Hacking And Cybercrime Under IT Act
1) What the IT Act covers (key offences relevant to “hacking” and cybercrime)
A. Hacking / unauthorized access
Section 66 (originally): covers “computer-related offences” such as unauthorized access, modification, damage to computer systems/records, typically described as hacking. Penalty: imprisonment and/or fine. (Note: statutory numbering and wording have changed over amendments; historically Sec. 66 criminalised unauthorized access and damage.)
Section 43 (civil / remedial): civil liability for unauthorized access, downloading, copying, introduction of viruses, damage to computer systems — monetary compensation.
B. Identity fraud / impersonation
Section 66C: punishment for identity theft (using someone’s electronic identity or unique identification feature).
Section 66D: cheating by personation by using a computer resource or electronic communication.
C. Fraud, cheating and tampering with data
Section 65: tampering with computer source code (penal).
Section 72 / 72A: breach of confidentiality and privacy by persons disclosing private information obtained in the course of business/official duties; Section 72A penalises disclosure of personal information if it causes harm.
D. Intermediary liability and safe harbour
Section 79: limited liability for intermediaries (ISPs, hosting providers) provided they exercise “due diligence” and respond to takedown notices; courts have interpreted scope and exceptions.
E. Obscenity / child pornography / content offences
Section 67 / 67A / 67B: publishing/transmitting obscene material in electronic form / child sexual material etc.
F. Cyber terrorism and national security
Section 66F: cyber terrorism — actions intended to threaten the unity, integrity, security or sovereignty of India, or to strike terror.
G. Evidence and digital records
Sections 65A and 65B of the Indian Evidence Act (as applied) — formal requirements for admissibility of electronic records: a certificate (under Section 65B) is normally required to admit electronic evidence. Courts have repeatedly framed and refined the rules for adducing electronic records in cybercrime prosecutions.
Police powers & procedure: The Act (and related rules) give investigating agencies powers to collect data, order interception/blocking in certain cases (subject to procedures), and to direct intermediaries to preserve logs.
2) How a “hacking” case typically proceeds (practical sketch)
Detection & complaint (victim or system admin lodges FIR / complaint).
Forensic preservation: image disks, preserve logs, secure server evidence (chain of custody).
Investigation: logs analyzed (IP addresses, timestamps, user agents), subpoenas to ISPs or intermediaries.
Electronic evidence: prepare Section 65B certificate(s) and properly authenticate electronic records.
Charges: Sections of IT Act + IPC offences (criminal breach of trust, cheating, criminal conspiracy, forgery) depending on facts.
Trial & expert evidence: digital forensic experts testify; courts evaluate admissibility and weight.
3) Six important Indian cases (detailed — facts, issues, holdings, legal reasoning, significance)
Case 1 — Shreya Singhal v. Union of India (Supreme Court, 2015) — freedom of speech & Section 66A
Facts: A challenge to Section 66A of the IT Act (which criminalised sending offensive/menacing etc. messages online) on grounds that it was vague and violated free speech (Article 19(1)(a)). Section 66A had been widely used to arrest people for social‑media posts.
Issues: Is Section 66A of the IT Act constitutionally valid? Did it impermissibly curtail freedom of speech by being vague and overbroad?
Holding: The Supreme Court struck down Section 66A as unconstitutional (violated Article 19(1)(a) and was not saved by reasonable restrictions in Article 19(2)). The court held the provision was vague, overbroad and allowed arbitrary arrests.
Reasoning: The law’s terms (e.g., “offensive”, “menacing”, “causing annoyance”) were undefined and subjective; the provision lacked precision and reasonable safeguards. Overbreadth risked chilling legitimate speech and dissent. The Court reiterated that the state cannot impose restrictions beyond those explicitly permitted by the Constitution.
Significance: A major protection for online speech; curtailed misuse of IT Act to arrest critics for online posts. The judgment also clarified aspects of intermediary liability (Section 79), and emphasised procedural safeguards. Although Section 66A was struck down, other IT provisions (for hacking, fraud, identity theft) remained operative.
Case 2 — Anvar P.V. v. P.K. Basheer & Ors. (Supreme Court, 2014) — admissibility of electronic evidence
Facts: Criminal matter where electronic records (e‑mails, printouts) were relied upon as prosecution evidence. The question was whether such electronic records are admissible and under what conditions (i.e., whether a certificate under Section 65B of the Evidence Act is mandatory).
Issues: Whether secondary evidence in the form of electronic printouts is admissible without a certificate under Section 65B(4) of the Evidence Act; what is the mandatory procedure for adducing electronic evidence?
Holding: The Supreme Court held that certification under Section 65B is mandatory for admissibility of electronic records. If a party seeks to admit an electronic record, the procedural requirement (a 65B certificate) must ordinarily be complied with.
Reasoning: Electronic records are not like ordinary documents; to ensure reliability, the statutory scheme requires a certificate identifying the device, the process of production, and the integrity of the electronic record. The Court therefore emphasised statutory compliance to avoid unreliable electronic evidence.
Significance: This decision set a high evidentiary bar for cybercrime prosecutions: investigators had to ensure proper technical certification and chain of custody, and many prosecutions were affected until procedure was adjusted. (Later jurisprudence refined elements of this rule; see Case 3 below.)
Case 3 — Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (Supreme Court, 2020) — clarified electronic evidence principle
Facts: Criminal appeal involving electronic evidence and whether non‑production of a 65B certificate would render evidence inadmissible.
Issues: Whether Anvar (2014) had been applied too rigidly and whether secondary evidence of electronic records can be admitted under Sections 63–65 of the Evidence Act when it is not reasonably practicable to produce a 65B certificate.
Holding: The Court clarified (and read Anvar in context) — the mandatory nature of Section 65B certification applies when the party seeks to rely on electronic records as primary evidence. However, where secondary evidence is permissible under Section 65, courts may admit electronic evidence even in the absence of 65B certificate provided the conditions for secondary evidence are met and reliability is established.
Reasoning: Overly rigid application of Anvar could lead to unjust outcomes; courts must apply a pragmatic approach that balances reliability and fairness. The judgment set out that each case should be considered on its facts; if secondary evidence rules are properly invoked and obtaining the primary certificate is impossible, evidence may be admitted after testing for reliability.
Significance: Gave investigators and prosecutors more workable options for adducing electronic evidence while maintaining safeguards — important for cybercrime trials where original devices are missing or inaccessible.
Case 4 — Avnish Bajaj (Baazee.com) — early intermediary liability prosecution (landmark factual scenario)
Facts (factual outline): In the early 2000s, the owner/operator of an online marketplace was prosecuted after obscene/illegal items were offered by third‑party sellers on the platform. Law enforcement arrested the intermediary (operator) alleging his site facilitated illegal transactions.
Issues: Whether an intermediary (online marketplace) is criminally liable for content uploaded/posted by third parties; what qualifies as “due diligence” and whether intermediaries can claim safe‑harbour under Section 79.
Holding / Outcome (principle): The case underscored the tension between holding intermediaries liable for user-generated content and recognising safe‑harbour if intermediaries follow due‑diligence rules and do not have actual knowledge of illegal content. Courts and later legislative rules progressively clarified that mere hosting does not automatically make an intermediary liable — liability arises where they fail to exercise due diligence or have actual/constructive knowledge and do not act on takedown notices.
Reasoning: Intermediaries facilitate speech and commerce; imposing strict liability would cripple online services. The law provides for conditional immunity—exercise of due diligence, compliance with takedown procedures, and cooperation with authorities are central.
Significance: Influenced the development of the intermediary rules, safe‑harbour principles and policy for notice‑and‑takedown — foundational for modern e‑commerce and hosting.
Note: the Avnish Bajaj episode was an early, high‑profile example showing how intermediaries were treated; subsequent law and judicial decisions refined safe harbour (Section 79) and procedural requirements for takedown.
Case 5 — State v. Suhas Katti (an early cyber‑impersonation prosecution — Madras jurisdiction)
Facts: An individual created a fake email account in the name of his former partner and sent offensive/obscene/defamatory mails to others, causing humiliation and reputational harm. The victim lodged a complaint; prosecution alleged impersonation, sending obscene/defamatory messages and invasion of privacy.
Issues: Whether impersonation and sending obscene/defamatory emails constituted offences under IT Act / IPC; whether the evidence (emails, logs) could be relied upon; appropriate charge selection (identity/cheating/defamation).
Holding / Outcome (principle): The prosecution secured conviction(s) under relevant provisions—the case is frequently cited as one of the first successful criminal prosecutions for online impersonation and harassment in India. Courts treated creation of fake electronic account, sending obscene material, and misrepresenting identity as punishable and emphasised the need to preserve electronic evidence.
Reasoning: Using someone else’s identity to cause harm is analogous to traditional impersonation / forgery / publishing obscene matter; electronic medium does not alter criminality. The case also highlighted importance of digital forensics and trace evidence (header info, provider logs).
Significance: Landmark as an early demonstration that existing criminal law + IT Act provisions could address online harassment and impersonation; encouraged police to develop cyber‑forensics capabilities.
Case 6 — Cyber‑fraud / phishing & identity‑theft prosecutions: representative judicial approach (composite summary of judicial trends)
Facts (typical): Offenders use phishing e‑mails or malware to capture bank login credentials, then cause unauthorised transfers. Victims complain; investigations trace transfers, IP addresses, intermediary logs, and device images.
Issues: Proving mens rea, establishing the chain of electronic evidence, linking the accused to logins/transfers, and choosing the right mix of IT Act sections and IPC (theft, cheating, criminal breach of trust, criminal conspiracy).
Judicial approach (typical holdings): Courts examine:
Forensic evidence linking device/IP to accused.
Bank records showing unauthorized transfers.
Whether the accused knowingly used stolen credentials (proof of dishonest intention).
Admissibility of email/server logs (Section 65B compliance).
Where adequate forensic and documentary proof exists, courts convict under IT Act sections (66C / 66D / 66) plus IPC offences.
Significance: Shows practical realities: cybercrime convictions rely heavily on careful forensic preservation, 65B compliance, and multi‑agency cooperation (banks, ISPs). Courts have stressed both protections for victims and strict evidentiary standards to prevent wrongful convictions.
4) Practical pointers from judicial trends (what courts focus on)
Admissibility & chain of custody: Courts insist on proper forensic procedures, imaging devices, and Section 65B certificates when primary electronic evidence is offered. Later clarifications allow secondary evidence in limited circumstances, but prosecution should aim to comply with 65B to avoid exclusion.
Intermediary role: Intermediaries are not automatically liable for user content if they follow due diligence and timely takedown. Actual knowledge and failure to act are central to liability.
Vagueness & constitutional limits: Overbroad wording (e.g., pre‑Shreya 66A) risks being struck down. Legislation and prosecutions must be precise to meet constitutional speech guarantees.
Overlay of IPC & IT Act: Cybercrimes often invoke both IT Act sections and cognate IPC offences (cheating, forgery, criminal breach of trust, defamation). Courts read them together to match the factual matrix.
Remedies: Besides criminal prosecution, victims can seek civil remedies under Section 43 (compensation), injunctions, and takedowns.
5) Illustrative charging matrix (how offences are mapped to facts)
Unauthorized access/hacking → Section 66 (IT Act), Section 43 (civil), possibly IPC offences for trespass/causing damage.
Identity theft/impersonation online → Section 66C, Section 66D.
Phishing / online fraud → Section 66 (if damage), Sections 66C/66D + IPC cheating (s. 420).
Publishing obscene content → Section 67/67A.
Disclosure of private data by official/insider → Section 72/72A.
6) Procedural & investigative checklist (practical, for investigators / victims)
Preserve devices: create forensic images immediately; maintain chain of custody.
Obtain server logs and ISP records (preserve under preservation notices).
Prepare 65B certificate(s) for electronic records you intend to rely upon.
Coordinate with banks for logs of transfers; issue freezing requests quickly.
Serve intermediaries with proper legal process for takedown / data.
Draft charges combining IT Act + IPC for full redress.
7) Closing notes
The cases above summarise major legal principles shaping how Indian courts treat hacking, impersonation, intermediary liability and digital evidence under the IT Act.