Information Technology Law






Information Technology Law Notes | LB-5031 | University of Delhi



LL.B. V Term · Paper LB-5031 · University of Delhi, Faculty of Law · July 2020

Information Technology Law

IT Act, 2000E-Commerce LawCyber Crimes
Electronic EvidenceIntermediary LiabilityCyber Security

The Information Technology Act, 2000 is India’s primary law governing electronic commerce, digital signatures, cyber crimes, and data protection. This paper studies the IT Act in full — from legal recognition of electronic records to civil and criminal liabilities, intermediary liability, cyber security, e-contracts, domain name disputes, and jurisdictional issues in cyberspace. It also covers applicability of other laws (Contract Act, Trade Marks Act, Evidence Act) in the digital environment.

Topics Covered:

  • IT Act, 2000 — Introduction & Definitions
  • E-Records, Digital & Electronic Signatures
  • PKI & Certifying Authorities
  • Civil Liabilities (S.43, S.43A)
  • Criminal Liabilities (Ss.65–67B)
  • Electronic Evidence (Ss.65A–65B Evidence Act)
  • Intermediary Liability (S.79)
  • Cyber Security & Free Speech (S.66A, Shreya Singhal)
  • E-Contracts & Domain Name Disputes
  • Jurisdiction in Cyberspace

I. Introduction to IT Law and the IT Act, 2000

1.1 Nature of Cyberspace and E-Commerce

Cyberspace is a notional/virtual environment in which communication over computer networks occurs. It is borderless — transcending territorial, national, and jurisdictional boundaries. Cyberspace includes the internet, intranets, email systems, and all digital communication networks.

E-Commerce refers to commercial transactions conducted electronically over computer networks. Types:

  • B2B (Business to Business): Trade between companies (e.g., Alibaba wholesale platform)
  • B2C (Business to Consumer): Retail sale to end users (e.g., Amazon, Flipkart)
  • C2C (Consumer to Consumer): Peer transactions (e.g., OLX, eBay)

Key challenges of regulating cyberspace: anonymity of users, borderless nature, speed of communication, difficulty of evidence collection, multi-jurisdictional enforcement, and rapid technological change.

1.2 Object and Scope of the IT Act, 2000

🔵 Purpose of the IT Act, 2000
The Act aims to:

  • Provide legal recognition to electronic records and digital signatures
  • Remove the requirement of physical “writing” and “signature” for legal validity (facilitating e-commerce)
  • Provide a regulatory regime for Certifying Authorities and digital signature certificates
  • Create civil and criminal liabilities for contraventions
  • Make consequential amendments to the Indian Penal Code, Indian Evidence Act, Bankers’ Books Evidence Act, and RBI Act

Applicability (S.1(4)): The Act does NOT apply to: (i) a negotiable instrument (other than a cheque) as defined in S.13 of the Negotiable Instruments Act; (ii) a power of attorney as defined in S.1A of the Powers of Attorney Act; (iii) a trust as defined in S.3 of the Indian Trusts Act; (iv) a will as defined in clause (h) of S.2 of the Indian Succession Act; (v) any contract for the sale or conveyance of immovable property or any interest in such property.

Overriding effect (S.81): The IT Act overrides any other law to the extent of inconsistency.

1.3 Key Definitions – S.2

🔵 S.2(1)(i) — “Computer”
Any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network.
🔵 S.2(1)(j) — “Computer Network”
The interconnection of one or more computers or computer systems or communication devices through the use of satellite, microwave, terrestrial line, wire, wireless or other communication media; and terminals or a complex consisting of two or more interconnected computers or communication devices whether or not the interconnection is continuously maintained.
🔵 S.2(1)(k) — “Computer Resource”
Computer resource means computer, computer system, computer network, data, computer database or software.
🔵 S.2(1)(l) — “Computer System”
A device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions.
🔵 S.2(1)(ha) — “Communication Device”
Cell phones, personal digital assistance or combination of both or any other device used to communicate, send or transmit any text, video, audio, or image.
🔵 S.2(1)(w) — “Intermediary”
With respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.
SectionTerm DefinedKey Point
S.2(1)(i)ComputerBroad definition — any electronic data processing device
S.2(1)(j)Computer NetworkInterconnection of computers via any communication medium
S.2(1)(k)Computer ResourceComputer + system + network + data + software
S.2(1)(l)Computer SystemDevice/collection performing logic, arithmetic, communication
S.2(1)(ha)Communication DeviceMobile phones, PDAs, any text/video/audio transmitting device
S.2(1)(p)Digital SignatureAuthentication using asymmetric cryptosystem + hash function
S.2(1)(ta)Electronic SignatureBroader than digital signature — any authenticated electronic method
S.2(1)(v)InformationData, messages, text, images, sound, voice, codes, programs, databases
S.2(1)(w)IntermediaryISP, search engines, e-commerce platforms, cyber cafes
Syed Asifuddin v. State of Andhra Pradesh, 2006 (1) ALD (Cri) 96
Andhra Pradesh High Court | 2005

Facts: Syed Asifuddin, an employee of Tata Indicom, was accused of tampering with mobile handsets to make them work on rival networks. The question was whether a mobile handset is a “computer” under the IT Act.

Issue: Is a mobile handset a “computer” under S.2(1)(i) of the IT Act? Does tampering with source code of a mobile constitute an offence under S.65?

Held: The AP HC held that a mobile phone is a “computer” under the wide definition in S.2(1)(i) of the IT Act. Tampering with the ESN (Electronic Serial Number) of the mobile handset (which is essentially computer source code) constitutes an offence under S.65. The court convicted the accused.

Principle: Mobile phones are “computers” under the IT Act’s broad definition; tampering with their source code/electronic serial numbers constitutes the offence of tampering with source code under S.65.

II. Legal Recognition & Authentication of Electronic Records

2.1 Legal Recognition of Electronic Records – Ss.4–5

🔵 S.4 — Legal Recognition of Electronic Records
Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is rendered or made available in an electronic form and accessible so as to be usable for a subsequent reference.
🔵 S.5 — Legal Recognition of Electronic Signatures
Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document shall be signed or bear the signature of any person, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is authenticated by means of an electronic signature affixed in such manner as may be prescribed by the Central Government.

These two sections are the cornerstone of e-commerce law — they remove the traditional requirement of physical writing and physical signature. An email, a PDF, or a digital record now satisfies the “writing” requirement; an electronic signature satisfies the “signature” requirement.

2.2 Digital Signatures and the Asymmetric Cryptosystem

🔵 S.2(1)(p) — “Digital Signature”
Authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of S.3.

How Digital Signatures Work — Asymmetric Cryptosystem:

🟢 How It Works (S.2(1)(f) — Asymmetric Cryptosystem)

  1. Each user has a Key Pair: a Private Key (kept secret) and a Public Key (publicly available).
  2. The sender uses a Hash Function (S.3) to generate a fixed-length “message digest” from the message.
  3. The sender encrypts the message digest with their Private Key — this is the digital signature.
  4. The recipient uses the sender’s Public Key to decrypt the digital signature and verify the message digest.
  5. If the decrypted digest matches the hash of the received message, the message is authentic and unaltered.

Functions served: Authentication (proves sender’s identity), Integrity (message not altered), Non-repudiation (sender cannot deny signing), Confidentiality (if message also encrypted).

BasisDigital SignatureElectronic Signature
SectionS.2(1)(p), S.3S.2(1)(ta), S.3A
MechanismUses asymmetric cryptosystem + hash functionBroader — any reliable electronic method of authentication
Certificate requiredYes — Digital Signature Certificate from Certifying AuthorityMay or may not require a certificate
Legal statusHigh — mathematically verifiableRecognised but reliability depends on method used
ExamplePKI-based signature (DSC used for tax filings, MCA filings)OTP-based authentication, biometric authentication
Added byOriginal IT Act, 2000IT (Amendment) Act, 2008

2.3 Electronic Signatures – S.3A (Inserted by Amendment Act, 2008)

S.3A recognises a broader category of “electronic signatures” beyond the asymmetric cryptosystem-based digital signatures. Any method of authentication can qualify as an electronic signature if it is reliable and meets the standards prescribed by the Central Government. This includes OTP-based authentication, biometric signatures, and other methods.

2.4 Public Key Infrastructure (PKI) – Ss.17–26

The PKI is the framework for managing digital certificates and public keys. Under the IT Act:

  • Controller of Certifying Authorities (CCA) (S.17): Apex regulatory authority — appointed by Central Government to supervise Certifying Authorities and their Digital Signature Certificates.
  • Certifying Authorities (CAs) (S.24): Licensed organisations that issue Digital Signature Certificates (DSCs). They verify the identity of applicants before issuing a DSC. E.g., eMudhra, NSDL e-Governance, (n)Code Solutions.
  • Digital Signature Certificate (DSC) (S.35): Issued by a CA, contains: subscriber’s public key, subscriber’s identity details, validity period, CA’s digital signature. Functions as an electronic identity card.
  • Suspension & Revocation (Ss.37–38): CAs can suspend or revoke DSCs in specified circumstances (e.g., compromise of private key, misrepresentation).
  • Offences (Ss.73–74): Publishing a false DSC or DSC for fraudulent purposes are criminal offences.
🟡 PKI Hierarchy
CCA (Root) → Certifying Authorities (e.g., eMudhra) → Subscribers (individuals/companies with DSCs)
This hierarchy of trust ensures that a digital signature can be traced back to a verified identity through the chain of certificate authorities.

2.5 Attribution, Acknowledgment and Despatch – Ss.11–13

  • S.11 — Attribution: An electronic record is attributed to the originator if it was sent by the originator himself, by a person authorised by the originator, or by an information system programmed by the originator to operate automatically.
  • S.12 — Acknowledgment: If the originator has not agreed with the addressee that acknowledgment is necessary, the contract is not conditional on acknowledgment. But if originator has requested acknowledgment, he may treat the message as not sent until he receives acknowledgment.
  • S.13 — Despatch: An electronic record is despatched when it enters a computer resource outside the control of the originator. It is received when it enters the computer resource of the addressee. Time and place of despatch is the location of the originator’s computer resource.

III. Civil Liabilities

3.1 Damage to Computer/Computer System – S.43

🔵 S.43 — Penalty and Compensation for Damage to Computer, Computer System, Etc.
If any person without permission of the owner or any other person in charge of a computer, computer system or computer network:
(a) accesses or secures access to such computer, computer system or computer network or computer resource;
(b) downloads, copies or extracts any data, computer database or information;
(c) introduces or causes to be introduced any computer contaminant or computer virus;
(d) damages or causes to be damaged any computer, computer system, computer network, data, computer database or any other programmes;
(e) disrupts or causes disruption of any computer, computer system or computer network;
(f) denies or causes the denial of access to any person authorised to access any computer resource;
(g) provides any assistance to any person to facilitate access in contravention of this section;
(h) charges the services availed of by a person to the account of another person;
(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously;
(j) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code…
he shall be liable to pay damages by way of compensation to the person so affected.
🟡 Note: Civil vs Criminal Liability
S.43 creates civil liability — compensation payable. The corresponding criminal offence is S.66, which makes the same acts offences punishable with imprisonment and fine. S.43 is the civil remedy; S.66 is the criminal remedy for the same acts.
Vinod Kaushik v. Madhvika Joshi, WP(C) 160/2012 (Del HC)
Delhi High Court | 2012

Facts: A husband (Vinod Kaushik) accessed his wife’s and daughter’s email accounts without their knowledge or permission, read their emails, and used the information in matrimonial proceedings.

Issue: Does accessing someone else’s email account without permission constitute a violation under the IT Act? Is such evidence obtained admissible?

Held: The Delhi HC held that accessing another person’s email account without their permission is an offence under the IT Act (S.43 for civil liability, potentially S.66 for criminal). Such unauthorised access violates the right to privacy. Evidence obtained by illegal access to email may not be admissible. The court directed that no adverse inference be drawn from such illegally obtained information.

Principle: Unauthorised access to another’s email account violates the IT Act and the right to privacy; evidence obtained through illegal access to digital accounts is inadmissible and no adverse inference may be drawn from it.

3.2 Data Protection – S.43A, Sensitive Personal Data Rules

🔵 S.43A — Compensation for Failure to Protect Data
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Sensitive Personal Data or Information (SPDI Rules, 2011): Passwords, financial information (bank accounts, credit/debit cards), physical/physiological/mental health condition, sexual orientation, medical records, biometric information, and any details relating to the above.

Reasonable Security Practices: The body corporate must have a comprehensive documented information security programme and security standards such as IS/ISO/IEC 27001. If they comply with such standards and still suffer a breach, liability may be limited.

Sanjay Dhande v. ICICI Bank and Vodafone, Adjudicating Officer Order, 16/01/2014
Adjudicating Officer, Maharashtra | 2014

Facts: Sanjay Dhande complained that ICICI Bank and Vodafone negligently allowed someone to obtain a duplicate SIM of his mobile number (SIM swap fraud), using which the fraudster conducted unauthorised transactions from his bank account.

Issue: Whether ICICI Bank and Vodafone were liable under S.43A for negligently failing to protect sensitive personal data and failing to implement reasonable security practices.

Held: The Adjudicating Officer held that both ICICI Bank and Vodafone were negligent in their security procedures. Vodafone issued a duplicate SIM without adequate verification; ICICI Bank allowed OTP-based transactions without adequate safeguards. Both were ordered to pay compensation to the complainant under S.43A.

Principle: Banks and telecom companies are “body corporates” handling SPDI under S.43A; failure to implement reasonable security practices (e.g., inadequate SIM swap verification, inadequate OTP safeguards) leading to financial loss makes them liable for compensation.

3.3 Online Defamation

Online defamation involves publishing false statements on digital platforms (email, social media, websites, blogs) that damage a person’s reputation. The law governing online defamation includes:

  • Ss.499–500 IPC: Defamation — applicable to online statements (courts have applied IPC defamation provisions to email defamation).
  • S.66A IT Act: Was used for online defamation but was struck down by the Supreme Court in Shreya Singhal v. Union of India (2015) as unconstitutional.
  • Civil remedy: Action for damages in a civil court.
SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra, Suit No. 1201/2001 (Del District Court)
Delhi District Court | 2014

Facts: Jogesh Kwatra, a disgruntled employee of SMC Pneumatics, sent defamatory and obscene emails to SMC’s bosses worldwide, impersonating the company’s managing director and making false and derogatory statements.

Issue: India’s first case of cyber defamation — whether an injunction could be granted for email-based defamation.

Held: The Delhi District Court granted an ex-parte injunction restraining the defendant from sending such emails. This was India’s first cyber defamation case — courts applied civil defamation principles to email-based false and defamatory statements. The court held that online defamation is actionable in India.

Principle: India’s first cyber defamation case — email-based defamatory messages are actionable; civil courts can grant injunctions to restrain cyber defamation; existing defamation law (Ss.499–500 IPC) applies in cyberspace.

3.4 Adjudicating Officer and Appellate Tribunal – Ss.46, 57

  • Adjudicating Officer (S.46): The Central Government appoints an officer not below the rank of Director to adjudicate claims for compensation under S.43 and S.43A, where the claim does not exceed ₹5 crore.
  • TDSAT — Cyber Appellate Tribunal (S.57): Appeals from Adjudicating Officer’s orders lie to the Cyber Appellate Tribunal (now merged with TDSAT — Telecom Disputes Settlement and Appellate Tribunal). Further appeal to High Court on question of law.
  • Civil Court jurisdiction (S.46(1A)): Where compensation claimed exceeds ₹5 crore, parties may approach civil courts directly.

IV. Criminal Liabilities – Cyber Crimes

OffenceSectionPunishment
Tampering with computer source codeS.65Imprisonment up to 3 years OR fine up to ₹2 lakh, OR both
Computer related offences (hacking, data theft, etc.)S.66Imprisonment up to 3 years OR fine up to ₹5 lakh, OR both
Dishonestly receiving stolen computer resourceS.66BImprisonment up to 3 years OR fine up to ₹1 lakh, OR both
Identity theftS.66CImprisonment up to 3 years AND fine up to ₹1 lakh
Cheating by personation (online)S.66DImprisonment up to 3 years AND fine up to ₹1 lakh
Violation of privacy (capturing private images)S.66EImprisonment up to 3 years OR fine up to ₹2 lakh, OR both
Cyber terrorismS.66FImprisonment for life
Publishing obscene material onlineS.67First conviction: imprisonment up to 3 years + fine up to ₹5 lakh; subsequent: up to 5 years + fine up to ₹10 lakh
Publishing sexually explicit material onlineS.67AFirst conviction: imprisonment up to 5 years + fine up to ₹10 lakh; subsequent: up to 7 years + fine
Child pornography onlineS.67BFirst conviction: imprisonment up to 5 years + fine up to ₹10 lakh; subsequent: up to 7 years + fine
Breach of confidentiality and privacyS.72Imprisonment up to 2 years OR fine up to ₹1 lakh, OR both
Publishing false Digital SignatureS.73Imprisonment up to 2 years OR fine up to ₹1 lakh, OR both
Publication of DSC for fraudulent purposeS.74Imprisonment up to 2 years OR fine up to ₹1 lakh, OR both

4.1 Tampering with Computer Source Code – S.65

🔵 S.65 — Tampering with Computer Source Documents
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Computer source code means the listing of programmes, computer commands, design and layout, and programme analysis of computer resource in any form.

Sanjay Kumar v. State of Haryana, CRR No. 66 of 2013 (P&H HC)
Punjab & Haryana High Court | 2013

Facts: An employee of an IT company modified the company’s software code without authorisation, altering financial records to commit fraud.

Issue: Whether unauthorised modification of computer source code by an employee constitutes an offence under S.65 even if done from within the organisation.

Held: The court held that S.65 applies to anyone who knowingly and intentionally alters source code — whether they are an outsider or an employee. The fact that the accused had authorised access to the system does not immunise them from S.65 if they exceeded their authority and deliberately altered source code.

Principle: S.65 applies to both insider and outsider tampering with computer source code; authorised access to a computer does not justify unauthorised modification of source code — intent and knowledge are the key mens rea elements.

4.2 Hacking – S.43(i) read with S.66

Hacking is the unauthorised access to a computer resource, often with malicious intent (data theft, disruption, espionage). Under the IT Act:

  • Civil liability: S.43(a) — unauthorised access → compensation
  • Criminal liability: S.66 — if any act under S.43 is done dishonestly or fraudulently → criminal offence (imprisonment up to 3 years and/or fine up to ₹5 lakh)

Types of hacking-related offences: data theft (S.43(b)), virus attacks (S.43(c)), email bombing (S.43(e)), Denial of Service (DoS) attacks (S.43(e)/(f)).

4.3 Identity Theft and Phishing – Ss.66C, 66D

🔵 S.66C — Identity Theft
Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.
🔵 S.66D — Cheating by Personation Using Computer Resource
Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.

Phishing is a technique where a fraudster creates a fake website/email mimicking a legitimate bank or service to steal users’ login credentials and financial information.

NAASCOM v. Ajay Sood & Others, 119 (2005) DLT 596
Delhi High Court | 2005

Facts: Ajay Sood and others were operating a phishing scheme — sending emails purporting to be from NASSCOM (National Association of Software and Service Companies) and asking recipients to pay fees for fictitious job placements. NASSCOM sued for trade mark infringement and phishing.

Issue: Whether phishing (impersonating a well-known organisation online to defraud users) is illegal in India? Whether courts can grant relief against phishing before specific anti-phishing legislation exists?

Held: The Delhi HC held that phishing is an illegal activity under Indian law even before specific legislation — it constitutes passing off (TM law), fraud, and cheating under IPC. The court granted an injunction. This was the first Indian court decision to define and rule against “phishing” as a cyber crime.

Principle: India’s first anti-phishing judgment — phishing (online impersonation to defraud) is actionable under trade mark law (passing off), IPC (fraud/cheating), and the IT Act (now Ss.66C, 66D); courts can grant injunctions even without specific statutory prohibition.

4.4 Obscenity and Pornography Online – Ss.66E, 67, 67A, 67B

🔵 S.66E — Violation of Privacy
Whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.
🔵 S.67 — Publishing Obscene Material in Electronic Form
Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished…
🔵 S.67B — Child Pornography
Whoever: (a) publishes or transmits material in any electronic form which depicts children engaged in sexually explicit acts; (b) creates text/digital images relating to children; (c) cultivates, entices or induces children online — is guilty of the most serious online offence; punished with imprisonment up to 5 years (first conviction) or 7 years (subsequent).
Aveek Sarkar v. State of West Bengal, Criminal Appeal No. 902 of 2004 (SC)
Supreme Court of India | 2014

Facts: A magazine published a photograph of a nude foreign tennis star with her fiancé. The article was about racial discrimination in tennis. A complaint was filed for obscenity under S.292 IPC.

Issue: What is the correct test for “obscenity” in India — the older Hicklin test (British) or the more liberal Roth test (American)?

Held: The Supreme Court adopted the Community Standards Test (similar to the US Roth test) over the old Hicklin test. The Hicklin test asks whether material would “deprave and corrupt” the most vulnerable minds (children, weak-minded persons). The court held that the test must be whether the average person in the community (applying contemporary community standards) would find the material patently offensive or appealing to prurient interest without redemptive social value. The photograph in question — in the context of an article on racial discrimination — was not obscene.

Principle: India has replaced the Hicklin test with the Community Standards Test for obscenity — material is obscene only if an average person, applying contemporary community standards, would find it appeals to prurient interest without any redemptive social value; context is crucial.
State of Tamil Nadu v. Suhas Katti, CMM Egmore Court, Nov. 2004
Chief Metropolitan Magistrate, Egmore | 2004

Facts: The accused posted obscene and defamatory messages about a woman (a divorcee) on Yahoo groups, impersonating her and soliciting sexual favours. He also made harassing phone calls.

Issue: One of India’s first convictions under the IT Act for online obscenity/cyber harassment.

Held: The CMM, Egmore convicted the accused under S.67 IT Act (publishing obscene material online) and S.509 IPC (word, gesture or act intended to insult the modesty of a woman). Sentenced to 9 months rigorous imprisonment and fine. Notably, the case was investigated and tried within 7 days of the complaint — a landmark for cyber crime enforcement speed.

Principle: India’s first conviction under S.67 IT Act for online obscenity/harassment — posting sexually explicit and defamatory messages about a person online and impersonating them to solicit sexual contact constitutes both S.67 IT Act and S.509 IPC offences.

4.5 Cyber Stalking – S.354D IPC

🔵 S.354D IPC — Stalking (including Cyber Stalking)
Any man who follows a woman and contacts, or attempts to contact such woman to foster personal interaction repeatedly despite a clear indication of disinterest by such woman; or monitors the use by a woman of the internet, email or any other form of electronic communication — commits the offence of stalking. Punishable with imprisonment up to 3 years (first conviction) and up to 5 years (subsequent conviction).

Cyber stalking involves using electronic means (email, social media, tracking apps, GPS) to persistently follow, harass, or intimidate a person. The landmark Ritu Kohli Case (Delhi, 2001) was India’s first cyber stalking case — a spurned lover posted Ritu Kohli’s personal details (address, phone number) on adult websites inviting people to contact her; multiple men called her. FIR registered under S.509 IPC and S.67 IT Act.

4.6 Cyber Terrorism – S.66F

🔵 S.66F — Cyber Terrorism
Whoever commits or conspires to commit cyber terrorism — i.e., with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people, by:
(a) Denying or causing denial of access to any person authorised to access any computer resource; or
(b) Attempting to penetrate/access a computer resource without authorisation or in excess of authorisation, and by means of such conduct causing or likely to cause death or injuries or damage or disruption of critical information infrastructure or knowingly or intentionally penetrating or accessing a computer resource without authorisation or in excess of authorisation and obtaining access to information, data or computer database that is restricted for reasons of security of State — shall be punishable with imprisonment which may extend to imprisonment for life.
🟡 Example: Delhi Blast Case
In the “Rakesh v. Central Bureau” case (2011), a terror e-mail was sent by hacking a Wi-Fi network in Mumbai, claiming responsibility for the Delhi blasts. The IP address traced led to the hacked Wi-Fi owner’s residence, raising questions about attributing cyber crimes to IP addresses. Ultimately the actual sender was traced through further forensics.

V. Admissibility of Electronic Evidence

🔵 S.65A & S.65B — Indian Evidence Act, 1872 (Amended by IT Act, 2000)

S.65A: Contents of electronic records may be proved in accordance with S.65B.

S.65B — Conditions for Admissibility of Electronic Records:
A computer output (printout, digital file) is admissible as evidence if:
(i) The information was produced by the computer during a period when it was regularly used for that activity;
(ii) During that period, information of the kind contained was regularly fed into the computer in the ordinary course of activities;
(iii) The computer was operating properly during the relevant period, or if malfunctioning, such malfunction did not affect the production or accuracy of the output;
(iv) The information in the electronic record reproduces or is derived from information fed into the computer in the ordinary course of activities.

A S.65B Certificate must be given by a responsible person (an officer of the organisation) certifying the above conditions.

Anvar P.V. v. P.K. Basheer, Civil Appeal No. 4226 of 2012 (SC)
Supreme Court of India | 2014

Facts: In an election petition, the petitioner sought to produce electronic records (CDs containing audio/video recordings) as evidence without a S.65B certificate. The High Court admitted them. The matter reached the Supreme Court.

Issue: Can electronic records be admitted as secondary evidence under S.65 of the Evidence Act without complying with S.65B? Is a S.65B certificate mandatory?

Held: The Supreme Court held that S.65B is a complete code for admissibility of electronic records. Electronic records cannot be admitted as secondary evidence under S.65 (general provision) — they must comply with S.65B. A S.65B certificate from the person responsible for the computer system is mandatory for admissibility of electronic evidence. Without the certificate, electronic records cannot be admitted.

Principle: S.65B certificate is mandatory for admission of electronic records in evidence — general provisions on secondary evidence (S.65) do not apply to electronic records; S.65B is a complete and exclusive code for electronic evidence admissibility.
🟡 Update: Arjun Pandit Rao Khotkar v. Kailash Kushanrao Gorantyal, 2020 SCC Online SC 571
A three-judge bench of the Supreme Court reaffirmed and clarified Anvar P.V.: The S.65B certificate must be produced at the time of tendering evidence, not at a later stage. However, courts have discretion to allow production of the certificate at a later stage if parties show good cause. The requirement of S.65B certificate applies strictly to electronic records being produced as evidence.

VI. Intermediary Liability – S.79

🔵 S.79 — Exemption from Liability of Intermediary
An intermediary shall not be liable for any third party information, data, or communication link hosted by it if:
(a) The intermediary’s function is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted;
(b) The intermediary does not initiate the transmission, select the receiver, or select or modify the information;
(c) The intermediary observes due diligence as per the Intermediary Guidelines and follows other guidelines prescribed by the Central Government.

However, if the intermediary has actual knowledge (or has been notified by the government) that its resource is being used to commit an unlawful act and fails to act expeditiously to remove or disable such material, the exemption is lost.

The “Safe Harbour” Principle:

S.79 creates a “safe harbour” (borrowed from US law — Section 230 CDA and DMCA’s safe harbour) — intermediaries are shielded from liability for third-party content they host, provided they comply with due diligence requirements and act on notices to take down illegal content. This protects platforms like Google, Facebook, YouTube, Twitter from being held responsible for user-generated content.

Due Diligence Requirements — Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021:

  • Publish terms of service, privacy policy, and user agreement prominently.
  • Appoint a Grievance Officer, Nodal Officer, and Chief Compliance Officer (for “significant social media intermediaries” with 50 lakh+ users).
  • Act within 72 hours on government/court orders to take down content.
  • Enable traceability of messages for “significant social media intermediaries” (controversial provision — may compromise end-to-end encryption).
  • Publish monthly compliance reports.
Shreya Singhal v. Union of India, (2015) 5 SCC 1 (SC)
Supreme Court of India | 2015

Facts: S.66A of the IT Act punished sending “grossly offensive,” “menacing,” or “annoyance/inconvenience”-causing messages online. Several people were arrested under S.66A for Facebook posts, tweets, and online cartoons critical of politicians. A PIL challenged S.66A as unconstitutional.

Issues: (1) Is S.66A unconstitutional as a violation of free speech (Art.19(1)(a))? (2) What is the constitutional standard for restrictions on online speech? (3) Is the “intermediary take-down” provision under S.79(3)(b) (as it stood) constitutionally valid?

Held: The Supreme Court: (i) Struck down S.66A in its entirety as unconstitutional — it was vague and overbroad, using undefined terms like “grossly offensive,” “menacing,” and “causing annoyance.” It did not fall within any permissible ground of restriction under Art.19(2). (ii) Read down S.79(3)(b) — intermediaries need only take down content upon receiving a court order or government order, not merely on any private complaint. The original provision required removal on any notice — now restricted to judicial/governmental directions. (iii) S.69A (blocking of websites) was upheld as constitutionally valid as it has procedural safeguards.

Principle: S.66A struck down for vagueness and overbreadth — online speech restrictions must be clear, narrowly tailored, and fall within Art.19(2) permissible grounds; S.79(3)(b) read down — intermediaries not required to remove content merely on private complaint; court/government order required.
My Space Inc. v. Super Cassettes Industries Ltd. (T-Series), FAO(OS) 540/2011 (Del HC DB)
Delhi High Court (Division Bench) | 2016

Facts: T-Series (Super Cassette Industries) complained that MySpace hosted infringing Bollywood music uploaded by users, without taking down the content despite notices. MySpace claimed safe harbour under S.79 as an intermediary.

Issue: When does an intermediary lose safe harbour under S.79? What is the standard of “knowledge” required?

Held: The Delhi HC held that: (i) MySpace was entitled to safe harbour for passive hosting; (ii) However, once MySpace received specific notices from T-Series about specific infringing works, it had actual knowledge; (iii) Failure to act expeditiously on such notices forfeits safe harbour protection; (iv) The intermediary must have a notice-and-take-down mechanism. The court directed MySpace to disable access to infringing content upon receiving take-down notices.

Principle: Safe harbour under S.79 is lost when an intermediary receives actual notice of specific infringing content and fails to act; intermediaries must have robust notice-and-take-down mechanisms; “knowledge” is actual knowledge of specific content, not general awareness of possible infringement.
Google India Pvt. Ltd. v. M/s Visaka Industries Ltd., AP HC, Crl.P No. 7207/2009
Andhra Pradesh High Court | 2011

Facts: Visaka Industries complained that Google’s search engine results showed defamatory content about the company. Visaka sought criminal action against Google India.

Issue: Is Google liable for defamatory content appearing in search results? Is Google an “intermediary” entitled to S.79 protection?

Held: The AP HC held that Google is an intermediary under S.2(1)(w) and is entitled to safe harbour protection under S.79, as long as it does not initiate the defamatory content and complies with due diligence requirements. Search engines displaying third-party content are not primarily liable for that content. However, upon specific notice and court order, they must take down/de-index defamatory content. The case was later taken to the Supreme Court (2019 SC ruling) which similarly affirmed the intermediary protection framework.

Principle: Search engines are “intermediaries” under S.2(1)(w) and entitled to safe harbour under S.79; they are not primarily liable for third-party content in search results; specific take-down orders must however be complied with expeditiously.
Vyakti Vikas Kendra v. Jitendra Bagga, CS(OS) 1340/2012 (Del HC)
Delhi High Court | 2012

Facts: Vyakti Vikas Kendra (associated with Sri Sri Ravi Shankar/Art of Living) complained that Jitendra Bagga posted defamatory tweets about Sri Sri Ravi Shankar. Bagga also alleged counter-defamation. Both sued for online defamation.

Issue: Does a civil court have jurisdiction over online defamation? What remedies are available?

Held: The Delhi HC held that online defamation through social media (Twitter) is actionable. Civil courts have jurisdiction over online defamation claims. The court granted an interim injunction restraining defamatory tweets. The case established that reputation can be harmed through tweets and social media just as through printed media, and civil remedies (injunction, damages) are available.

Principle: Online defamation through social media is actionable in civil courts; reputation-harming tweets/posts attract civil remedies including injunctions; social media is not a “free zone” beyond legal accountability for defamation.

VII. Cyber Security and Free Speech

7.1 Interception, Monitoring and Blocking – Ss.69, 69A, 69B

🔵 S.69 — Powers to Issue Directions for Interception/Monitoring/Decryption
Where the Central Government or a State Government or any of its officers specially authorised is satisfied that it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognisable offence — may by order direct any agency of the Government to intercept, monitor or decrypt any information transmitted through any computer resource.
🔵 S.69A — Power to Issue Directions for Blocking Public Access
Where the Central Government is satisfied that it is necessary or expedient so to do in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognisable offence, it may direct any agency of the Government or any intermediary to block access by the public to any information generated, transmitted, received, stored or hosted in any computer resource.
Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1
Supreme Court of India (9-Judge Constitution Bench) | 2017

Facts: The 9-judge Constitution Bench was asked whether the right to privacy is a fundamental right under the Indian Constitution.

Held: Unanimously held that the right to privacy is a fundamental right under Art. 21 (right to life) read with Arts. 14 and 19. Informational privacy (the right to control one’s personal data) is a component of this right. The court held that state surveillance and data collection must comply with the three-part test: (i) legality (law must exist), (ii) legitimate aim (proportionate goal), (iii) proportionality (least intrusive means). This judgment has major implications for cyber surveillance under Ss.69–69B of the IT Act.

Principle: Right to privacy is a fundamental right under Art.21; informational/digital privacy is constitutionally protected; government surveillance (including under IT Act) must satisfy legality, legitimate aim, and proportionality — any surveillance without adequate legal safeguards is unconstitutional.
Anuradha Bhasin v. Union of India, (2020) 3 SCC 637
Supreme Court of India | 2020

Facts: After the revocation of J&K’s special status (August 2019), the government imposed an internet shutdown in J&K for months. Journalists (including Anuradha Bhasin, Editor, Kashmir Times) challenged the shutdown as violating their fundamental rights.

Issue: Whether internet shutdowns are constitutionally permissible? What is the right to access the internet?

Held: The Supreme Court held: (i) Freedom of speech and expression under Art.19(1)(a) extends to the internet — the right to access the internet is a part of this fundamental right; (ii) Internet shutdowns can only be ordered for legitimate reasons with proportionality — indefinite suspension is unconstitutional; (iii) Orders for internet suspension must be published for public scrutiny; (iv) Periodic review of continued necessity of any internet shutdown is mandatory. The court directed the government to review and restore internet services where possible.

Principle: Access to the internet is a fundamental right under Art.19(1)(a); internet shutdowns must be proportionate, temporary, and subject to judicial review; indefinite or unreasonable internet shutdowns are unconstitutional.

VIII. E-Contracts

8.1 Formation of E-Contracts

An e-contract is a contract formed electronically, typically via email, website, or app. The fundamental requirements of a valid contract under the Indian Contract Act, 1872 — offer, acceptance, consideration, capacity, free consent, and lawful object — apply to e-contracts. The IT Act supplements these by recognising electronic communications as valid.

Types of E-Contracts:

  • Email Contracts: Contracts formed through email exchange — offer and acceptance by email. Courts have recognised these as valid contracts (see Trimex International v. Vedanta Aluminium).
  • Click-Wrap (Web) Contracts: User clicks “I Agree” or “Accept” — terms displayed on screen. Courts generally uphold these if terms are reasonably accessible and the user had a meaningful opportunity to review them.
  • Browse-Wrap Contracts: Terms are accessible via a hyperlink — user deemed to have agreed by using the website. Courts are more sceptical — constructive notice must be clear.
  • Shrink-Wrap Contracts: Software licence terms visible inside the box after purchase. If user opens the box, deemed to have accepted. Courts have had mixed views on enforceability.

Key IT Act Provisions on E-Contracts:

  • S.10A: Contracts formed electronically are not unenforceable solely because they were formed by electronic means.
  • Ss.11–13: Attribution, acknowledgment, and time/place of despatch of electronic records govern when a contract is concluded electronically.
World Wrestling Entertainment Inc. v. Reshma Collections, FAO(OS) 506/2013 (Del HC DB)
Delhi High Court (Division Bench) | 2014

Facts: WWE claimed that Reshma Collections was manufacturing and selling counterfeit WWE merchandise using WWE’s trade marks. WWE sought an injunction. The matter involved questions about e-commerce contracts and jurisdiction.

Issue: Whether email communications between parties constitute a binding contract; jurisdiction of Delhi courts over cyberspace disputes.

Held: The Division Bench confirmed that email exchanges can constitute binding contracts — applying S.10A IT Act and general contract law principles. The court also discussed the “effects doctrine” for jurisdiction — a court can exercise jurisdiction if the harmful effects of an online act are felt within its territory. Delhi courts had jurisdiction as WWE’s reputation was harmed in Delhi.

Principle: Email exchanges can form binding contracts under Indian law (S.10A IT Act + Contract Act); Delhi courts have jurisdiction over cyberspace disputes if harmful effects/passing off occur within Delhi.

IX. Trade Marks and Domain Names in Cyberspace

9.1 Domain Names as Trade Marks

A domain name is an internet address (e.g., amazon.com, flipkart.com). Domain names serve commercial functions beyond mere addresses — they identify the source of goods/services and function as trade marks. The Supreme Court recognised domain names as protectable as trade marks in Satyam Infoway v. Sifynet Solutions (AIR 2004 SC 3540).

9.2 Cybersquatting

Cybersquatting is the bad-faith registration of a domain name corresponding to another’s trade mark with the intent to sell it to the trade mark owner or prevent legitimate use. It is actionable as passing off under Indian law.

9.3 Dispute Resolution — UDRP and INDRP

  • UDRP (Uniform Domain-Name Dispute-Resolution Policy): ICANN’s global policy — mandatory for all generic TLD (.com, .org, .net) registrants. WIPO Arbitration Centre handles most UDRP disputes. Complainant must prove: (i) domain is identical/confusingly similar to its mark; (ii) registrant has no rights/legitimate interests; (iii) domain registered and used in bad faith.
  • INDRP (IN Domain Name Dispute Resolution Policy): For .in domains — administered by NIXI (National Internet Exchange of India). Similar three-part test as UDRP.

9.4 Keyword Advertising

Search engines (Google, Bing) allow advertisers to buy “keywords” — including competitors’ trade marks — so their ads appear in search results when users search for the competitor. This raises trade mark infringement issues, particularly in Europe and India. Delhi HC decisions have held that metatag use of a competitor’s trade mark without more may not constitute infringement, but explicit use of a registered mark as a keyword to attract customers may constitute infringement under S.29 of the TM Act.


X. Jurisdiction in Cyberspace

10.1 The Jurisdictional Challenge

Traditional jurisdiction rules are based on physical presence and territorial boundaries. Cyberspace is borderless — a single website can be accessed from anywhere in the world. This raises complex questions: Which court has jurisdiction over a cyber dispute? Which country’s law applies?

10.2 Traditional Rules Applied to Cyberspace

Civil Jurisdiction (CPC):

  • S.20 CPC: Suits may be instituted where the defendant resides, carries on business, or where the cause of action arises. For online disputes, the “cause of action” arises where the harm is felt.
  • Effects doctrine: Courts can exercise jurisdiction if significant effects of the online act are felt in their territory.

Criminal Jurisdiction:

  • S.177 CrPC: Trial where the offence was committed.
  • S.178 CrPC: If the offence is committed in more than one local area, trial may be in any of those areas.
  • S.75 IT Act — Extraterritorial Jurisdiction: The IT Act applies to any offence or contravention thereunder committed outside India by any person if it involves a computer, computer system or computer network located in India.
  • S.3 IPC: Any person who commits an offence in India is liable to be tried under IPC — including acts done outside India if they target persons or systems in India.
Banyan Tree Holdings Pvt. Ltd. v. A. Murali Krishna Reddy, CS(OS) 894/2008 (Del HC DB)
Delhi High Court (Division Bench) | 2009

Facts: Banyan Tree Hotels (Delhi-based) sued A. Murali Krishna Reddy (Chennai-based) for operating a hotel under the name “Banyan Tree” and maintaining a website that Delhi users could access. The Delhi HC’s jurisdiction was challenged.

Issue: Can a Delhi court exercise jurisdiction over a defendant (based in Chennai) merely because the defendant’s website is accessible from Delhi?

Held: The Delhi HC laid down the “purposeful availment” test for internet jurisdiction: Merely maintaining a passive website accessible everywhere is insufficient for personal jurisdiction in a particular forum. The plaintiff must show that the defendant “purposefully availed” itself of the forum’s market — i.e., the website was interactive and the defendant deliberately targeted or conducted commercial activities in Delhi. Mere accessibility of a website from Delhi does not confer jurisdiction on Delhi courts.

Principle: Jurisdiction in cyberspace cases requires “purposeful availment” — merely having a website accessible from a forum is insufficient; the defendant must have deliberately targeted or commercially interacted with the forum’s market. Passive websites ≠ jurisdiction; interactive/transactional websites targeting a forum = jurisdiction.

XI. Summary of All Important Case Laws

Case NameYearCourtKey Principle
Syed Asifuddin v. State of AP2005AP HCMobile phone is a “computer” under IT Act; SIM/ESN tampering = S.65 offence
Vinod Kaushik v. Madhvika Joshi2012Del HCUnauthorised access to spouse’s email = IT Act violation; illegal access evidence inadmissible
Sanjay Dhande v. ICICI & Vodafone2014AO, MHBank + telecom liable under S.43A for negligent security enabling SIM swap fraud
SMC Pneumatics v. Jogesh Kwatra2001/2014Del DCIndia’s first cyber defamation case; injunction granted for email defamation
NAASCOM v. Ajay Sood2005Del HCIndia’s first phishing judgment; phishing = passing off + fraud + IT Act offence
Aveek Sarkar v. West Bengal2014SCCommunity Standards Test adopted for obscenity (replaces Hicklin test)
State of TN v. Suhas Katti2004CMM, EgmoreIndia’s first S.67 IT Act conviction; online harassment/obscenity punishable
Anvar P.V. v. P.K. Basheer2014SCS.65B certificate mandatory for electronic evidence admissibility
Shreya Singhal v. UoI2015SCS.66A struck down; S.79 safe harbour clarified — only court/govt orders trigger take-down
My Space v. Super Cassettes2016Del HC DBSafe harbour lost after actual notice of specific infringing content; notice-and-take-down mandatory
Google India v. Visaka Industries2011/2019AP HC / SCSearch engines are intermediaries; entitled to S.79 safe harbour
Vyakti Vikas Kendra v. Jitendra Bagga2012Del HCTwitter defamation actionable; civil courts have jurisdiction; injunction grantable
Justice Puttaswamy v. UoI2017SC (9J)Privacy is a fundamental right; digital surveillance must meet legality+aim+proportionality
Anuradha Bhasin v. UoI2020SCInternet access is fundamental right; internet shutdowns must be proportionate and reviewed
Satyam Infoway v. Sifynet2004SCDomain names = trade marks; passing off lies for domain name misuse
Banyan Tree Holdings v. Murali Reddy2009Del HC DBPurposeful availment test for cyber jurisdiction; passive website ≠ jurisdiction
WWE v. Reshma Collections2014Del HC DBEmail exchange = valid contract; effects doctrine for cyber jurisdiction

📝 Important Questions for Exam

A. Short Answer Questions (2–5 Marks)

1. Define “computer” and “computer resource” under the IT Act, 2000. Are mobile phones computers?
Hint: S.2(1)(i) — broad definition; Syed Asifuddin case — mobile phone held to be a computer.
2. What is the legal recognition granted to electronic records and electronic signatures under the IT Act?
Hint: Ss.4–5 — electronic records satisfy the “writing” requirement; electronic signatures satisfy the “signature” requirement; removes paper and ink barrier to e-commerce.
3. Explain the “asymmetric cryptosystem” and its role in digital signatures.
Hint: Key pair (private + public key); hash function; authentication, integrity, non-repudiation, confidentiality; S.2(1)(f), S.3.
4. What is the difference between a “digital signature” and an “electronic signature” under the IT Act?
Hint: Digital signature (S.2(1)(p)) — asymmetric cryptosystem only; Electronic signature (S.3A, added 2008) — any reliable electronic authentication method including OTP, biometric.
5. What is “phishing”? Which provisions of the IT Act deal with phishing?
Hint: Fake website/email to steal credentials; Ss.66C (identity theft), 66D (cheating by personation); NAASCOM v. Ajay Sood.
6. What are the civil and criminal liabilities under the IT Act for unauthorised access to a computer system?
Hint: Civil — S.43(a) — compensation for unauthorised access; Criminal — S.66 — imprisonment up to 3 years + fine if done dishonestly/fraudulently.
7. What is the “community standards test” for obscenity? How is it different from the Hicklin test?
Hint: Hicklin = would it deprave most vulnerable? Community standards = would average person find it patently offensive without redemptive social value? Aveek Sarkar case.
8. What is S.65B of the Evidence Act? Is a S.65B certificate mandatory for electronic evidence?
Hint: Conditions for admissibility of electronic records — computer used regularly, information fed regularly, computer operating properly; S.65B certificate mandatory — Anvar P.V. v. P.K. Basheer.
9. What is the “safe harbour” protection for intermediaries under S.79 of the IT Act?
Hint: No liability for third-party content if intermediary: doesn’t initiate/select/modify content; observes due diligence; acts on court/government orders to take down. Shreya Singhal modified S.79.
10. What did the Supreme Court decide about S.66A in Shreya Singhal v. Union of India?
Hint: S.66A struck down — unconstitutional; vague terms (“grossly offensive,” “annoyance”), overbroad restriction on free speech; not saved by Art.19(2); right to speech online is fundamental right.
11. Explain the concept of “cyber stalking.” Which law covers it in India?
Hint: Persistent online monitoring/contact despite disinterest; S.354D IPC (added 2013); also S.509 IPC; Ritu Kohli case (first Indian case, used S.67 IT Act + S.509 IPC).
12. What is “cyber terrorism” under S.66F of the IT Act? What is its punishment?
Hint: Acts threatening sovereignty/integrity/security of India by computer means; denial of access, unauthorised penetration for national security harm; punishment = life imprisonment.
13. What is “cybersquatting” and how is it dealt with under Indian law?
Hint: Bad-faith registration of another’s TM as domain name; passing off action; UDRP (ICANN) for global TLDs; INDRP for .in; Satyam Infoway v. Sifynet — domain names = TM.
14. What is the “purposeful availment” test for jurisdiction in cyberspace cases?
Hint: Banyan Tree case — mere accessibility of website ≠ jurisdiction; defendant must have deliberately targeted/interacted commercially with the forum; passive vs interactive website distinction.
15. Is access to the internet a fundamental right in India? Discuss with reference to Anuradha Bhasin case.
Hint: Yes — SC held access to internet is part of Art.19(1)(a) (free speech); internet shutdowns must be proportionate, temporary, published, judicially reviewable; indefinite shutdown unconstitutional.

B. Long Answer / Essay Questions (10–15 Marks)

1. Explain the scheme of the Information Technology Act, 2000. What are its main objectives? Discuss the legal recognition granted to electronic records and digital signatures under the Act.
Hint: Background (UNCITRAL Model Law); objectives (facilitate e-commerce, remove writing/signature barrier, create CA framework, create civil/criminal liability); Ss.4–5 (recognition); Ss.3, 3A (signatures); PKI hierarchy; UNCITRAL influence.
2. Examine the civil and criminal liabilities created under the IT Act, 2000 for cyber crimes. Distinguish between S.43 and S.66. Discuss with reference to decided cases.
Hint: S.43 (civil — compensation for 10 types of computer-related wrongs); S.66 (criminal — same acts done dishonestly/fraudulently); Vinod Kaushik (email access), Sanjay Dhande (data protection); compare civil adjudication (Adjudicating Officer) vs criminal courts.
3. Critically examine the law on intermediary liability under S.79 of the IT Act as interpreted in Shreya Singhal v. Union of India. When does an intermediary lose “safe harbour” protection?
Hint: S.79 text (safe harbour conditions); Shreya Singhal — S.66A struck down, S.79 read down (only court/govt orders trigger removal); My Space case (actual notice + failure = loss of safe harbour); IT Intermediary Rules 2021 obligations; GDPR comparison.
4. Discuss the law on obscenity and online pornography under the IT Act, 2000. What is the test for obscenity in India after Aveek Sarkar? Examine the special provisions regarding child pornography.
Hint: Ss.67, 67A, 67B; Hicklin test (old) vs Community Standards Test (Aveek Sarkar — SC 2014); S.66E (privacy violation — capturing intimate images); Suhas Katti (first conviction); S.67B (child pornography — most severe — up to 7 years for subsequent conviction).
5. Examine the admissibility of electronic evidence under Ss.65A and 65B of the Indian Evidence Act. Is a S.65B certificate mandatory? Discuss the Supreme Court’s judgment in Anvar P.V. v. P.K. Basheer.
Hint: S.65A (gateway provision); S.65B (four conditions for admissibility); certificate mandatory — Anvar P.V. (SC 2014); Arjun Pandit Rao (2020) — certificate must be produced at time of tendering; why S.65 general secondary evidence provision does not apply.
6. Write a detailed note on e-contracts — their types, formation, and enforceability under Indian law. What are the special provisions of the IT Act relating to e-contracts?
Hint: S.10A IT Act (e-contracts not invalid for being electronic); Ss.11–13 (attribution, acknowledgment, despatch); types (click-wrap, browse-wrap, email, shrink-wrap); Contract Act general principles apply; Trimex v. Vedanta (email = contract); WWE v. Reshma (email exchange = binding contract).
7. Examine the law on jurisdiction in cyberspace with special reference to civil jurisdiction and the “purposeful availment” test. How do Indian courts determine jurisdiction in online disputes?
Hint: Challenge — borderless cyberspace vs territorial courts; S.20 CPC (cause of action); S.75 IT Act (extraterritorial jurisdiction); effects doctrine; purposeful availment (Banyan Tree); passive vs interactive websites; S.179 CrPC for criminal cases; extraterritorial jurisdiction of IT Act S.75.
8. Is the right to privacy a fundamental right in India? How does it apply in the context of the IT Act, surveillance, and internet shutdowns? Discuss with reference to Justice K.S. Puttaswamy and Anuradha Bhasin cases.
Hint: Puttaswamy (2017) — 9-judge bench — privacy fundamental right under Art.21; three-part test (legality, legitimate aim, proportionality); Anuradha Bhasin — internet access fundamental right; internet shutdowns must be proportionate; impact on Ss.69–69B surveillance powers under IT Act.
9. Explain the Public Key Infrastructure (PKI) under the IT Act. What is the role of the Controller of Certifying Authorities and Certifying Authorities? How are Digital Signature Certificates issued, suspended, and revoked?
Hint: PKI = trust hierarchy; CCA (S.17 — apex regulator); Certifying Authorities (licensed under S.24); DSC content and issuance (S.35); suspension (S.37) and revocation (S.38) grounds; offences (Ss.73–74); role in e-governance (tax filings, MCA compliance, e-courts).
10. Examine the law on data protection under S.43A of the IT Act. What are “sensitive personal data or information”? How does it compare with the GDPR framework?
Hint: S.43A — body corporate liable for negligent security; SPDI Rules 2011 (what qualifies as SPDI); IS/ISO 27001 safe harbour; Sanjay Dhande case; compare EU GDPR (comprehensive data protection law with DPA, data subject rights, data breach notification); India’s Personal Data Protection Bill journey (now DPDP Act 2023).

C. Problem-Based Questions

1. Raju accesses his colleague Priya’s email account using her password (which he saw her type), reads her emails, and uses personal information from them to harass her. Advise on civil and criminal liability.
Answer: Civil — S.43(a) unauthorised access → compensation; Criminal — S.66 (dishonest/fraudulent unauthorised access, imprisonment up to 3 years); S.66C (identity theft — using Priya’s electronic identity/password, imprisonment up to 3 years + fine); possibly S.354D IPC if harassment constitutes cyber stalking. Vinod Kaushik principle — such evidence inadmissible in any proceedings.
2. A bank allows a fraudster to obtain a duplicate SIM (SIM swap) of a customer’s number by accepting forged documents. The fraudster then uses OTPs to transfer ₹10 lakh from the customer’s account. Who is liable?
Answer: (i) Bank — S.43A liability for failing to implement reasonable security practices (OTP alone without additional verification may be inadequate; not detecting unusual transaction); (ii) Telecom company — S.43A (issued SIM without adequate verification); (iii) Fraudster — S.66C (identity theft), S.66D (cheating by personation), S.420 IPC (cheating). Sanjay Dhande case — both bank and telecom held liable.
3. X posts on Twitter: “Y is a corrupt politician who takes bribes.” Y sues for online defamation. X argues Twitter is responsible as the platform. Decide.
Answer: X is primarily liable — defamation requires false statement of fact; “corrupt bribe-taker” is a defamatory statement of fact (if false). Twitter is an intermediary protected by S.79 safe harbour — not primarily liable for X’s post. However, once Twitter receives court/government order, it must take down the tweet or lose safe harbour (Shreya Singhal). X’s liability: S.499/500 IPC (defamation); civil suit for damages. Vyakti Vikas Kendra — Twitter defamation actionable.
4. A Mumbai company finds that a Pune competitor’s website (accessible in Mumbai) is passing off on its trade mark. The Mumbai company wants to sue in Mumbai. The competitor challenges Mumbai’s jurisdiction. Decide.
Answer: Apply the purposeful availment test (Banyan Tree Holdings). If the Pune company’s website is merely passive/informational, Mumbai may lack jurisdiction (S.20 CPC — cause of action must arise in Mumbai). If the website is interactive/commercial and customers in Mumbai have transacted/been misled, there is a cause of action in Mumbai. Also consider the “effects doctrine” — if passing off harms the Mumbai company’s goodwill in Mumbai, cause of action arises in Mumbai (S.20(c) CPC).
5. Police arrest someone for a Facebook post criticising the Chief Minister, invoking S.66A IT Act. The accused challenges the arrest. Decide.
Answer: The arrest under S.66A is completely illegal — the Supreme Court in Shreya Singhal v. Union of India (2015) struck down S.66A as unconstitutional. S.66A does not exist in law anymore. The accused is entitled to immediate release. Police cannot arrest or prosecute anyone under a provision the Supreme Court has declared void. The accused can challenge the arrest through habeas corpus or appropriate writ petition.
6. A prosecution seeks to produce WhatsApp messages as evidence in a criminal trial. The phone has been seized from the accused. What procedural requirements must be met?
Answer: WhatsApp messages on a seized phone are “electronic records” — admissibility governed by S.65B Evidence Act. Requirements: (i) S.65B Certificate from the person responsible for the computer resource (here, the investigating officer or forensic expert who extracted the data) certifying the four conditions of S.65B; (ii) Certificate must be produced at the time of tendering evidence (Arjun Pandit Rao); (iii) Technical process of extraction must be documented. Without the S.65B certificate, the WhatsApp messages cannot be admitted as evidence (Anvar P.V.).
7. A government order shuts down the internet in an entire state for 3 months without publishing the order and without any judicial oversight. Evaluate legality.
Answer: Unconstitutional on multiple grounds: (i) Internet access is part of the fundamental right to free speech (Art.19(1)(a)) — Anuradha Bhasin; (ii) Internet shutdown orders must be published for public scrutiny; (iii) Indefinite/prolonged shutdown without review is disproportionate; (iv) Right to privacy (Puttaswamy) also engaged; (v) Orders under S.69A must comply with procedural safeguards; (vi) Any restriction must satisfy three-part test: legality + legitimate aim + proportionality. The 3-month unpublished shutdown fails on all counts.
8. A software company’s disgruntled ex-employee, after leaving the job, deletes critical code from the company’s servers remotely. Advise on available remedies.
Answer: Civil — S.43(d) (damages for deleting/altering data/computer system) + S.43(i) (destroying/altering computer source code); Criminal — S.66 (dishonest/fraudulent deletion of data — imprisonment up to 3 years + fine); S.65 (tampering with source code); also S.426 IPC (mischief), S.406 IPC (criminal breach of trust if employee relationship involved). The company can seek: (i) injunction to prevent further access; (ii) civil compensation (Adjudicating Officer if ≤₹5 crore, else civil court); (iii) criminal complaint to police.

D. MCQ Practice (20 Questions)

1. The Information Technology Act, 2000 does NOT apply to:
(A) Email contracts
(B) Digital signatures
(C) A will as defined in the Indian Succession Act ✓
(D) Computer software
2. A mobile phone was held to be a “computer” under the IT Act in:
(A) Syed Asifuddin v. State of Andhra Pradesh ✓
(B) Vinod Kaushik v. Madhvika Joshi
(C) NAASCOM v. Ajay Sood
(D) Anvar P.V. v. P.K. Basheer
3. Under S.43A, a “body corporate” is liable for failure to protect sensitive personal data if it is:
(A) Intentionally misusing personal data
(B) Selling personal data to third parties
(C) Negligent in implementing reasonable security practices ✓
(D) Using personal data for advertising
4. Section 66A of the IT Act was struck down in:
(A) Anvar P.V. v. P.K. Basheer
(B) Anuradha Bhasin v. Union of India
(C) Shreya Singhal v. Union of India ✓
(D) Justice Puttaswamy v. Union of India
5. The Supreme Court held that privacy is a fundamental right in:
(A) Anuradha Bhasin v. Union of India (2020)
(B) Shreya Singhal v. Union of India (2015)
(C) Justice K.S. Puttaswamy v. Union of India (2017) ✓
(D) NAASCOM v. Ajay Sood (2005)
6. A S.65B certificate for electronic evidence must be:
(A) Produced at any time during trial
(B) Produced only when challenged
(C) Produced at the time of tendering the electronic record as evidence ✓
(D) Not required if the electronic record is self-authenticating
7. The offence of cyber terrorism under S.66F is punishable with:
(A) Imprisonment up to 10 years
(B) Imprisonment up to 7 years
(C) Death penalty
(D) Imprisonment for life ✓
8. India’s first case recognising and injuncting phishing as a cyber crime was:
(A) Syed Asifuddin v. State of AP
(B) Shreya Singhal v. Union of India
(C) NAASCOM v. Ajay Sood ✓
(D) Banyan Tree v. Murali Reddy
9. The “purposeful availment” test for cyber jurisdiction was laid down in:
(A) WWE v. Reshma Collections
(B) My Space v. Super Cassettes
(C) Banyan Tree Holdings v. A. Murali Krishna Reddy ✓
(D) Satyam Infoway v. Sifynet Solutions
10. The test for obscenity adopted by the Supreme Court in Aveek Sarkar v. State of West Bengal is:
(A) Hicklin test
(B) Community Standards Test ✓
(C) Reasonable person test
(D) Harm test
11. Which section of the IT Act deals with tampering with computer source code?
(A) S.66
(B) S.43
(C) S.65 ✓
(D) S.67
12. The “safe harbour” protection for intermediaries under S.79 is lost when:
(A) Any private user complains about content
(B) The platform has more than 50 lakh users
(C) The intermediary receives actual notice of specific illegal content and fails to act ✓
(D) The intermediary is incorporated outside India
13. Under S.43(a) of the IT Act, civil liability for unauthorised access arises even if:
(A) The person accessed the system without any intention of causing damage ✓
(B) The person had a legal right to use other resources of the owner
(C) The access did not cause any financial loss
(D) The person disclosed the unauthorised access to the owner
14. India’s first conviction under S.67 of the IT Act (online obscenity) was in:
(A) SMC Pneumatics v. Jogesh Kwatra
(B) State of Tamil Nadu v. Suhas Katti ✓
(C) Aveek Sarkar v. State of West Bengal
(D) Vinod Kaushik v. Madhvika Joshi
15. S.66C of the IT Act deals with:
(A) Hacking
(B) Cyber terrorism
(C) Publishing obscene material
(D) Identity theft (fraudulent use of electronic signature/password of another) ✓
16. The extraterritorial jurisdiction of the IT Act is provided in:
(A) S.69
(B) S.79
(C) S.1(2)
(D) S.75 ✓
17. In Anuradha Bhasin v. Union of India, the Supreme Court held that access to the internet is:
(A) A statutory right under the IT Act
(B) Not a fundamental right but must be proportionately restricted
(C) A fundamental right under Art.19(1)(a) of the Constitution ✓
(D) A directive principle, not an enforceable right
18. The UDRP (Uniform Domain Name Dispute Resolution Policy) applies to disputes over:
(A) .in domain names only
(B) Country-code top-level domains
(C) Generic TLDs like .com, .org, .net ✓
(D) All domain names worldwide
19. Which section of the IT Act gives overriding effect to the IT Act over other laws?
(A) S.1(4)
(B) S.43A
(C) S.79
(D) S.81 ✓
20. India’s first cyber defamation case involving emails was:
(A) SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra ✓
(B) Vyakti Vikas Kendra v. Jitendra Bagga
(C) NAASCOM v. Ajay Sood
(D) Google India v. Visaka Industries


⚡ Quick Revision Summary

1. Key Definitions at a Glance

TermSectionOne-Line Definition
ComputerS.2(1)(i)Any electronic data processing device (includes mobile phones)
Computer NetworkS.2(1)(j)Interconnection of computers/communication devices
Computer ResourceS.2(1)(k)Computer + system + network + data + software
Communication DeviceS.2(1)(ha)Cell phones, PDAs, any device to communicate text/audio/video
Digital SignatureS.2(1)(p)Authentication using asymmetric cryptosystem + hash function
Electronic SignatureS.2(1)(ta)Any reliable electronic method of authentication (OTP, biometric, etc.)
IntermediaryS.2(1)(w)ISP, search engine, e-commerce platform, cyber cafe that stores/transmits records
Sensitive Personal DataS.43A r/w SPDI RulesPasswords, financial info, health data, biometrics, sexual orientation

2. All Sections Covered

SectionSubjectKey Rule
S.1(4)Exclusions from IT ActWills, powers of attorney, trusts, negotiable instruments, immovable property transactions excluded
S.4Legal recognition of electronic recordsElectronic records satisfy “writing” requirement
S.5Legal recognition of electronic signaturesElectronic signatures satisfy “signature” requirement
S.3 / S.3ADigital/Electronic SignatureS.3 — asymmetric cryptosystem; S.3A — any reliable method
S.10AE-contracts not invalidContracts concluded electronically are valid and enforceable
S.11–13Attribution, acknowledgment, despatchRules for when e-records are attributed and when contract is concluded
S.17–26PKI — CCA and Certifying AuthoritiesCCA = apex regulator; CAs issue DSCs; hierarchy of trust
S.43Civil liability for computer wrongsCompensation for unauthorised access, data theft, virus, DDoS, source code damage
S.43AData protectionBody corporate liable for negligent security practices affecting SPDI
S.46Adjudicating OfficerAdjudicates S.43/S.43A claims ≤ ₹5 crore
S.57TDSAT/Cyber Appellate TribunalAppeals from Adjudicating Officer’s orders
S.65Tampering with source codeKnowingly altering/concealing source code — 3 years / ₹2 lakh
S.66Computer-related offencesS.43 acts done dishonestly/fraudulently — 3 years / ₹5 lakh
S.66CIdentity theftFraudulent use of another’s electronic signature/password — 3 years + ₹1 lakh
S.66DCheating by personation onlineCheating by impersonating another via computer — 3 years + ₹1 lakh
S.66EViolation of privacyCapturing/publishing private images without consent — 3 years / ₹2 lakh
S.66FCyber terrorismThreatening sovereignty/security via computer — life imprisonment
S.67Online obscenityPublishing lascivious/prurient content online — 3/5 years + fine
S.67ASexually explicit content online5/7 years + fine for sexually explicit material
S.67BChild pornography online5/7 years + fine; most severe cyber crime category
S.69ABlocking of websitesGovt can order blocking for sovereignty/security/public order
S.72Breach of confidentialityDisclosing information accessed in official capacity — 2 years / ₹1 lakh
S.75Extraterritorial jurisdictionIT Act applies to offences outside India if involving computer resource in India
S.79Safe harbour for intermediariesNo liability for third-party content if due diligence + act on court/govt orders
S.81Overriding effectIT Act prevails over any inconsistent law
S.65A–65B (Evidence Act)Electronic evidenceS.65B certificate mandatory; four conditions; S.65 general provision does not apply
S.354D IPCCyber stalkingPersistent online monitoring/contact despite disinterest — 3/5 years

3. Landmark Cases Table

CaseYearCourtKey Ruling
Syed Asifuddin v. AP2005AP HCMobile = computer; SIM/ESN tampering = S.65
Vinod Kaushik v. Madhvika2012Del HCAccessing spouse’s email = IT Act violation; evidence inadmissible
Sanjay Dhande v. ICICI & Vodafone2014AO, MHS.43A — bank + telecom liable for SIM swap fraud (negligent security)
SMC Pneumatics v. Kwatra2014Del DCFirst cyber defamation; email defamation = actionable; injunction granted
NAASCOM v. Ajay Sood2005Del HCFirst phishing case; phishing = passing off + fraud + IT Act
Aveek Sarkar v. WB2014SCCommunity Standards Test replaces Hicklin test for obscenity
State of TN v. Suhas Katti2004CMM EgmoreFirst S.67 conviction; online harassment of woman = S.67 + S.509 IPC
Anvar P.V. v. Basheer2014SCS.65B certificate mandatory for electronic evidence
Shreya Singhal v. UoI2015SCS.66A struck down; S.79 safe harbour clarified
My Space v. Super Cassettes2016Del HC DBSafe harbour lost after actual notice + non-action on specific content
Puttaswamy v. UoI2017SC (9J)Privacy = fundamental right; legality + aim + proportionality test
Anuradha Bhasin v. UoI2020SCInternet access = fundamental right; shutdowns must be proportionate
Banyan Tree v. Murali Reddy2009Del HC DBPurposeful availment test; passive website ≠ cyber jurisdiction

4. Golden Rules

  • Ss.4–5 IT Act eliminate the paper and ink requirement — electronic = written + signed.
  • S.43 = civil compensation; S.66 = criminal imprisonment for the same acts (dishonest/fraudulent intent needed for S.66).
  • S.65B certificate is mandatory — without it, electronic records cannot be admitted as evidence (Anvar P.V.).
  • S.66A is dead — struck down by Supreme Court in Shreya Singhal. No one can be arrested under S.66A.
  • Safe harbour (S.79) protects intermediaries from liability for user content, but is lost upon actual notice + non-action.
  • Privacy is a fundamental right (Puttaswamy, 2017) — government surveillance must be lawful, targeted, and proportionate.
  • Access to internet = fundamental right (Anuradha Bhasin, 2020) — internet shutdowns must be proportionate and reviewed.
  • Community standards test (not Hicklin) governs obscenity — context matters (Aveek Sarkar).
  • Purposeful availment needed for cyber jurisdiction — passive website ≠ submission to local court’s jurisdiction.
  • Domain names = trade marks — passing off action available; UDRP/INDRP for dispute resolution (Satyam Infoway).

5. Memory Aids

DIGITAL SIGNATURE FUNCTIONS (CAIN):
C — Confidentiality
A — Authentication (proves sender’s identity)
I — Integrity (message not altered)
N — Non-repudiation (sender cannot deny signing)
S.43 CIVIL WRONGS (ACCESS DVDC):
A — Unauthorised Access
C — Copy/Download data
C — Contaminant/Virus introduction
E — Email bombing / Denial of Service
S — Source code damage
S — Steal or charge services to another’s account
SAFE HARBOUR CONDITIONS (IDS):
I — Intermediary doesn’t Initiate/select/modify content
D — Due Diligence observed (IT Rules 2021)
S — Specific notice from court/govt → take down (or harbour lost)
SHREYA SINGHAL OUTCOMES (SRS):
S — S.66A Struck down (unconstitutional — vague, overbroad)
R — S.79 Read down (only court/govt orders trigger take-down)
S — S.69A Saved (blocking with procedural safeguards = valid)


↑ Back to Top