticated by means of an electronic signature affixed in such manner as may be prescribed by the Central Government.
These two sections are the cornerstone of e-commerce law — they remove the traditional requirement of physical writing and physical signature. An email, a PDF, or a digital record now satisfies the “writing” requirement; an electronic signature satisfies the “signature” requirement.
2.2 Digital Signatures and the Asymmetric Cryptosystem
Authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of S.3.
How Digital Signatures Work — Asymmetric Cryptosystem:
- Each user has a Key Pair: a Private Key (kept secret) and a Public Key (publicly available).
- The sender uses a Hash Function (S.3) to generate a fixed-length “message digest” from the message.
- The sender encrypts the message digest with their Private Key — this is the digital signature.
- The recipient uses the sender’s Public Key to decrypt the digital signature and verify the message digest.
- If the decrypted digest matches the hash of the received message, the message is authentic and unaltered.
Functions served: Authentication (proves sender’s identity), Integrity (message not altered), Non-repudiation (sender cannot deny signing), Confidentiality (if message also encrypted).
| Basis | Digital Signature | Electronic Signature |
|---|---|---|
| Section | S.2(1)(p), S.3 | S.2(1)(ta), S.3A |
| Mechanism | Uses asymmetric cryptosystem + hash function | Broader — any reliable electronic method of authentication |
| Certificate required | Yes — Digital Signature Certificate from Certifying Authority | May or may not require a certificate |
| Legal status | High — mathematically verifiable | Recognised but reliability depends on method used |
| Example | PKI-based signature (DSC used for tax filings, MCA filings) | OTP-based authentication, biometric authentication |
| Added by | Original IT Act, 2000 | IT (Amendment) Act, 2008 |
2.3 Electronic Signatures – S.3A (Inserted by Amendment Act, 2008)
S.3A recognises a broader category of “electronic signatures” beyond the asymmetric cryptosystem-based digital signatures. Any method of authentication can qualify as an electronic signature if it is reliable and meets the standards prescribed by the Central Government. This includes OTP-based authentication, biometric signatures, and other methods.
2.4 Public Key Infrastructure (PKI) – Ss.17–26
The PKI is the framework for managing digital certificates and public keys. Under the IT Act:
- Controller of Certifying Authorities (CCA) (S.17): Apex regulatory authority — appointed by Central Government to supervise Certifying Authorities and their Digital Signature Certificates.
- Certifying Authorities (CAs) (S.24): Licensed organisations that issue Digital Signature Certificates (DSCs). They verify the identity of applicants before issuing a DSC. E.g., eMudhra, NSDL e-Governance, (n)Code Solutions.
- Digital Signature Certificate (DSC) (S.35): Issued by a CA, contains: subscriber’s public key, subscriber’s identity details, validity period, CA’s digital signature. Functions as an electronic identity card.
- Suspension & Revocation (Ss.37–38): CAs can suspend or revoke DSCs in specified circumstances (e.g., compromise of private key, misrepresentation).
- Offences (Ss.73–74): Publishing a false DSC or DSC for fraudulent purposes are criminal offences.
CCA (Root) → Certifying Authorities (e.g., eMudhra) → Subscribers (individuals/companies with DSCs)
This hierarchy of trust ensures that a digital signature can be traced back to a verified identity through the chain of certificate authorities.
2.5 Attribution, Acknowledgment and Despatch – Ss.11–13
- S.11 — Attribution: An electronic record is attributed to the originator if it was sent by the originator himself, by a person authorised by the originator, or by an information system programmed by the originator to operate automatically.
- S.12 — Acknowledgment: If the originator has not agreed with the addressee that acknowledgment is necessary, the contract is not conditional on acknowledgment. But if originator has requested acknowledgment, he may treat the message as not sent until he receives acknowledgment.
- S.13 — Despatch: An electronic record is despatched when it enters a computer resource outside the control of the originator. It is received when it enters the computer resource of the addressee. Time and place of despatch is the location of the originator’s computer resource.
III. Civil Liabilities
3.1 Damage to Computer/Computer System – S.43
If any person without permission of the owner or any other person in charge of a computer, computer system or computer network:
(a) accesses or secures access to such computer, computer system or computer network or computer resource;
(b) downloads, copies or extracts any data, computer database or information;
(c) introduces or causes to be introduced any computer contaminant or computer virus;
(d) damages or causes to be damaged any computer, computer system, computer network, data, computer database or any other programmes;
(e) disrupts or causes disruption of any computer, computer system or computer network;
(f) denies or causes the denial of access to any person authorised to access any computer resource;
(g) provides any assistance to any person to facilitate access in contravention of this section;
(h) charges the services availed of by a person to the account of another person;
(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously;
(j) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code…
he shall be liable to pay damages by way of compensation to the person so affected.
S.43 creates civil liability — compensation payable. The corresponding criminal offence is S.66, which makes the same acts offences punishable with imprisonment and fine. S.43 is the civil remedy; S.66 is the criminal remedy for the same acts.
Facts: A husband (Vinod Kaushik) accessed his wife’s and daughter’s email accounts without their knowledge or permission, read their emails, and used the information in matrimonial proceedings.
Issue: Does accessing someone else’s email account without permission constitute a violation under the IT Act? Is such evidence obtained admissible?
Held: The Delhi HC held that accessing another person’s email account without their permission is an offence under the IT Act (S.43 for civil liability, potentially S.66 for criminal). Such unauthorised access violates the right to privacy. Evidence obtained by illegal access to email may not be admissible. The court directed that no adverse inference be drawn from such illegally obtained information.
3.2 Data Protection – S.43A, Sensitive Personal Data Rules
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Sensitive Personal Data or Information (SPDI Rules, 2011): Passwords, financial information (bank accounts, credit/debit cards), physical/physiological/mental health condition, sexual orientation, medical records, biometric information, and any details relating to the above.
Reasonable Security Practices: The body corporate must have a comprehensive documented information security programme and security standards such as IS/ISO/IEC 27001. If they comply with such standards and still suffer a breach, liability may be limited.
Facts: Sanjay Dhande complained that ICICI Bank and Vodafone negligently allowed someone to obtain a duplicate SIM of his mobile number (SIM swap fraud), using which the fraudster conducted unauthorised transactions from his bank account.
Issue: Whether ICICI Bank and Vodafone were liable under S.43A for negligently failing to protect sensitive personal data and failing to implement reasonable security practices.
Held: The Adjudicating Officer held that both ICICI Bank and Vodafone were negligent in their security procedures. Vodafone issued a duplicate SIM without adequate verification; ICICI Bank allowed OTP-based transactions without adequate safeguards. Both were ordered to pay compensation to the complainant under S.43A.
3.3 Online Defamation
Online defamation involves publishing false statements on digital platforms (email, social media, websites, blogs) that damage a person’s reputation. The law governing online defamation includes:
- Ss.499–500 IPC: Defamation — applicable to online statements (courts have applied IPC defamation provisions to email defamation).
- S.66A IT Act: Was used for online defamation but was struck down by the Supreme Court in Shreya Singhal v. Union of India (2015) as unconstitutional.
- Civil remedy: Action for damages in a civil court.
Facts: Jogesh Kwatra, a disgruntled employee of SMC Pneumatics, sent defamatory and obscene emails to SMC’s bosses worldwide, impersonating the company’s managing director and making false and derogatory statements.
Issue: India’s first case of cyber defamation — whether an injunction could be granted for email-based defamation.
Held: The Delhi District Court granted an ex-parte injunction restraining the defendant from sending such emails. This was India’s first cyber defamation case — courts applied civil defamation principles to email-based false and defamatory statements. The court held that online defamation is actionable in India.
3.4 Adjudicating Officer and Appellate Tribunal – Ss.46, 57
- Adjudicating Officer (S.46): The Central Government appoints an officer not below the rank of Director to adjudicate claims for compensation under S.43 and S.43A, where the claim does not exceed ₹5 crore.
- TDSAT — Cyber Appellate Tribunal (S.57): Appeals from Adjudicating Officer’s orders lie to the Cyber Appellate Tribunal (now merged with TDSAT — Telecom Disputes Settlement and Appellate Tribunal). Further appeal to High Court on question of law.
- Civil Court jurisdiction (S.46(1A)): Where compensation claimed exceeds ₹5 crore, parties may approach civil courts directly.
IV. Criminal Liabilities – Cyber Crimes
| Offence | Section | Punishment |
|---|---|---|
| Tampering with computer source code | S.65 | Imprisonment up to 3 years OR fine up to ₹2 lakh, OR both |
| Computer related offences (hacking, data theft, etc.) | S.66 | Imprisonment up to 3 years OR fine up to ₹5 lakh, OR both |
| Dishonestly receiving stolen computer resource | S.66B | Imprisonment up to 3 years OR fine up to ₹1 lakh, OR both |
| Identity theft | S.66C | Imprisonment up to 3 years AND fine up to ₹1 lakh |
| Cheating by personation (online) | S.66D | Imprisonment up to 3 years AND fine up to ₹1 lakh |
| Violation of privacy (capturing private images) | S.66E | Imprisonment up to 3 years OR fine up to ₹2 lakh, OR both |
| Cyber terrorism | S.66F | Imprisonment for life |
| Publishing obscene material online | S.67 | First conviction: imprisonment up to 3 years + fine up to ₹5 lakh; subsequent: up to 5 years + fine up to ₹10 lakh |
| Publishing sexually explicit material online | S.67A | First conviction: imprisonment up to 5 years + fine up to ₹10 lakh; subsequent: up to 7 years + fine |
| Child pornography online | S.67B | First conviction: imprisonment up to 5 years + fine up to ₹10 lakh; subsequent: up to 7 years + fine |
| Breach of confidentiality and privacy | S.72 | Imprisonment up to 2 years OR fine up to ₹1 lakh, OR both |
| Publishing false Digital Signature | S.73 | Imprisonment up to 2 years OR fine up to ₹1 lakh, OR both |
| Publication of DSC for fraudulent purpose | S.74 | Imprisonment up to 2 years OR fine up to ₹1 lakh, OR both |
4.1 Tampering with Computer Source Code – S.65
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Computer source code means the listing of programmes, computer commands, design and layout, and programme analysis of computer resource in any form.
Facts: An employee of an IT company modified the company’s software code without authorisation, altering financial records to commit fraud.
Issue: Whether unauthorised modification of computer source code by an employee constitutes an offence under S.65 even if done from within the organisation.
Held: The court held that S.65 applies to anyone who knowingly and intentionally alters source code — whether they are an outsider or an employee. The fact that the accused had authorised access to the system does not immunise them from S.65 if they exceeded their authority and deliberately altered source code.
4.2 Hacking – S.43(i) read with S.66
Hacking is the unauthorised access to a computer resource, often with malicious intent (data theft, disruption, espionage). Under the IT Act:
- Civil liability: S.43(a) — unauthorised access → compensation
- Criminal liability: S.66 — if any act under S.43 is done dishonestly or fraudulently → criminal offence (imprisonment up to 3 years and/or fine up to ₹5 lakh)
Types of hacking-related offences: data theft (S.43(b)), virus attacks (S.43(c)), email bombing (S.43(e)), Denial of Service (DoS) attacks (S.43(e)/(f)).
4.3 Identity Theft and Phishing – Ss.66C, 66D
Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.
Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.
Phishing is a technique where a fraudster creates a fake website/email mimicking a legitimate bank or service to steal users’ login credentials and financial information.
Facts: Ajay Sood and others were operating a phishing scheme — sending emails purporting to be from NASSCOM (National Association of Software and Service Companies) and asking recipients to pay fees for fictitious job placements. NASSCOM sued for trade mark infringement and phishing.
Issue: Whether phishing (impersonating a well-known organisation online to defraud users) is illegal in India? Whether courts can grant relief against phishing before specific anti-phishing legislation exists?
Held: The Delhi HC held that phishing is an illegal activity under Indian law even before specific legislation — it constitutes passing off (TM law), fraud, and cheating under IPC. The court granted an injunction. This was the first Indian court decision to define and rule against “phishing” as a cyber crime.
4.4 Obscenity and Pornography Online – Ss.66E, 67, 67A, 67B
Whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.
Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished…
Whoever: (a) publishes or transmits material in any electronic form which depicts children engaged in sexually explicit acts; (b) creates text/digital images relating to children; (c) cultivates, entices or induces children online — is guilty of the most serious online offence; punished with imprisonment up to 5 years (first conviction) or 7 years (subsequent).
Facts: A magazine published a photograph of a nude foreign tennis star with her fiancé. The article was about racial discrimination in tennis. A complaint was filed for obscenity under S.292 IPC.
Issue: What is the correct test for “obscenity” in India — the older Hicklin test (British) or the more liberal Roth test (American)?
Held: The Supreme Court adopted the Community Standards Test (similar to the US Roth test) over the old Hicklin test. The Hicklin test asks whether material would “deprave and corrupt” the most vulnerable minds (children, weak-minded persons). The court held that the test must be whether the average person in the community (applying contemporary community standards) would find the material patently offensive or appealing to prurient interest without redemptive social value. The photograph in question — in the context of an article on racial discrimination — was not obscene.
Facts: The accused posted obscene and defamatory messages about a woman (a divorcee) on Yahoo groups, impersonating her and soliciting sexual favours. He also made harassing phone calls.
Issue: One of India’s first convictions under the IT Act for online obscenity/cyber harassment.
Held: The CMM, Egmore convicted the accused under S.67 IT Act (publishing obscene material online) and S.509 IPC (word, gesture or act intended to insult the modesty of a woman). Sentenced to 9 months rigorous imprisonment and fine. Notably, the case was investigated and tried within 7 days of the complaint — a landmark for cyber crime enforcement speed.
4.5 Cyber Stalking – S.354D IPC
Any man who follows a woman and contacts, or attempts to contact such woman to foster personal interaction repeatedly despite a clear indication of disinterest by such woman; or monitors the use by a woman of the internet, email or any other form of electronic communication — commits the offence of stalking. Punishable with imprisonment up to 3 years (first conviction) and up to 5 years (subsequent conviction).
Cyber stalking involves using electronic means (email, social media, tracking apps, GPS) to persistently follow, harass, or intimidate a person. The landmark Ritu Kohli Case (Delhi, 2001) was India’s first cyber stalking case — a spurned lover posted Ritu Kohli’s personal details (address, phone number) on adult websites inviting people to contact her; multiple men called her. FIR registered under S.509 IPC and S.67 IT Act.
4.6 Cyber Terrorism – S.66F
Whoever commits or conspires to commit cyber terrorism — i.e., with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people, by:
(a) Denying or causing denial of access to any person authorised to access any computer resource; or
(b) Attempting to penetrate/access a computer resource without authorisation or in excess of authorisation, and by means of such conduct causing or likely to cause death or injuries or damage or disruption of critical information infrastructure or knowingly or intentionally penetrating or accessing a computer resource without authorisation or in excess of authorisation and obtaining access to information, data or computer database that is restricted for reasons of security of State — shall be punishable with imprisonment which may extend to imprisonment for life.
In the “Rakesh v. Central Bureau” case (2011), a terror e-mail was sent by hacking a Wi-Fi network in Mumbai, claiming responsibility for the Delhi blasts. The IP address traced led to the hacked Wi-Fi owner’s residence, raising questions about attributing cyber crimes to IP addresses. Ultimately the actual sender was traced through further forensics.
V. Admissibility of Electronic Evidence
S.65A: Contents of electronic records may be proved in accordance with S.65B.
S.65B — Conditions for Admissibility of Electronic Records:
A computer output (printout, digital file) is admissible as evidence if:
(i) The information was produced by the computer during a period when it was regularly used for that activity;
(ii) During that period, information of the kind contained was regularly fed into the computer in the ordinary course of activities;
(iii) The computer was operating properly during the relevant period, or if malfunctioning, such malfunction did not affect the production or accuracy of the output;
(iv) The information in the electronic record reproduces or is derived from information fed into the computer in the ordinary course of activities.
A S.65B Certificate must be given by a responsible person (an officer of the organisation) certifying the above conditions.
Facts: In an election petition, the petitioner sought to produce electronic records (CDs containing audio/video recordings) as evidence without a S.65B certificate. The High Court admitted them. The matter reached the Supreme Court.
Issue: Can electronic records be admitted as secondary evidence under S.65 of the Evidence Act without complying with S.65B? Is a S.65B certificate mandatory?
Held: The Supreme Court held that S.65B is a complete code for admissibility of electronic records. Electronic records cannot be admitted as secondary evidence under S.65 (general provision) — they must comply with S.65B. A S.65B certificate from the person responsible for the computer system is mandatory for admissibility of electronic evidence. Without the certificate, electronic records cannot be admitted.
A three-judge bench of the Supreme Court reaffirmed and clarified Anvar P.V.: The S.65B certificate must be produced at the time of tendering evidence, not at a later stage. However, courts have discretion to allow production of the certificate at a later stage if parties show good cause. The requirement of S.65B certificate applies strictly to electronic records being produced as evidence.
VI. Intermediary Liability – S.79
An intermediary shall not be liable for any third party information, data, or communication link hosted by it if:
(a) The intermediary’s function is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted;
(b) The intermediary does not initiate the transmission, select the receiver, or select or modify the information;
(c) The intermediary observes due diligence as per the Intermediary Guidelines and follows other guidelines prescribed by the Central Government.
However, if the intermediary has actual knowledge (or has been notified by the government) that its resource is being used to commit an unlawful act and fails to act expeditiously to remove or disable such material, the exemption is lost.
The “Safe Harbour” Principle:
S.79 creates a “safe harbour” (borrowed from US law — Section 230 CDA and DMCA’s safe harbour) — intermediaries are shielded from liability for third-party content they host, provided they comply with due diligence requirements and act on notices to take down illegal content. This protects platforms like Google, Facebook, YouTube, Twitter from being held responsible for user-generated content.
Due Diligence Requirements — Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021:
- Publish terms of service, privacy policy, and user agreement prominently.
- Appoint a Grievance Officer, Nodal Officer, and Chief Compliance Officer (for “significant social media intermediaries” with 50 lakh+ users).
- Act within 72 hours on government/court orders to take down content.
- Enable traceability of messages for “significant social media intermediaries” (controversial provision — may compromise end-to-end encryption).
- Publish monthly compliance reports.
Facts: S.66A of the IT Act punished sending “grossly offensive,” “menacing,” or “annoyance/inconvenience”-causing messages online. Several people were arrested under S.66A for Facebook posts, tweets, and online cartoons critical of politicians. A PIL challenged S.66A as unconstitutional.
Issues: (1) Is S.66A unconstitutional as a violation of free speech (Art.19(1)(a))? (2) What is the constitutional standard for restrictions on online speech? (3) Is the “intermediary take-down” provision under S.79(3)(b) (as it stood) constitutionally valid?
Held: The Supreme Court: (i) Struck down S.66A in its entirety as unconstitutional — it was vague and overbroad, using undefined terms like “grossly offensive,” “menacing,” and “causing annoyance.” It did not fall within any permissible ground of restriction under Art.19(2). (ii) Read down S.79(3)(b) — intermediaries need only take down content upon receiving a court order or government order, not merely on any private complaint. The original provision required removal on any notice — now restricted to judicial/governmental directions. (iii) S.69A (blocking of websites) was upheld as constitutionally valid as it has procedural safeguards.
Facts: T-Series (Super Cassette Industries) complained that MySpace hosted infringing Bollywood music uploaded by users, without taking down the content despite notices. MySpace claimed safe harbour under S.79 as an intermediary.
Issue: When does an intermediary lose safe harbour under S.79? What is the standard of “knowledge” required?
Held: The Delhi HC held that: (i) MySpace was entitled to safe harbour for passive hosting; (ii) However, once MySpace received specific notices from T-Series about specific infringing works, it had actual knowledge; (iii) Failure to act expeditiously on such notices forfeits safe harbour protection; (iv) The intermediary must have a notice-and-take-down mechanism. The court directed MySpace to disable access to infringing content upon receiving take-down notices.
Facts: Visaka Industries complained that Google’s search engine results showed defamatory content about the company. Visaka sought criminal action against Google India.
Issue: Is Google liable for defamatory content appearing in search results? Is Google an “intermediary” entitled to S.79 protection?
Held: The AP HC held that Google is an intermediary under S.2(1)(w) and is entitled to safe harbour protection under S.79, as long as it does not initiate the defamatory content and complies with due diligence requirements. Search engines displaying third-party content are not primarily liable for that content. However, upon specific notice and court order, they must take down/de-index defamatory content. The case was later taken to the Supreme Court (2019 SC ruling) which similarly affirmed the intermediary protection framework.
Facts: Vyakti Vikas Kendra (associated with Sri Sri Ravi Shankar/Art of Living) complained that Jitendra Bagga posted defamatory tweets about Sri Sri Ravi Shankar. Bagga also alleged counter-defamation. Both sued for online defamation.
Issue: Does a civil court have jurisdiction over online defamation? What remedies are available?
Held: The Delhi HC held that online defamation through social media (Twitter) is actionable. Civil courts have jurisdiction over online defamation claims. The court granted an interim injunction restraining defamatory tweets. The case established that reputation can be harmed through tweets and social media just as through printed media, and civil remedies (injunction, damages) are available.
VII. Cyber Security and Free Speech
7.1 Interception, Monitoring and Blocking – Ss.69, 69A, 69B
Where the Central Government or a State Government or any of its officers specially authorised is satisfied that it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognisable offence — may by order direct any agency of the Government to intercept, monitor or decrypt any information transmitted through any computer resource.
Where the Central Government is satisfied that it is necessary or expedient so to do in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognisable offence, it may direct any agency of the Government or any intermediary to block access by the public to any information generated, transmitted, received, stored or hosted in any computer resource.
Facts: The 9-judge Constitution Bench was asked whether the right to privacy is a fundamental right under the Indian Constitution.
Held: Unanimously held that the right to privacy is a fundamental right under Art. 21 (right to life) read with Arts. 14 and 19. Informational privacy (the right to control one’s personal data) is a component of this right. The court held that state surveillance and data collection must comply with the three-part test: (i) legality (law must exist), (ii) legitimate aim (proportionate goal), (iii) proportionality (least intrusive means). This judgment has major implications for cyber surveillance under Ss.69–69B of the IT Act.
Facts: After the revocation of J&K’s special status (August 2019), the government imposed an internet shutdown in J&K for months. Journalists (including Anuradha Bhasin, Editor, Kashmir Times) challenged the shutdown as violating their fundamental rights.
Issue: Whether internet shutdowns are constitutionally permissible? What is the right to access the internet?
Held: The Supreme Court held: (i) Freedom of speech and expression under Art.19(1)(a) extends to the internet — the right to access the internet is a part of this fundamental right; (ii) Internet shutdowns can only be ordered for legitimate reasons with proportionality — indefinite suspension is unconstitutional; (iii) Orders for internet suspension must be published for public scrutiny; (iv) Periodic review of continued necessity of any internet shutdown is mandatory. The court directed the government to review and restore internet services where possible.
VIII. E-Contracts
8.1 Formation of E-Contracts
An e-contract is a contract formed electronically, typically via email, website, or app. The fundamental requirements of a valid contract under the Indian Contract Act, 1872 — offer, acceptance, consideration, capacity, free consent, and lawful object — apply to e-contracts. The IT Act supplements these by recognising electronic communications as valid.
Types of E-Contracts:
- Email Contracts: Contracts formed through email exchange — offer and acceptance by email. Courts have recognised these as valid contracts (see Trimex International v. Vedanta Aluminium).
- Click-Wrap (Web) Contracts: User clicks “I Agree” or “Accept” — terms displayed on screen. Courts generally uphold these if terms are reasonably accessible and the user had a meaningful opportunity to review them.
- Browse-Wrap Contracts: Terms are accessible via a hyperlink — user deemed to have agreed by using the website. Courts are more sceptical — constructive notice must be clear.
- Shrink-Wrap Contracts: Software licence terms visible inside the box after purchase. If user opens the box, deemed to have accepted. Courts have had mixed views on enforceability.
Key IT Act Provisions on E-Contracts:
- S.10A: Contracts formed electronically are not unenforceable solely because they were formed by electronic means.
- Ss.11–13: Attribution, acknowledgment, and time/place of despatch of electronic records govern when a contract is concluded electronically.
Facts: WWE claimed that Reshma Collections was manufacturing and selling counterfeit WWE merchandise using WWE’s trade marks. WWE sought an injunction. The matter involved questions about e-commerce contracts and jurisdiction.
Issue: Whether email communications between parties constitute a binding contract; jurisdiction of Delhi courts over cyberspace disputes.
Held: The Division Bench confirmed that email exchanges can constitute binding contracts — applying S.10A IT Act and general contract law principles. The court also discussed the “effects doctrine” for jurisdiction — a court can exercise jurisdiction if the harmful effects of an online act are felt within its territory. Delhi courts had jurisdiction as WWE’s reputation was harmed in Delhi.
IX. Trade Marks and Domain Names in Cyberspace
9.1 Domain Names as Trade Marks
A domain name is an internet address (e.g., amazon.com, flipkart.com). Domain names serve commercial functions beyond mere addresses — they identify the source of goods/services and function as trade marks. The Supreme Court recognised domain names as protectable as trade marks in Satyam Infoway v. Sifynet Solutions (AIR 2004 SC 3540).
9.2 Cybersquatting
Cybersquatting is the bad-faith registration of a domain name corresponding to another’s trade mark with the intent to sell it to the trade mark owner or prevent legitimate use. It is actionable as passing off under Indian law.
9.3 Dispute Resolution — UDRP and INDRP
- UDRP (Uniform Domain-Name Dispute-Resolution Policy): ICANN’s global policy — mandatory for all generic TLD (.com, .org, .net) registrants. WIPO Arbitration Centre handles most UDRP disputes. Complainant must prove: (i) domain is identical/confusingly similar to its mark; (ii) registrant has no rights/legitimate interests; (iii) domain registered and used in bad faith.
- INDRP (IN Domain Name Dispute Resolution Policy): For .in domains — administered by NIXI (National Internet Exchange of India). Similar three-part test as UDRP.
9.4 Keyword Advertising
Search engines (Google, Bing) allow advertisers to buy “keywords” — including competitors’ trade marks — so their ads appear in search results when users search for the competitor. This raises trade mark infringement issues, particularly in Europe and India. Delhi HC decisions have held that metatag use of a competitor’s trade mark without more may not constitute infringement, but explicit use of a registered mark as a keyword to attract customers may constitute infringement under S.29 of the TM Act.
X. Jurisdiction in Cyberspace
10.1 The Jurisdictional Challenge
Traditional jurisdiction rules are based on physical presence and territorial boundaries. Cyberspace is borderless — a single website can be accessed from anywhere in the world. This raises complex questions: Which court has jurisdiction over a cyber dispute? Which country’s law applies?
10.2 Traditional Rules Applied to Cyberspace
Civil Jurisdiction (CPC):
- S.20 CPC: Suits may be instituted where the defendant resides, carries on business, or where the cause of action arises. For online disputes, the “cause of action” arises where the harm is felt.
- Effects doctrine: Courts can exercise jurisdiction if significant effects of the online act are felt in their territory.
Criminal Jurisdiction:
- S.177 CrPC: Trial where the offence was committed.
- S.178 CrPC: If the offence is committed in more than one local area, trial may be in any of those areas.
- S.75 IT Act — Extraterritorial Jurisdiction: The IT Act applies to any offence or contravention thereunder committed outside India by any person if it involves a computer, computer system or computer network located in India.
- S.3 IPC: Any person who commits an offence in India is liable to be tried under IPC — including acts done outside India if they target persons or systems in India.
Facts: Banyan Tree Hotels (Delhi-based) sued A. Murali Krishna Reddy (Chennai-based) for operating a hotel under the name “Banyan Tree” and maintaining a website that Delhi users could access. The Delhi HC’s jurisdiction was challenged.
Issue: Can a Delhi court exercise jurisdiction over a defendant (based in Chennai) merely because the defendant’s website is accessible from Delhi?
Held: The Delhi HC laid down the “purposeful availment” test for internet jurisdiction: Merely maintaining a passive website accessible everywhere is insufficient for personal jurisdiction in a particular forum. The plaintiff must show that the defendant “purposefully availed” itself of the forum’s market — i.e., the website was interactive and the defendant deliberately targeted or conducted commercial activities in Delhi. Mere accessibility of a website from Delhi does not confer jurisdiction on Delhi courts.
XI. Summary of All Important Case Laws
| Case Name | Year | Court | Key Principle |
|---|---|---|---|
| Syed Asifuddin v. State of AP | 2005 | AP HC | Mobile phone is a “computer” under IT Act; SIM/ESN tampering = S.65 offence |
| Vinod Kaushik v. Madhvika Joshi | 2012 | Del HC | Unauthorised access to spouse’s email = IT Act violation; illegal access evidence inadmissible |
| Sanjay Dhande v. ICICI & Vodafone | 2014 | AO, MH | Bank + telecom liable under S.43A for negligent security enabling SIM swap fraud |
| SMC Pneumatics v. Jogesh Kwatra | 2001/2014 | Del DC | India’s first cyber defamation case; injunction granted for email defamation |
| NAASCOM v. Ajay Sood | 2005 | Del HC | India’s first phishing judgment; phishing = passing off + fraud + IT Act offence |
| Aveek Sarkar v. West Bengal | 2014 | SC | Community Standards Test adopted for obscenity (replaces Hicklin test) |
| State of TN v. Suhas Katti | 2004 | CMM, Egmore | India’s first S.67 IT Act conviction; online harassment/obscenity punishable |
| Anvar P.V. v. P.K. Basheer | 2014 | SC | S.65B certificate mandatory for electronic evidence admissibility |
| Shreya Singhal v. UoI | 2015 | SC | S.66A struck down; S.79 safe harbour clarified — only court/govt orders trigger take-down |
| My Space v. Super Cassettes | 2016 | Del HC DB | Safe harbour lost after actual notice of specific infringing content; notice-and-take-down mandatory |
| Google India v. Visaka Industries | 2011/2019 | AP HC / SC | Search engines are intermediaries; entitled to S.79 safe harbour |
| Vyakti Vikas Kendra v. Jitendra Bagga | 2012 | Del HC | Twitter defamation actionable; civil courts have jurisdiction; injunction grantable |
| Justice Puttaswamy v. UoI | 2017 | SC (9J) | Privacy is a fundamental right; digital surveillance must meet legality+aim+proportionality |
| Anuradha Bhasin v. UoI | 2020 | SC | Internet access is fundamental right; internet shutdowns must be proportionate and reviewed |
| Satyam Infoway v. Sifynet | 2004 | SC | Domain names = trade marks; passing off lies for domain name misuse |
| Banyan Tree Holdings v. Murali Reddy | 2009 | Del HC DB | Purposeful availment test for cyber jurisdiction; passive website ≠ jurisdiction |
| WWE v. Reshma Collections | 2014 | Del HC DB | Email exchange = valid contract; effects doctrine for cyber jurisdiction |
📝 Important Questions for Exam
A. Short Answer Questions (2–5 Marks)
B. Long Answer / Essay Questions (10–15 Marks)
C. Problem-Based Questions
D. MCQ Practice (20 Questions)
⚡ Quick Revision Summary
1. Key Definitions at a Glance
| Term | Section | One-Line Definition |
|---|---|---|
| Computer | S.2(1)(i) | Any electronic data processing device (includes mobile phones) |
| Computer Network | S.2(1)(j) | Interconnection of computers/communication devices |
| Computer Resource | S.2(1)(k) | Computer + system + network + data + software |
| Communication Device | S.2(1)(ha) | Cell phones, PDAs, any device to communicate text/audio/video |
| Digital Signature | S.2(1)(p) | Authentication using asymmetric cryptosystem + hash function |
| Electronic Signature | S.2(1)(ta) | Any reliable electronic method of authentication (OTP, biometric, etc.) |
| Intermediary | S.2(1)(w) | ISP, search engine, e-commerce platform, cyber cafe that stores/transmits records |
| Sensitive Personal Data | S.43A r/w SPDI Rules | Passwords, financial info, health data, biometrics, sexual orientation |
2. All Sections Covered
| Section | Subject | Key Rule |
|---|---|---|
| S.1(4) | Exclusions from IT Act | Wills, powers of attorney, trusts, negotiable instruments, immovable property transactions excluded |
| S.4 | Legal recognition of electronic records | Electronic records satisfy “writing” requirement |
| S.5 | Legal recognition of electronic signatures | Electronic signatures satisfy “signature” requirement |
| S.3 / S.3A | Digital/Electronic Signature | S.3 — asymmetric cryptosystem; S.3A — any reliable method |
| S.10A | E-contracts not invalid | Contracts concluded electronically are valid and enforceable |
| S.11–13 | Attribution, acknowledgment, despatch | Rules for when e-records are attributed and when contract is concluded |
| S.17–26 | PKI — CCA and Certifying Authorities | CCA = apex regulator; CAs issue DSCs; hierarchy of trust |
| S.43 | Civil liability for computer wrongs | Compensation for unauthorised access, data theft, virus, DDoS, source code damage |
| S.43A | Data protection | Body corporate liable for negligent security practices affecting SPDI |
| S.46 | Adjudicating Officer | Adjudicates S.43/S.43A claims ≤ ₹5 crore |
| S.57 | TDSAT/Cyber Appellate Tribunal | Appeals from Adjudicating Officer’s orders |
| S.65 | Tampering with source code | Knowingly altering/concealing source code — 3 years / ₹2 lakh |
| S.66 | Computer-related offences | S.43 acts done dishonestly/fraudulently — 3 years / ₹5 lakh |
| S.66C | Identity theft | Fraudulent use of another’s electronic signature/password — 3 years + ₹1 lakh |
| S.66D | Cheating by personation online | Cheating by impersonating another via computer — 3 years + ₹1 lakh |
| S.66E | Violation of privacy | Capturing/publishing private images without consent — 3 years / ₹2 lakh |
| S.66F | Cyber terrorism | Threatening sovereignty/security via computer — life imprisonment |
| S.67 | Online obscenity | Publishing lascivious/prurient content online — 3/5 years + fine |
| S.67A | Sexually explicit content online | 5/7 years + fine for sexually explicit material |
| S.67B | Child pornography online | 5/7 years + fine; most severe cyber crime category |
| S.69A | Blocking of websites | Govt can order blocking for sovereignty/security/public order |
| S.72 | Breach of confidentiality | Disclosing information accessed in official capacity — 2 years / ₹1 lakh |
| S.75 | Extraterritorial jurisdiction | IT Act applies to offences outside India if involving computer resource in India |
| S.79 | Safe harbour for intermediaries | No liability for third-party content if due diligence + act on court/govt orders |
| S.81 | Overriding effect | IT Act prevails over any inconsistent law |
| S.65A–65B (Evidence Act) | Electronic evidence | S.65B certificate mandatory; four conditions; S.65 general provision does not apply |
| S.354D IPC | Cyber stalking | Persistent online monitoring/contact despite disinterest — 3/5 years |
3. Landmark Cases Table
| Case | Year | Court | Key Ruling |
|---|---|---|---|
| Syed Asifuddin v. AP | 2005 | AP HC | Mobile = computer; SIM/ESN tampering = S.65 |
| Vinod Kaushik v. Madhvika | 2012 | Del HC | Accessing spouse’s email = IT Act violation; evidence inadmissible |
| Sanjay Dhande v. ICICI & Vodafone | 2014 | AO, MH | S.43A — bank + telecom liable for SIM swap fraud (negligent security) |
| SMC Pneumatics v. Kwatra | 2014 | Del DC | First cyber defamation; email defamation = actionable; injunction granted |
| NAASCOM v. Ajay Sood | 2005 | Del HC | First phishing case; phishing = passing off + fraud + IT Act |
| Aveek Sarkar v. WB | 2014 | SC | Community Standards Test replaces Hicklin test for obscenity |
| State of TN v. Suhas Katti | 2004 | CMM Egmore | First S.67 conviction; online harassment of woman = S.67 + S.509 IPC |
| Anvar P.V. v. Basheer | 2014 | SC | S.65B certificate mandatory for electronic evidence |
| Shreya Singhal v. UoI | 2015 | SC | S.66A struck down; S.79 safe harbour clarified |
| My Space v. Super Cassettes | 2016 | Del HC DB | Safe harbour lost after actual notice + non-action on specific content |
| Puttaswamy v. UoI | 2017 | SC (9J) | Privacy = fundamental right; legality + aim + proportionality test |
| Anuradha Bhasin v. UoI | 2020 | SC | Internet access = fundamental right; shutdowns must be proportionate |
| Banyan Tree v. Murali Reddy | 2009 | Del HC DB | Purposeful availment test; passive website ≠ cyber jurisdiction |
4. Golden Rules
- Ss.4–5 IT Act eliminate the paper and ink requirement — electronic = written + signed.
- S.43 = civil compensation; S.66 = criminal imprisonment for the same acts (dishonest/fraudulent intent needed for S.66).
- S.65B certificate is mandatory — without it, electronic records cannot be admitted as evidence (Anvar P.V.).
- S.66A is dead — struck down by Supreme Court in Shreya Singhal. No one can be arrested under S.66A.
- Safe harbour (S.79) protects intermediaries from liability for user content, but is lost upon actual notice + non-action.
- Privacy is a fundamental right (Puttaswamy, 2017) — government surveillance must be lawful, targeted, and proportionate.
- Access to internet = fundamental right (Anuradha Bhasin, 2020) — internet shutdowns must be proportionate and reviewed.
- Community standards test (not Hicklin) governs obscenity — context matters (Aveek Sarkar).
- Purposeful availment needed for cyber jurisdiction — passive website ≠ submission to local court’s jurisdiction.
- Domain names = trade marks — passing off action available; UDRP/INDRP for dispute resolution (Satyam Infoway).
5. Memory Aids
C — Confidentiality
A — Authentication (proves sender’s identity)
I — Integrity (message not altered)
N — Non-repudiation (sender cannot deny signing)
A — Unauthorised Access
C — Copy/Download data
C — Contaminant/Virus introduction
E — Email bombing / Denial of Service
S — Source code damage
S — Steal or charge services to another’s account
I — Intermediary doesn’t Initiate/select/modify content
D — Due Diligence observed (IT Rules 2021)
S — Specific notice from court/govt → take down (or harbour lost)
S — S.66A Struck down (unconstitutional — vague, overbroad)
R — S.79 Read down (only court/govt orders trigger take-down)
S — S.69A Saved (blocking with procedural safeguards = valid)