Professional Documents
Culture Documents
The Mathematics Between Cyber Law &cyber Crime in Indian Arena'
The Mathematics Between Cyber Law &cyber Crime in Indian Arena'
The Mathematics Between Cyber Law &cyber Crime in Indian Arena'
GAURAV TIWARI
INTRODUCTION:
The founding fathers of Internet barely had any proclivity that Internet could transform itself into
an all pervading revolution which could be tainted for criminal activities and which required law.
These days, there are many troubling incidents in cyberspace. Due to the mysterious nature of
the Internet, it is probable to engage into a variety of criminal activities with impunity and people
with intelligence, have been hideously misusing this aspect of the Internet to perpetuate criminal
activities in cyberspace. . The advancement in this field has been multiplying exponentially but
cybercrimes are also thriving rapidly. Although generous progress in technology, uncertainty
still prevails and the efforts to trace, identify and bring the criminal to books have not borne
much fruit. If cybercrimes are not combated at the early stage, the posterity will suffer from the
human values, which will have very damaging effects on the society at large and innocent
individuals in particular.1 The very character of crime itself has undergone complete
transformation. There is a conjectural shift in terms of the costs of criminal behaviour and the
forms of criminality, which merits state attention. The globalization of the world’s economy and
the resultant exponential increase in the way business is carried out has given rise to a new wave
of crime, which requires more attention than traditional forms of violent crimes that currently
command the vast share of state law enforcement resources. Territorial boundaries are no longer
the barriers, as it may also exist in cyberspace, where corporations, which serve computer and
1
M. Ponnaian,, July- September 2000 “Cyber crimes, Modern crimes and Human rights”, P R P Journal of Human Rights, Vol. 4, at 13-14
telecommunications networks also control access. The capacity of criminals has been enhanced
to carry out serious offences manifolds due to progress in computer and communications
technologies and that too with a greatly diminished risk of apprehension. The defence
and cyberspace. The concept of jurisdiction becomes meaningless when an individual has only
an address on a computer network as identity. This century will therefore, be known not only for
greater technological innovation, but also be remembered for unpreparedness of legal and law
enforcement communities for the cyberspace crime, which is increasing unabated. The ever-
expanding financial resources of criminals will render them increasingly important players in
global financial markets.2 With the advent of the internet, cyberlaw has become an emerging
rights, jurisdiction and choice of law, and privacy rights. 3 There have been various kinds of
computer and internet related crimes. In fact, the growth of crime on the internet is directly
proportional to the growth of the internet itself, and so is the variety of crimes being committed
or attempted.4
The fundamental principles of crime are founded on rules of equity, justice and fair play, which
provide adequate guidelines for the formulation of a rational penal policy and at the same time
2
M.P. Shahi,(2000), “Crime and Corruption in the Digital Age”, at 27
3
J. Kaufman Winn and R. Warner, “Course: Law of the internet”, Southern Methodist University School of Law at
<http://www.smu.edu/~jwinn/inetlaw.htm>
4
“Computer and internet Crimes”, at <http://www.cyberspacelaws.com/crime.asp>
that a person may not be convicted of a crime unless the prosecution has proved beyond
He has caused a certain event, or responsibility is to be attributed to him for the existence
He had a defined state of mind in relation to the causing of the event or the existence of
Thus, a crime essentially consists of two elements, namely, actus reus and mens rea.
ACTUS REUS
The word actus connotes, a physical result of human conduct. The actus reus includes all the
elements in the definition of the crime except the mental element of the accused. It is not
merely an act but may consist of a state of affairs not including an act at all. Actus reus is
The actus reus is made up generally, but not always, of conduct, and sometimes it’s
consequences and also the circumstances in which the conduct takes place, or which constitute
the state of affairs, in so far as they are relevant. Sometimes a particular state of mind on the part
of the victim is required by the definition of the crime. If so, that state of mind is a part of the
actus reus.6
The element of actus reus in internet crimes is relatively easy to identify, but is very difficult to
prove. The fact of the occurrence of the act that can be termed as a crime can be said to have
5
J.C. Smith and B. Hogan,(1988) “Criminal Law”, at 31-36
6
Thus, in the prosecution of rape the absence of consent on the part of the prosecutrix is an essential constituent of the actus reus. If the
prosecution fails to prove such absence of consent the actus reus is not proved and the prosecution must fail.
making use of computer function;7
accessing data stored on a computer or from a computer which has access to data stored
outside;8
attempt to gain access through internet or passes signals through various computers and
made computers to perform a function on the instruction which the person gave to the
first computer in the chain. Such function can be said to constitute actus reus.9
trying to login, even though attempts are useless. For example, hackers have an
automated system of trying passwords of different systems, the very running of which
MENS REA
Mens rea is the second essential element, which constitutes crime is called “a guilty mind”.
This construalhad undergone gradual changes until modern criminal law came to regard a guilty
mind of some kind or some other such mental element as always being necessary. 11 Mens rea
negligence.12 Intention refers to the state of mind of a man who not only foresees but also wills
the possible consequences of his conduct. There cannot be intention unless there is foresight,
since a man who intends a particular act must have reasonable foresight of the consequences of
7
This is done by using input devices like the keyboard, mouse, etc
8
A hacker uses an authorized person’s password to login to any company’s main server, hoping to gain access to the company’s customer details.
The computer to which he logs in to stores these details in a huge data storage unit, which is, locate elsewhere. The data itself is stored on a
magnetic tape. The processing unit of the computer retrieves the information the storage unit. The computer would be thought to include the
magnetic tape, and so the data would still be considered as being ‘held in a computer’. See, C. Gringras,(1997) “The Laws of the internet”, at 216
9
For example, a hacker uses his computer to access an unauthorized account at an Internet Service Provider (ISP). It is enough for the
prosecution to prove that either of the computers belonging to the hacker or the ISP were made to function. However, the prosecution would
choose to prove that the ISP’s computer was made to function only when it is not possible or extremely difficult for the prosecution to prove that
the functioning of the ISP’s computer was a result of the instructions given by the hacker unless there is other evidence to prove the same.
10
A hacker oversees a password being entered by someone logging in to a remote computer. The login prompt specifies that the user must be
authorized to access the computer. Later, the hacker attempts to use the password himself, but fails owing to the remote computer allowing only
one login each day. This would still be actus reus as the rejection itself constitutes a function and this function was caused by the hacker using
the password without authorization at the wrong time.
11
Smith and Hogan,(1988)Supra note 7 at 55
12
J.W. Cecil Turner (ed.), Kenny’s, “Outlines of Criminal Law”, 18th ed., Cambridge University Press, Cambridge, at 31- 36
such act. Though intention cannot exist without foresight, the converse is not necessarily true,
i.e., there can be foresight without intention. A person who does not intend to cause a harmful
result may take an unjustifiable risk of causing it. If a man foresees the possible or even
probable consequences of his conduct and yet, without desiring them, still persists with such
conduct, he knowingly runs the risk of bringing about the unwished result. Such conduct may be
defined as recklessness.
Finally, a man may bring about an event without having any intention or foresight. He may
never have considered the possible consequences of his conduct and the end result may come as
a surprise even to him. Under Common Law, there is no criminal liability for harm caused by
An essential ingredient for determining mens rea in internet crime, on the part of the offender is
that he or she must have been aware at the time of causing the computer to perform the function
that the access intended to be secured was unauthorized. There must be, on the part of the
hacker, intention to secure access, though this intention can be directed at any computer and not
at a particular computer. Thus, the hackerneed not be aware of which computer exactly he or she
was attacking.14 Further, this intention to secure access also need not be directed at any
particular or particular kind of, programme or data. It is enough that the hacker intended to
13
Professor Kenny gives the example of manslaughter cases where it has been laid down time and again that harm caused inadvertently does not
carry criminal liability. Thus, he concludes that there are only two states of mind, which constitute mens rea in criminal law, namely, intention
and recklessness. Under Law of Torts harm caused by negligence is interpreted differently. The courts have evolved the concept of “the
reasonable man” for determining liability in tort law. Thus, a person might be liable for harm caused by his negligence if the consequences of his
conduct were foreseeable by a reasonable man in possession of all ordinary faculties and placed in the same circumstances. However, if the
consequences were not foreseeable by such reasonable man, then the person would not be guilty for the unintended consequences of his negligent
act.
14
This suits the prosecution in matters relating to unauthorized access on the internet, because it is often complicated to prove that a person
intended to login to a particular computer.
15
Gringras,(1997)Supra note 10 at 221
Thus, there are two vital ingredients for mens rea for hackers or crackers who gain unauthorized
The hacker should have been aware of the same at the time he or she tried to secure the
access.
The second ingredient is easier to prove if the accused hacker is a person from outside who has
no authority whatsoever to access the data stored in the computer or the computers; however, it
is difficult to prove the same in the case of a hacker with limited authority.16
On deeper analysis one finds that our obsolete and primitive civil and criminal statutes of the
Common Law vintage have somehow been made to subverse the ends of the present day Indian
society primarily through judicial innovation and ingenuity. Needless to add that such statutes
are overdue for a total review and replacement. The nature of cyber crimes and the skills
involved are such that existing legal framework cannot do much to control and contain the same.
In fact, the cyberspace technology has undermined to a major extent the traditional legal
concepts like property and has impacted the rules of evidence like burden of proof, locus standi
Cybercrimes have set in a debate as to whether a new legislation is needed to deal with them or
existing legal regime is flexible enough to effectively deals with this new form of criminality.
Generally the countries that have shown concern to combat cybercrimes have adopted two
16
A common example of this is where the accused hacker is an employee of a company and is accused of using the companies Intranet outside
their authority. The problem arises in such a case of a person who is entitled to limited access but not access of the kind in question i.e. he is
exceeding the limits of his authority. The question to be asked here is whether the person knew that he was unauthorized in that sense. The
question of fact as to whether the hacker knew the limits of authority is often a finely balanced one. The difficulty with partial authority raises an
issue of relevance for server operators also.
strategies, i.e., to approach computer crime both as traditional crime committed by/on high tech
DEFINITION OF CYBERCRIMES
Cybercrime has recently become a catchy term for a group of security issues in cyberspace.
However, despite its frequent use there is no commonly accepted definition. Surely, cybercrime
is related to the realm of computers, however, there is no consensus on whether those computers
have to be interconnected or not. Some definitions exclude explicitly computer related crimes
that are not committed online, as they view cybercrime in the narrow sense, while others prefer
broader definitions including all kinds of computer related offenses. However, it is evident that
most computer crimes are committed online. The UN Manual on the prevention and control of
computer-related crime provides the following definition of cybercrime: Computer crime can
involve activities that are traditional in nature, such as theft, fraud, forgery and mischief, all of
which are generally subject everywhere to criminal sanctions. The computer has also created a
host of potentially new misuses or abuses that may, or should be criminal as well (UN 1994, par.
22).18
In July 1996, the UK National Criminal Intelligence Service launched a study of computer crime
called Project Trawler. In the study the terms computer crime, information technology crime and
cybercrime are interchangeable. Project Trawler defines computer crime as follows: An offence
in which a computer network is directly and significantly instrumental in the commission of the
17
In America 31 States have passed new legislations to deal with computer related crimes whereas others have amended the definitions of
Larceny to include electronic media. See Michael D. Rostorker et al. “Computer Jurisprudence, Legal Response to the Information Revolution”,
(1986) at 344 In India also, the Indian Penal Code has been amended to cover computer related crimes and some such offences have been
separately covered under the IT Act, 2000. See also, British Computer Misuse Act, 1990, Singapore Computer Misuse Act, 1993 (as amended
1998), Malaysian Computer Crimes Act, 1997.
18
<http://www.uncjin.org/Documents/irpc4344.pdf>
19
<http://www.ncis.co.uk/newpage1.htm>
According to UNO expert recommendations, the term of “cybercrimes” covers any crime
committed by using computer systems or networks, within their frameworks or against them.
Theoretically, it embraces any crime that can be committed in the electronic environment. In
other words, crimes committed by using e-computers against information processed and applied
Cyber or Computer crimes are white-collar crimes and are committed by students, non-
professional computer programmers, business rivals, individuals having vested interest and
criminals. To define such a crime, one has to utter these three points:
When computer technology is responsible for the wrongful loss and wrongful gain of two
When any person commits an of the following acts, he is guilty of a computer crime:
destroys, or otherwise uses any data, computer database, computer, computer system,
use of any data or computer database from a computer, computer system, or computer
computer network.
means.
network.20
The internet with its speed and global access has made these crimes much easier, efficient, risk-
free, cheap and profitable to commit. New crimes created with the internet itself or for
20
Suresh T. Viswanathan,(2001), “The Indian Cyber laws”, at 81-83
commission of old crimes or incidental for commission of crime. 21 Broadly stated, ‘cybercrime’
help of or connected with, the internet, whether directly or indirectly, which is prohibited
by any law and for which punishment, monetary and/or corporal, is provided
A) Internet crime: The internet crimes include that group of crimes that make criminal use of
Hacking
Espionage
Spamming
B) Web based crime: Web based crimes have been categorized separately and have been further
classified separately and have been further classified into four subcategories.
Insurance frauds
Gambling
Distribution of pornography
21
Vivek Sood,(2001), “Cyber Law Simplified” at 39
Threats
Extrotion
E-mail bombing
Defamation
Cyberstalking
Fraudsters use chat rooms for developing relations with unsuspecting victims
Offences against the confidentiality, integrity and availability of computer data and
systems
22
Subhas P. Rathore and Bharat B. Das,(2001) “Cyber Crimes: The emerging trends and Challenges, Souvenir, National Conference on
Cyberlaws and Legal Education”, NALSAR University of Law, at 56-57
(c) Data interference
(d) Cyberstalking
(g) Spoofing
(i) Cybersquatting
CIVIL LIABILITY OR CRIMINAL LIABILITY IN CYBERCRIMES
The civil offences in Indian law impose only a liability for compensation to the person, who has
suffered, while the criminal offences may be punished with imprisonment and fine payable to the
State. There are crimes, which as come under both civil wrong and criminal offences so called
as hybrids. Various cyber crimes are there, which are mainly categorized into two broad ways:
Civil Liability: Civil liability provides remedy for compensation only which includes following
crimes, viz;
Defamation
Cybersquatting
Copyright theft
Design theft
Patent theft
Software piracy
Spamming
compensation to victims;
Cyberstalking
Hacking
Cracking
Network sabotage
Cyber frauds
Cyber gambling
Cyber cheating
Forgery
Information theft
Data theft
The objectives of The Information Technology Act, 2000 are defined as:
“To provide legal recognition for transactions carried out by means of electronic data
commerce”, which involve the use of alternatives to paper-based methods of communication and
storage of information, to facilitate electronic filing of documents with the Government agencies
and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers’ Books
Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected
To facilitate and give legal sanction to electronic fund transfers between banks and
financial institutions;
To give legal recognition for keeping books of account by Bankers in electronic form.
The first 17 sections of the Act are largely based on Model Law on Electronic Commerce
divided into XIII chapters. It has 4 schedules, Schedule I seeks to amend the Indian Penal Code;
Schedule II seeks to amend the Indian Evidence Act; Schedule III seeks to amend the Bankers’
Book Evidence Act; and Schedule IV seeks to amend the Reserve Bank of India Act.
Towards that end, the Act stipulates numerous provisions. It aims to provide for a legal
framework so that legal sanctity is accorded to all electronic records and other activities carried
The Act has defined cybercrimes for the first time and provided for penalties, punishment and
(IPR) protected software, tampering with electronic documents and committing electronic
forgery. The IT Act has a provision of penalties up to Rs. 1 crore for damaging computer
systems and three-year jail term with a fine of Rs. 2 lakhs for hackers. But these penalties don’t
mean much if the existing police investigating officers, forensic scientists, and the judiciary are
not familiar with the intricacies of the internet. The Act covers a totally uncharted field with no
past experience even in other countries. Accordingly, future modifications, based on experience,
Provides legal recognition to e-commerce, which means that contracts can be enforced.
Records can be kept in an electronic form. Written records also mean electronic records
Certifying Authorities.
Adjudicating authorities to decide if cyber crimes have been committed. Also provide
(Certifying Authorities) Rules, 2000 and The Cyber Regulations Appellate Tribunal
authorities.
Amendment of Indian Penal Code (1860), Indian Evidence Act (1872), Bankers’ Book
23
See also Cyber Regulation Advisory Committee
24
See also The Information Technology Rules, 2000
25
See also Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000
Evidence Act (1891) and the Reserve Bank of India Act (1934) 26 to bring them in tune
The Information Technology (Certifying Authorities) Rules, 200027 also stipulate the
Also provide security guidelines29 for the management and operation of Certifying
Authorities (CAs) and is aimed at protecting the integrity, confidentiality and availability
The Act has paved the way for an exponential growth of e-commerce and other internet enabled
services like e-trading, e-shopping and e-banking. The provisions of the Act do not apply to a
negotiable instrument, a power of attorney, a trust, a will, and any contract for the sale or
applies to any offence or contravention committed outside India by any person (irrespective of
India. It excludes network service providers from its ambit for any third party information (that
is, any information dealt with by them in their capacity as intermediaries) or data made available
by them, if they prove that the offence was committed without their knowledge, and they had
taken all precautions to prevent such commission. However, more explicitly, various computer
crimes that are not yet defined in the Act may be taken up to deal with the rapid technological
The Information Technology Act 2000 being India’s first cyber law is the central legislation,
which has been passed by the Parliament of India. Interestingly, it applies not only to the whole
of India including the State of Jammu & Kashmir but also applies to any contravention or
26
See also Schedules to the Information Technology Act, 2000
27
See also The Information Technology (Certifying Authorities) Rules, 2000
28
See also Information Technology (IT) Security Guidelines
29
See also Security Guidelines for Certifying Authorities
violation committed thereunder by any person anywhere in the world. State Governments have
also been given the powers to enact appropriate rules in the field of Information Technology. In
fact, Section 90 of the IT Act categorically states that the State Government may, by notification
in the official gazette, make rules to carry out the provisions of the Information Technology Act.
The rules to be made by the State Governments may include the electronic forms through which
common man communicates with the Government Departments or the format in which electronic
records shall be filed, created or issued and the manner of payment of any fee or charges for
filing, creation or issue of any electronic record. The State governments have appropriate
powers to legislate rules there under, apart from having powers to legislate on various steps
enumerated in the State List, which is detailed in the Constitution of India. Of course, it is
imperative to note that every rule made by the State Government under Section 90 of the IT Act
shall immediately be laid before each House of the State legislature for approval.30
In its resent form, the Act, therefore, not only recognizes the usefulness of e-commerce and
provide the necessary safeguards for the transactions by creating a necessary legal framework
but it also makes consequential amendments in the Indian Penal Code, Indian Evidence Act,
Reserve Bank of India Act and Bankers Book of Evidence Act, so that the offences relating to
documents and papers based transactions is made equal to the offences in respect of the
transactions carried out through the electronic media and further to facilitate electronic funds
transfer between the financial institutions and banks, and also to give legal sanctity to books of
30
Pavan Duggal,(2002), “CyberLaw- The Indian Perspective”, at 1-5
31
U.K. Chaudhary,Jan 2001 , “Information Technology Act, 2000: A step in the right direction”, CS vol. 31 at 30-31
JURISDICTION- THE CONCEPT
The effectiveness of a judicial system rests on core of regulations, which define every aspect of a
system’s functioning; and principally, its jurisdiction. A court must have jurisdiction, venue and
appropriate service of process in order to hear a case and render an effective judgement.
Jurisdiction is the power of a court to hear and determine a case. Without jurisdiction, a court’s
judgement is ineffective and impotent. Such jurisdiction is essentially of two types, namely
subject matter jurisdiction and personal jurisdiction. Subject matter jurisdiction is defined as the
competence of the court to hear and determine a particular category of cases. It requires
determination whether a claim is actionable in the court where the case is filed and personal
jurisdiction is simply the competence of the court to determine a case against a particular
category whether the person is subject to the court in which the case is filed. These two
jurisdictions must be conjunctively satisfied for a judgement to take effect. It is the presence of
jurisdiction that ensures the power of enforcement to a court and in the absence of such power,
INDIAN CONTEXT
The Information Technology Act, 2000 passed in India, is illustrative of the prevailing confusion
in the area of jurisdiction in the context of the internet. Section 1 of the Information Technology
Act, 2000, deals with the issue of applicability of this new law. Normally, the applicability of
laws within India can be broadly divided into the following major categories:
32
Nandan Kamath,(2000) “Law Relating to Computers internet & E-Commerce : A guide to Cyber Laws & the IT Act,2000 with Rules &
Regulations” at 20
Jammu & Kashmir has been granted a special status under the Constitution of India and special
laws are applicable to that state. Keeping in mind the universal nature of the impact of computers
and Internet, the legislature has decided that the IT Act 2000 shall be applicable to the whole of
The Act begins by saying, in clause (2) to section 1, that it shall extend to the whole of India and,
save as otherwise provided in the Act, it applies also to any offence or contravention thereunder
committed outside India by any person. Clause (2) of section 75 of the Act simply states that,
“… this Act shall apply to an offence or contravention committed outside India by any person if
the act or conduct constituting the offence or contravention involves a computer, computer
system or computer network located in India”. Provisions of this nature are unlikely to be
Firstly, it is unfair to suggest that the moment an Indian computer system is used, an action
illustrate, let us consider a web site located in a foreign country. The site may host content that
would be perfectly legal in its home country, but may be considered offensive or illegal in India.
If an Indian chooses to view this site on a computer situated in India, does that mean the site can
explained earlier, the judicial trend of examining the amount of activity that a site undertakes in a
particular jurisdiction is a far more equitable method to determine jurisdiction. Further, even if
Indian Courts are to claim jurisdiction and pass judgements on the basis of the principle
expostulated by the IT Act, it is unlikely that foreign Courts will enforce these judgements since
they would not accept the principles utilized by the Act as adequate to grant Indian courts
the first place, as the result of the strongly unitary model of government prevalent in India,
interstate disputes never assume the level of private international law. Hence, there has been
precious little by way of development of private international law rules in India. Furthermore,
there have been few cases in the Indian courts where the need for the Indian courts to assume
jurisdiction over a foreign subject has arisen. Such jurisprudential development would however,
become essential in the future, as the internet sets out to shrink borders and merge geographical
two levels. In the first place, given the manner in which foreign courts assume jurisdiction over
the internet related issues (as evidenced by the cases discussed above), the consequences of a
decree passed by a foreign court against an Indian citizen must be examined. In other words,
under what circumstance can the decision of a foreign court be enforced against an Indian citizen
or a person resident in India? It is necessary to examine the circumstance under which the Indian
courts would assume jurisdiction over foreign citizens in order to better understand the rights of
However, the law has gone much further. It shall also apply to any violation or contravention of
the provisions of this Act done by any person anywhere in the world. By means of this provision,
the law is assuming jurisdiction over violators of The Information Technology Act, 2000 outside
the territorial boundaries of India. This provision is explained perhaps by the unique nature of
cyberspace, which knows no boundaries. The Information Technology Act, 2000 specifically
provides that unless otherwise provided in the Act, the Act also applies to any offence or
contravention thereunder committed outside India by any person irrespective of his nationality. 33
It is however clarified that the Act shall apply to an offence or contravention committed outside
India by any person if the act or conduct constituting the offence or contravention, involves a
computer, computer system or computer network, located in India. 34 The words “act or conduct
network located in India” are very significant to determine jurisdiction ofthe IT Act over acts
committed outside India. For assuming jurisdiction over an act constituting an offence or
contravention under the IT Act, which is committed outside India, it has to be proved that the
said act involves a computer, computer system or computer network located in India. For
instance, where a website is created in the US which contains pornographic material, it shall not
give the IT Act jurisdiction to question the site unless the creation or maintenance or running
ofthe site involves a computer, computer system or computer network located in India. But
where the said website uses a server or any other computer network located in India, the IT Act
would assume jurisdiction to question the website under section 67 of the IT Act. Another
instance to explain the jurisdiction of the IT Act is where a person from the US hacks a computer
system or network in India, section 66 of the IT Act would come into play to punish the accused
for hacking because his act involves a computer in India. Similarly, where a person anywhere in
the world plants a virus into a computer system located in India, he would be liable under section
43(c) of the IT Act to pay damages by way of compensation net exceeding Rs 1 crore to the
victim.
Section 75 of the IT Act is restricted only to those offences or contraventions provided therein
and not to other offences under other laws such as the Indian Penal Code, 1860. Jurisdiction
33
Sec. 1(2) of IT Act, 2000
34
Sec. 75 of IT Act, 2000
over other cyber crimes, for instance under the Indian Penal Code, 1860, has to be determined by
the provisions of the Criminal Procedure Code, 1973. The fundamental principle on jurisdiction
is the same under the IT Act35 and the Criminal Procedure Code, 1973, though stated differently.
The basic legal principle of jurisdiction under the Code of Criminal Procedure, 1973 is that every
offence shall ordinarily be inquired into and tried by a court within whose local jurisdiction it
was committed.36 These principles in the Code of Criminal Procedure, 1973 apply for
where an offence is committed in more places than one, or partly in one place and partly in
another, or where it is continuing and continues to be committed in more than one local area, or
where the offence consists of several acts done in different local areas, then it may be inquired
into or tried by a court having jurisdiction over either of such areas.37 In the event where it is
uncertain in which of several areas the offence was committed, again it may be inquired into or
In a case where an act is an offence by reason of anything, which has been done and of a
consequence, which has ensued, the offence may be inquired into or tried by a court within
whose local jurisdiction such act has been done or such consequence has ensued. 39 For instance,
in a case of defamation, either of the courts, i.e. of the place from where the defamatory letter
was e-mailed and the place at which it was published or received, if different, shall have
jurisdiction to inquire and try the same. To cite another instance; where in pursuance of misrep-
resentation by A through e-mail from place X, property was delivered at place Y, A can be tried
35
Sec. 1(2) r/w Sec 75 of IT Act, 2000
36
Sec. 177 of Cr.P.C., 1973
37
Sec. 178 of Cr.P.C., 1973
38
Sec. 178(a) of Cr.P.C., 1973
39
Sec. 179 of Cr.P.C., 1973
for the offence of cheating either at place X or Y. In a case where a person in Bombay does an
act of hacking of a computer system located in Delhi, he may be tried either in Bombay or Delhi.
In a case where an act is an offence by reason of its relation to any other act which is also an
offence or which would be an offence if the doer was capable of committing an offence, the first
mentioned offence may be inquired into or tried by a court within whose local jurisdiction either
of the acts was done. For instance, in a case of manufacture of sub-standard fertilizer in place X,
which is marketed through e-commerce at place Y, prosecution can be launched at either of the
said places because the marketing of the sub-standard fertilizer is an offence by reason of sub-
standard manufacture.
Certain specified offences have been required by law to be inquired into or tried in certain
may be inquired into or tried by a court within whose local jurisdiction the offence was
committed or any part of the property which is the subject of the offence was received or
retained or was required to be returned or accounted for, by the accused person.41 For example,
if an employee of a company based at Delhi, by operating through the internet bank account of
his employer company in a Bombay bank, transfers funds to his account at Calcutta, the case of
misappropriation can be tried either at Delhi or Bombay where the offence was partially
The law also provides that in the case of any offence which includes cheating, if the deception is
any court within whose jurisdiction such letters or messages were sent or where the same were
received.42 Moreover, any offence of cheating and dishonestly inducing delivery of property
40
Sec. 180 of Cr.P.C., 1973
41
Sec. 181 of Cr.P.C., 1973
42
Sec. 182 of Cr.P.C., 1973
may be inquired into or tried by a court having jurisdiction on the place where the property was
delivered by the person deceived or where it was received by the accused person.43
In a case where two or more courts take cognizance of the same offence and a question arises as
to which of the courts has jurisdiction to inquire into or try that offence, this question shall be
decided by the High Court, under whose jurisdiction both such courts function. 44 However, if the
courts are not subordinate to the same High Court, the question of jurisdiction shall be decided
by the High Court within whose appellate criminal jurisdiction the proceedings were first
commenced.45 In such circumstances, all other proceedings with respect to that offence shall be
discontinued. Where two or more courts have jurisdiction over an offence, the choice of the
court for institution of the case lies with the complainant. He will obviously choose the forum,
which is most convenient for him and most inconvenient for the accused.
The law of jurisdiction stated in the Criminal Procedure Code, 1973 and section 75 of the IT Act,
2000, as discussed herein, is clear, specific and covers different situations which are likely to
generally arise in cyber crime cases. The internet by its nature and purpose operates when the
parties interacting or transacting are not physically face to face with one another. Due to the
global access of the internet, cyber crimes generally tend to transcend or disregard geographical
boundaries. These factors imply that in most cases of cyber crime, except where insiders are
involved, there would be two or more places, one from where the cyber criminal inflicts the
injury-for instance hacks, and the place where the injury is inflicted-for instance at the location
of the victim computer, which is hacked. This is in contrast to traditional crimes of rape, murder
and kidnapping where the criminal and the victim are at the same place. Moreover, every
criminal makes all possible attempts to conceal his identity and place of operation. Alibi is a
43
Sec. 182 of Cr.P.C., 1973
44
Sec. 186 (a) of Cr.P.C., 1973
45
Sec. 186 (b) of Cr.P.C., 1973
common defence in criminal matters. This basic tendency of a criminal coupled with the permis-
sible anonymity provided by the internet makes the cyber criminal almost invisible. Thus, in
terms of practical application of the law of jurisdiction over cyber crimes, in most cases, the
place of jurisdiction shall be where the victim is inflicted with the injury, whether personally, for
There is a valid point in the criticism that such a law assuming extra territorial jurisdiction passed
by the legislature is not enforceable in the real world. It is contrary to the principles of
international law to assume jurisdiction over citizens of another country, and so, it is likely to
lead to conflict of jurisdiction of different courts situated in different national jurisdictions. Also
it is important to note that there are differences between national legislations, laws, legal
Further compounding the problem is the issue that a particular act in one national jurisdiction is
legal and not barred by law but the same activity is illegal and barred by law, prevailing in
another national jurisdiction. Another ground of criticism has been that Section 1 does not lay
down the parameters of how such a provision would be enforceable in practical terms across
transnational boundaries and jurisdictions. Governments can take recourse to the extradition
process to bring to book the cyber criminals outside the territorial jurisdiction of their country,
provided there is a valid extradition treaty in place between the relevant countries. But the route,
as stipulated in Section 1 of the IT Act, 2000 is likely to throw up a complex arena of difficulties
The existing international law pertaining to sovereignty of a nation also details that a sovereign
notion can make laws affecting people who reside within its territorial boundaries. However, the
birth of Internet has seen geography become history and transactions taking place over networks
are transnational in nature, thereby complicating the entire issue of jurisdiction. This becomes
all the more evident from the emerging principles from various judgments relating to Jurisdiction
over Internet. From the beginning of Internet, the issue of jurisdiction has continued to challenge
legal minds, societies and nations in the context of the peculiarly inherent character of the
Internet. Section 1(2) and Section 75 of the IT Act, 2000 provide for extra-territorial jurisdiction
of the Indian courts, which, however, seem implausible to be implemented. The courts in India
at present have not been uniform in following the US trend of asserting jurisdiction on the basis
of active accessibility of site. So far, in various Internet domain names related cases, the Delhi
High Court has assumed jurisdiction merely on the basis of accessibility of Internet.
In the famous Yahoo! France case entitled Yahoo! Inc. v. La Ligue Contre Le Racisme et L
‘Antisemitisme46, the judicial thinking on jurisdiction got further refined. This judgment has far
reaching significance and consequences on the entire subject of jurisdiction. Till now, the courts
anywhere in the world could assume and were assuming jurisdiction on Internet transactions and
This decision underlines the principle that even if a foreign court passes a judgment or direction
against a legal entity of a particular country say country A, then that judgment or direction would
not be applicable automatically to country A’s legal entities or citizens. The decision or direction
of the foreign court will need to be scrutinized by country A’s courts keeping in mind the touch
stone and basic principles enshrined in the Constitution of the country as also enshrined in the
It is evident that the courts are looking into the totality of the circumstances when determining
whether to exercise jurisdiction over individuals involved in Internet related activities. However,
the coming of the Zippo case in the US changed the legal principles concerning assuming of
46
2001 U.s. Dist. LEXIS 18378 (N.D. Cal. 2001) & 145 F. Supp. 2d 1168 (N.D.Cal. 2001)
jurisdiction. In this case, the American Court decided that there must be “something more” than
mere Internet access in order to enable the court to assume jurisdiction. It is yet to be seen how
the Indian approach on jurisdiction emerges with the coming of the IT Act, specially Section 1
(2) and Section 75 (1) of its provisions, which specifically provides for its extraterritorial
jurisdiction. This extraterritorial jurisdiction all across the world can be exercised if the offence
jurisdiction can hardly be enforced given the present growth and context of international Law,
As per sub-section (3) of Section 1, the Information Technology Act, 2000 shall came into force
on such date as the Central Government may by notification appoint. The Central Government
issued a notification on 17th October 2000 bringing into force The Information Technology Act,
2000.
The Information Technology Act, 2000 is a laudable effort to create the necessary legal
infrastructure for promotion and growth of electronic commerce. Prior to the coming into effect
of the IT Act, 2000, the judiciary in India was reluctant to accept electronic records and
communications as evidence. Even email was not accepted under the prevailing statutes of India
as an accepted legal form of communication and as evidence in a court of law. The IT Act, 2000
changed this scenario by legal recognition of the electronic format. Indeed, the IT Act, 2000 is a
step forward.
From the perspective of the corporate sector, the IT Act 2000 and its provisions contain the
valid and legal form of communication in our country, which can be duly produced and
proved in a court of law. The corporates today thrive on email, not only as the form of
communication with entities outside the company but also as an indispensable tool for
intra company communication. Corporates ought to understand that they shall need to be
more careful while writing emails, whether outside the company or within, as emails, in
the detriment of the company. Even intra company notes and memos, till now used only
for official purposes, shall come within the ambit of the IT Act, 2000 and will be
admissible as evidence in a court of law. A lot would of course depend upon how these
2. Companies shall be able to carry out electronic commerce using the legal infrastructure
provided by the IT Act, 2000. Till the coming into effect of the Indian cyberlaw, the
growth of electronic commerce was impeded in our country basically because there was
3. Corporate will now be able to use digital signatures to carry out their transactions online
4. The IT Act, 2000 also throws open the doors for the entry of corporate in the business of
being Certifying Authorities for issuing Digital Signature Certificates. The law does not
make any distinction between any legal entity for being appointed as a Certifying
Authority so long as the norms stipulated by the IT Act, 2000, rules and regulations made
5. The Act also enables the companies to file any form, application or any other document
with any office, authority, body or agency owned or controlled by the appropriate
6. Corporate is mandated by different laws of the country, to keep and retain, valuable and
corporate information. The IT Act, 2000 enables companies legally to retain the
subsequent reference;
the electronic record is retained in the format in which it was originally generated,
the details, which will facilitate the identification of the origin, destination, date
and time of despatch or receipt of such electronic record, are available in the
electronic record.
7. The IT Act, 2000 addresses important issues of security, which are so critical to the
success of electronic transactions. The Act has given legal definition to the concept of
secure digital signatures, which would be required to have been passed through a system
digital signatures shall playa major role in the New Economy, particularly from the
perspective of the corporate sector, as they will enable more secure transactions online.
1.The IT Act, 2000 purports to be applicable to not only the whole of India but also to any
offence or contravention thereunder committed outside India by any person. This provision in
Section 1 (2) is not clearly drafted. It is not clear as to how and in what particular manner, the
Act shall apply to any offence or contravention thereunder committed outside India by any
person.
2. There is no logic in excluding negotiable instruments from the applicability of the IT Act,
2000. The net effect of this exclusion is that any dispute regarding payments, received by means
of any negotiable instruments for an e-commerce transaction, are excluded from the protection of
the IT Act, 2000. It refers to promoting electronic commerce and begins by excluding
immovable property from the ambit of electronic commerce, a reasoning that defies logic.
3. The IT Act, 2000 has failed to legalize electronic fund transfer in the country. The IT Act,
2000 does not recognize the concept of electronic payments, digital cash, electronic cash,
4. Domain names have not been defined and the rights and liabilities of domain name owners do
5. The IT Act, 2000 does not deal with any issues concerning the protection of Intellectual
Property Rights.
6. The language of Section 40 of the IT Act, 2000. Section 40 provides for generating key pairs
in Chapter VIII dealing with the duties of subscribers. It states that where any Digital Signature
Certificate, the public key of which corresponds to the private key of the subscriber, which is to
be listed in the Digital Signature Certificate, has been accepted by a subscriber, then, the
subscriber shall generate the key pair by applying the security procedure. The entire wording of
Section 40 is faulty and has been shown in such a way as to denote that the acceptance of the
Digital Signature Certificate precedes the generation of key pair by the subscriber.
7. IT Act, 2000 covers only a limited number of cyber crimes such as damage to computer
source code, hacking, publishing obscene electronic information, breach of protected systems,
publishing Digital Signature Certificates false in certain particulars or for fraudulent purposes.
Barring these offences, no other cyber crimes are covered under the IT Act. The IT Act 2000
does not cover various cybercrimes including cyber stalking, cyber harassment, cyber
defamation, cyber terrorism, spamming, cyber fraud, cyber gambling, Theft of internet hours,
Cyber theft, Cyber Cheating, Cyberventing, Credit Card Fraud, Cyber Forgery, Identity Fraud,
E-mail Spoofing, Credit Card Fraud, Chat room abuse, Cyber Money Laundering, Password
Scams, etc.
8. The IT Act, 2000 is silent on covering all kinds of offences dealing with abuses of chat rooms.
9. The IT Act, 2000 is that it is silent on the issue of online credit card payments, misuse and
10. The IT Act, 2000 is completely silent about the bailability or otherwise of the offences
prescribed in Chapter XI. There is no categorical mention at any point in Chapter XI from
Section 65 till Section 78 as to whether the offences prescribed under the sections are bailable or
not.
11. The Information Technology Act, 2000 has not tackled several vital issues pertaining to e-
commerce sphere like privacy and content regulation to name a few. Privacy issues have not
been touched at all. The right to privacy is recognized as a fundamental right under Article 21 of
the Constitution.
CHALLENGES OF CYBER CRIME IN INDIA
Cyber crime in India is no longer an illusion. The situation could go out of hand if computer
users, both in the government and the private sector, do not sit up and brace themselves to the
challenge. For the police, the temptation especially to view attacks on computer systems, as just
another form of crime is great. Three aspects of cyber crime deserve focused attention. These
are:
the nature of links forged by the Indian police with foreign law enforcement agencies so
Cyber crime does not recognise national borders. More than 30 countries have separate laws in
their statute book to check this menace. This Act is solely meant to quell cyber crime. It is a
piece of legislation intended mainly to lend legal recognition to e-commerce. It is also meant to
facilitate electronic filing of documents with the government agencies. The Indian Penal Code is
so well drafted that offences not listed in the IT Act right now can still be tackled through it, till
such time we are convinced that the IT Act needs to be recast in order to cope with the
expanding contours of cybercrime. We may also have to examine whether we need more than
one enactment. The volume and nature of cybercrime in our country would demand in course of
time a variety of laws. Apart from private digital enterprises, law enforcement agencies
including the Central Bureau of Investigation (CBI), the Enforcement Directorate, the
Directorate of Revenue Intelligence and the Income-Tax Investigation Wing, could provide
valuable inputs to the government. There is also the need to draw from the international
experience. No systematic effort has been made till now to impart training to prosecutors and
judges, although there is evidence of their keenness to become knowledgeable. Possibly, the
initiative may have to come from law enforcement agencies that have quality instructors and
training institutions. It is not difficult to draft special capsules for this purpose. Policing in
CONCLUSION
In sum, though cyber space is a global phenomenon that cannot be easily tackled but the
Information Technology Act, 2000 is a great step forward and it is the right initiative at the right
time. There is no doubt that such a law is absolutely necessary in the country today. The
medium that the Act seeks to regulate and facilitate has so profound an impact on human life that
several years later, that the extent and scale of the impact could be gauged. It could not therefore
have been allowed to run lawlessly without any system of checks and without clearly defined
rights and liabilities and forums in which to enforce them effectively. The law has not, therefore,
come a moment too soon and it is sincerely hoped that the Act would pave way for proper legal