AKLSWT - Information Technology Law PDF

NOTES ON
INFORMATION TECHNOLOGY LAW

For
9th Semester BBA LLB(Hons.)
Collaborated By on 28/06/2018
ASHWIN MENON V., ANSU SARA MATHEW, ANUSREE S.V., SRUTHI DAS &
AJAY RATNAN
9/5 BBA LLB(Hons.)
GOVERNMENT LAW COLLEGE, KOZHIKODE
CONTENTS
Title Page No.
MODULE 1 2-24
MODULE 2 25-46
MODULE 3 47-72
MODULE 4 73- 82
MODULE 5 83-108
Disclaimer: This document is a compilation of extracts from various sources. The material is intended
for personal use and for educational purposes only (Free of charge). Reproduction of the material for
any purposes other than what is intended is prohibited. Use this material at your own risk. Although the
authors and publishers have made every effort to ensure that the information in this document was
correct, the authors and publishers do not assume and hereby disclaim any liability to any party for any
loss, damage, or disruption caused by errors or omissions, whether such errors or omissions result from
negligence, accident, or any other cause.
NOTES ON INFORMATION TECHNOLOGY LAW
MODULE 1
Problem of Jurisdiction in Cyber Space & Legal Response – Relevancy and Admissibility of
Computer Evidences – Existing Legal Regime to facilitate electronic commerce and its
efficacy.
PROBLEM OF JURISDICTION IN CYBER SPACE & LEGAL RESPONSE
Jurisdiction is a legal aspect of state sovereignty and it refers to judicial, legislative and
administrative competence. The jurisdiction is the most crucial question posed in any court of
law. If the court does not have jurisdiction, the matter would not be proceeded in the court. The
court (Domestic or International) without jurisdiction does not have any authority to entertain
the matter, to decide rights and duties or impose penalty or punishment. The cyber space has
raised the basic problems of jurisdiction in international laws and domestic laws because of its
de-territorial nature. Internet allows parties to execute transactions without disclosing their
identity; and the parties may not even know each other’s location. The party may sit at any
corner of the world and violate the rights of the other party or person. The paradigm of the
jurisdiction in the International law and national law is required to be shifted because of the
peculiar nature, increasing use and need of the cyber space.
The customary international law does not allow evasion in a sovereign state by any other
(foreign) entity. In the celebrated Lotus case, the permanent court of justice held that the state
cannot exercise the jurisdiction on the persons, events and things physically located in the
territory of another state. The developing law of jurisdiction must address whether a particular
event in Cyberspace is controlled by the laws of the state or country where the Website is
located or by the laws of the state or country where the Internet service provider is located, or
perhaps all of these laws. A number of commentators and jurist have voiced the notion that
cyberspace should be treated as a separate jurisdiction or territory. In practice, this view has
not been supported by courts and also not addressed by law-makers.
As per the mandate of the International Law, no sovereign country can interfere in the
sovereignty of others. The control over physical space, people and things located in that space,
is a defining attribute of sovereignty and statehood. The advancement of the technology and
technological inter-dependence also has an adverse impact on the established principles of the
International Law (such as the principle of Sovereign Jurisdiction; Non-Interference; Sovereign
Equality, etc.).
Concept of Jurisdiction Under International Law and Its Application to The Cyber Space
Jurisdiction concerns the power of the state under international law to regulate or otherwise
impact upon people, property and circumstances and reflects the basic principles of state
sovereignty, equality of states and non-interference in domestic affairs. Even though the
international law sets minimum limitation, the sovereign state shall not control things, events,
Prepared By
ASHWIN MENON V., ANSU SARA MATHEW, ANUSREE S.V. SRUTHI DAS & AJAY RATNAN
Page | 2
and persons, etc., which are either totally out of its concern or are completely controlled by
other sovereign States.
Classification of jurisdiction under International law: - The jurisdiction in the International

law is divided broadly as: a) Civil jurisdiction & b) Criminal jurisdiction
The civil jurisdiction is applied in civil matters and criminal jurisdiction is applied to the
criminal matters.
In order to apply the above jurisdictions, traditional International law has adopted the following
basic principles or doctrines:
i) The territorial principle: The territorial principle protects the authority of the state over its
territory with respect to property, persons and acts occurring in the territory. The territorial
principle is further divided in the following categories:
a) Subjective territoriality: The subjective international principle allows the

exercise of jurisdiction in the state where a crime is commenced. Subject to certain
immunities under the International Law, this principle is applied when the offence is
committed within the sovereign territory of a state irrespective of the nationality of
the doer. The crime may be committed against the territorial state or against any other
state. Whenever it is punishable according to the laws of the territorial state, the state
has jurisdiction to punish the person.
b) Objective territoriality/ The ‘effects’ doctrine: Objective territoriality is invoked
where the action takes place outside the territory of the forum state, but the primary
effect of that activity is within the forum state. The effects principle is based upon the
territorial sovereignty of the state. The premise is that a state has jurisdiction over
extraterritorial conduct when that conduct has an effect within its territory.
ii) The nationality principle: According to the nationality principle, the State can exercise a
direct control over its nationals. The State gets the right to protect and the right to punish its
own nationals.
a) Passive nationality principle: A state may assert jurisdiction over activities which,
although committed abroad by foreign nationals, have affected or will affect nationals
of the state. This (passive personality) principle authorizes states to assert jurisdiction
over offences committed against their nationals abroad.
b) Active nationality principle: A sovereign state can claim jurisdiction on the basis
of nationality of the defendant. Individuals are subject to the jurisdiction of their state
of nationality because they owe allegiance to that state.
iii) Protective or security jurisdiction: The protective principle allows a state to prosecute
foreigners who have committed acts outside the State’s territory that are directed against the
sovereignty or security of the state or endanger its functions.7
Prepared By
Page | 3
iv) Universality jurisdiction: Under the principle of universal jurisdiction, a state is entitled,
or even required to bring proceedings in respect of certain serious crimes, irrespective of the
location of the crime, and irrespective of the nationality of the perpetrator or the victim. It
means unlike other principles of jurisdiction, the exercise of universal jurisdiction does not
require any nexus to the locus delicti, nationality of the offender, nationality of victims, or the
interest of the state.
Problem of Multiple Jurisdictions
Since cyberspace is a borderless space and the established rules are established by keeping in
mind the principles of territorial sovereignty, the established principles need to be either
modified, or there is a need to establish new principles of jurisdiction for cyberspace. The
multiple nations are claiming the jurisdiction on the same subject matter or against the same
culprit. All nations are not able to take actual action because of lack of physical presence or
property of the accused in a sovereign territory. At present, there is no international treaty to
compensate loss in proportion, if the action of the person (individual or corporation) is affecting
the nationals of multiple countries. The most basic cause of multiple jurisdictions is the
capacity of the individual actor to commit crime against many nations.
Disorder Through Judicial Orders in The Area of Jurisdiction in Cyberspace
There is a fundamental gap between the notions of personal jurisdiction that is basically
territorial in nature and the internet that defies all territorial constraints. This makes the
application of territory-based doctrines complicated.
In International Shoe Co. v. Washington, the court held that plaintiff has to show that the
defendant has sufficient minimum contacts with the forum state. According to the court, the
personal jurisdiction cannot be assumed without minimum contacts with the forum state.
Minimum Contacts: Minimum contacts is a term used in the United States law of civil
procedure to determine when it is appropriate for a court in one state to assert personal
jurisdiction over a defendant from another state.
Courts have struggled with the Internet as a source of minimum contacts. Although not
determinately established by the Supreme Court, many courts use the Zippo test, which
examines the kind of use to which a defendant's website is being put. Under this test, websites
are divided into three categories:
1.) Passive Websites, which merely provide information, will almost never provide sufficient
contacts for jurisdiction. Such a website will only provide a basis for jurisdiction if the website
itself constitutes an intentional tort such as slander or defamation, and if it is directed at the
jurisdiction in question;
2.) Interactive Websites, which permit the exchange of information between website owner
and visitors, may be enough for jurisdiction, depending on the website's level of interactivity
Prepared By
Page | 4
and commerciality, and the number of contacts which the website owner has developed with
the forum due to the presence of the website;
3.) Commercial Websites which clearly do a substantial volume of business over the Internet,
and through which customers in any location can immediately engage in business with the
website owner, definitely provide a basis for jurisdiction.
In Asahi Metal Indus. Co. v. Superior Court, the US court held that, the website’s effect
may be felt nationally or even internationally, but this, without more, was not enough to
establish an act that was ‘purposefully directed’ towards the forum state.
Minimum contacts with a jurisdiction would be established based on domicile, consent or

committing actions in the State, such as doing business or committing a tort. Even though the
court has the power to apply jurisdiction, the State has still to decide the reasonableness of the
application of the jurisdiction. The US court has used five factors while determining the
reasonableness of the contact. The five principles concluded by the court are:
1) The burden on defendant;

2) The forum state’s interest in adjudicating the disputes;
3) The plaintiff’s interest in obtaining convenient and effective relief;
4) The interstate judicial system’s interest in obtaining the most efficient resolution of
controversies;
5) The shared interest of several states in furthering substantive social policies
The test laid down in International Shoe Co. v. Washington i.e. ‘the minimum contacts’ test
has its own limitations. In instances of passive websites directed towards global community at
large, there cannot be ‘minimum contacts’ more than mere accessibility with particular nation.
The object of these types of websites may be to make material available or accessible to the
globe at large. For example, pornographic websites are not intentionally directed towards a
particular State. They are made accessible to the world community at large. In such cases, it is
difficult to prove ‘minimum contacts’ more than mere accessibility with a particular country;
and it is also difficult to prove ‘purposeful direction’ towards a particular country only.
Similarly, in online copyright infringement, copyrighted material may be accessible to whole
of the world. The ‘minimum contact’ with a particular nation may not be established or it may
not be ‘purposefully directed’ towards that nation. Therefore, minimum contacts, if any,
established in such instances is against the world at large. Therefore, application of these
doctrines to the copyright infringement would make authors helpless. They may not be able to
prove establishment of ‘minimum contact’ or ‘purposeful direction’ towards a particular
country.
Prepared By
Page | 5
Yahoo Case: Important International Case on Cyber Jurisdiction.
Another important case of the jurisdiction is Yahoo Inc v. La Ligue Contre Le Racisme Et
Antisemitisme. The Yahoo! is a US-based service provider. The Yahoo was providing
services in twenty other nations. Every national service had a two-letter code in its URL. The
services operated in France were operated at http://www.yahoo.fr. The above page was
providing services in local languages. The Yahoo! was also providing Yahoo!'s auction site.
The Yahoo! auction site was allowing anyone to post an item for sale and solicit bids from
computer users around the globe. Yahoo! was providing the site but was never a party to a
transaction. According to Yahoo! Policies, the auction sellers were prohibited from offering
items to buyers in jurisdictions in which the sale of such items violates the jurisdiction's
applicable laws.
Display of Nazi material or sale of Nazi-insignia is made illegal in France. Since it is made an
offence in France, there was no Nazi material or insignia at http://www.yahoo.fr., website
created for France. The discussion about Nazism had occurred in chat room of American
website. The American website was also carrying the information about the prohibited auction
material. The US Yahoo! website was accessible to French nationals and had the opportunity
(accesses) to purchase auction items including Nazi paraphernalia.
Two civil liberty groups brought an action in French court. According to the finding of the
French Court nearly 1,000 Nazi and Third Reich related objects, including Adolf Hitler's Mein
Kampf, The Protocol of the Elders of Zion (an infamous anti-Semitic report produced by the
Czarist secret police in the early 1900's) were being offered for sale on Yahoo.com's auction
site.
Yahoo! challenged the jurisdiction of the court, but its plea was denied. After a hearing on May
15, 2000, the French court issued an interim order on May 22 requiring Yahoo! to “take all
necessary measures to dissuade and render impossible any access [from French territory] via
Yahoo.com to the Nazi artifact auction service and to any other site or service that may be
construed as constituting an apology for Nazism or a contesting of Nazi crimes”. Yahoo!
objected to the order and contended, among other things, that “there was no technical solution
which would enable it to comply fully with the terms of the court order”. The court gave three
months’ time to comply with its order. The Yahoo! brought an action in US District court for
declaration of invalidity of the French court’s order in US. The District court held that
enforcement of the French order in US would violate First Amendment of the Constitution.
Therefore, according to court, they were unenforceable in the US.
The French liberty groups filed an appeal against the above finding of the court. Yahoo! Sought
a declaration from the Court that the First Amendment precludes the enforcement within the
United States of a French order intended to regulate the content of its speech over the Internet.
The number of authors raised the objections against judgment in Yahoo Inc v. La Ligue
Contre Le Racisme Et Antisemitisme. According to Rinat Hadas the instant court did not
Prepared By
Page | 6
attempt to discuss moral acceptability of Nazi propaganda. One difficulty in this decision,
arising from First Amendment application is, whose law applies to the Internet. Professor Jack
Goldsmith proposed that it was proper for France to exercise jurisdiction over Yahoo! because
“Yahoo has something on its website that is being accessed by French citizens that violates the
French law”.
The problem of conflict of law and conflict of jurisdiction in this case reminds the world
community about requirement of uniform standards or rules for cyberspace. The problem of
the jurisdiction raised in the French case shall be analyzed from both angles. From the angle of
the sovereign state, the state could not effectively exercise its sovereign right to enact and
implement the laws, though the website is accessible in its territory. Further, France, a
sovereign state, cannot ask for extradition of the culprit. Since the act is not punishable in the
US, the extradition by the US would be against the principle of ‘double criminality’. It is
important to note that ‘double criminality’ principle is a well-established principle of
international law. The said principle invalidates the extradition. From the user’s point of view
if every country like France starts imposing restrictions on speech and expression on internet,
the cyberspace would be a subject matter of immense restrictions; practically it may not even
be possible to utilize this most effective medium of communication. The user would be in
constant fear of prosecution in some or the other sovereign state.
INDIAN POSITION OF THE JURISDICTION IN CYBERSPACE
Now the question arises as to what is the position of jurisdiction of cyber space in India? In
majority of instances the Indian Penal Code, 1860 (IPC) and Information Technology Act,
2000 (IT, Act) in India deal with the above-mentioned problem. Section 2 to 4(2) of the IPC
deals with territorial and extra territorial offences.
The IPC is made applicable to the any offence committed by the Indian citizen in the whole of
the globe. In the instances of a person (non-citizen) doing offence outside the Indian territory,
the offence does not fit in the scope and ambit of the Indian Penal Code, 1860. Therefore,
offence conducted by the person from other sovereign nation in cyberspace is not punishable
under Indian Penal Code, 1860.
Another important legislation, IT Act, 2000 is enacted to resolve the problem of jurisdiction in
India. The Information Technology Act, 2000 is applicable to the citizen and non-citizens
committing crimes outside the Indian territory (Section 1(2) and 75 of the IT Act, 2000). It is
submitted that even section 75 of the Information Technology Act, 2000 and section 3 and 4
of The Indian Penal Code provides extraterritorial jurisdiction. The provisions of both the Acts
have only partially resolved the problem of the jurisdiction.
According to sub-section 1 of the section 75 of the Information Technology Act, 2000 the
jurisdiction with respect to the offence or contravention committed outside India by any person
irrespective of his nationality the IT Act, 2000 would be applicable. The sub-section 1 of the
section 75 is subject to qualification provided under sub-section 2 of the section 75. Sub-section
Prepared By
Page | 7
2 of the section 75 of the Information Technology Act, 2000 applies to an offence or

contravention committed outside India by any person if the act or conduct constituting the
offence or contravention ‘involves’ a computer, computer system or computer network located
in the territory of India.
The word ‘involve’ is very broad word. It may include the offence committed by the foreigner
against another foreigner of different country involving computer network located in the
territory of India. In such cases the offence may be conducted on internet from one sovereign
state to another sovereign state via network located in India. In above example though, internet
network is located in India neither interest of Indian territory nor citizen of India is involved in
any manner Therefore, these types of broad wording of the legislation are in conflict with the
territorial principle of the international law.
In addition to above sections, section 13 of Information Technology Act, 2000 is also relevant
to analyze the problem of jurisdiction in cyber space. Section 13 deals with time and place of
dispatch and receipt of electronic record. Sub-Section 3 of the section 13 is worded as follows:
“Save as otherwise agreed between the originator and the addressee, an electronic record is
deemed to be dispatched at the place where the originator has his place of business and is
deemed to be received at the place where the addressee has his place of business.” Section 13
of the IT Act, 2000 assumed the place of dispatch and place of receiver of electronic record at
the place of business, irrespective of actual place of dispatch or receipts of the electronic record.
This assumption is important because it provides jurisdiction to the Indian courts if the place
of business of originator or addressee is in India.
According section 13 the court will have jurisdiction though the electronic record in fact may
or may not be received in or dispatched from the computer, computer systems or computer
mechanism situated in India. Normally, the court gets jurisdiction at the place of business, place
of dispatching of electronic record and place of receiving the electronic record. Section 13 of
the IT, Act, 2000 will have overriding effect on CPC and CrPC.
As discussed above, according to statutory assumptions created under section 13 of IT Act,

2000 though the person is residing and dispatching an electronic message from the territory of
India and if his place of business is outside the territory of India, the Indian court cannot
exercise the jurisdiction. Similarly, according to said assumption created under section 13 the
court can assume jurisdiction though electronic message is dispatched or received outside the
territory of India if the person receiving or dispatching an electronic message has place of
business in India.
It needs to be noted that because of section 13 of the IT Act, 2000 the Indian court would not
be able to take cognizance of the matter though act of dispatching electronic message is
partially or fully conducted from the territory of India. Further, because of this statutory
assumption the court would be unable to take cognizance of the matter even if the electronic
message has an adverse impact on rights or interests of the citizen(s) of India. The assumption
created under section 13 of IT Act, 2000 does not have any advantage as such because
Prepared By
Page | 8
otherwise also according to general principles of jurisdiction and CPC and Cr. P.C the court
was empowered to take cognizance of the matter at the place of the business of the person.
Section 13 of the IT Act, is apparently inconsistence with territorial and passive nationality
principles of International law on jurisdiction.
Section 4 of the Indian Penal Code, 1860 has been amended by amendment Act, 2008.
According to new sub-section (3) of section 4 of Indian Penal Code, the code would apply to
“any person in any place without and beyond India committing offence targeting a computer
resource located in India”. According to explanation (b) the expression “computer resource”
shall have the same meaning assigned to it in clause (k) of sub-section (1) of section (2) of the
Information Technology Act, 2000 (21 of 2000). According to the new provision of the Indian
Penal Code, 1860 for applying the India Penal Code “targeted computer resource” shall be
located in India. It is pertinent to note that the word ‘targeting’ is used in sub-section 3 of
section of 4 IPC, 1860. The word ‘targeting’ is not further defined or clarified by the legislature.
The literal or dictionary meaning of ‘targeting’ is ‘aiming at’. The literal or dictionary meaning
of words used in criminal law is needed to stress out because the rule of strict interpretation is
applicable to the criminal law. The rule of strict interpretation implies the strict or literal
interpretation of the criminal law. It is submitted that, after applying the rule of strict
interpretation, there is a doubt whether IPC would be applied when:
a) aim or target is not a computer resources but a person. It means the intention is not
to cause wrongful loss to the computer resources including computer or data per se
but to the person via or with help of computer resources (for example by publishing
the defamatory comments). In this example ‘means’ and ‘target’ are different. ‘means’
is computer resource and ‘target’ is a person. Therefore, in the above example offence
is committed with the help of computer resource and not by targeting it.
b) the offences are committed via network located in India;
c) wrongful loss is caused to the person by making data accessible to the entire world
including India but date is copied from the computer located outside the territory of
India
d) In the examples of passive websites registered and created outside India (for
example photographical websites) but accessible in India. Similarly, a website with
unauthorized copyrighted material may have access in India without targeting
computer resources located in India. In these examples the target is not computer
resources located in India per se. The intention is to make it accessible to the entire
world. Incidentally, it would be accessible in India also. The above explanation shows
that the jurisdiction clause is resource (object) centric rather than victim centric.
Apart from above both these legislations would not be applicable to the recent development
that is services of cloud computing. The services of cloud computing may be provided by the
person, company or corporation. In cloud computing the computer resources may not be
physically located in the territory in India. The relation between the cloud computing company
and the person staying or residing in India would be governed by the cloud computing
Prepared By
Page | 9
agreement. The cloud computing agreement is a contractual liability. It is a civil liability

subject to term and conditions of the agreement. Further the jurisdiction of the court depends
upon the ‘choice of the law clause’ agreed by both the parties to contract. In instances of lack
of choice of law agreement, general rules of jurisdiction would be applied.
It is further submitted that in the instances of the agreement between the parties, the body
corporate may be responsible under Section 43A of the Information Technology Act, 2000.
According to Section 43A of the Information Technology Act, 2000: “where a body corporate,
possessing, dealing or handling any sensitive personal data or information in a computer
resource which it owns, controls or operates, in negligent in implementing and maintaining
reasonable security practices and procedures and thereby causes wrongful loss or wrongful
gain to any person, such body corporate shall be liable to pay damages by way of compensation
to the person so affected.”
It is submitted that according to Section 75 of IT, Act, 2000 or Section 4 of the IPC, the above-
mentioned body corporate should be located in the territory of India or shall use the computer
resources located in India. In other words, Section 43A would not work in isolation. It is not
an exception to the Section 75 of the Information Technology Act, 2000. It shall be interpreted
along with Section 75 of the IT Act, 2000. It is submitted that reading Section 43A of IT, Act,
2000 in isolation would be inconsistent with basic rule of interpretation of statutes (i.e. statute
shall be read as a whole). It is pertinent to note that Section 43A does not provide any liability
of the actual offender (i.e. a third person committing offence from foreign jurisdiction with the
help of computer etc. situated outside India). In an example of cloud computing or liability
under section 43A of the Information Technology Act, 2000, if the body corporate was not
negligent in implementing and maintaining reasonable security practices and procedures, then
no liability can be imposed against the said body corporate.
Furthermore, section 75 of the IT Act, 2000 or sections 4 of Indian Penal Code, 1860 do not
provide jurisdiction in scenario when an offence is committed by foreigner from other country
against citizen of India by using computer resource located outside India. For example, in
instances of Indian nationals carrying the computer resources with them outside the Indian
territory, no express jurisdiction is provided to Indian courts under IPC, 1860 or Information
Technology Act, 2000. In examples of social websites also the computer resources located in
the territory of India may not be used.
Apart from above, section 1 (2) and section 62 of Indian Copyright Act, 1957 are relevant to
analyze the problem of jurisdiction in cyberspace. According to section 1 (2) of the Indian
Copyright Act, 1957, the Indian Copyright Act extends to the whole of India. According to
section 62 (1) of the Indian Copyright Act, 1957, “Every suit or other civil proceeding arising
under this chapter in respect of the infringement of copyright in any work or the infringement
of any other right conferred by this Act shall be instituted in the district court having
jurisdiction”. Further, according to section 62(2) of the Indian Copyright Act, 1957 for the
purpose of sub-section 1 district court include a district court within the local limits of whose
jurisdiction, at the time of the institution of the suit or other proceeding, the person instituting
Prepared By
Page | 10
the suit or other proceeding actually and voluntarily resides or carries on business or personally
works for gain. The explanation on above sections shows that the Indian Copyright Act, 1957
is made applicable to the Indian territories only. It does not provide any express provision for
extra-territorial application of the Indian Copyright Act, 1957.
It means Indian laws on jurisdiction are location (territory) centric rather than victim or
offender centric. In other words, the IT Act and IPC are the glaring examples of non-application
of the passive nationality principle recognized by International Law. It is respectfully submitted
that the Indian Parliament lacks visualization of nature and probable offences committed with
help of cyberspace. The Indian laws on jurisdiction need to shift offence centric paradigm to
offender and victim centric.
The amendment to IPC is partially providing relief or remedy from possible misuse of
computer resources. It may be noted that the Amendment Act fails to provide relief or remedies
against the offences committed by the person, when the computer resources are not located in
the territory of India, though the rights of Indian citizens are infringed.
Though the IPC and IT, Act, 2000 provides partial jurisdiction to courts implementation of the
Acts depends upon the extradition treaty of India with the territorial states or friendly
diplomatic relations with the respective countries.
Apart from above sections 178, 179, 182 and 188 of the Criminal Procedure Code, 1973 deals
with the issue of jurisdiction. Section 178 of Criminal Procedure Code deals with place of
inquiry or trial. The section 178 provides jurisdiction to the court when the act, fully or in part,
arises in the said territory. Section 179 of Criminal Procedure Code provides jurisdiction to the
court on the basis of the act done or its impact. According to section 179 of CrPC, 1973, “when
an act is an offence by reason of anything which has been done and of a consequence which
has ensued, the offence may be inquired into or tried by a court within whose local jurisdiction
such thing has been done or such consequence has ensued”. The Criminal Procedure Code has
adopted territorial principles and impact theory of jurisdiction. Section 182 of Cr. P. Code deals
with offences committed by letters or telecommunication messages. It provides jurisdiction
where letters or messages were sent or received. Section 188 deals with offence committed
outside India. It provides the same jurisdiction as provided in the original Indian Penal Code.
SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra,
The first case from India about the cyber defamation. In this case High Court of Delhi assumed
jurisdiction over a matter of defamation of reputation of corporate through e-mails. The court
passed an ex-parte injunction. The concept of consequence and cause of action extends
jurisdiction but a conflicting situation arises where there is no defined regulation at one of the
places. For example, the Act does not provide any provision to catch the internet pornography
on foreign websites but only for sites in India.
Prepared By
Page | 11
The Supreme Court of India, in SIL Import v. Exim Aides Silk Importers pointed out that
judiciary needs to interpret a statute in the light of technological change that has occurred. Until
there is specific legislation in regard to the jurisdiction of the Indian Courts with respect to
Internet disputes, or unless India is a signatory to an International Treaty under which the
jurisdiction of the national courts and circumstances under which they can be exercised are
spelt out, the Indian courts will have to give a wide interpretation to the existing statutes, for
exercising Internet disputes.
The virtual world is a set back to the traditional principles; but sovereignty and other principles
discussed above would not completely disappear. The jurisdictional and choice-of-law
dilemmas posed by cyberspace activity cannot be adequately resolved by applying the “settled
principles” and “traditional legal tools” developed for analogous problems in real-space.
In Yahoo! Case, criminal act was not punishable in other court but still the court had initiated
the proceeding against Yahoo! US. The logic given in Yahoo! Case was that the material had
access in French territory. Therefore, despite the person being out of the territory, he may be
held responsible for the act committed in cyberspace. Does this mean that before doing
activities in the cyberspace, laws of all the countries shall be kept in mind? Traditional
International Law does not compel a person to observe the laws of other nations unless he/she
enters into that territory or that territory is directly affected. In the era of internet, it is difficult
to observe, how many countries are directly or indirectly affected. In this chaotic situation there
is a need to establish a supra-national organization to deal with problems posed by cyberspace.
As discussed above, the established principles of law and international law are either not
responding to or are not able to resolve the problems posed by cyberspace. The cyberspace is
fundamentally different from physical space. It is fundamentally different in its nature, control,
extent and impact. Internet is new and separate jurisdiction in which the rules and regulations
of physical world do not apply as it is. According to some of the authors it is a seamless global-
economic zone, borderless and unregulatable.
Further, the cyberspace radically undermines the relationship between legally significant
(online) phenomena and physical location. The rise of the global computer network has
destroyed the link between geographical location and application of laws. It has dire impact
upon: (1) the power of local governments to assert control over online behaviour; (2) the effects
of online behaviour on individuals or things; (3) the legitimacy of the efforts of a local
sovereign to enforce rules applicable to global phenomena; and (4) the ability of physical
location to give notice of which sets of rules apply.
The globe needs to move from territorial philosophy to new legal philosophy known as global
transnationalism. The international law will have to act in such a way so as to resolve the
conflict considering the rights and interests of every affected party. For that purpose, the
cyberspace shall be declared as res extra commercium (i.e. territory not subject to national
appropriation, such as high seas). To manage this territory, there shall be a supra-national
organization under the control of UNO. Establishment of such organization under UNO would
have multiple advantages such as: a) the State would get bargaining power while taking
decisions; b) the technologically powerful countries will not be able to use arbitrary domination
Prepared By
Page | 12
over other nations; c) it would lead to harmonization of the rules and systems, which would
lead to amicable and faster solutions to the conflicts.
RELEVANCY AND ADMISSIBILITY OF COMPUTER EVIDENCES
The increased use of technology, poses challenges accommodating and reflecting the new age
developments in laws across jurisdictions, which in turn has provided the much-required
impetus to the emergence and appreciation of digital evidence. Keeping up with the times,
requisite amendments were also made to Indian laws in the year 2000 with introduction of the
Information Technology Act, 2000 (‘IT Act’), which brought in corresponding amendments to
existing Indian statutes to make digital evidence admissible. The IT Act, which is based on the
UNCITRAL Model Law on Electronic Commerce, led to amendments in the Indian Evidence
Act, 1872 (‘Evidence Act’), the Indian Penal Code, 1860 (‘IPC’) and the Banker’s Book
Evidence Act, 1891.
With the change in law, Indian courts have developed case law regarding reliance on electronic
evidence. Judges have also demonstrated perceptiveness towards the intrinsic ‘electronic’
nature of evidence, which includes insight regarding the admissibility of such evidence, and
the interpretation of the law in relation to the manner in which electronic evidence can be
brought and filed before the court. While the admissibility of electronic evidence in legal
proceedings is not new in India, with the passage of time, the safeguards employed for enabling
the production of documents have changed substantially, especially since the storage and use
of electronic information has increased and become more complex. Recently, the Supreme
Court of India in case of Anvar P. K. vs. P.K Basheer &Ors., overruled the earlier decision
the case of the State (NCT of Delhi) v Navjot Sandhu, also popularly known as the
‘Parliament 1 (2014) 10SCC 473. 2 (2005) 11 SCC 600. Attacks’ case. The Supreme Court
redefined the evidentiary admissibility of electronic records to correctly reflect the provisions
of the Evidence Act by reinterpreting the application of sections 63, 65 and 65B.
Principles and salient provisions of the Evidence Act
Conventionally, the fundamental rule of evidence is that direct oral evidence may be adduced
to prove all facts, except documents. The hearsay rule suggests that any oral evidence that is
not direct cannot be relied upon unless it is saved by one of the exceptions as outlined in
sections 59 and 60 of the Evidence Act dealing with the hearsay rule. However, the hearsay
rule is not as restrictive or as straightforward in the case of documents as it is in the case of oral
evidence. This is because it is settled law that oral evidence cannot prove the contents of a
document, and the document speaks for itself. Therefore, where a document is absent, oral
evidence cannot be given as to the accuracy of the document, and it cannot be compared with
the contents of the document.
While primary evidence of the document is the document itself, it was realized that there would
be situations in which primary evidence may not be available. Thus, secondary evidence in the
form of certified copies of the document, copies made by mechanical processes and oral
accounts of someone who has seen the document, was permitted under section 63 of the
Evidence Act for the purposes of proving the contents of a document. Therefore, the provision
Prepared By
Page | 13
for allowing secondary evidence in a way dilutes the principles of the hearsay rule and is an
attempt to reconcile the difficulties of securing the production of documentary primary
evidence where the original is not available.
Section 65 of the Evidence Act sets out the situations in which primary evidence of the
document need not be produced, and secondary evidence – as listed in section 63 of the
Evidence Act – can be offered. This includes situations when the original document
1) is in hostile possession;
2) or has been proved by the prejudiced party itself or any of its representatives;
3) is lost or destroyed;
4) cannot be easily moved, i.e. physically brought to the court;
5) is a public document of the state;
6) can be proved by certified copies when the law narrowly permits; and
7) is a collection of several documents.
With the advent of the digitisation of documents, the hearsay rule faced further challenges and
dilution. With increased digitization of documents, evidence was now mostly electronically
stored which meant greater propensity for adducing secondary evidence in case of digital
evidence.
Prior to 2000 in India, electronically stored information was dealt with as a document, and
secondary evidence of electronic records were adduced as ‘documents’ in accordance with
section 63 of the Evidence Act. Printed reproductions or transcripts of the electronic record
would be prepared and its authenticity was certified by a competent signatory, who would
identify their signature in court and be open to cross examination. However, this procedure was
rather archaic, based on the law drafted a century ago, and did not include the meta data where
it was available, such as the header information in e-mails, for instance. This long-drawn
procedure was also open to abuse and did not ensure the authenticity of the record. It became
clear that the electronic- record can no longer be treated on the same footing as that of regular
documents. It was time to introduce new provisions to deal exclusively with evidence that is
available in digital form. As the pace and proliferation of technology expanded, the creation
and storage of electronic information grew more complex, the law had to change more
substantially.
Admissibility of electronic records
The Evidence Act has been amended from time to time, especially to provide for the
admissibility of electronic records along with paper-based documents as evidence in the Indian
courts. Some of the significant amendments include granting electronic records the status of
documents for the purpose of adducing evidence. (Section 3 of the Indian Evidence Act, 1872)
The definition of ‘admission’ (Section 17 of the Indian Evidence Act, 1872. ) was changed to
include a statement, oral or documentary, or contained in electronic form, which suggests any
inference as to any fact in issue or relevant fact, while section 22A was inserted to provide for
the relevancy of oral evidence as to the contents of electronic records. It provides that oral
Prepared By
Page | 14
admissions as to the contents of electronic records are not relevant unless the genuineness of
the electronic records that are produced is in question.
Perhaps the most important amendment to the Evidence Act has been the introduction of
sections 65A and 65B under the second schedule of the IT Act, (Section 92 of the Information
Technology Act, 2000) which provides for a special procedure for adducing evidence in
relation to electronic records.
Section 65B provides that notwithstanding anything contained in the Evidence Act, any
information contained in an electronic record (whether it be the contents of a document or
communication printed on a paper, or stored, recorded, copied in optical or magnetic media
produced by a computer), is deemed to be a document and is admissible in evidence without
further proof of the production of the original, providing the conditions set out in section 65B
for the admissibility of evidence are satisfied, which have been set out as under:
1. At the time of creation of the electronic record, the computer output containing the
information was produced from a computer that was used regularly to store or process
information for the purposes of any activities regularly carried on over that period by
the person having lawful control over the use of the computer.
2. During the period, the kind of information contained in the electronic record was
regularly fed in to the computer in the ordinary course of the activities.
3. Throughout the material part of the period, the computer was operating properly or,
if not, the computer was out of operation for some period, but it was not such to affect
the electronic record or the accuracy of the contents.
4. The electronic record bears the information that is a reproduction of the original
electronic record.
Section 65B (4) mandates the production of a certificate of authenticity of electronic evidence
which is signed by a responsible person who was responsible for the computer on which the
electronic was created or stored, in order to certify the qualifications, set out above. The
certificate must uniquely identify the original electronic record, describe the manner of its
creation, describe the particulars of the device that created it, and certify compliance with the
conditions of sub-section (2) of section 65B. Section 65A provides that the contents of
electronic records may be proved in accordance with the provisions of section 65B.
Risk of manipulation and compliance with the provisions of section 65B of the Evidence
Act
Despite the mandatory nature of these conditions, the law has been applied inconsistently. For
instance, the certificate of authenticity has not always been filed with the electronic records in
legal proceedings. For instance, in the case of State (NCT of Delhi) v. Navjot Sandhu, the
Supreme Court had held that courts could admit electronic records such as printouts and
compact discs (CDs) as prima facie evidence without authentication. This case dealt with the
proof and admissibility of the records of mobile telephone calls. The accused made a
submission that no reliance could be placed on the mobile telephone records because the
Prepared By
Page | 15
prosecution had failed to produce the relevant certificate under section 65B (4) of the Evidence
Act and that the procedure set out in section 65B of the Evidence Act was not followed.
The Supreme Court concluded that a cross examination of the competent witness acquainted
with the functioning of the computer during the relevant time and manner in which the printouts
of the call records were taken was sufficient to prove the call records. As a result, the printouts
and CDs were not compared to the original electronic record or certified at the time of adducing
it as evidence.
This trend of ignoring the special procedure prescribed for adducing electronic records as
evidence was seen even in subsequent cases. For instance, the case of Ratan Tata v. Union of
India was another case where a CD containing intercepted telephone calls was introduced in
the Supreme Court without following the procedure laid down under section 65B of the
Evidence Act.
Unfortunately, the lower judiciary in India are largely technologically unreliable, and do not
appreciate the authenticity issues or ensure safeguards while allowing the admission of
electronic evidence, barring a few exceptions. These decisions of the Supreme Court set up a
further precedent for the lower judiciary to appreciate the special procedure prescribed for
electronic evidence.
The decisions set out above lost sight of the fact that it was precisely for the reason that printed
copies of the electronic records would be vulnerable to manipulation and abuse that the
legislature promulgated a special procedure for adducing electronic records as evidence in
court. Since the Evidence Act provides all forms of computer outputs to be admissible as
evidence, the courts, ignoring the provisions of section 65B (4), have ignored and overlooked
the intrinsic nature of electronic evidence and exposed digital evidence to the risk of
manipulation. In this respect, the courts in India have not taken up the discussion on this topic
by Mason. Therefore, for a very long period, unless the credibility of the digital evidence itself
was in question, courts have not raised any apprehension regarding the authenticity or require
the intervention of forensic teams to determine the veracity of the record, and electronic records
filed in the court were premised to be correct without being subject to any checks and balances.
Briefly, the position regarding authentication in the United States of America is not consistent.
A series of tests advocated by Professor Imwinkelried were followed in In re Vee Vinhnee,
debtor, American Express Travel Related Services Company, Inc. v Vee Vinhnee, but no
consideration has been given to the criticisms of part of this test. In England and Wales, the
approach tends to consider the other evidence surrounding the facts of the case to determine
authenticity, and in Singapore, reliance is made on section 3(1) of the Singapore Evidence Act
(Cap 97, 1997 Rev ed.), which provides for the admissibility of digital evidence. The new
regime in Singapore after the Evidence (Amendment) Act 2012, provides that rules of best
evidence and the rules on authentication applies to electronic evidence in the same manner as
any other item of evidence.
Mandatory authentication of digital evidence
Prepared By
Page | 16
Over the years, with increased exposure to electronic records, there has been a progression
from an age of treating electronic records as ordinary documents. However, it took nine years
before the Supreme Court conclusively decided that documentary evidence in the form of an
electronic record can be proved only in accordance with the procedure set out under section
65B of the Evidence Act.
In Anvar P. K. vs. P.K Basheer &Ors., the Supreme Court overruled the decision in the case
of Navjot Sandhu and redefined the evidentiary admissibility of electronic records to correctly
reflect the letter of the Evidence Act by reinterpreting the application of sections 63, 65 and
65B of the Evidence Act. In this case, Mr P.V. Anwar had filed an appeal, who had lost the
previous Assembly election in Kerala, and contended that his opponent P. K. Basheer, MLA
had tarnished his image and had indulged in character assassination and the defamatory content
was recorded in songs and on CDs. The Supreme Court declined to accept the view that the
courts could admit electronic records as prima facie evidence without authentication. It was
held that in the case of any electronic record, for instance a CD, VCD, chip, etc., the same must
be accompanied by the certificate in terms of section 65B obtained at the time of taking the
document, without which, the secondary evidence pertaining to that electronic record is
inadmissible. Hence, strict compliance with section 65B is now mandatory for persons who
intend to rely upon e-mails, web sites or any electronic record in a civil or criminal trial before
the courts in India.
This outlook of the Supreme Court of India is to ensure that the credibility and evidentiary
value of electronic evidence is provided for, since the electronic record is more susceptible to
tampering and alteration. In its judgment, Kurian J observed, at, that: ‘Electronic records being
more susceptible to tampering, alteration, transposition, excision, etc. without such
safeguards, the whole trial based on proof of electronic records can lead to travesty of justice.’
The progressive and disciplined approach of the Indian courts in ensuring compliance of the
safeguards for relying on digital evidence is a result of a proper recognition and appreciation
of the nature of electronic records itself. This is a landmark decision for India in the methods
of taking evidence, as it will not only save the courts time wasted in parties attempting to prove
the electronic records through secondary oral evidence in form of cross examinations, but also
discourage the admission of fudged and tampered electronic records from being relied upon,
albeit certain precautions for authenticity of the electronic records will continue to be
necessary. Therefore, the computer generated electronic record cannot be solely relied upon,
because there is a possibility of it being hampered and should be used as a corroborative
evidence.
Other Important Judgments
Relying upon the judgment of Anvar P.V. supra, while considering the admissibility of
transcription of recorded conversation in a case where the recording has been translated, the
Supreme Court held that as the voice recorder had itself not subjected to analysis, there is no
point in placing reliance on the translated version. Without source, there is no authenticity for
the translation. Source and authenticity are the two key factors for electronic evidence.
Sanjaysinh Ramrao Chavan Vs. Dattatray Gulabrao Phalke
Prepared By
Page | 17
The Hon’ble High Court of Delhi, while deciding the charges against accused in a corruption
case observed that since audio and video CDs in question are clearly inadmissible in evidence,
therefore trial court has erroneously relied upon them to conclude that a strong suspicion arises
regarding petitioners criminally conspiring with co-accused to commit the offence in question.
Thus, there is no material on the basis of which, it can be reasonably said that there is strong
suspicion of the complicity of the petitioners in commission of the offence in question. Ankur
Chawla Vs. CBI
The Hon’ble High Court of Calcutta while deciding the admissibility of email held that an
email downloaded and printed from the email account of the person can be proved by virtue of
Section 65B r/w Section 88A of Evidence Act. The testimony of the witness to carry out such
procedure to download and print the same is sufficient to prove the electronic
communication. Abdul Rahaman Kunji Vs. The State of West Bengal
In the recent judgment pronounced by Hon’ble High Court of Delhi, while dealing with the
admissibility of intercepted telephone call in a CD and CDR which were without a certificate
u/s 65B Evidence Act, the court observed that the secondary electronic evidence without
certificate u/s 65B Evidence Act is inadmissible and cannot be looked into by the court for any
purpose whatsoever. Jagdeo Singh Vs. The State and Ors.
The need for additional safeguards
The Indian Evidence Act could be further amended to rule out any manipulation – at least for
the purposes of presuming prima facie authenticity of the evidence of the electronic record –
by adding a condition that the record was created in the usual way by a person who was not a
party to the proceedings and the proponent of the record did not control the making of the
record.
By ensuring that the record was created by a party who was adverse in interest to the proponent
of the record, and the record was being used against the adverse party, the risk of the
manipulation of the records would be reduced significantly. This is because, it is argued, no
disinterested party would want to certify the authenticity of the record which to his knowledge
had been tampered with. This is an additional condition that has been provided under the
Evidence (Amendment) Act, 1996 of Singapore.
The courts also have to be mindful that data can be easily forged or altered, and section 65B of
the Evidence Act does not address these contingencies. For instance, when forwarding an e-
mail, the sender can edit the message. Such alterations are often not detectible by the recipient,
and therefore a certificate of a third party to the dispute may not always be a reliable condition
to provide for the authenticity of the document.
Serious issues have been raised in the digital world due to malpractices such as falsification of
information and impersonation, in relation to the authenticity of information relied upon as
evidence. It raises queries as to how it is possible to prove the creation and transmission of
electronic communication by one party when the party’s name as the author of the post could
have been inserted by anyone. Perhaps, it may be prudent for the courts or the government to
Prepared By
Page | 18
set up a special team of digital evidence specialists who would assist the courts and specifically
investigate the authenticity of the electronic records.
It is clear that the admission of electronic evidence is the norm across all jurisdictions, rather
than the exclusion. Along with advantages, the admissibility of electronic records can also be
complex – although some jurisdictions have imposed the requirements regarding admissibility
as in India. It is, thus, upon the ‘keepers of law’, the courts to see that the correct evidence is
presented and administered so as to facilitate a smooth working of the legal system. Sound and
informed governance practices along with scrutiny by the courts must be adopted to determine
whether the evidence fulfils the three essential legal requirements of authenticity, reliability
and integrity. Hopefully, with the Supreme Court having re-defined the rules, the Indian courts
will adopt a consistent approach, and will execute all possible safeguards for accepting and
appreciating electronic evidence.
EXISTING LEGAL REGIME TO FACILITATE ELECTRONIC COMMERCE AND

ITS EFFICACY.
Electronic commerce, or e-commerce, (also written as eCommerce) is a type of business

model, or segment of a larger business model, that enables a firm or individual to conduct
business over an electronic network, typically the internet. Electronic commerce operates in all
four of the major market segments: business to business, business to consumer, consumer to
consumer, and consumer to business.
Electronic data interchange (EDI) is the structured transmission of data between

organizations by electronic means. It is used to transfer electronic documents or business data
from one computer system to another computer system, i.e. from one trading partner to another
trading partner without human intervention. It is more than mere e-mail; for instance,
organizations might replace bills of lading and even cheques with appropriate EDI messages.
EDI and other similar technologies save a company money by providing an alternative to, or
replacing, information flows that require a great deal of human interaction and materials such
as paper documents, meetings, faxes, etc. One very important advantage of EDI over paper
documents is the speed in which the trading partner receives and incorporates the information
into their system thus greatly reducing cycle times.
India’s growing e-commerce space
Significant improvements in technology and the rapid pace of growth in the digital payments
sector over the last three years have increased the number of Indians buying online. In 2016
alone, over 69 million Indians bought their apparels and accessories, books, mobiles, laptops,
and other electronic items online. By 2020, this number is expected to rise to over 175 million
– owing to the technology transformation led by the rise in the use of smartphones and tablets,
and improved access to the low-cost internet.
An online marketplace is a portal, which connects buyers and sellers. The marketplace itself
does not undertake the activity of buying and selling – the sale transactions happen between
the actual third-party buyers and sellers.
Prepared By
Page | 19
In India, there are three type of e-commerce business model are in vogue (i) Inventory base
model of e-commerce (ii) Marketplace base model of e-commerce (iii) Hybrid model of
inventory based and market place model.
The most well-known business models for e-commerce business in India are:
• Business to Consumer (B2C) model is where businesses directly deal with the
consumers. The conventional B2C model distribution channel involved a
distributor/wholesaler who acted as a link between the manufacturer and the retailer.
The retailer was the ultimate middleman who interacted with the end consumer.
• Business to Business (B2B) model is where transactions are between companies, such
as manufacturer and wholesalers or wholesalers and retailers. IndiaMART.com is one
of the biggest online markets which provide a platform for the businesses to find other
competitive suppliers.
• Consumer to Consumer (C2C) model is where transactions are between consumer
and consumer. Traditionally consumers dealt with other consumers, but rarely these
activities were in a commercial sense. The emergence of E-Commerce has provided a
platform for the consumers to trade on with other consumers. The best example for such
model is eBay.
Indian Information Technology Act and E-commerce: Indian Information Technology (IT)
Act gives legal recognition to electronics records and electronic signature. These are the
foremost steps to facilitate paper less trading. Under this Act Ministry of Electronics &
Information Technology also has Information Technology Rule, 2000 for Reasonable security
practices and procedures and sensitive personal data or information. Under section 72A of IT
Amendment Act, 2008, punishment for disclosure of information in breach of a lawful contract
is laid down.
The act establishes that an ecommerce transaction is legal if the offer and acceptance are made
through a ‘reasonable’ mode. The objectives of the Information Technology Act, as outlined
in the preamble, are to provide legal recognition for E-commerce transactions. The Act lays
down procedures for networking operations and for civil wrongs and offences. The Indian
Information Technology Act does not have any express provision regarding the validity or
formation of online contracts.
For instance, a communication sent by an offeror to an offeree through indirect means, such as
an email that passes multiple servers and spam mails, is not regarded as a reasonable mode
under the IT act. Reasonable modes of acceptance in an ecommerce transaction are:
Direct mail from the offeree to the offeror.
Acceptance by conduct, which is pressing an ‘Accept’ button to an offer.
The IT act governs the revocation of an ecommerce offer and acceptance. An ecommerce
transaction is said to be complete when the offeror receives acknowledgment of the receipt of
the offer. Besides, an offeror has the liberty to terminate an offer, provided its acceptance has
not been communicated by the offeree.
Prepared By
Page | 20
The Information Technology (Amended) Act, ITAA, was amended in 2008 to increase security
of e-commerce transactions, with special provisions for legal recognition of digital signatures
and electronic documents. Section 43A of ITAA holds ecommerce companies accountable for
protection of personal data.
FDI Policy for E-Commerce in India
The Department of Industrial Policy and Promotion (“DIPP”), Ministry of Commerce and
Industry, formulates policies on FDI through Press Notes and Press Releases which are notified
by the Reserve Bank of India (“RBI”) as amendments to Foreign Exchange Management
(Transfer or Issue of Security by Persons Resident Outside India) Regulations, 2000. (FEMA)
The liberalism of E-Commerce in India is often a debated and sometimes a controversial topic.
The E-Commerce sector in India not only faces tough competition from the conventional retail
lobbies but also suffers restrictions from the government policies on Foreign Direct Investment
(“FDI policy”). The government brought about some relaxation last year by allowing a single
brand retail entity operating a brick and mortar store to undertake retail trading through E-
Commerce, although the confusion prevailed. The DIPP in order to provide clarity to extant
FDI policy issued guidelines for foreign direct investment in E-Commerce sector
(“Guidelines”)
The FDI policy issued by DIPP provides two entry routes for investment:
• Automatic Route where foreign investments do not require prior approval of the
government and
• Government / Approval Route where prior approval of the Government of India
through Foreign Investment Promotion Board (“FIPB”) is required.
DIPP in the Guidelines has attempted to distinguish between inventory-based model
(“Inventory Model”) and marketplace model (“Marketplace Model”) of E-Commerce. The
inventory-based model as defined in the Guidelines is an E-Commerce activity where the
inventory of goods and services is owned by E-Commerce entity and is sold to the consumers
directly, whereas, in the Marketplace Model is a model where the E-Commerce entity provides
an IT platform on a digital and electronic network and acts as a facilitator between the buyer
and the seller.
According to the Guidelines, FDI is not permitted in the Inventory Model of E-Commerce, but
100% FDI has been permitted in the Marketplace Model under the automatic route. The E-
Commerce marketplace may provide support services to sellers in warehousing and logistics
but shall not exercise ownership on the inventories. Such ownership over the inventories shall
render the business an Inventory Model.
FDI In B2B And B2C E-Commerce
The Guidelines have put the recent FDI changes to the E-Commerce sector in a consolidated
manner as stated below:
Prepared By
Page | 21
• 100% FDI under the automatic route is permitted in B2B E-Commerce i.e. Marketplace
Model.
• No FDI is permitted in the B2C E-Commerce i.e. Inventory Model except to the following
circumstances:
o A manufacturer is permitted to sell its products manufactured in India through E-
Commerce retail.
o A single brand retail entity operating through brick and mortar store is permitted
to undertake retail trading through E-Commerce.
o An Indian manufacturer is permitted to sell its own single brand products through
E-Commerce retail. Indian manufacturer would be the investee company, which
is the owner of the Indian brand and which manufacturers in India, in terms of
value, at least 70% of its products in-house, and sources, at most 30% from Indian
manufacturers.
Apart from FDI Policy, which regulates foreign investment into the e-commerce industry, all
other Indian laws, which would apply to any online business, would apply to e-commerce
businesses as well. Such as:
The Indian Contract Act 1872 would apply to determine whether the arrangements between
different stakeholders (i.e. the buyers, the sellers and the e-commerce / marketplace platform
itself) has been structured as valid enforceable contracts. E-commerce or electronic
transactions lead to the formation of e-contracts, wherein typically the agreements are standard
form agreements. Thus, such contracts are governed by the Indian Contract Act, 1872 and in
view of the technological intervention, such contracts are also governed by relevant provisions
under the Information Technology Act, 2000. Thus, as per the Indian Contract Act, such
contracts must adhere to the basic requirements of validity i.e. contract entered with free
consent of parties, there is lawful consideration of the contract, parties shall be competent to
contract and the object of contract shall be lawful.
Provision under the IT Act- The Information Technology Act, 2008 (IT Act), under Section
10A provides for validity of contracts formed through electronic means and lays down that
where in a contract formation, the communication of proposals, the acceptance of proposals,
the revocation of proposals and acceptances, as the case may be, are expressed in electronic
form or by means of an electronic record, such contract shall not be deemed to be unenforceable
solely on the ground that such electronic form or means was used for that purpose.
The laws relating to intellectual property (such as the Copyright Act 1957 and the Trademark
Act 1999) would be referred to determine the intellectual property rights of the stakeholders.
For instance, if a seller is selling fake goods of a well-known brand via a marketplace platform,
the seller may be prosecuted by the lawful brand owner under the Copyright Act 1957 and the
Trademark Act 1999
The entity, which operates an e-commerce business, would also need to comply with applicable
local laws such as the Shops and Establishments Act which are specific to different states, in
relation to their physical offices.
Prepared By
Page | 22
Apart from these general laws, the Information Technology Act 2000 (“IT Act”) contains
specific provisions, which regulate online transactions. For instance, the IT Act provides for
the validity of contracts entered into via online media such as ‘click’ accept methods.
Remedies under sale of Goods Act 1930
Sale of goods act 1930 can apply to protect consumer’s interest. In the online sphere Sale of
Goods Act apply with equal force in B2B and B2C transactions involving sale of goods.
According to section 12 of the Act a buyer is conferred with the right of cancelling the contract
and to see damages in case of breach of a condition which is essential part of contract. If on
delivery a consumer finds it is not the same model as exhibited in the catalogue and ordered by
him the defendant has breached a condition and therefore plaintiff is entitled to cancel the
contract. Measures of damage is governed by section 73 of Contract Act 1872.
Legal Remedies in Tort Law
Tort Law may also protect consumers for any civil wrongs committed by sellers or online
service providers on the ground of online negligence. The remedies in Tort Law will lie in
addition to any remedies in Contract Law.
Legal Remedies under Special Statutes
Special statutes like Food safety and standards Act, 2006, Drugs and Cosmetic Act, 1940 and
Legal metrology Rules 2011 that prescribes law to contain adequate declaration on goods and
protect consumer’s interest.
Criminal Liability under IPC
Criminal liability for injury or damage caused by defective products or services is imposed by
virtue of IPC where mens rea and actus rea can be established beyond reasonable doubts. IPC
prescribes punishment to offenders for false weight and measures (sec 265), Adulteration of
goods (sec 272) and false property marks (sec 481), breach of trust (sec 406), impersonation
and cheating (sec 419 and 420) etc.
Legal remedies under Consumer Protection Act,1986
to India The Consumer protection Act,1986 applies to E- Commerce transactions and protects
consumers in case a service provider is deficient in rendering services or supplies defective
products or carries out unfair trade practices. In such eases Court is empowered to grant relief
described in Section 14 for rectifying the defect, replace the goods, refund the payment made,
and costs to tire part)’ and withdraw hazardous goods from the market.
In Anupama Purohit Vs. Make My Trip. Com, an online service provider despite receiving
an advance payment failed to book a double bedroom for a consumer although it had granted
confirmation for booking. The defendant debited twice the account of the complainant by using
his credit card details and password which was used to make an online payment. The Court
held the defendant is liable. In India, Consumer Protection Act does not address the. issue of
prior information mid disclosure requirements nor mandates terms of use and declaration of
Prepared By
Page | 23
privacy policy of retailers and sendee providers and deals only with the complaints of unfair
trade practices.
Legalities and formalities, one needs to be aware about before entering the ecommerce
space
If the Indian company contemplating e-commerce already has or is contemplating foreign
investment then they should be aware of the restrictions on foreign investments into the e-
commerce sector placed by the Government. For instance, 100% FDI is permitted in entities
involved in B2B e-commerce and not in retail trading.
Apart from the foreign investment restrictions, e-commerce entities need to be mindful of
various other legal issues such as:
o Data protection
o Safe harbours available to intermediaries
o Laws relating to online payments
o Consumer protection issues
o Laws relating to content such as laws on defamation and obscenity
What actions can attract penalties?
Any violation of the foreign investment laws can attract investigation from the Directorate of
Enforcement under the Ministry of Finance. Violation of the foreign investment laws may lead
to penalty up to thrice the sum involved in such contraventions where such amount is
quantifiable, or up to two lakh Rupees where the amount is not quantifiable. Further, officers
who are in charge of the business of the company may also be proceeded again
Apart from foreign investment laws, it is important for online businesses to be conscious of the
safe harbours, which the IT Act provides to intermediaries. Intermediaries are entities who
receive, store or transmit electronic records on behalf of third parties or provide services with
respect to such electronic records. Online market places may be treated as intermediaries.
Other penalties are:
o In case of e-commerce portals, that themselves buy and sell goods, the consumer protection
laws, the sales of goods law etc. equally applies
o In case of counterfeit or adulterated goods penalties under specific laws such as the
Copyright Act and Food Safety and Standards Act, 2006 will also apply
o In case of sale of prohibited items such as drugs, the penalties under Drugs and Cosmetics
Act 1940 may also get attracted
Prepared By
Page | 24
MODULE 2
Legal issue relating to Internet Contract – liability of Internet Service Provider – Spread of
Obscene Material in Internet and Legal Response.
LEGAL ISSUE RELATING TO INTERNET CONTRACT
The term “contract “is defined in sec 2(h) of the Indian contract act ,1872 as AN AGREEMENT
ENFORCEABLE BY LAW IS A CONTRACT; thus, for the formation of a contract there must
be –
• An agreement, and
• The agreement should be enforceable by law.
What are e-contracts?
E-Contract is an aid to drafting and negotiating successful contracts for consumer and business
e-commerce and related services. It is designed to assist people in formulating and
implementing commercial contracts policies within e-businesses. It contains model contracts
for the sale of products and supply of digital products and services to both consumers and
businesses.
An e-contract is a contract modelled, executed and enacted by a software system. Computer
programs are used to automate business processes that govern e-contracts. E-contracts can be
mapped to inter-related programs, which have to be specified carefully to satisfy the contract
requirements. These programs do not have the capabilities to handle complex relationships
between parties to an e-contract
An electronic or digital contract is an agreement “drafted” and “signed” in an electronic form.
An electronic agreement can be drafted in the similar manner in which a normal hard copy
agreement is drafted. For example, an agreement is drafted on our computer and was sent to a
business associate via e-mail. The business associate, in turn, e-mails it back to us with an
electronic signature indicating acceptance. An e-contract can also be in the form of a “Click to
Agree” contract, commonly used with downloaded software: The user clicks an “I Agree”
button on a page containing the terms of the software license before the transaction can be
completed. Since a traditional ink signature isn’t possible on an electronic contract, people use
several different ways to indicate their electronic signatures, like typing the signer’s name into
the signature area, pasting in a scanned version of the signer’s signature or clicking an “I
Accept” button and many more.
E-Contracts can be categorized into two types i.e. web-wrap agreements and shrink-wrap
agreements. A person witnesses these e-contracts everyday but is unaware of the legal
intricacies connected to it. Web-wrap agreements are basically web-based agreements which
requires assent of the party by way of clicking the “I agree” or “I accept” button e.g. E-bay user
agreement, Citibank terms and conditions, etc. Whereas Shrink-wrap agreements are those
which are accepted by a user when a software is installed from a CD-ROM e.g. Nokia pc-suite
software.
Prepared By
Page | 25
ESSENTIAL ELEMENTS OF ONLINE CONTRACT

1) Offer –There must be a lawful proposal or offer made by one party known as the proposer and
it is the starting point of a contract. By browsing and choosing the goods and services available
on the website of the seller, the consumer makes an offer to purchase such in relation with the
invitation to offer made by the seller.
2) Acceptance – When a proposal or offer is made is accepted by the person to whom the offer
is made, it becomes a promise. The acceptance of the proposal must be unconditional and
absolute and must be communicated to the proposer or the offeror. In case of an online contract,
offer and acceptance can be made through e-mails or by filing requisite form provided in the
website. They may also need to take an online agreement by clicking on ‘I Agree’ or ‘I Accept’
for availing the services offered.
3) Intention to create legal relationship – If there is no intention of creating legal relationship
on the part of the parties to contract, there is no contract between them.
4) There must be a lawful object – Parties to the agreement must contract for a legal object. A
contract is only enforceable by law only when it is made for a lawful purpose. It must not defeat
any provision of law and must not be fraudulent in nature. Thus, a contract on a website
designed for the purpose of selling illegal substances online is a void contract.
5) There must be a legal or lawful consideration – Consideration is one of most important
elements of a contract. The basic rule is that when a party to a contract promises to perform his
promise he must get something in return for the performance of his promise. Consideration is
something of some value in the eyes of law. It may be of some benefit, right, interest or profit
given to the party as inducement of promise. An act constituting consideration must be moved
at the desire of the promisor and must be legal, real and not imaginary. Promises that are
physically impossible to perform cannot have real consideration. For eg. an online site that
offers purchase of land in moon.
6) Capacity of parties – Parties to a contract must be capable of entering into a contract. He must
attain the age of majority and must be of sound mind. He must not be disqualified from
contracting by any law for the time being in force. In our country an agreement where either
party is a minor has no significance. It is considered as void ab-initio.
7) There must be free and unaffected consent – Consent which is defined under Section 13 of
the Indian Contract Act, 1872 is an essential requirement of a contract. It is basically the
meeting of minds of the parties. When both agree upon the same thing in the same manner,
they are said to consent. In case consent is caused by coercion, it is voidable at the option of
the party whose consent was so caused.
8) Possibility of performance – The terms and conditions of agreement must be certain and not
vague and must also be such as are capable of performance. An agreement to do an act
impossible in itself cannot be enforced as per section 29 of the Indian Contract Act, 1872.
Law governing e-contract: -
1.) 10A. Validity of Contracts Formed Through Electronic Means. - Where in a

contract formation, the communication of proposals, the acceptance of proposals,
the revocation of proposals and acceptances, as the case may be, are expressed in
Prepared By
Page | 26
electronic form or by means of an electronic record, such contract shall not be

deemed to be unenforceable solely on the ground that such electronic form or means
was used for that purpose.
2.) Section (11) of Information Technology Act, 2000: An electronic record shall be
attributed to the originator—
(a) if it was sent by the originator himself;
(b) by a person who had the authority to act on behalf of the originator in respect of
that electronic record; or
(c) by an information system programmed by or on behalf of the originator to operate
automatically.
Illustration 1: Pooja logs in to her web-based gmail.com email account. She composes an
email and presses the ―Send‖ button, thereby sending the email to Sameer. The electronic
record (email in this case) will be attributed to Pooja (the originator in this case) as Pooja herself
has sent it.
Illustration 2: Pooja instructs her assistant Siddharth to send the above-mentioned email. In
this case also, the email will be attributed to Pooja (and not her assistant Siddharth). The email
has been sent by a person (Siddharth) who had the authority to act on behalf of the originator
(Pooja) of the electronic record (email).
Illustration 3: Pooja goes on vacation for a week. In the meanwhile, she does not want people
to think that she is ignoring their emails. She configures her gmail.com account to
automatically reply to all incoming email messages with the following message: “Thanks for
your email. I am on vacation for a week and will reply to your email as soon as I get back”.
Now every time that gmail.com replies to an incoming email on behalf of Pooja, the
automatically generated email will be attributed to Pooja as it has been sent by an information
system programmed on behalf of the originator (i.e. Pooja) to operate automatically.
3.) Section (12) of Information Technology Act, 2000: Acknowledgment of Receipt
According to Section 12(1) of the IT Act, where the originator has not agreed with the
addressee that the acknowledgment of receipt of electronic record be given in a particular form
or by a particular method, an acknowledgment may be given by—
a) any communication by the addressee, automated or otherwise; or
b) any conduct of the addressee, sufficient to indicate to the originator that the electronic
record has been received.
This sub-section provides for methods in which the acknowledgment of receipt of an electronic
record may be given, provided no particular method has been agreed upon between the
originator and the recipient. One method for giving such acknowledgement is any
communication (automated or otherwise) made by the addressee in this regard.
Prepared By
Page | 27
Illustration: Let us go back to the earlier example of Pooja going on vacation for a week. She
has configured her email account to automatically reply to all incoming email messages with
the following message “Thanks for your email. I am on vacation for a week and will reply to
your email as soon as I get back”.
The incoming message is also affixed at the bottom of the abovementioned message.
Now when Siddharth sends an electronic record to Pooja by email, he will receive Pooja ‘s pre-
set message as well as a copy of his own message. This automated communication will serve
as an acknowledgement that Pooja has received Siddharth ‘s message.
Another method is any conduct of the addressee, sufficient to indicate to the originator that the
electronic record has been received. Let us take another illustration.
Illustration: Rohit sends an email to Pooja informing her that he would like to purchase a car
from her and would like to know the prices of the cars available for sale. Pooja subsequently
sends Rohit a catalogue of prices of the cars available for sale. It can now be concluded that
Pooja has received Rohit ‘s electronic record. This is because such a conduct on the part of
Pooja (i.e. sending the catalogue) is sufficient to indicate to Rohit (the originator) that his email
(i.e. the electronic record) has been received by the addressee (i.e. Pooja).
According to section 12(2) of the IT Act, it says where the originator has stipulated that the
electronic record shall be binding only on receipt of an acknowledgment of such electronic
record by him, then unless acknowledgment has been so received, the electronic record shall
be deemed to have been never sent by the originator.
Illustration: Suppose Priya wants to sell a car to Sam. She sends him an offer to buy the car.
In her email, Priya asked Sam to send her an acknowledgement that he has received her email.
Sam does not send her an acknowledgement. In such a situation it shall be assumed that the
email sent by Priya was never sent.
According to section 12(3) of the IT Act, where the originator has not stipulated that the
electronic record shall be binding only on receipt of such acknowledgment, and the
acknowledgment has not been received by the originator within the time specified or agreed
or, if no time has been specified or agreed to within a reasonable time, then the originator may
give notice to the addressee stating that no acknowledgment has been received by him and
specifying a reasonable time by which the acknowledgment must be received by him and if no
acknowledgment is received within the aforesaid time limit he may after giving notice to the
addressee, treat the electronic record as though it has never been sent.
Illustration: Rohit sends the following email to Sameer: Further to our discussion, I am ready
to pay Rs. 25 Lakh for the source code for the PKI software developed by you. Let me know as
soon as you receive this email.
Sameer does not acknowledge receipt of this email. Rohit sends him another email as follows:
I am resending you my earlier email in which I had offered to pay Rs 25 lakh for the source
code for the PKI software developed by you. Please acknowledge receipt of my email latest by
next week. Sameer does not acknowledge the email even after a week.
Prepared By
Page | 28
The initial email sent by Rohit will be treated to have never been sent.
4.) Section (13) of the Information Technology Act
Time and place of despatch and receipt of electronic record. -
As per section 13(1) of the IT Act, save as otherwise agreed to between the originator and the
addressee, the dispatch of an electronic record occurs when it enters a computer resource
outside the control of the originator.
Illustration: Shashi composes a message for Raj at 11.56 a.m. At exactly 12.00 noon she
presses the ―Submit‖ or ―Send button. When she does that the message leaves her computer
and begins its journey across the Internet. It is now no longer in Shashi ‘s control. The time of
dispatch of this message will be 12.00 noon.
Section 13(2) of the IT Act Save as otherwise agreed between the originator and the addressee,
the time of receipt of an electronic record shall be determined as follows, namely: —
a) if the addressee has designated a computer resource for the purpose of receiving electronic
records, —
(i) receipt occurs at the time when the electronic record enters the designated computer
resource; or
(ii) if the electronic record is sent to a computer resource of the addressee that is not the
designated computer resource, receipt occurs at the time when the electronic record is
retrieved by the addressee;
b) if the addressee has not designated a computer resource along with specified timings, if
any, receipt occurs when the electronic record enters the computer resource of the addressee.
Illustration: The marketing department of a company claims that it would make the delivery
of any order within 48 hours of receipt of the order. For this purpose, they have created an
order form on their website. The customer only has to fill in the form and press ‘submit’ and
the message reaches the designated email address of the marketing department.
Now Suresh, a customer, fills in this order form and presses ‘submit’. The moment the message
reaches the company’s server, the order is deemed to have been received. Karan, on the other
hand, emails his order to the information division of the company. One Mr. Sharma, who is out
on vacation, checks this account once a week. Mr. Sharma comes back two weeks later and
logs in to the account at 11.30 a.m. This is the time of receipt of the message although it was
sent two weeks earlier. Now suppose the company had not specified any address to which
orders can be sent by email. Had Karan then sent the order to the information division, the time
of receipt of the message would have been the time when it reached the server of the company.
As per section 13(3) of the IT Act, save as otherwise agreed to between the originator and the
addressee, an electronic record is deemed to be dispatched at the place where the originator
has his place of business, and is deemed to be received at the place where the addressee has
his place of business.
Prepared By
Page | 29
Illustration: Keshav is a businessman operating from his home in Pune, India. Keshav sent an
order by email to a company having its head office in New York, USA. The place of dispatch
of the order would be Keshav ‘s home and the place of receipt of the order would be the
company’s office.
Section 13(4) of the IT Act says that, the provisions of sub-section (2) shall apply
notwithstanding that the place where the computer resource is located may be different from
the place where the electronic record is deemed to have been received under sub-section (3).
Illustration: Let us consider the illustration mentioned above of Keshav and the New York
based company. Even if the company has its mail server located physically at Canada, the place
of receipt of the order would be the company’s office in New York USA.
With regard to place of business Section 13(5) of the IT Act provides following explanation—
a) if the originator or the addressee has more than one place of business, the principal place of
business, shall be the place of business;
b) if the originator or the addressee does not have a place of business, his usual place of
residence shall be deemed to be the place of business;
c) ―usual place of residence‖, in relation to a body corporate, means the place where it is
registered.
Illustration: Suraj sent an order by email to a company having its head office in New York,
USA. The company has offices in 12 countries. The place of business will be the principal
place of business (New York in this case). Suraj is a businessman operating from his home in
Pune, India. He does not have a separate place of business. Suraj ‘s residence will be deemed
to be the place of business.
TYPES OF ONLINE CONTRACT
Online contracts can be of three types mainly i.e. shrink-wrap agreements, click or web-wrap
agreements and browse-wrap agreements. In our everyday life, we usually witness these types
of online contracts. Other types of online contracts include employment contract, contractor
agreement, consultant agreement, Sale re-sale and distributor agreements, non-disclosure
agreements, software development and licensing agreements, source code escrow agreements.
a) Shrink-wrap agreements are usually the licensed agreement applicable in case of
software products buying. In case of shrink-wrap agreements, with opening of the
packaging of the software product, the terms and conditions to access such software
product are enforced upon the person who buys it. Shrink-wrap agreements are simply
those which are accepted by user at the time of installation of software from a CD-
ROM, for example, Nokia pc-suite.
b) Click- wrap agreements are web-based agreements which require the assent or
consent of the user by way of clicking “I Agree’ or “I Accept” or “Ok” button on the
dialog box. In click –wrap agreements, the user basically have to agree to the terms and
conditions for usage of the particular software. Users who disagree to the terms and
conditions will not be able to use or buy the product upon cancellation or rejection. A
Prepared By
Page | 30
person witnesses web-wrap agreement almost regularly. The terms and conditions for
usage are exposed to the users prior to acceptance. For agreement of an online shopping
site etc.
Case: – Rudder v. Microsoft Corporation: -The plaintiffs commenced a class action

lawsuit alleging breach by Microsoft of certain payment related terms of Microsoft’s
MSN Member Agreement. The Member Agreement was an on-line “click-wrap”
agreement that required each prospective member to scroll down through several pages
of terms and conditions and then indicate their agreement to the terms by clicking an “I
Agree” button before being provided with access to the services. Although the plaintiffs
wished to rely on several terms of the Member Agreement, in bringing the action the
plaintiff’s disputed the choice of law and forum selection clauses that the defendant
Microsoft sought to enforce. The plaintiffs asserted that because not all of the Member
Agreement was visible at one time they did not receive adequate notice of such
provisions and that as a consequence they were not enforceable. The court determined
that the Member Agreement was enforceable stating that scrolling through several
pages was akin to having to turn through several pages of a multi-page paper contract
and to not uphold the agreement “would lead to chaos in the marketplace, render
ineffectual electronic commerce and undermine the integrity of any agreement entered
into through this medium”
c) An agreement made intended to be binding on two or more parties by the use of website
can be called a browse wrap agreement. In case of browse wrap agreement, a regular
user of a particular website deemed to accept the terms of use and other policies of the
website for continuous use.
ELECTRONIC SIGNATURES
Electronic or Digital Signatures consist of cryptographic techniques which ensure privacy and
verify the origin and integrity of the message; the techniques commonly used are a mix of
algorithms, keys and codes. Symmetric cryptography uses just a single key to encrypt and
decrypt the messages, on the other hand asymmetric technique uses two keys one of which is
public (because it is known by the parties) and one, which is private (just one of the parties
knows it).
Most modern signatures are based on asymmetric methods, described as a special door that can
only be opened with four key lock, two on either side. Once both parties have locked the keys
into the door, it is possible to open door and for the parties to be sure that they can negotiate
through that open door safely. Signatures serve the purposes of evidence, approval, and
efficiency and logistics. To achieve these basic purposes a digital signature must be capable of
Signer and Document authentication, these methods are tools used to exclude impersonators
and forgers and are essential ingredients of what is often called non-repudiation service. This
prevents a person from unilaterally terminating or making modifications to legal obligations
arising out if a computer-based transaction.
Prepared By
Page | 31
Authentication of electronic records is dealt with under Section 3 of IT Act, by way of affixing
an electronic signature. It is stipulated that such authentication shall be achieved by using the
asymmetric crypto system and hash function61 whereby the initial electronic record is
transformed into another electronic record. Thus, digital requirements should possess, as
minimum requirements, the following characteristics:  A crypto system which is asymmetric
 The initial electronic record transforming into another electronic record  Hash function and
hash result  The hash function ‘s stability  The hash function ‘s safety  Public Key and
Private Key.
A signature is not part of the substance of a transaction, but rather of its representation or form.
Signing documents serve the following purposes:
• Evidence: A signature authenticates writing by identifying the signer with the signed
document. When the signers make a mark in a distinctive manner, the writing becomes
attributable to the signer.
• Ceremony: The act of signing a document calls to the signer’s attention the legal
significance of the signer’s act hereby helps prevent “inconsiderate engagements”
• Approval: In certain contexts, defined by law or custom, a signature expresses the
signer’s approval or authorization of the writing or the signer ‘s intention that it has a
legal effect.
Through the Information Technology Act, 2000 (IT Act), Indian was able to recognize the use
of electronic signatures. With the aim of improving the ease of doing business; rationalizing
the way documents are stored, and improving the safety, and cost-effectiveness of records, the
Indian Government has greatly advocated for the use of digital technologies by its citizens and
corporations.
Presently, it is safe to state; there has been a significant increase in adoption of electronic
signatures all over India. This can be partly attributed to the government’s emphasis on
facilitating electronic transactions using Aadhaar (a distinctive identification number provided
by the government to all Indians nationals).
With that said, in India, electronic signatures must satisfy a few conditions before they can be
relied upon.
Requirements for validity
The Information Technology Act, 2000 provides for the adoption of e signatures and
acknowledges two forms of e-signs as having similar legal acceptance as pen-and-paper
signatures. These forms specifically acknowledged under the IT Act include:
• E signatures which incorporate an Aadhaar ID with an electronic Know-Your-

Customer (eKYC) method.
• Digital signatures which are created by an “asymmetric crypto-system and hash
function”. For such signatures, the signer is usually issued a long-term certificate-based
digital identity number, stored on a USB token, which is used to place a sign on a
document.
Prepared By
Page | 32
For the above forms of electronic signatures to be legitimate, they must satisfy these further
conditions.
• The signatory of the e signature must be unique

• At the point of signing, the signatory should be in control of the data employed to
generate the e-sign.
• Any tamper with the signature, or the form to which the signature is placed, must be
easily detectable.
• There must be an audit trail of procedures followed during the signing process.
• Signer certificates should only be granted by the Certifying Authority.
If all these conditions are followed, then there is an obvious legal belief in favor of the legality
of any document signed using e-signatures.
Documents that Indian law prohibits to be signed electronically
The government of India has held that e signatures cannot be adopted on all types of documents.
The following documents cannot be signed online and should be executed with the typical pen-
and-paper signature to be considered legally acceptable.
• Any document listed by the government of India on the official gazette

• Power of attorney
• Trust deeds
• A will and other forms of testamentary disposition
• Negotiable documents such as bills of exchange, drafts, promissory notes and more
• Documents involving any sale of immovable property such as real estate
VALIDITY OF ONLINE CONTRACT

The Information Technology Act, 2000 provides various procedural, administrative guidelines
and regulates the provisions relating to all kinds of electronic transactions. These include
computer data protection, authentication of documents by way of digital or electronic signature.
Though electronic contracts have been given recognition by the IT Act, 2000, but majority
feels it less secured to get into any kind of online contracts as there are no concrete judicial
precedents for the validity and enforceability of online contracts in India. In case of browse
wrap contracts, we usually accept the terms and conditions of the contract by clicking the button
that indicates ‘I Agree’ and in case of shrink wrap contract or purchase of a software product,
assent is given by the consumer or the purchaser with tearing of the wrapper and using it. Many
have the tendency of not reading the terms and conditions carefully before agreeing to such.
But these actions should be taken consciously and carefully only after reading the terms of the
contract properly as it leads to a valid contract and the terms can be strictly enforced against
them.
However, courts in other countries such as US, have dealt with validity and enforceability of
contracts such as shrink wrap and click wrap contracts. It was held in the famous case
of ProCD. Inc. vs. Zeidenburg “that the very fact that purchaser after reading the terms of the
Prepared By
Page | 33
license featured outside the wrap license opens the cover coupled with the fact that he accepts
the whole terms of the license that appears on the screen by a key stroke, constitutes an
acceptance of the terms by conduct.” Thus, it is confirmed that shrink wrap agreements are
valid contracts and are enforceable against the purchaser of the software. But the enforceability
of the shrink wrap agreement is extended as far as the general principles of contract are not
violated. The validity of click wrap agreement was first considered when the Court for northern
district of California upheld in the famous case of Hotmail Corporation that “the defendant
is bound by the terms of the license as he clicked on the box containing “I agree” thereby
indicating his assent to be bound” [Hotmail Corporation v. Van $ Money Pie Inc.].
It was also held by the Appellate Division of Superior Court of New Jersey, that by clicking
the “I Agree” option given in the dialogue box the plaintiff has entered into a valid and binding
contract and can be made liable for the terms and conditions laid down in the contract. Click
wrap agreements are thus valid and enforceable in US as long as the offer and acceptance rule
are taken into consideration.
The Indian Contract Act, 1872 provides a basic contractual rule that a contract is valid if it is
made by competent parties out of their free consent for a lawful object and consideration. There
is no specific way of communicating offer and acceptance; it can be done verbally, in writing
or even by conduct. Thus, oral contracts are as valid as written contracts; the only condition is
they should possess all the essentials of a valid contract. It was held in the case of Bhagwandas
Goverdhandas Kedia v. Girdharilal Parshottamdas, “that ordinarily, it is the acceptance of
offer and intimation of that acceptance which results in a contract. This intimation must be by
some external manifestation which the law regards as sufficient. Hence, even in the absence of
any specific legislation validating e-contracts cannot be challenged because they are as much
valid as a traditional contract is.”
An online contract is simply a communication between two parties in regard to transfer of
goods/services. And as per Indian Evidence Act any e- mail communication and other
communication made electronically is recognized as valid evidence in a Court of law. By
considering the points, it can be concluded that the contract that follows the communication is
valid too and Indian law thus recognizes the validity of online contracts.
The citizens of India are encouraging the concept of Digital India, but there are no definite
legislations relating to the transactions done over computerized communication networks.
Several laws such as The Indian Contract Act, 1872, Information Technology Act, 2000, Indian
Copyright Act, 1957 and the Consumer Protection Act, 1986 to some extent are working and
acting on resolving issues that arise relating to the formation and validation of online contracts.
The Information Technology Act, 2000 is the Act that governs the transactions conducted over
internet and explains the considerable mode of acceptance of the offer and provides the rules
for revocation of offer and acceptance in a vague or indefinite manner. Hence, a separate law
for regulating contracts based on electronic devices is highly recommended.
EVIDENTIARY VALUE OF ONLINE CONTRACT
In a country like India, where the literacy rate is not so high, the concept of ‘Digital India’ is a
far reach. People still feel insecure to do online based transactions mainly because the terms
Prepared By
Page | 34
and conditions of such contracts are not transparent. Another major issue is the nature of the
law governing the electronic contracts. Even if the IT Act, 2000 has legalized electronic
contracts, there are no definite provisions mentioned in the Act.
Documents are mainly registered for conservation of evidence, assurance of title and to protect
oneself from fraud. The evidentiary value of electronic contracts has been given recognition
and can be understood in the light of various sections of Indian Evidence Act. Sec 65B of the
Indian Evidence Act deals with the admissibility of electronic records. As per Sec 65B of the
Indian Evidence Act any information contained in an electronic record produced by the
computer in printed, stored or copied form shall deemed to be a document and it can be
admissible as an evidence in any proceeding without further proof of the original subject to
following conditions are satisfied such as the computer from where it was produced was in
regular use by a person having lawful control over the system at the time of producing it, during
the ordinary course of activities the information was fed into the system on a regular basis, the
output computer was in a proper operating condition and have not affected the accuracy of the
data entered.
Section 85A, 85B, 88A, 90A and 85C of the Indian Evidence Act deal with the presumptions
as to electronic records. Sec 85A has been inserted later to confirm the validity of electronic
contracts. It says that any electronic record in the form of electronic agreement is concluded
and gets recognition the moment a digital signature is affixed to such record. The presumption
of electronic record is valid only in case of five years old record and electronic messages that
fall within the range of Section 85B, Section 88A and Section 90A of Indian Evidence Act.
LIABILITY OF INTERNET SERVICE PROVIDER
Internet service providers (or "ISPs") provide Internet access service to customers in exchange
for a fee. ISPs also store data for their customers' use, such as on a Usenet newsgroup server
or a World Wide Web server. In general, ISP liability can be summed up in three words:
"ignorance is bliss." ISP liability for the activities of its customers is generally based on a
knowledge of the customer's activity. If the ISP is unaware of the behaviour of its customer,
most courts seem reluctant to hold the ISP liable for that behaviour. However, once the ISP
becomes aware of the customer's activity, or should have become aware of the activity with
reasonable diligence, courts are much more likely to hold the ISP liable for its customer's
actions. In addition to ISP liability, most of the following discussion is equally applicable to
service providers who do not connect directly to the Internet, such as bulletin board operators
and proprietary information providers
1.) Copyright liability concerns for internet service providers
A party is guilty of copyright infringement if they violate one of the five exclusive rights given
to copyright owners under the Copyright Act. Included in those rights are the right to prevent
others from reproducing (or copying) a work, publicly displaying a work, or distributing a
work. It is clear that on-line service providers will be liable for copyright infringement if they
are directly involved in the copying of protected material. For example, if a service provider
were to place an electronic copy of the latest best-selling novel (or a pirated copy of Microsoft
Prepared By
Page | 35
Word) on their bulletin board or web site, they would be guilty of copyright infringement. In
these circumstances, an ISP is no different than any other party.
However, Internet Service Providers can be found liable for copyright infringement even where
they are not directly engaged in the copying of protected materials. For instance, ISPs are
responsible for equipment, such as a computer operating as a server that is capable of making
copies without any direct involvement of any person. Consequently, one relevant question is:
"when is an ISP liable under copyright law for the copies made by its equipment?" As one
example, the newsgroup servers controlled by ISPs make thousands of copies of newsgroup
files every day. Although some of these files undoubtedly contain copyrighted materials, no
ISP has yet to be found guilty of copyright infringement merely for the unknown, autonomous
action of their newsgroup servers.
Nevertheless, an ISP must be aware of the theories under the Copyright Act by which a party
can be held liable for infringement even if they do not directly take part in the copying or
distribution of a work. Under the concept of "contributory infringement," a party may be
guilty of copyright infringement when they cause or contribute to the infringing conduct of
another with knowledge of the other party's infringing activities. In addition, under the concept
of "vicariously liability," a person may be liable for the infringing actions of another if the
person has the right and ability to control the infringer's acts and receives a direct financial
benefit from the infringement. Vicarious liability can be established without the defendant
having actual knowledge of the infringer's activity. Under these two theories, it is possible for
an ISP to be held liable for copyright infringement, even if the ISP was not directly involved
in making the infringing copy.
Copyright act 1957
As per Section 51(a)(ii) of the Copyright Act; “the Indian Copyright Act, the act of
infringement is when, a person without any licence by the registrar or the owner of the
particular copyright, does an act that is in the contravention of the conditions of a that licence
or condition imposed by a competent authority under this Act permits for profit any place to
be used for the communication of the work to the public where such communication constitutes
an infringement of the copyright in the work, unless he is unaware as and had no reason to
believe that the particular communication to the general public would result in copyright
infringement.”
Nowadays the Internet service providers, instruct their servers transmit and store their users
data across the network. This act of ISP’s helps them to hold any third party liable in case of
any infringement. In order to be liable for the infringement, it is very necessary that the ISP
should benefit financially from it. The ISP’s earn even if they offer some copyrighted illegal
material because of the advertisements that come along with it. Therefore, an ISP can be held
liable not only when they transmit such infringed material but they are liable even if they store
it.
Prepared By
Page | 36
Criminal Liability
An ISP can be held criminally liable when, he does an act of infringement or abets infringement
of:
(a) the copyright in a work, or
(b) any other right conferred by this Act,
If a person does such an act than the Copyrights Act provides for the punishment to be given
to him, i.e. of imprisonment which may extend to one year, or with fine, or with both.
However, the Copyright Act clearly states that the ISP can be held liable only in the case he
was unaware infringing material stored or being transmitted through their servers. This
provides an exception to the liability.
Information Technology Act, 2000
S. 79 of the Information Technology Act states the ISP( a Network service provider in the case
of this act) as an “Intermediary”, which is defined as “ any person who on behalf of any other
person receives, transmits or stores any message or provides any service with respect to any
message.” This section also provides that, no ISP can be held liable if he proves that he was
unaware of the infringement that was caused by the third party that he had exercised all due
diligence to prevent the commission of such offence.
Therefore, the ISP can get away from being liable for the copyright infringement if it is proved
under this section
(a) That the ISP was unaware of the infringement,
(b) That he took all the due diligence to prevent such infringement.
However, data has passed through an ISP’s servers or stored in them, that is likely to infringe
the copyright of another, it is considered that such ISP had to have ‘knowledge’ of such data
and he has the duty to take appropriate measures to prevent such infringement. In such a case,
the ISP cannot take a defence that he was unaware of such infringement.
A person is said to have done an act with due diligence when in the layman’s terms he had
done that act or prevented an act by reasonable standards expected out of a prudent person who
is said to have the knowledge about such illegal activity.
Drawbacks of Copyright Act
(a) The IT Act provides a wider scope to the authorities to harass ISPs in matters where their
liability is the question.
(b) Which actions can be termed as done with ‘due diligence’ is not defined anywhere in the
act.
(c) Who is an ISP? The answer to this question is not given under the IT Act. Also, the IT Act
does not provide for the liability of ISP. The liability of ISP is as same as for anyone who is
simply a communication carrier.
Prepared By
Page | 37
Copyright liability--legal cases

The potential liability of ISPs for the activities of others was explored in Religious Technology
Center v. Netcom, a California case decided in 1995. In that case, files containing copyrighted
materials owned by the Church of Scientology were placed on an Internet newsgroup through
a newsgroup server controlled by Netcom (an ISP). The user that placed the files on the Internet
actually utilized a local bulletin board service (BBS) that provided Internet access through
Netcom. The Church requested that the BBS and Netcom deny access to the individual
involved, and that they remove all documents containing Church materials from the servers
they controlled. When both the BBS and Netcom refused, the case went to court. The court
found that neither the BBS nor Netcom had directly infringed the Church's copyrights, since
neither party had taken any affirmative steps to cause the copies to be made. Although the
computer systems of both parties operated automatically to receive and transmit the postings
of subscribers, the court found that this is not enough to establish a direct infringement claim.
On a claim for vicarious liability, the court also found against the Church, finding that there
was no direct monetary reward to either Netcom or the BBS for the posting of infringing
materials. However, the Court found that Netcom may be liable to the Church under the theory
of contributory infringement by materially contributing to the infringement of the user.
Although the court recognized that there could be no liability even under the contributory
infringement theory unless Netcom knew of the infringement, the court stated that if Netcom
knew or should have known about the presence of the copyrighted materials on its server and
failed to remove them, that failure could amount to contributory infringement. The notice that
the Church provided to Netcom may have been enough for Netcom to be liable for its failure
to act on that notice. Unfortunately, before this final issue could be determined by the court,
the parties settled the lawsuit.
Earlier cases, however, have implied an even greater liability for BBS operators and ISPs. In
the case of Playboy Enterprises v. Frena, a BBS operator whose bulletin board contained
copyrighted photographs owned by Playboy was found liable of violating the right to display
and publish the photographs. This was true even though the BBS operator did not make the
copies himself, and in fact was never proven to have knowledge of their existence. In effect,
this case held the BBS operator liable merely for providing a means by which copies (made by
others) could be distributed to the public. If this logic were extended to ISPs in general, an ISP
could be held liable for its member’s activities on the ISPs web and newsgroup servers, even
without knowledge of such activity. However, it is unlikely that such a ruling would ever be
made given the major impact such a position would have on the expansion of and access to the
Internet.
2.) Trademark liability
ISPs are liable for their own activities that constitute trademark infringement. As a result, if an
ISP were to advertise their services under a trademark that is confusingly similar to a mark of
another party (such as Netcom, IBM Link, or CompuServe), they would be exposed to charges
of trademark infringement. In addition, if an ISP's own web page contained the trademarks of
another, the ISP's use of those marks would be analyzed like any other web page owner (see
Bit Law’s discussion on Internet trademark infringement for more information).
Prepared By
Page | 38
ISPs are in a slightly different position when one of their customers misuses a trademark of
another. In this case, the ISP may very well face possible liability under the theory of
contributory trademark infringement. Much like contributory copyright infringement,
contributory trademark infringement liability may exist where the ISP causes or contributes to
the infringing conduct of another with knowledge of the other party's infringing activities.
Although such a case has not yet been analyzed by any court, one can imagine a situation where
an ISP is notified of trademark infringement on one of its customer's web pages and yet fails
to act on this notification. By analogy to the Netcom decision discussed in connection with
recent ISP copyright cases above, the ISP in this case may in fact face legal action for trademark
infringement.
Online Trademarks Infringement
Nowadays, the Internet is the main means of communication. Although it has a high number
of users, the Internet is also an ideal tool for committing offenses. The main problem regarding
online trademarks infringement may arise when the internet user commits a crime through the
services of the ISP, can the ISP be liable?
While considering the liability of ISP’s in India for trademark infringement, the following Acts
are important; the first one is the Trademarks Act, 1999 and the Information Technology Act,
2000.
Clause (6) of Section 29 of the Trade Marks Act, 1999 sets out what constitutes use of a
registered trademark. Subsection (b) states that use is when an entity that “offers or exposes
goods for sale puts them on the market, or stocks them for those purposes under the registered
trademark or offers or supplies services under the registered trade mark”.
This can be interpreted to include service providers, whether they are ISPs or auction or e-
commerce websites that facilitate infringement by stocking the goods bearing the registered
trademarks.
Firstly, the ISP can look for contents, which are uploaded and can filter them if they want to.
But this will not be favourable for their clients as it will harm their privacy and freedom from
online censorship. Again, it would be a costly affair as there is so much content that has to be
filtered by the ISPs, and moreover, it is not possible to look at the content and understand if its
copyright protected or not. The only other alternative that ISPs have is to make their clients
sign an indemnity contract, therefore, letting them assume all responsibility in the case of any
trademark infringement. From the viewpoint of any Internet Users- if ISPs are made
responsible for infringements, then smaller ISP’s will be forced to shut down. The larger ones
will charge more as they have to deal with potential lawsuits. Ultimately, this cost will be
shifted to the customers, making access to cost of Internet higher. However, if the ISPs are not
made liable, the problem of piracy will keep on increasing.
L’Oreal vs. eBay: This case was handled by the High Court of London and then after by the
Court of Justice of the European Court (CJEU). L’Oreal claimed that eBay didn’t act to prevent
sales of counterfeited goods on the online market, and therefore they sued eBay for online
Prepared By
Page | 39
infringement of the trademark. The Court held that eBay used keywords corresponding to
L’Oreal’s trademarks and held that eBay was liable as it had played an ‘active’ part in
trademark infringement. It placed a higher burden on online sellers.
Due Diligence: For India, the rules for due diligence has been prescribed in the Information
Technology Guidelines (Intermediaries Rules) 2011. Under these rules due diligence requires
the intermediaries to take the following steps:
• Appointment of Grievance Officers- the ISPs must appoint a grievance officer, and this
must be made known to the public.
• They must publish a) a set of rules and regulations b) a privacy policy and c) a user
agreement for access to usage of their resources.
• Intimation of consequences of non- compliance by users: The Intermediary is also
required to inform the clients that in the case of non-compliance they can terminate
access.
Intermediaries: An internet intermediary is an entity which provides services that enable
people to use the internet. There are many different kinds of internet intermediaries which fall
into two broad categories: “conduits” and “hosts”. “Conduits” are technical providers of
internet access or transmission services. Conduits do not interfere with the content they are
transmitting other than for automatic, intermediate or transient storage needed for transmission.
“Hosts” are providers of content services – for instance, online platforms and storage services.
Liability of Intermediaries
The Information Technology Act, 2000 has been amended in 2008, so as to broaden the
definition of intermediaries and to include internet service providers, online payment sites,
online auction sites, etc.
According to the Information Technology Act, 2000 an intermediary must not knowingly
publish, host, or initiate transmission of unlawful information.
The intermediary will be liable if:
1) It has aided or induced the commission of the unlawful act knowingly.
2) Even after being notified by a Government agency the intermediary fails to remove any
content, which is being used for some illegal activity.
The amended Section 79 of the Information Technology Act, 2000 provides that an
intermediary will be liable when it:
1) Initiates the transmission.
2) Selects the receiver of transmission.
3) Selects or modifies the information available in some way.
4) Does not observe due diligence.
5) Plays an active part in the infringement of the trademark.
Prepared By
Page | 40
Therefore, now the burden of proof has been shifted to the accuser, and ISP’s will be deemed
to be innocent as long as they continue to adhere to all the other provisions of law.
However, the ISP will be bound to be liable if it fails to remove any content even after a
complaint is made to it in regards to any infringement. ISP’s need to take basic precautions to
ensure that they filter out any content which is in violation to one’s rights. The problem arises
when people want ISP’s to be financially responsible rather the persons directly responsible
for the infringement. The main reason is most IPS’s are corporate entities, and it is easier to
find the ISP hosting the content rather than the person who has uploaded the content. Moreover,
there is another aspect to this. Copyright holders tend to target the ISP’s as they have more
financial capability than the person.
SPREAD OF OBSCENE MATERIAL IN INTERNET AND LEGAL RESPONSE.
The entire world in Cyberspace is a place under one rooftop. The thoughts, considerations,
articulations, views, culture, convention and traditions spill out of one corner to the next corner
of the globe at a single click. With the outpouring from one corner to another of these cultures,
conventions, traditions, articulations, perspectives, contemplations and thoughts the
unavoidable hardship i.e. the flexibility and agreeability and blending of one culture with the
other was acknowledged, a major conflict between the materialistic west and spiritual east.
Pornography is one such zone of significant clash. It has been from the very initiation a debate
issue. This issue was significantly more under debate after a reported case of cybercrime as per
section 67, in which a minor i.e. class XI understudy of Bal-Bharti School, Delhi had suffered.
The Internet has offered ascend to another platform for the online distribution and utilization
of obscene information and data. Billions of individuals around the globe are going through
websites taking into account this information and data. These websites contribute to the biggest
development sector of the digital economic world. However, as the utilization of internet-web
has outgrown with the passing of time, it is misused additionally and an expansive number of
various sorts of crimes are submitted through this internet web such as hacking, IPR
infringement, cyber terrorism, cyber fraud, cyber defamation, cyber forgery, cyber stalking and
so on. One of the major of these crimes is cyber obscenity.
Obscenity is exceptionally delicate issue everywhere throughout the globe yet there is no
settled meaning of the word “Obscenity” under any law. What is naked workmanship or
sexually unequivocal thing for one individual might be Obscene or porn for another. Obscenity
on the Internet is not typically a crime. Internet-Web has given a medium to the assistance of
violations like Pornography or Obscenity. Digital Obscenity is the exchanging of sexually
expressive materials within the internet. Despite the fact that the Indian Constitution ensures
the freedom to expression and freedom of speech, it has been held that a law against obscenity
is constitutional.
The Supreme Court of India has characterized obscene as “repulsive, offensive to modesty
filthy, decency or lewd “. It is extremely hard to affirm whether any pornographic material is
illegal or not? One specific obscene material might be illegal in India however not in different
nations.
Prepared By
Page | 41
The test for pornography was first set out by the Regina v. Hicklin, as a propensity to debase
and degenerate those whose brains are open to such shameless impacts and into whose hands
a distribution of this sort may fall.
Definition and Meaning of Cyber Obscenity
The word “Cyber Space” was first utilized by William Gibson in his novel “Neuromancer”
1982. The word Cyber or Cyberspace indicates a virtual situation inside which organized PCs’
action happens and Obscenity is any announcement or act which firmly outrages the
predominant profound quality of the time. Obscenity is a lawful term that applies to anything
hostile to ethics and is frequently likened with the term pornography. Obscenity is gotten from
the Latin word obscene.
U.S. Supreme Court in Miller vs. California set out a test for obscenity, which deems a work
obscene if: The average person, applying contemporary community standards would find
that the work, taken as a whole, appeals to the prurient interest.
In R.V. Hicklin, the word obscene was plainly characterized as “Any issue which tends to
debase or degenerate those whose psyches are interested in corrupt impact.”
The Hicklin test expresses that an administering body may forbid anything that “debases and
undermines those whose brains are interested in such corrupt impacts and into whose hands a
production of this sort may fall.” Digital obscenity is the exchanging of sexually expressive
materials inside the internet. The digital pornography or obscenity talk about is exceptionally
mind boggling in light of the fact that pornography is not really unlawful. The test is the United
Kingdom and different locales is regardless of whether the materials are obscene and debase
its watchers, however, there are significant lawful and good contrasts as to criteria that
empower law implementers to set up obscenity and deprivation. In England, for instance,
people every day see scandalous pictures, however, the different aspects of the mass media.
These same pictures may be lawfully obscene in some Islamic social orders, yet they are
considered splendidly adequate in more lenient nations.
As per Supreme Court of India, “the idea of obscenity would vary from nation to nation relying
upon the measures of ethics of contemporary society.” And that obscenity has a propensity to
debase and degenerate those whose brains are interested in such improper impacts.
Transmitting Obscene Material in Electronic Form: A Crime
Obscenity when considered as an offence it is not defined in any acts in India, however certain
laws state that ‘obscenity’ in certain situations establishes it as an offence. Indian Penal Code,
1860 and Information Technology Act, 2000 are the two legislations in India which recognizes
obscenity as an offence or crime in certain circumstances. However, nor the Information
Technology Act, 2000 or the Indian penal code has defined the word obscene or obscenity, but
as per section 67 of the Information Technology Act, 2000 and section 292 of the Indian Penal
Code, 1860 elaborates and explains Obscenity as “anything which is lascivious or appeals to
the prurient interest or if its effect is tend to deprave and corrupt persons.”
Brief Explanation of Each Word
Prepared By
Page | 42
1) Lascivious: It is something which excites lust in a person;

2) Appeals to: This word here means something which arouses interest in a person;
3) Prurient interest: This word here means which is drawn by lustful thoughts;
4) Effect: This word here means to cause or change or any event;
5) Tend to deprave and Corrupt: This word here means to draw a person towards becoming
immoral or bad morally;
6) Persons: This word here means natural persons including men, women, children[5]; it
does not include any artificial persons.
Henceforth as per the two laws i.e. Indian Penal Code 1860 and Information Technology Act,
2000 (as amended by Information Technology Act, 2008), anything which is anything which
is lascivious or appeals to the prurient interest or if its effect is tend to deprave and corrupt
persons is said to be obscene.
Cyber Obscenity Under Various Legislation in India
Obscenity is an offense under the Indian Penal Code, 1860. Section 292 of the Indian Penal
Code, 1860 thoroughly sets out the conditions in which “obscenity” is an offense. Section
292(1) of the Indian Penal Code, 1860 laid out that any activity i.e.
(a) Deal, enlist, conveyance, open presentation or course, makes, produces or, then again has
the ownership of any obscene book, leaflet, paper, drawing, painting, portrayal, or, then again
figure or some other obscene protest at all or
(b) Import, send out or pass on any obscene protest for any of the reasons specified
aforementioned, or knowing or having motivation to trust that such obscene protest will be
sold, let to procure, disseminated or freely showed or in any way out into flow, or
(c) Partaking in or getting benefits from any business throughout which any such obscene
articles are, for any of the reasons previously mentioned, made, created, bought, kept, imported,
traded, passed on, openly showed or in any way put into flow, or
(d) Promotes or makes known by any methods at all that any individual is drawn in or is
prepared to take part in any act or that any such obscene protest can be secured from or, on the
other hand through any individual or
(e) Offer or endeavour to do any act, are the offense under section 292 of the Indian Penal
Code, 1860.
Punishment Under Indian Penal Code, 1860, Information Technology Act, 2000 (As
Amended by Information Technology Act, 2008) & Indecent Representation of Women
(Prohibition) Act, 1986
The Punishment for an offense under section 292 of the Indian Penal Code, 1860 is on first
conviction with detainment (straightforward or thorough) for a term which may stretch out to
two years, and with fine which may stretch out to two thousand rupees, and in case of a moment
or resulting conviction, with detainment (straightforward or thorough) for a term which may
Prepared By
Page | 43
stretch out to five years, and furthermore with fine which may stretch out to five thousand
rupees.
Obscenity is additionally an offense under the Information Technology Act 2000. Section 67
of the Information Technology Act sets out the law that obscenity is an offense when it is
published or transmitted or caused to be published in any electronic form.
67. Punishment for publishing or transmitting obscene material in electronic

form.- Whoever publishes or transmits or causes to be published in the electronic form, any
material which is lascivious or appeals to the prurient interest or if its effect is such as to tend
to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to
read, see or hear the matter contained or embodied in it, shall be punished on first conviction
with imprisonment of either description for a term which may extend to two three years and
with fine which may extend to five lakh rupees and in the event of a second or subsequent
conviction with imprisonment of either description for a term which may extend to five years
and also with fine which may extend to ten lakh rupees.
Published: Published here means any information which is distributed and broadcasted
formally by issuing and selling copies of the same for general public.
Transmitted: Transmission here means transfer, pass, communicate, a medium for
transmitting, signal etc.
Caused to be Published: Caused to be public here means that to give effect of publishing
some information by direct or indirect way. It also includes the publishing the certain
information by any internet service provider or website server.
67A. Punishment for publishing or transmitting of material containing sexually explicit

act, etc. in electronic form. - Whoever publishes or transmits or causes to be published or
transmitted in the electronic form any material which contains sexually explicit act or conduct
shall be punished on first conviction with imprisonment of either description for a term which
may extend to five years and with fine which may extend to ten lakh rupees and in the event of
second or subsequent conviction with imprisonment of either description for a term which may
extend to seven years and also with fine which may extend to ten lakh rupees.
67B. Punishment for publishing or transmitting of material depicting children in sexually

explicit act, etc. in electronic form. - Whoever, -
a) publishes or transmits or causes to be published or transmitted material in any electronic form
which depicts children engaged in sexually explicit act or conduct or
b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes,
exchanges or distributes material in any electronic form depicting children in obscene or
indecent or sexually explicit manner or
Prepared By
Page | 44
c) cultivates, entices or induces children to online relationship with one or more children for and
on sexually explicit act or in a manner that may offend a reasonable adult on the computer
resource or
d) facilitates abusing children online or
e) records in any electronic form own abuse or that of others pertaining to sexually explicit act
with children, shall be punished on first conviction with imprisonment of either description for
a term which may extend to five years and with a fine which may extend to ten lakh rupees and
in the event of second or subsequent conviction with imprisonment of either description for a
term which may extend to seven years and also with fine which may extend to ten lakh rupees:
Provided that the provisions of section 67, section 67A and this section does not extend to any
book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-
(i) The publication of which is proved to be justified as being for the public good on the
ground that such book, pamphlet, paper writing, drawing, painting, representation or figure
is in the interest of science, literature, art or learning or other objects of general concern; or
(ii) which is kept or used for bonafide heritage or religious purposes
The Indecent Representation of Women (Prohibition) Act 1986, disallows obscene
portrayal of girls or women. Section 2(C) of the Indecent Representation of Women
(Prohibition) Act, 1986 characterizes obscene portrayal of girls or women as “the delineation
in any way of the figure of a girl or women, her frame or body or any part thereof so as to have
the impact of being disgusting, or slanderous to, or stigmatizing, ladies, or is probably going to
debase, degenerate or harm the general population morale quality or ethics.”
This Act denies any production, show, ads, deliver or cause to be created, deal, let to contract,
disseminate or circle containing obscene portrayal of girls or women and the distribution or
sending by post any books, handouts, slide, film, composing, drawing, painting, photo,
portrayal or figure in any shape containing obscene portrayal of a girl or women.
The Indian court embraced the approach of Common Law. As in Ranjit Udeshi v. Territory
of Maharashtra case Supreme Court built up an adjusted adaptation of the Hicklin test as the
test for indecency in India. A test has been laid down to identify what material, work or content
shall amount to being obscene by interpreting the word “obscene” as that, which is “offensive
to modesty or decency, lewd, filthy and repulsive.”
In Chandrakant Kalyandas Kakodkar v. Province of Maharashtra, the court held: “What
is obscenity has not been defined either in section 292 of IPC or in any of the statutes
prohibiting and penalizing, mailing importing, exporting, publishing and selling of obscene
matters. It is the duty of court to consider the obscene passages are so likely to deprave and
corrupt those whose minds are open to influences of this sort and into whose hands the book is
likely to fall and in doing so one must not overlook the influence of the book on the social
morality of our contemporary society.”
In Samaresh Bose v. Amal Mitra, the Supreme Court held that the idea of vulgarity would
contrast from nation to nation contingent upon the principles of ethics of contemporary society.
Prepared By
Page | 45
Recognizing loopholes in the ‘likely audience’ test laid down in Chandra Kant Kalyan case,10
the Supreme Court in Ajay Goswami vs. Union of India opined that earlier test of a
‘community-based standard’ has become redundant in the present age of technology while
holding that prohibition on selling or publishing obscene material is a reasonable restriction
imposed on the freedom of speech and expression provided under Article 19 of the Constitution
of India. This judgment evolved a “Responsible Reader Test” which was appreciated and
recognized as the best one by the legal luminaries in the area of Cyber and Criminal law, since
the approach of court in this case was logical as internet has diminished all geographical
boundaries and community standards are rapidly becoming global rather than territory specific.
Prepared By
Page | 46
MODULE 3
Requirement of Law on Data Protection in the Digital Age – Encryption and Right to Privacy
– Legal Response – Legal Response for Internet Crime.
REQUIREMENT OF LAW ON DATA PROTECTION IN THE DIGITAL AGE
The 21st century has witnessed such an explosive rise in the number of ways in which we use
information, that it is widely referred to as “the information age”. It is believed that by 2020,
the global volume of digital data we create is expected to reach 44 zettabytes. Much of that
new information will consist of personal details relating to individuals, including information
relating to the products they have purchased, the places they have travelled to and data which
is produced from “smart devices” connected to the Internet.
With the rapid development of technology, computers are able to process vast quantities of
information in order to identify correlations and discover patterns in all fields of human
activity. Enterprises around the world have realised the value of these databases and the
technology for its proper mining and use is evolving every day. Proprietary algorithms are
being developed to comb this data for trends, patterns and hidden nuances by businesses. Many
of these activities are beneficial to individuals, allowing their problems to be addressed with
greater accuracy. For instance, the analysis of very large and complex sets of data is done today
through Big Data analytics. Employing such analytics enables organisations and governments
to gain remarkable insights into areas such as health, food security, intelligent transport
systems, energy efficiency and urban planning. This is nothing short of a digital revolution.
This digital revolution has permeated India as well. Recognising its significance, and that it
promises to bring large disruptions in almost all sectors of society, the Government of India
has envisaged and implemented the “Digital India‖” initiative. This initiative involves the
incorporation of digitisation in governance; healthcare and educational services; cashless
economy and digital transactions; transparency in bureaucracy; fair and quick distribution of
welfare schemes etc to empower citizens. With nearly 450 million Internet users and a growth
rate of 7-8%, India is well on the path to becoming a digital economy, which has a large market
for global players. This digital economy is expected to generate new market growth
opportunities and jobs in the coming 40-50 years.
While the transition to a digital economy is underway, the processing of personal data has
already become ubiquitous in both the public and private sector. Data is valuable per se and
more so, when it is shared, leading to creation of considerable efficiency. The reality of the
digital environment today, is that almost every single activity undertaken by an individual
involves some sort of data transaction or the other. The Internet has given birth to entirely new
markets: those dealing in the collection, organisation, and processing of personal information,
whether directly, or as a critical component of their business model. As has been noted by the
Supreme Court in Justice K.S. Puttaswamy Case: ―” Uber‟, the world’s largest taxi company,
owns no vehicles. “Facebook‟, the world’s most popular media owner, creates no content.
“Alibaba‟, the most valuable retailer, has no inventory. And “Airbnb‟, the world’s largest
accommodation provider, owns no real estate.
Prepared By
Page | 47
Something as simple as hailing a taxi now involves the use of a mobile application which
collects and uses various types of data, such as the user ‘s financial information, her real-time
location, and information concerning her previous trips. Data is fundamentally transforming
the way individuals do business, how they communicate, and how they make their decisions.
Businesses are now building vast databases of consumer preferences and behaviour.
Information can be compressed, sorted, manipulated, discovered and interpreted as never
before, and can thus be more easily transformed into useful knowledge. The low costs of storing
and processing information and the ease of data collection has resulted in the prevalence of
long-term storage of information as well as collection of increasingly minute details about an
individual which allows an extensive user profile to be created. Such information can then be
used to create customised user profiles, based on their past online behaviour, which has the
benefit of reducing the time required to complete a transaction. For instance, e-commerce
websites track previous purchases, use algorithms to predict what sorts of items a user is likely
to buy, thereby reducing the time spent on each purchase.
There are a large number of benefits to be gained by collecting and analysing personal data
from individuals. Pooled datasets allow quicker detection of trends and accurate targeting. For
instance, in the healthcare sector, by collecting and analysing large data sets of individual‘s
health records and previous hospital visits, health care providers could make diagnostic
predictions and treatment suggestions; an individual‘s personal locational data could be used
for monitoring traffic and improving driving conditions on the road; banks can use Big Data
techniques to improve fraud detection; insurers can make the process of applying for insurance
easier by using valuable knowledge gleaned from pooled datasets.
At the same time, the state processes personal data for a plethora of purposes and is arguably
its largest processor. In India, the state uses personal data for purposes such as the targeted
delivery of social welfare benefits, effective planning and implementation of government
schemes, counter-terrorism operations, etc. Such collection and use of data is usually backed
by law, though in the context of counter-terrorism and intelligence gathering, it appears not to
be the case. Thus, both the public and the private sector are collecting and using personal data
at an unprecedented scale and for multifarious purposes. While data can be put to beneficial
use, the unregulated and arbitrary use of data, especially personal data, has raised concerns
regarding the privacy and autonomy of an individual. Some of the concerns relate to
centralisation of databases, profiling of individuals, increased surveillance and a consequent
erosion of individual autonomy. This was also the subject matter of the landmark judgement
of the Supreme Court in Puttaswamy, which recognised the right to privacy as a fundamental
right. The Supreme Court stated that the ―right to privacy is protected as an intrinsic part of
the right to life and personal liberty under Article 21 of the Constitution and as a part of the
freedoms guaranteed by Part III of the Constitution‖. Further, it went on to recognise
informational privacy as a facet of the right to privacy and directed the Union Government to
put in place a robust data protection regime to ensure protection against the dangers posed to
an individual ‘s privacy by state and non-state actors in the information age.
In this light, in order to harness the benefits of the digital economy and mitigate the harms
consequent to it, formulating a data protection law is the need of the hour for India.
Prepared By
Page | 48
What is Data Protection?

Personal data is any information relating to you, whether it relates to your private, professional,
or public life. In the online environment, where vast amounts of personal data are shared and
transferred around the globe instantaneously, it is increasingly difficult for people to maintain
control of their personal information. This is where data protection comes in.
Data protection refers to the practices, safeguards, and binding rules put in place to protect your
personal information and ensure that you remain in control of it. In short, you should be able
to decide whether or not you want to share some information, who has access to it, for how
long, for what reason, and be able to modify some of this information, and more.
Governments also have a security interest in ensuring the protection of personal data. In 2015,
criminals stole 21.5 million records from the US Office of Personnel Management that
contained the highly sensitive personal data of federal employees and their family members.
This type of attack is happening more frequently across the globe, and countries must take
action to better protect individuals’ information.
Why do we need data protection laws?
There are two main reasons that governments should pursue comprehensive data protection
frameworks:
• Laws need to be updated to address today’s reality. Ever since the internet was
created, people have been sharing more and more of their personal information online.
In many countries, privacy rules exist and remain important to help protect people’s
information and human rights, but they are not adapted to suit the challenges of today’s
connected world.
• Corporate co- and self-regulation is not working to protect our data. Around the
world, companies and other entities that collect people’s data have long advocated for
regulation of privacy and data protection not through binding frameworks but rather
through self- or co-regulation mechanisms that offer them greater flexibility. However,
despite several attempts, we have yet to see examples of non-binding regimes that are
positive for users’ rights (or, indeed, for business as a whole).
Emergence of the issue of Data Protection
The protection of data finds its roots in the individual's right to privacy doctrine. The right to
privacy has been explicitly contained in or has inferentially been found to exist in the
constitutions of most developed nations. India does not currently have a specific data protection
law. Data protection and privacy are given scattered and rather sparse coverage by existing
laws. The existing data protection laws, discussed in some detail below, are strewn in laws
pertaining to information technology, intellectual property, crimes, and contractual relations.
Under increasing pressure from BPO operations and call centres in India that handle large
volumes of data from the United States and Europe, the Indian government is contemplating
the passage of a comprehensive law protecting data.
Prepared By
Page | 49
Despite the urgency of the matter and pressure from internal and external fronts, India has
delayed enactment of legislation for several years. The form of the legislation - whether
umbrella, sectoral, or a combination of the two - which will provide optimal protection for
cross-border data processed in India, has been under discussion for several years. At this point,
it appears likely that India's Information Technology Act of 2000 ("IT Act of 2000") will be
amended to incorporate laws that provide comprehensive protection to data. This approach,
which continues to be discussed as the probable solution to India's data protection dilemma,
does not entail enactment of a separate comprehensive law to deal with data security and
privacy issues across all industries, as has been the case with the European Union.
Until such time as India enacts adequate data protection laws, the current laws in India are the
only protection offered for data privacy violations. These existing laws, including the IT Act
of 2000 - which is the most pertinent since it pertains specifically to the use of computer data
- have their shortcomings, which are discussed below. Unlike the Directive, which imposes
liability on each participant within the chain of command who failed to protect the sanctity of
the data, India's existing laws only prosecute those individuals who directly violate laws related
to computer systems or copyright. Entities are exempt for breaches of data privacy, unless such
a violation was made knowingly. Unlike the Directive, which protects data breaches by limiting
its collection and use, the Indian laws do not specify conditions under which data can be
collected and used. Where liability may be found by stretching the existing laws to cover
breaches of data privacy, penalties afforded to victims are inadequate in a transnational context.
The existing Indian laws and their deficiencies are addressed in further detail below.
Information Technology Act of 2000
Section 43(b) of the IT Act of 2000, affords cursory safeguards against breaches in data
protection. The scope of Section 43(b) is limited to the unauthorized downloading, copying or
extraction of data from a computer system: essentially unauthorized access and theft of data
from computer systems.
Section 43(b) is limited in scope and fails to meet the breadth and depth of protection that the
E.U. Directive mandates. The law creates personal liability for illegal or unauthorized acts,
while making little effort to ensure that internet service providers or network service providers,
as well as entities handling data, be responsible for its safe distribution or processing.
Furthermore, the liability of entities is diluted in Section 79 of the Act, which inserts
"knowledge" and "best efforts" qualifiers prior to assessing of penalties. A network service
provider or intermediary is not liable for the breach of any third-party data made available by
him if he proves that the offence or contravention was committed without his knowledge, or
that he had exercised all due diligence to prevent the commission of such offence or
contravention.
The Personal Data Protection Bill, based on the framework of the EU Data Privacy Directive
(1996), was introduced in the Parliament in 2006 but lapsed subsequently. Prior to the
Information Technology Act, India did not have any legislation addressing the issue of data
protection. The Preamble of the Act listed out prevention of cybercrimes and providing
Prepared By
Page | 50
adequate data security measures and procedures to protect and facilitate widest possible use of
Information
Technology worldwide, as one of its main objectives. However, only after several amendments
subsequently did the IT Act provide for adequate legal protection for data stored in the
electronic medium. It incorporated provisions regarding privacy and data protection by
prescribing both civil (Section 46) and criminal (Section 72) liabilities for protecting privacy
of individuals.
Further Section 65, in the original IT Act provided for protection of the source code and
penalized with imprisonment a fine any tampering with such computer source documents.
Section 66 further provided for the definition of hacking and also the punishment for the same.
The amendment to Section 66 widened the definition of hacking by including various other
means to destroy or alter the data stored in a computer or access the computer in an
unauthorized manner without actually mentioning the acts to be hacking. Further, as per
section 67C of the amended IT Act mandates ‘intermediaries’ to maintain and preserve certain
information under their control for durations which are to be specified by law, failing which
they will be subjected to punishment in the form of imprisonment upto three years and fine.
The newly inserted section 43A makes a start at introducing a mandatory data protection
regime in Indian law. The section obliges corporate bodies who ‘possess, deal or handle’ any
‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing
which they would be liable to compensate those affected by any negligence attributable to this
failure. In addition to the civil remedies spelled out, Section 72-A could be used to impose
criminal sanctions against any person who discloses information in breach of a contract for
services. These amendments have widened the liability for breach of data protection and
negligence in handling sensitive personal information.
In contrast to the IT Act of 2000, the E.U. Directive envisions much broader violations
associated with breach of data security than does the limited sphere of the IT Act of 2000. As
described previously, the E.U. Directive provides for protections in the entire chain of control
of data and creates systems of security and associated penalties within the various stages of
data processing. For instance, the Directive prescribes limits to the collection of personal data,
requiring that a purpose for the data collection be articulated. The Directive also requires that
data must be obtained by lawful and fair means and, where appropriate, with the knowledge or
consent of the data subject; personal data should be relevant to the purposes for which they are
to be used, and, to the extent necessary for those purposes, should be accurate, complete and
kept up-to-date.
The 1980 Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data
promulgated by the Organization for Economic Cooperation and Development (the "OECD")
are also instructive, demonstrating that a large void exists in India's IT Act of 2000. A
reformation of the IT Act of 2000 should encompass the principles contained in the Directive,
and the parallel OECD principles related to limitation of data collection, data quality, specified
purpose, use limitation, security safeguards, individual participation and accountability.
Prepared By
Page | 51
Further, in matters of transnational data protection, the IT Act of 2000 is deficient in that
jurisdiction for cases arising out of violations lies in India.
A special tribunal is established by the Central Government, and all matters arising out of the
IT Act of 2000 are within the jurisdiction of this Cyber Appellate Tribunal. While the IT Act
of 2000 is diligent in establishing a tribunal headed by a qualified judicial officer, the difficulty
in accessibility to this tribunal is stark in a transnational setting. Injured parties who are non-
residents of India would have to adjudicate disputes in a foreign jurisdiction, incurring the
related expense and inconvenience thereof. The limited parties, from whom recourse and be
sought, limited circumstances under which remedy may be established, and the limited nature
of the damages is even barer when the avenues for recourse and compensatory sums are viewed
from a perspective of third party nationals.
What India needs: Data law, regulator
In his 266-page judgment declaring privacy as a fundamental right in the case of Justice KS
Puttaswamy (Retd.) and Anr. Vs. Union of India, Justice D Y Chandrachud wrote, “Ours is
an age of information. Information is knowledge. The old adage that ‘knowledge is power’ has
stark implications for the position of the individual where data is ubiquitous, an all-
encompassing presence… The Internet has become all pervasive as individuals spend more
and more time online each day of their lives.”
Though India does not have a larger data protection framework, over the years, a number of
domain-specific laws have been amended to protect users’ data.
Foremost among these is the Information Technology (Reasonable Security Practices and
Sensitive Personal Data or Information) Rules, 2011. Issued under Section 43A of the
Information Technology Act, 2000, it is, however, only applicable to corporate entities, not to
any arm of the government. Also, the rules are restricted to sensitive personal data — medical
history, biometric information and sexual history, among other things.
There is an array of other laws and regulations — provisions in the Aadhaar Act, the Credit
Information Companies (Regulations) Act for the financial sector, and data protection laws for
the telecom and health sectors.
Experts, however, say that in the age of digital data, these laws are not adequate and what India
needs is an “omnibus” or horizontal data protection law.
A major void in these laws, is that “citizens don’t have much recourse; only if you have lost
property or suffered financial harm can you approach the court for justice”. A breach of
personal information, however, does not allow a person to seek damages or compensation.
Earlier, India witnessed disruptions from cyberattacks through a ransomware, WannaCry.

These attacks and breaches threaten to trigger heavy damages, including loss of data and
disruptions in business. They could also involve regulatory compensation. So, policy, rules and
practices must address cybersecurity and data breaches in sensitive sectors and areas critical to
national interest.
Prepared By
Page | 52
ENCRYPTION
In computing, encryption is the method by which plaintext or any other type of data is
converted from a readable form to an encoded version that can only be decoded by another
entity if they have access to a decryption key. Encryption is one of the most important methods
for providing data security, especially for end-to-end protection of data transmitted across
networks.
Encryption is widely used on the internet to protect user information being sent between a
browser and a server, including passwords, payment information and other personal
information that should be considered private. Organizations and individuals also commonly
use encryption to protect sensitive data stored on computers, servers and mobile devices like
phones or tablets.
History of encryption
The word encryption comes from the Greek word kryptos, meaning hidden or secret. The use
of encryption is nearly as old as the art of communication itself. As early as 1900 B.C., an
Egyptian scribe used nonstandard hieroglyphs to hide the meaning of an inscription. In a time
when most people couldn't read, simply writing a message was often enough, but encryption
schemes soon developed to convert messages into unreadable groups of figures to protect the
message's secrecy while it was carried from one place to another. The contents of a message
were reordered (transposition) or replaced (substitution) with other characters, symbols,
numbers or pictures in order to conceal its meaning.
How encryption works
Unencrypted data, often referred to as plaintext, is encrypted using an encryption algorithm
and an encryption key. This process generates ciphertext that can only be viewed in its original
form if decrypted with the correct key. Decryption is simply the inverse of encryption,
following the same steps but reversing the order in which the keys are applied. Today's most
widely used encryption algorithms fall into two categories: symmetric and asymmetric.
Symmetric-key ciphers, also referred to as "secret key," use a single key, sometimes referred
to as a shared secret because the system doing the encryption must share it with any entity it
intends to be able to decrypt the encrypted data. The most widely used symmetric-key cipher
is the Advanced Encryption Standard (AES), which was designed to protect government
classified information.
Symmetric-key encryption is usually much faster than asymmetric encryption, but the sender
must exchange the key used to encrypt the data with the recipient before the recipient can
perform decryption on the ciphertext. The need to securely distribute and manage large
numbers of keys means most cryptographic processes use a symmetric algorithm to efficiently
encrypt data but use an asymmetric algorithm to securely exchange the secret key.
Asymmetric cryptography, also known as public key cryptography, uses two different but
mathematically linked keys, one public and one private. The public key can be shared with
everyone, whereas the private key must be kept secret. The RSA encryption algorithm is the
Prepared By
Page | 53
most widely used public key algorithm, partly because both the public and the private keys can
encrypt a message; the opposite key from the one used to encrypt a message is used to decrypt
it. This attribute provides a method of assuring not only confidentiality, but also the integrity,
authenticity and non-reputability of electronic communications and data at rest through the use
of digital signatures.
Benefits of encryption
The primary purpose of encryption is to protect the confidentiality of digital data stored on
computer systems or transmitted via the internet or any other computer network. A number of
organizations and standards bodies either recommend or require sensitive data to be encrypted
in order to prevent unauthorized third parties or threat actors from accessing the data. For
example, the Payment Card Industry Data Security Standard requires merchants to encrypt
customers' payment card data when it is both stored at rest and transmitted across public
networks.
Modern encryption algorithms also play a vital role in the security assurance of IT systems and
communications as they can provide not only confidentiality, but also the following key
elements of security:
• Authentication: the origin of a message can be verified.

• Integrity: proof that the contents of a message have not been changed since it was
sent.
• Nonrepudiation: the sender of a message cannot deny sending the message.
Types of encryption
Traditional public key cryptography depends on the properties of large prime numbers and the
computational difficulty of factoring those primes. Elliptical curve cryptography (ECC)
enables another kind of public key cryptography that depends on the properties of the elliptic
curve equation; the resulting cryptographic algorithms can be faster and more efficient and can
produce comparable levels of security with shorter cryptographic keys. As a result, ECC
algorithms are often implemented in internet of things devices and other products with limited
computing resources.
As development of quantum computing continues to approach practical application, quantum
cryptography will become more important. Quantum cryptography depends on the quantum
mechanical properties of particles to protect data. In particular, the Heisenberg uncertainty
principle posits that the two identifying properties of a particle -- its location and its momentum
-- cannot be measured without changing the values of those properties. As a result, quantum
encoded data cannot be copied because any attempt to access the encoded data will change the
data. Likewise, any attempt to copy or access the data will cause a change in the data, thus
notifying the authorized parties to the encryption that an attack has occurred.
Encryption is used to protect data stored on a system (encryption in place or encryption at rest);
many internet protocols define mechanisms for encrypting data moving from one system to
another (data in transit).
Prepared By
Page | 54
Some applications tout the use of end-to-end encryption (E2EE) to guarantee data being sent
between two parties cannot be viewed by an attacker that intercepts the communication
channel. Use of an encrypted communication circuit, as provided by Transport Layer Security
(TLS) between web client and web server software, is not always enough to insure E2EE;
typically, the actual content being transmitted is encrypted by client software before being
passed to a web client and decrypted only by the recipient.
Messaging apps that provide E2EE include Facebook's WhatsApp and Open Whisper Systems'
Signal. Facebook Messenger users may also get E2EE messaging with the "Secret
Conversations" option.
How encryption is used
Encryption was almost exclusively used only by governments and large enterprises until the
late 1970s when the Diffie-Hellman key exchange and RSA algorithms were first published --
and the first personal computers were introduced. By the mid-1990s, both public key and
private key encryption were being routinely deployed in web browsers and servers to protect
sensitive data.
Encryption is now an important part of many products and services, used in the commercial
and consumer realms to protect data both while it is in transit and while it is stored, such as on
a hard drive, smartphone or flash drive (data at rest).
Devices like modems, set-top boxes, smartcards and SIM cards all use encryption or rely
on protocols like SSH, S/MIME, and SSL/TLS to encrypt sensitive data. Encryption is used to
protect data in transit sent from all sorts of devices across all sorts of networks, not just the
internet; every time someone uses an ATM or buys something online with a smartphone, makes
a mobile phone call or presses a key fob to unlock a car, encryption is used to protect the
information being relayed. Digital rights management systems, which prevent unauthorized
use or reproduction of copyrighted material, are yet another example of encryption protecting
data.
Cryptographic hash functions
Encryption is usually a two-way function, meaning the same algorithm can be used to encrypt
plaintext and to decrypt ciphertext. A cryptographic hash function can be viewed as a type of
one-way function for encryption, meaning the function output cannot easily be reversed to
recover the original input. Hash functions are commonly used in many aspects of security to
generate digital signatures and data integrity checks. They take an electronic file, message or
block of data and generate a short digital fingerprint of the content called a message digest or
hash value. The key properties of a secure cryptographic hash function are:
• Output length is small compared to input

• Computation is fast and efficient for any input
• Any change to input affects lots of output bits
• One-way value -- the input cannot be determined from the output
• Strong collision resistance -- two different inputs can't create the same output
Prepared By
Page | 55
The ciphers in hash functions are optimized for hashing: They use large keys and blocks, can
efficiently change keys every block and have been designed and vetted for resistance to related-
key attacks. General-purpose ciphers used for encryption tend to have different design goals.
For example, the symmetric-key block cipher AES could also be used for generating hash
values, but its key and block sizes make it nontrivial and inefficient.
Contemporary encryption issues
For any cipher, the most basic method of attack is brute force; trying each key until the right
one is found. The length of the key determines the number of possible keys, hence the
feasibility of this type of attack. Encryption strength is directly tied to key size, but as the key
size increases so, too, do the resources required to perform the computation.
Alternative methods of breaking a cipher include side-channel attacks, which don't attack the
actual cipher but the physical side effects of its implementation. An error in system design or
execution can allow such attacks to succeed.
Attackers may also attempt to break a targeted cipher through cryptanalysis, the process of
attempting to find a weakness in the cipher that can be exploited with a complexity less than a
brute-force attack. The challenge of successfully attacking a cipher is easier if the cipher itself
is already flawed. For example, there have been suspicions that interference from the National
Security Agency weakened the Data Encryption Standard algorithm, and following revelations
from former NSA analyst and contractor Edward Snowden, many believe the NSA has
attempted to subvert other cryptography standards and weaken encryption products.
More recently, law enforcement agencies such as the FBI have criticized technology companies
that offer end-to-end encryption, arguing that such encryption prevents law enforcement from
accessing data and communications even with a warrant. The FBI has referred to this issue as
"Going Dark," while the U.S. Department of Justice has proclaimed the need for "responsible
encryption" that can be unlocked by technology companies under a court order.
WhatsApp Encryption System
WhatsApp is now end-to-end encrypted at all times. This will ensure that users’ messages,
videos, photos sent over WhatsApp can’t be read by anyone else — not WhatsApp, not cyber-
criminals, not law-enforcement agencies. Even calls and group chats will be encrypted.
WhatsApp is using “The Signal Protocol”, designed by Open Whisper Systems, for its
encryption. In its White Paper, explaining the technical details of the end-to-end encryption,
WhatsApp says that “once the session is established, clients do not need to rebuild a new
session with each other until the existing session state is lost through an external event such as
an app reinstall or device change.”
It reads, “clients exchange messages that are protected with a Message Key using AES256 in
CBC mode for encryption and HMAC-SHA256 for authentication. The Message Key changes
for each message transmitted, and is ephemeral, such that the Message Key used to encrypt a
message cannot be reconstructed from the session.” It also says that calls, large file attachments
are end-to-end encrypted as well.
Prepared By
Page | 56
RIGHT TO PRIVACY AND DATA PROTECTION
The Global technological development and computer related nature of the global economic
activities inevitably means that large amount of personal data cross national borders every day,
either over communication networks, such as the Internet, or through the manual transfer of
media, such as hard disks within notebook computers. Such transfers will predominantly occur
in the absence of any form of control or supervision by a regulatory authority. However, such
transfer could obviously pose a threat to individual, since national data protection laws may be
circumvented by transferring data to a so called 'data haven', which lacks such legislation.
The concept of data protection brings in a paradox which on hand seeks to give an individual
a greater measure of control over personal information and to place control over dissemination
of information and on the other it conflicts with individual claims to be allowed access to
information that may be intrusion in relation to the concept of privacy. The concept of data
protection is one of the most significant contributions to the law of information technology.
International Legal Instruments Protecting Privacy
The Legal protections of the right to privacy in general and of data privacy in particular have
various issues around the world and have different directives on data privacy. The basic right
to protect an individual's privacy has been enshrined in the Universal Declaration of Human
Rights, 1948 (UDHR, 1948)'as follows:
"No one shall be subjected to arbitrary interference with his privacy, family, home or
correspondence, nor to attacks upon his honour and regulation. Everyone has the right to
protection of the law against such interference or attacks."
This has also been articulated in various other International covenant and treaties under which
privacy is specifically mentioned as a right. Article 17 of the International Covenant on Civil
and Political Rights (ICCPR) provides that
(1) No person shall be subject to arbitrary or unlawful interference with his privacy. family,
human or correspondence, nor to lawful attacks on his honour and reputation.
(2) Everyone has the right to the protection of the law against such interference or attacks.
Article 16 of the UN Convention on Protection of the Child (UNCPC), Article 14 of the UN
Convention on Migrant Workers (UNCMW), Article 8 of the European Convention on Human
Rights, Article 11 of the American Convention on Human Rights; all these have set out the
right to privacy in terms similar to the UDHR.
The UDHR and the ICCPR are directly binding upon India as it is a signatory to both these
international conventions. However, no consequent legislation has been enacted in India to
protect the above-mentioned rights.
Data Protection Legislations: International Perspective
The genesis of modem legislation in this area can be traced to the first data protection law in
the world enacted in Germany in 1970; it was the first computer specific statute in the form of
Prepared By
Page | 57
a Data Protection Act. This statute was widely accepted all over Europe and throughout the
world. This was followed by national laws in Sweden (1973), the United States (1974), again
in Germany (1977), in France (1978) and Britain (1984).
A simple distinction between data protection and privacy is made in the “Lindop Report”
When it gives an example that the use of inaccurate or incomplete information, is within the
proper scope of data protection, is not necessarily a privacy issue, while data security is a part
of the requirements of adequate data protection, it also covers issues of computer systems and
computer related crimes.
The parliament of England framed its Data Protection Act (DPA) in the year 1984 which
thereafter repealed by the Data Protection Act of 1998. This Act is basically instituted for the
purpose of providing protection and privacy of the personal data of the individuals in U.K. The
Act covers data which can be used to identify a living person. This includes names, birthday,
anniversary dates, addresses, telephone numbers, fax numbers, e-mail addresses etc. It applies
only to the data which is held or intended to be held, on computers or other equipments
operating automatically in response to instructions given for that purpose or held in a relevant
filing system.
As per the Act, the persons and organizations which store personal data must register with the
information commissioner, which has been appointed as the government official to oversee the
Act. The Act put restrictions on collection of data. Personal data can be obtained only for one
or more specified and lawful purposes and shall not be further processed in any manner
incompatible with that purpose or purposes. The personal data shall be adequate, relevant, and
not excessive in relation to the purpose or purposes for which they are processed.
Though both U.S. and the European Union focus on enhancing privacy protection of their
citizens, U.S takes a different approach to privacy from that of the European Union. US adopted
the sectoral approach that relies of mix of legislation, regulation, and self-regulation. In U.S,
data are grouped into several classes on the basis of their utility and importance. Thereafter,
accordingly a different degree of protection is awarded to the different classes of data.
Several Acts were also passed in order to stabilize the data protection laws in the United States.
The Privacy Act was passed in the year 1974 which provided for establishing standards for
when it is reasonable, ethical and justifiable for government agencies to compare data in
different databases. Another Electronic Communications Privacy Act was passed for restricting
the interception of electronic communications and prohibiting the access to stored data without
the consent of the user or the communication service.
Further, the Children's Online Privacy Protection Act was passed by the US Congress in
October 1998 requiring website operators to obtain parental consent before obtaining personal
information from children, and a Consumer Internet Privacy Protection Act required an Internet
Service Provider to get permission of the subscriber before disclosing his personal information
to third parties.
However, the existing federal laws are not suffice to cover the broad range of issues and
circumstances that make the new digital environment a threat to personal privacy. Further, the
Prepared By
Page | 58
US Government has been reluctant to impose a regulatory burden on Electronic Commerce

activities that could hamper its development and has looked for an answer in self-regulation.
Two crucial international instruments evolved from these laws. The Council of Europe's 1981
Convention for the Protection of Individuals with regard to the Automatic Processing of
Personal Data and the Organization for Economic Cooperation and Development (OCED)
Guidelines Governing the Protection of Privacy and Trans Border Flows of Personal Data, set
out specific rules covering the handling of electronic data. The rules describe personal
information as data that are afforded protection at every step from collection to storage and
dissemination.
In recent years, in several countries, issues of privacy have been filed with the concept of 'data
protection'.
In order to prevent organizations from avoiding data protection controls, and therefore
guaranteeing a free flow of information, International governmental organization have
themselves involved in attempting to obtain international harmonization for data protection
legislation; including the Organization for Economic Cooperation and Development (OCED),
United Nations, The Council of Europe, European Union, United States, United Kingdom,
Japan, Malaysia, China etc.
The OCED Principles
The Organization for Economic Cooperation and Development (OCED) was established in
1961, and currently comprises 30 leading industrial nations as its member. The nature of the
organization has meant that interest in data protection has centered primarily on the promotion
of trade and economic advancement of Members States, rather than 'privacy' concerns.
The guidelines are simply recommendations to countries to adopt good data protections
practices in order to prevent unnecessary restrictions on Trans border data flows and have no
formal authority. However, some companies and trade associations, particularly in the United
States and Canada, have formally supported the guidelines. The OECD guidelines consist of
eight basic principles which are as follows:
1. Collection Limitation Principle: There should be limits to the collection of personal data
and any such data should be obtained by lawful and fair means and, where appropriate, with
the knowledge or consent of the data subject.
2. Data Quality Principle: Personal data should be relevant to the purpose for which they are
to be used, and, to the extent necessary for those purpose, should be accurate, compete and kept
up-to-date.
3. Purpose Specification Principle: The purpose for which personal data are collected should
be specified not later than at the time of collection and the subsequent use limited to the
fulfilment of those purpose or such others as are not incompatible with those purposes and as
are specified on each occasion of change of purpose.
Prepared By
Page | 59
4. Use Limitation Principle: Personal data should not be disclosed, made available or
otherwise used for purposes other than those specified in accordance with (Principle 3) except:
(a) With the consent of the data subject; or (b) By the authority of law.
5. Security Safeguards Principle: Personal data should be protected by reasonable security
safeguards against such risk as loss or unauthorized access, destruction, use modification or
disclosure of data.
6. Openness Principle: There should be a general policy of openness about developments
practices and policies with respect to personal data. Means should be readily available of
establishing existence and nature of personal data, and the main purpose of their use, as well
as the identity and usual residence of the data controller.
7. Individual Participation Principle: An individual should have the right: -
(a) To obtain from a data controller, or otherwise, confirmation of whether or not the data
controller has data relating to him;
(b) To have communicated to him, data relating to him
(i) Within a reasonable time;
(ii) At a charge, if any, that is not excessive;
(iii) In a reasonable manner; and
(iv)In a form that is readily intelligible to him;
(c) To be given reasons if a request made under sub-para is denied and to be able to
challenge such denial; and
(d) To challenge data relating to him and; if the challenge is successful, to have the data
erased, rectified, completed or amended.
8. Accountability Principles: A data controller should be accountable for complying with
measures which give effect to the principles stated above. The OECD guidelines were
developed to harmonize national privacy legislations and, at the same time, have much
relevance and the directions may be taken by states for privacy protection.
RIGHT TO PRIVACY
Drafting a data protection law for India is not a greenfield exercise. Though piecemeal, several
legislative developments and judicial pronouncements are relevant for determining the
contours of such a law.
(1) Judicial Developments on Right to Privacy
The Supreme Court in Puttaswamy overruled its previous judgments of M.P. Sharma v.
Satish Chandra (M.P. Sharma) and Kharak Singh v. State of Uttar Pradesh (Kharak
Singh) which appeared to observe that there was no fundamental right to privacy enshrined in
the Constitution of India. By doing so, it upheld several precedents following Kharak Singh,
which had recognised a right to privacy flowing from Article 21 of the Constitution of India.
Prepared By
Page | 60
The Supreme Court in M.P. Sharma examined whether the constitutionality of search and
seizure of documents pursuant to a FIR would violate the right to privacy. A majority decision
by an eight-judge Constitution bench observed that the right to privacy was not a fundamental
right under the Constitution.
Subsequently, in Kharak Singh, the issue at hand was whether regular surveillance by police
authorities amounted to an infringement of constitutionally guaranteed fundamental rights. A
Constitution bench of six judges analysed this issue in the backdrop of the validity of the
regulations governing the Uttar Pradesh police which legalised secret picketing, domiciliary
visits at night and regular surveillance., The Supreme Court struck down night-time domiciliary
visits by the police as violative of ‘ordered liberty’. Further, the Supreme Court held that Article
21 of the Constitution of India is the repository of residuary personal rights and it recognised
the common law right to privacy. However, the Court observed that privacy is not a guaranteed
fundamental right. It must be noted though, dissenting judge, Justice Subba Rao, opined that
even though the right to privacy was not expressly recognised as a fundamental right, it was an
essential ingredient of personal liberty under Article 21 and thus fundamental.
Following this approach of Justice Subba Rao, the nine-judge bench of the Supreme Court in
Puttaswamy recognised the right to privacy as an intrinsic part of the fundamental right to life
and personal liberty under Article 21 of the Constitution of India in particular, and in all
fundamental rights in Part III which protect freedoms in general and overruled the
aforementioned judgments to this extent. Notably, it was held that the Constitution of India
must evolve with the circumstances of time to meet the challenges thrown up in a democratic
order governed by the rule of law and that the meaning of the Constitution of India cannot be
frozen on the perspectives present when it was adopted.
The right to privacy was grounded in rights to freedom under both Article 21 and Article 19 of
the Constitution of India encompassing freedom of the body as well as the mind. It was held
that privacy facilitates freedom and is intrinsic to the exercise of liberty and examples of the
freedoms enshrined under Article 25, Article 26 and Article 28(3) of the Constitution of India
were given to show how the right to privacy was necessary to exercise all the aforementioned
rights. The approach of the Supreme Court in Kharak Singh and A.K. Gopalan v. State of
Madras of putting the freedoms given under Part III of the Constitution of India under distinct
compartments was also rejected. Instead, it was held that that these rights are overlapping and
the restriction of one freedom affects the other, as was also held previously in the Maneka and
Cooper judgments. Therefore, a law restricting a freedom under Article 21 of the Constitution
of India would also have to meet the reasonableness requirements under Article 19 and Article
14 of the Constitution of India.
The Supreme Court acknowledged that the concept of the right to privacy, as seen from
jurisprudence in India and abroad has evolved from the basic right to be let alone, to a range of
negative and positive rights. Thus, it now includes ‘the right to abort a foetus; rights as to
procreation, contraception, general family relationships, child rearing, education, data
protection, etc. The Court recognised ‘informational privacy’ as an important aspect of the right
to privacy that can be claimed against state and non-state actors. The right to informational
privacy allows an individual to protect information about herself and prevent it from being
Prepared By
Page | 61
disseminated. Further, the Court recognised that the right to privacy is not absolute and may be
subject to reasonable restrictions. In order to limit discretion of State in such matters, the Court
has laid down a test to limit the possibility of the State clamping down on the right – the action
must be sanctioned by law, it must be necessary to fulfil a legitimate aim of the State, the extent
of the State interference must be ‘proportionate to the need for such interference’, there must
be procedural safeguards to prevent the State from abusing its power. It has expressly
recognised “protecting national security, preventing and investigating crime, encouraging
innovation and the spread of knowledge, and preventing the dissipation of social welfare
benefits” as certain legitimate aims of the State.
(2) Legislative Developments
Though the Puttaswamy judgment is a landmark legal development in the discourse on privacy,
especially informational privacy; prior legislative attempts have been made to secure
informational privacy in various sectors in India. These includes the general data protection
rules under the Information Technology Act, 2000 (IT Act) as well as various sector specific
laws on data protection.
a. The Information Technology (Reasonable Security Practices and Sensitive Personal
Data or Information) Rules, 2011 (SPDI Rules)
The SPDI Rules have been issued under Section 43A of the IT Act. Section 43A, relates to
“Compensation for Failure to Protect Data” and enables the enactment of “reasonable security
practices and procedures” for the protection of sensitive personal data. The SPDI Rules
incorporate, to a limited extent, the OECD Guidelines, specifically: collection limitation,
purpose specification, use limitation and individual participation.
The SPDI Rules mandate certain requirements for the collection of information and insist that
it be done only for a lawful purpose connected with the function of the organisation. In addition,
every organisation is required to have a detailed privacy policy. The SPDI Rules also set out
instructions for the period of time information can be retained and gives individuals the right
to correct their information. Disclosure is not permitted without consent of the provider of the
individual, or unless such disclosure is contractually permitted or necessary for legal
compliance. When it comes to sharing information with Government agencies, then the consent
of the provider is not required and such information can be shared for purposes such as
verification of identity, prevention, detection and investigation including of cyber incidents,
prosecution, and punishment of offences.
The SPDI Rules apply only to corporate entities and leaves the government and government
bodies outside its ambit; the rules are restricted to “sensitive personal data”, which includes
attributes like sexual orientation, medical records and history, biometric information etc. and
not to the larger category of personal data. Further, the Cyber Appellate Tribunal (CyAT)
which hears appeals under the IT Act has issued its last order in 2011. The absence of an
effective enforcement machinery therefore raises concerns about the implementation of the
SPDI Rules. It is thus necessary to make a comprehensive law to adequately protect personal
data in all its dimensions and to ensure an effective enforcement machinery for the same.
Prepared By
Page | 62
b. The Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and
Services) Act, 2016 (Aadhaar Act)
The Aadhaar Act enables the Government to collect identity information from citizens
including their biometrics, issue a unique identification number or an Aadhaar Number on the
basis of such biometric information, and thereafter provide targeted delivery of subsidies,
benefits and services to them. The Aadhaar Act also provides for Aadhaar based authentication
services wherein a requesting entity (government/public and private entities/agencies) can
request the Unique Identification Authority of India (UIDAI) to verify/validate the correctness
of the identity information submitted by individuals to be able to extend services to them. The
requesting entity is required to obtain the consent of the individual before obtaining her identity
information for the purpose of authentication and must use her identity information only for
the purpose of authentication.
The Aadhaar Act establishes an authority, namely, the UIDAI, which is responsible for the
administration of the said Act. It also establishes a Central Identities Data Repository (CIDR)
which is a database holding Aadhaar Numbers and corresponding demographic and biometric
information. Under the Aadhaar Act, collection, storage and use of personal data is a
precondition for the receipt of a subsidy, benefit or service. Though the Aadhaar Act does not
per se make application for an Aadhaar Number mandatory (it is specifically provided as an
“entitlement” under Section 3) except for availing of certain benefits, subsidies and services
funded from the Consolidated Fund of India, in practice, taking of Aadhaar Number is
becoming mandatory for availing most services through a range of cognate laws.
The Aadhaar Act and its regulations recognise various data protection principles, to ensure the
security of information and privacy of Aadhaar Number holders. First, there is an obligation
on the UIDAI to ensure security and confidentiality of the identity information and
authentication records of individuals which includes taking all necessary steps to protect such
information against unlawful access, use or disclosure, and accidental or intentional
destruction, loss or damage. Further, the Aadhaar Act prohibits the sharing of core biometric
information, and the use of it for a purpose other than the generation of Aadhaar Numbers and
authentication. The sharing of information other than core biometric information is permissible
under certain conditions. The Aadhaar Act also permits an individual to make a request to the
UIDAI to provide her access to her identity information (excluding her core biometric
information) and her authentication records. She can also seek rectification of her demographic
data if it changes/is incorrect, and her biometric information if it is lost or changes. Finally, the
UIDAI will have no knowledge of the purpose of any authentication.
Data protection norms for personal information collected under the Aadhaar Act are also found
in the Aadhaar (Data Security) Regulations, 2016 (Aadhaar Security Regulations). The
Aadhaar Security Regulations impose an obligation on the UIDAI to have a security policy
which sets out the technical and organisational measures which will be adopted by it to keep
information secure.
Despite its attempt to incorporate various data protection principles, Aadhaar has come under
considerable public criticism. First, though seemingly voluntary, possession of Aadhaar has
Prepared By
Page | 63
become mandatory in practice, and has been viewed by many as coercive collection of personal
data by the State. Concerns have also been raised vis-a-vis the provision on Aadhaar based
authentication which permits collection information about an individual every time an
authentication request is made to the UIDAI. Finally, despite an obligation to adopt adequate
security safeguards, no database is 100% secure. In light of this, the interplay between any
proposed data protection framework and the existing Aadhaar framework will have to be
analysed.
c. Financial Sector
Financial information, being a highly sensitive category of information, necessitates an
adequate data protection regime for its protection. The primary legal instruments that address
data protection in the financial sector include: The Credit Information Companies (Regulation)
Act, 2005 (CIC Act), the Credit Information Companies Regulation, 2006 (CIC Regulations)
and circulars issued by the Reserve Bank of India (RBI). Further, the SPDI Rules recognise
financial information such as credit card, debit card and other payment instrument details as
sensitive personal data, thus to that extent regulating their use, collection and disclosure.
(i). CIC Act
In the financial sector, provisions scattered across various statutes provide for an obligation to
maintain customer confidentiality and adherence to data protection norms. However, the CIC
Act, along with the CIC Regulations, is perhaps the legislation with the most comprehensive
provisions on data protection in the financial sector.
The CIC Act primarily applies to credit information companies (CICs) and recognises them as
collectors of information. The CIC Act imposes an obligation on CICs to adhere to privacy
principles at the stage of collection, use and disclosure of credit information, and requires them
to ensure that credit information held by them is accurate, complete and protected against loss
or unauthorised use, access and disclosure. Similarly, the CIC Regulations impose an
obligation on CICs to ensure data security and secrecy. It also requires them to adhere to a large
number of recognised data protection principles such as: data collection limitation, data use
limitation, data accuracy, data retention and access and modification.
(ii). RBI Circulars
The Know Your Customer (KYC) norms limit the categories of information that banks and
financial institutions can seek from their customers. Once such information is collected, there
is an obligation on banks to keep it confidential. Further, multiple instruments such as the
Master Circular on Credit Card, Debit Card and Rupee Denominated Co-Branded Prepaid Card
Operations of Banks and Credit Card issuing NBFCs, the Master Circular on Customer
Services, 2009 and the Code of Banks Commitment to Customers etc. all provide for privacy
and customer confidentiality obligations that have to be adhered to by various entities in the
financial sector.
Prepared By
Page | 64
d. Telecom Sector
There are multiple laws that operate in the telecom sector such as the Indian Telegraph Act,
1885 (Telegraph Act), the Indian Wireless Telegraphy Act, 1933, the Telecom Regulatory
Authority of India Act, 1997 (TRAI Act) and various regulations issued thereunder. However,
data protection norms in the telecom sector are primarily dictated by the Unified License
Agreement (ULA) issued to Telecom Service Providers (TSP) by the Department of
Telecommunications (DoT).
The format in which, and the types of information that are to be collected from the individual
is prescribed by the DoT. A TSP has an obligation to take necessary steps to safeguard the
privacy and confidentiality of the information of individuals to whom it provides a service and
from whom it has acquired such information by the virtue of the service provided.
Further, the TSP is obliged to maintain all commercial, call detail records, exchange detail
records and IP detail records for at least one year for scrutiny by the DoT. As far as security
safeguards are concerned, there are multiple obligations prescribed for the TSP which includes
inducting only those network elements into its telecom network which have been tested as per
the contemporary Indian or International Security Standards, amongst others. Finally, customer
information can be disclosed only if the individual has consented to such disclosure and the
disclosure is in accordance with the terms of consent. In addition, the TSP has to make efforts
to comply with the Telegraph Act which imposes an obligation on it to facilitate the
Government to carry out ‘interception’ of messages in case of emergencies - a privacy intrusion
justified largely in the name of national security. There are some procedural safeguards built
into this process of interception.
Further, the Telecom Regulatory Authority of India (TRAI) has framed the Telecom
Commercial Communication Preference Regulations, 2010 (TRAI Regulations) to deal with
unsolicited commercial communications. The TRAI Regulations envisage the setting up of
Customer Preference Registration Facility by telecom service providers through which
customers could choose to not receive commercial communications. However, these
regulations are limited to messages and other communication through phones and would not
cover an email application or advertisements appearing on browsers.
e. Health Sector
Despite the inherently sensitive nature of health information, the legal framework on data
protection in the health sector appears to be inadequate. The Clinical Establishments (Central
Government) Rules, 2012 (Clinical Establishments Rules) requires clinical establishments to
maintain and provide Electronic Medical Records/Electronic Health Records, thus mandating
the storage of health information in an electronic format. The SPDI Rules recognise health
information as constituting ‘sensitive personal data’ and thus regulates its collection, use and
disclosure. However, as already mentioned the SPDI Rules apply only to the private sector thus
leaving the whole of the public health sector outside its ambit.
The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002
(IMC Code) issued under the Indian Medical Council Act, 1956 mandate physician-patient
Prepared By
Page | 65
confidentiality unless the disclosure of the patient ‘s information is required by law, or if there
is a serious and identified risk to an individual/community, or the disease is a notifiable one.
Interestingly, at the same time the IMC Code requires that the patient, her relatives and
responsible friends have knowledge of the patient's condition so as to serve her best interests
thus allowing for disclosure without the consent of the patient. Further, physicians are
encouraged to computerise medical records, maintain them for a period of three years and
provide access to them to the patient upon her request. However, the limited privacy safeguards
and absence of an enforcement mechanism renders the IMC Code largely inadequate to address
the concerns surrounding health information.
These existing laws and regulations will have to be analysed and changes, if any, concomitant
with the introduction of a new data protection framework, suggested.
(3) The AP Shah Committee Report
In 2012, a Group of Experts on Privacy was constituted by the erstwhile Planning Commission
under the Chairmanship of Justice AP Shah (Justice AP Shah Committee). The report of the
Justice AP Shah Committee recommended a detailed framework that serves as the conceptual
foundation for a privacy law in India, considering multiple dimensions of privacy. After a
detailed deliberative and consultative exercise, it proposed a set of nine National Privacy
Principles to be followed, broadly derived from the OECD Guidelines. It also proposed a co-
regulatory form of enforcement with privacy commissioners set up by statute along with self-
regulatory organisations. The principles recommended by the Justice AP Shah Committee as
well as the model of enforcement deserve close scrutiny insofar as they relate to question of
data protection.
LEGAL RESPONSE FOR INTERNET CRIME
What is a cybercrime?
Cyber Crime is not defined officially in IT Act or in any other legislation. In fact, it cannot be
too. Offence or crime has been dealt with elaborately listing various acts and the punishments
for each, under the Indian Penal Code, 1860 and related legislations. Hence, the concept of
cyber-crime is just a “combination of crime and computer”.
Cybercrime in a narrow sense (computer crime): Any illegal behaviour directed by means of
electronic operations that targets the security of computer systems and the data processed by
them.
Cybercrime in a broader sense (computer-related crime): Any illegal behaviour committed by

means of, or in relation to, a computer system or network, including such crimes as illegal
possession and offering or distributing information by means of a computer system or network.
• Any contract for the sale or conveyance of immovable property or any interest
in such property;
Prepared By
Page | 66
• Any such class of documents or transactions as may be notified by the Central

Government
Cases Studies as per selected IT Act Sections
Here are the case studies for selected IT Act sections.
For the sake of simplicity and maintaining clarity, details on the IT Act sections have been
omitted. Kindly refer the Appendix at the last section for the detailed account of all the penalties
and offences mentioned in IT Act.
Section 43 – Penalty and Compensation for damage to computer, computer system, etc
Related Case: Mphasis BPO Fraud: 2005 In December 2004, four call centre employees,
working at an outsourcing facility operated by MphasiS in India, obtained PIN codes from four
customers of MphasiS’ client, Citi Group. These employees were not authorized to obtain the
PINs. In association with others, the call centre employees opened new accounts at Indian
banks using false identities. Within two months, they used the PINs and account information
gleaned during their employment at MphasiS to transfer money from the bank accounts of Citi
Group customers to the new accounts at Indian banks.
By April 2005, the Indian police had tipped off to the scam by a U.S. bank, and quickly
identified the individuals involved in the scam. Arrests were made when those individuals
attempted to withdraw cash from the falsified accounts, $426,000 was stolen; the amount
recovered was $230,000.
Verdict: Court held that Section 43(a) was applicable here due to the nature of unauthorized
access involved to commit transactions.
Section 65 – Tampering with Computer Source Documents

Related Case: Syed Asifuddin and Ors. Vs. The State of Andhra Pradesh: In this case,
Tata Indicom employees were arrested for manipulation of the electronic 32- bit number (ESN)
programmed into cell phones theft were exclusively franchised to Reliance Infocomm.
Verdict: Court held that tampering with source code invokes Section 65 of the Information
Technology Act.
Section 66 – Computer Related offenses

Related Case: Kumar v/s Whiteley: In this case the accused gained unauthorized access to
the Joint Academic Network (JANET) and deleted, added files and changed the passwords to
deny access to the authorized users. Investigations had revealed that Kumar was logging on to
the BSNL broadband Internet connection as if he was the authorized genuine user and ‘made
alteration in the computer database pertaining to broadband Internet user accounts’ of the
subscribers. The CBI had registered a cyber-crime case against Kumar and carried out
investigations on the basis of a complaint by the Press Information Bureau, Chennai, which
detected the unauthorised use of broadband Internet. The complaint also stated that the
subscribers had incurred a loss of Rs 38,248 due to Kumar’s wrongful act. He used to ‘hack’
sites from Bangalore, Chennai and other cities too, they said.
Prepared By
Page | 67
Verdict: The Additional Chief Metropolitan Magistrate, Egmore, Chennai, sentenced N G

Arun Kumar, the techie from Bangalore to undergo a rigorous imprisonment for one year with
a fine of Rs 5,000 under section 420 IPC (cheating) and Section 66 of IT Act (Computer related
Offense).
Section 66A – Punishment for sending offensive messages through communication service
Relevant Case #1: Fake profile of President posted by imposter On September 9, 2010, the
imposter made a fake profile in the name of the Hon’ble President Pratibha Devi Patil. A
complaint was made from Additional Controller, President Household, President Secretariat
regarding the four fake profiles created in the name of Hon’ble President on social networking
website, Facebook. The said complaint stated that president house has nothing to do with the
Facebook and the fake profile is misleading the general public. The First Information Report
Under Sections 469 IPC and 66A Information Technology Act, 2000 was registered based on
the said complaint at the police station, Economic Offences Wing, the elite wing of Delhi Police
which specializes in investigating economic crimes including cyber offences.
Relevant Case #2: Bomb Hoax mail: In 2009, a 15-year-old Bangalore teenager was arrested
by the cyber-crime investigation cell (CCIC) of the city crime branch for allegedly sending a
hoax e-mail to a private news channel. In the e-mail, he claimed to have planted five bombs in
Mumbai, challenging the police to find them before it was too late. At around 1p.m. on May
25, the news channel received an e-mail that read: “I have planted five bombs in Mumbai; you
have two hours to find it.” The police, who were alerted immediately, traced the Internet
Protocol (IP) address to Vijay Nagar in Bangalore. The Internet service provider for the account
was BSNL, said officials.
Section 66C – Punishment for identity theft

Relevant Cases:
The CEO of an identity theft protection company, Lifelock, Todd Davis’s social security
number was exposed by Matt Lauer on NBC’s Today Show. Davis’ identity was used to obtain
a $500 cash advance loan.
Li Ming, a graduate student at West Chester University of Pennsylvania faked his own death,
complete with a forged obituary in his local paper. Nine months later, Li attempted to obtain a
new driver’s license with the intention of applying for new credit cards eventually.
Section 66D – Punishment for cheating by impersonation by using computer resource

Relevant Case: Sandeep Vaghese v/s State of Kerala
A complaint filed by the representative of a Company, which was engaged in the business of
trading and distribution of petrochemicals in India and overseas, a crime was registered against
nine persons, alleging offenses under Sections 65, 66, 66A, C and D of the Information
Technology Act along with Sections 419 and 420 of the Indian Penal Code.
The company has a web-site in the name and and style www.jaypolychem.com' but, another
web site www.jayplychem.org’ was set up in the internet by first accused Samdeep Varghese
Prepared By
Page | 68
@ Sam, (who was dismissed from the company) in conspiracy with other accused, including
Preeti and Charanjeet Singh, who are the sister and brother-in-law of `Sam’
Defamatory and malicious matters about the company and its directors were made available in
that website. The accused sister and brother-in-law were based in Cochin and they had been
acting in collusion known and unknown persons, who have collectively cheated the company
and committed acts of forgery, impersonation etc.
Two of the accused, Amardeep Singh and Rahul had visited Delhi and Cochin. The first
accused and others sent e-mails from fake e-mail accounts of many of the customers, suppliers,
Bank etc. to malign the name and image of the Company and its Directors. The defamation
campaign run by all the said persons named above has caused immense damage to the name
and reputation of the Company.
The Company suffered losses of several crores of Rupees from producers, suppliers and
customers and were unable to do business.
Section 66E – Punishment for violation of privacy

Relevant Cases:
i.Jawaharlal Nehru University MMS scandal: In a severe shock to the prestigious and
renowned institute – Jawaharlal Nehru University, a pornographic MMS clip was apparently
made in the campus and transmitted outside the university. Some media reports claimed that
the two accused students initially tried to extort money from the girl in the video but when they
failed the culprits put the video out on mobile phones, on the internet and even sold it as a CD
in the blue film market.
ii.Nagpur Congress leader’s son MMS scandal: On January 05, 2012 Nagpur Police arrested
two engineering students, one of them a son of a Congress leader, for harassing a 16-year-old
girl by circulating an MMS clip of their sexual acts. According to the Nagpur (rural) police,
the girl was in a relationship with Mithilesh Gajbhiye, 19, son of Yashodha Dhanraj Gajbhiye,
a zila parishad member and an influential Congress leader of Saoner region in Nagpur district.
Section-66F Cyber Terrorism

Relevant Case: The Mumbai police have registered a case of ‘cyber terrorism’—the first in the
state since an amendment to the Information Technology Act—where a threat email was sent
to the BSE and NSE on Monday. The MRA Marg police and the Cyber Crime Investigation
Cell are jointly probing the case. The suspect has been detained in this case. The police said an
email challenging the security agencies to prevent a terror attack was sent by one Shahab Md
with an ID sh.itaiyeb125@yahoo.in to BSE’s administrative email ID
corp.relations@bseindia.com at around 10.44 am on Monday. The IP address of the sender has
been traced to Patna in Bihar. The ISP is Sify. The email ID was created just four minutes
before the email was sent. “The sender had, while creating the new ID, given two mobile
numbers in the personal details column. Both the numbers belong to a photo frame-maker in
Patna,’’ said an officer.
Status: The MRA Marg police have registered forgery for purpose of cheating, criminal
intimidation cases under the IPC and a cyber-terrorism case under the IT Act.
Prepared By
Page | 69
Section 67 – Punishment for publishing or transmitting obscene material in electronic

form
Relevant Case: This case is about posting obscene, defamatory and annoying message about
a divorcee woman in the Yahoo message group. E-mails were forwarded to the victim for
information by the accused through a false e- mail account opened by him in the name of the
victim. These postings resulted in annoying phone calls to the lady. Based on the lady’s
complaint, the police nabbed the accused. Investigation revealed that he was a known family
friend of the victim and was interested in marrying her. She was married to another person, but
that marriage ended in divorce and the accused started contacting her once again. On her
reluctance to marry him he started harassing her through internet.
Verdict: The accused was found guilty of offences under section 469, 509 IPC and 67 of IT
Act 2000. He is convicted and sentenced for the offence as follows:
▪As per 469 of IPC he has to undergo rigorous imprisonment for 2 years and to pay fine of
Rs.500/-
▪As per 509 of IPC he is to undergo to undergo 1-year Simple imprisonment and to pay Rs 500/-
▪As per Section 67 of IT Act 2000, he has to undergo for 2 years and to pay fine of Rs.4000/-
All sentences were to run concurrently.

The accused paid fine amount and he was lodged at Central Prison, Chennai. This is considered
the first case convicted under section 67 of Information Technology Act 2000 in India.
Section 67B – Punishment for publishing or transmitting of material depicting children

in sexually explicit act, etc. in electronic form
Relevant Case: Janhit Manch & Ors. v. The Union of India 10.03.2010 Public Interest
Litigation: The petition sought a blanket ban on pornographic websites. The NGO had argued
that websites displaying sexually explicit content had an adverse influence, leading youth on a
delinquent path.
Section 69 – Powers to issue directions for interception or monitoring or decryption of

any information through any computer resource
Relevant Case: In August 2007, Lakshmana Kailash K., a techie from Bangalore was arrested
on the suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical
figure in the state of Maharashtra, on the social-networking site Orkut. The police identified
him based on IP address details obtained from Google and Airtel -Lakshmana’s ISP. He was
brought to Pune and detained for 50 days before it was discovered that the IP address provided
by Airtel was erroneous. The mistake was evidently due to the fact that while requesting
information from Airtel, the police had not properly specified whether the suspect had posted
the content at 1:15 p.m.
Verdict: Taking cognizance of his plight from newspaper accounts, the State Human Rights
Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as
damages. The incident highlights how minor privacy violations by ISPs and intermediaries
could have impacts that gravely undermine other basic human rights.
Prepared By
Page | 70
Common Cyber-crime scenarios and Applicability of Legal Sections
Let us look into some common cyber-crime scenarios which can attract prosecution as per the
penalties and offences prescribed in IT Act 2000 (amended via 2008) Act.
▪ Harassment via fake public profile on social networking site

A fake profile of a person is created on a social networking site with the correct address,
residential information or contact details but he/she is labelled as ‘prostitute’ or a person
of ‘loose character’. This leads to harassment of the victim. Provisions Applicable: -
Sections 66A, 67 of IT Act and Section 509 of the Indian Penal Code.
▪ Online Hate Community

Online hate community is created inciting a religious group to act or pass objectionable
remarks against a country, national figures etc. Provisions Applicable: Section 66A of
IT Act and 153A & 153B of the Indian Penal Code.
▪ Email Account Hacking

If victim’s email account is hacked and obscene emails are sent to people in victim’s
address book. Provisions Applicable: - Sections 43, 66, 66A, 66C, 67, 67A and 67B of
IT Act.
▪ Credit Card Fraud

Unsuspecting victims would use infected computers to make online transactions.
Provisions Applicable: - Sections 43, 66, 66C, 66D of IT Act and section 420 of the IPC.
▪ Web Defacement
The homepage of a website is replaced with a pornographic or defamatory page.
Government sites generally face the wrath of hackers on symbolic days. Provisions
Applicable: - Sections 43 and 66 of IT Act and Sections 66F, 67 and 70 of IT Act also
apply in some cases.
▪ Introducing Viruses, Worms, Backdoors, Rootkits, Trojans, Bugs

All of the above are some sort of malicious programs which are used to destroy or gain
access to some electronic information. Provisions Applicable: - Sections 43, 66, 66A of
IT Act and Section 426 of Indian Penal Code.
▪ Cyber Terrorism
Many terrorists are use virtual (GDrive, FTP sites) and physical storage media (USB’s,
hard drives) for hiding information and records of their illicit business. Provisions
Applicable: Conventional terrorism laws may apply along with Section 69 of IT Act.
▪ Online sale of illegal Articles

Where sale of narcotics, drugs weapons and wildlife is facilitated by the Internet
Provisions Applicable: - Generally conventional laws apply in these cases.
Prepared By
Page | 71
▪ Cyber Pornography
Among the largest businesses on Internet. Pornography may not be illegal in many
countries, but child pornography is. Provisions Applicable: - Sections 67, 67A and 67B
of the IT Act.
▪ Phishing and Email Scams

Phishing involves fraudulently acquiring sensitive information through masquerading a
site as a trusted entity. (E.g. Passwords, credit card information) Provisions Applicable:
- Section 66, 66A and 66D of IT Act and Section 420 of IPC
▪ Theft of Confidential Information

Many business organizations store their confidential information in computer systems.
This information is targeted by rivals, criminals and disgruntled employees. Provisions
Applicable: - Sections 43, 66, 66B of IT Act and Section 426 of Indian Penal Code.
▪ Source Code Theft

A Source code generally is the most coveted and important “crown jewel” asset of a
company. Provisions applicable: - Sections 43, 66, 66B of IT Act and Section 63 of
Copyright Act.
▪ Tax Evasion and Money Laundering

Money launderers and people doing illegal business activities hide their information in
virtual as well as physical activities. Provisions Applicable: Income Tax Act and
Prevention of Money Laundering Act. IT Act may apply case-wise.
▪ Online Share Trading Fraud

It has become mandatory for investors to have their demat accounts linked with their
online banking accounts which are generally accessed unauthorized, thereby leading to
share trading frauds. Provisions Applicable: Sections 43, 66, 66C, 66D of IT Act and
Section 420 of IPC
Prepared By
Page | 72
MODULE 4
Sale through Internet and Consumer Protection – Information Technology Act – Legal
Response to E Governance – Taxation in Internet.
E-COMMERCE AND CONSUMER PROTECTION

In a business ecosystem, consumers are the most vital elements. A business is not reviewed in
isolation but is always considered in a combination with the consumers of its good and services.
Given such high level of importance that a consumer has in a business network, it is a matter
of great shame that their consumer rights are not protected due to non-availability of effective
and stringent laws and the ineffectual redressal mechanisms, especially in e-commerce or
online transactions. Though e-commerce has enabled the Indian consumer to cross boundaries
of states and countries to procure products of their choice, this increased scope for purchase
and sale transactions brought about by e-commerce is not well protected by the various Indian
consumer laws.
The laws with respect to the same have proved to be stagnant, leaving many of such customers
remediless. Non-protection of data made available online, ineffective delivery system,
misleading advertisements, uncertainty with respect to jurisdiction in case of disputes, are some
of the emerging concerns in the field of e-commerce.
E- Commerce though not specifically defined in any Consumer legislation, is in general
parlance defined as activities that relate to buying and selling of goods and services over the
Internet. Electronic commerce operates in all four of the major market segments: business to
business, business to consumer, consumer to consumer and consumer to business. In India,
there are three type of e-commerce business model are in vogue (i) Inventory base model of e-
commerce (ii) Marketplace base model of e-commerce (iii) Hybrid model of inventory based
and market place model. The scope of e-commerce has grown simultaneously with the growth
of internet worldwide. The huge platform that e-commerce has provided the Indian traders for
trade and commerce is noteworthy. Not only have the traders benefitted from transgressing
territorial boundaries for the sale of their products, the consumers of goods and services have
been provided with such advantages like multiple choices, convenient delivery services, quality
goods at competitive prices etc. Internet has thus revolutionized the way Indians and the rest
of the world buy and sells their products.
INTERNATIONAL SCENARIO
Many organizations are working for the protection of the consumers. Some of them are
Economic Cooperation and Development, International Chamber of Commerce and
International Consumer Protection and Enforcement Network.
Economic Cooperation and Development {OECD}: The guidelines sanctioned after intense
negotiation in the context of e-commerce, proved much helpful to the government, consumers,
and business and became practically feasible. They embraced flexibility in response to the
development of age. The guidelines also achieved a benchmark for consumer protection in the
online marketplace. They facilitate online trade, thereby not implementing any of the restrictive
Prepared By
Page | 73
trade policies. Some of its universal guidelines for consumer protection in e-commerce are as
follows.
• E-commerce should get an equal protection, when shopping online or when buying the
same goods from a local store.
• There should be a complete disclosure about the goods and services rendered. The e-
customers should be aware of the transaction, they have consented to. They should be
having a complete knowledge of what they are buying and the transaction they are
dealing with.
• The confirmation process for sale should give a fair chance to the consumer for
reviewing the products that he intends to buy in case there is any cancellation.
• Most importantly, the system of payments must be secure and reliable.
• In the case of an international transaction, if a dispute arises, it becomes difficult to
redress. Thus, Alternative Dispute Resolution system is recommended here.
International Chamber of Commerce: It was in 1996, that the organization released

‘guidelines on advertising and marketing on the internet’. The guidelines issued by the ICC
were meant to be applied to all promotional activities like marketing and advertising on the
internet. They set standards of ethical conduct to be observed by all involved in the above
activities. Its specific objectives with respect to consumer protection in the sphere of e-
commerce can be checked out at a glance:
• Improve and instil the public confidence in advertising and marketing via the new
system.
• To safeguard optimal freedom of expression for advertisers and markers.
• To minimize the need for governmental legislation or regulation.
• Meet the consumer privacy expectation.
International Consumer Protection and Enforcement Network: The ICPEAN aims to

preserve and protect the interests of the consumers all over the world. It shares information
about activities taking place across borders which may be of use to the consumers and promote
their welfare to encourage global cooperation among law enforcement agencies.
The Okinawa Charter on Global information society addressed topical issues at length like,
making use of digital opportunities, bridging the digital divide, promoting global participation.
To achieve its objectives, it has set forth policies and guidelines, thus increasing access and
participation in global e-commerce networks.
INDIAN SCENARIO
On one hand online shopping portals like Flipkart and Jabong ensure numerous options for a
wide range of goods online with quick and effective delivery systems, on the other hand , online
operations are undertaken by Indian Railways, State Electricity Boards , banks , movie theatres
etc for payment and booking purposes. Thus the feasibility of operations that online
transactions have brought about to the Indian trade industry and other transactions is
remarkable. However, the sad reality on the other side of the coin is that even with such
Prepared By
Page | 74
increased scope, there is a disadvantage of entering into such online transactions, being the
ambiguity in the laws relating to them.
CONSUMER PROTECTION ACT, 1986
A consumer has various rights that are granted to him by the provisions of numerous consumer
laws enacted in the country. Consumer Protection Act, 1986 is the fundamental and principle
Act that lays down and guarantees rights to consumers. This Act enumerates the three-tier
redressal mechanism that exists in India namely at the district, state and national levels to
redress any consumer dispute. However, the law until recent times was ambiguous as to
whether such provisions would be applicable to online transactions. On July 8, 2014 the
Minister of State for Consumer Affairs, Food and Public Distribution, in a written reply in Lok
Sabha made an announcement of including online transactions also in the ambit of Consumer
Protection Act, 1986. This fundamentally meant that complainants can approach various
Consumer Forum i.e. District Consumer Forum, State Commission and National Commission
for resolution of their grievances. Though such an announcement does not necessarily
transform into a law, it was a vital step to bring into effect, a mechanism for safeguarding the
rights.
However, even this does not mean that there is a separate mechanism for redressal of disputes
arising out of online transactions or that new provisions that specially cater to e-commerce
have been introduced. In effect the provisions of the Consumer Protection Act, 1986 are made
applicable to online transactions as well. Prior to this recent express declaration, the Consumer
Protection Act, 1986 was impliedly applied to online transactions, in accordance with the
definitions provided under the Act. Any person who buys any good or avails or hires any
service for any consideration, whether paid or otherwise, except for commercial use is regarded
as a consumer under the Consumer Protection Act, 1986. Buyer as per Sale of Goods Act, 1930
is defined as any person who buys or agrees to buy goods. Thus, following these two
definitions, any person who pays or agrees to pay a price for a particular good can be regarded
as a consumer, irrespective of such a sale being online. Additionally, contract of sale4 as
defined under the Sale of goods Act, 1930 is indicative of the fact that such may apply to online
transactions along with regular transactions.
Thus, earlier though there was absolutely no express mention of e-commerce falling under the
ambit of Consumer Protection Act, 1986 these provisions impliedly provided a right to
consumer to seek redressal under the same. However, Consumer Protection Act, 1986 only
provides a narrower picture. The Act does not provide a solution to the various loopholes that
are brought about by online transactions due to their impersonal nature, which may be
considered their flipside as well. The scope that Consumer Protection Act, 1986 has with
respect to e-commerce is thus restricted to providing a redressal mechanism that is applicable
to direct transactions as well. Further, Consumer Protection Act, 1986 becomes applicable
when there is a “defect in goods” or “deficiency in services”. Hence only if one of the above
two criteria are satisfied Consumer Protection Act, 1986 would come into play. In e-commerce
the major concern is about efficient delivery of the goods. However, there is no redressal
provided if goods are not delivered in the time specified. Such intricacies create more trouble
Prepared By
Page | 75
to the online consumers due to the anonymity of the seller . Many complaints have been filed
by online consumers regarding the same in consumer forums, however the unclear laws and
the consequent ambiguity has resulted in their grievances not being paid heed to.
INFORMATION TECHNOLOGY ACT, 2000
Apart from the principle law for consumer protection, many other laws cover online
transactions. Information Technology Act, 2000 is another functional and comprehensive
legislation which provides a legal framework for e-commerce. It essentially covers commercial
transactions, in specific between the government through of its many functionaries and the
citizens. The transactions are focused towards e-governance and are aimed at implementing
measures for authentication of the electronic records by usage of digital signature certificates
etc (Chapter VII of I T Act) for carrying out day to day business transactions like filing and
viewing official documents in the electronic format. The IT Act, 2000 is an attempt by the govt.
to digitalize its workings by making every piece of information available online and further
ensuring that such transactions are secured. Further, it provides for remedial measures like
appointment of Controller (Section 17 of I T Act) and setting up a Cyber Regulations Appellate
Tribunal (Chapter X of IT Act) for penalizing the cyber offences as laid under Section 43 to 47
of the Act.
The most significant characteristic of this Act, however still is that it provides legal recognition
to electronic records (Section 8 of IT Act). In effect it also amends the Evidence Act, Indian
Penal Code, Bankers' Books Evidence Act and the Indian Stamp Act. This legal recognition
forms the foundation of all the e-commerce undertaken by customers and also guarantees
effective enforcement of the rights of consumers, if infringed.
Yet, this act does not holistically cover all the aspects of e-commerce with respect to consumer
rights. It primarily covers business or commercial transactions that are undertaken by business
to govt. or vice versa. It provides details about filing, retaining, viewing documents with respect
to a business and safeguards and authenticates those documents with the help of digital
signatures, asymmetric crypto system etc. An ordinary Indian man does not, in his daily life
enter into such transaction; instead they mostly utilize electronic commerce for online
shopping, online banking and money transfer activities etc. No specific provisions for the same
have been laid down under the Act even though it is the need of the hour for the enactment of
such provisions. The objectives of the Act as stated include facilitation and giving legal
sanction to electronic fund transfers between banks and financial institutions in addition to
giving legal recognition for keeping of books of accounts by bankers in electronic form.
Though nowadays such facilities have been made possible, no legal framework for protection
of consumer rights is provided under the IT Act. Thus, this significant aspect of e-commerce
is not covered
ELECTRONIC GOVERNANCE
There are various benefits provided by the technology whether it is at an individual level, or
development of the Country as a whole. It’s a tool which makes a platform for the growth and
Prepared By
Page | 76
development of the Country and is therefore important. The use by government agencies of the
information technologies (IT) to improve and transform relations with the citizens, businesses
and other arms of the government for availing services to its citizens and providing them an
efficient way of complying with the norms/rules/regulations set by the government, is known
as e-governance. This kind of technological use is being introduced for the welfare of the
marginalized sections of the society also and is therefore an initiative for helping them join the
mainstream of the society. It’s only that the information needs to be spread among all the
sections of the society to avail the services of the e-governance. Government through the use
of IT based technology has now become facilitator of its services to different segments of
people at all levels.
The use of IT by the government to facilitate services like filling the forms online, payment of
bills (electricity, water supply etc.), distant education for its citizens, filing the tax returns,
registration of land records and birth and death rates in India, and tele-medicines, and the
services like e-chaupal have led to an efficient, and easy to use of system for the citizens
irrespective of any disparity among them. Government can provide services and information
electronically to its citizens and business enterprises. Business transactions with the
government can be done by Government to Business Transactions (G2B) where the
information is delivered and transactions are made electronically with the businesses. It even
helps in government to government transactions, or inter-departmental transactions within the
government, and with government employees called, Inter Government Administration,
(G2G). Through e-governance the transactions would be more efficient, effective and
transparent. E-governance can also help increasing the exports and tourism and raise foreign
trade of the country through G2X Transactions.
Advantages
E-governance is a scheme to connect the citizens, businesses and other arms of the government
and help them interact in a better way to improve the economy of the country as a whole. Not
only this, it also helps in the empowerment of the citizens, as all the new government policies,
rules etc. would be put on the forefront through e-governance. This would facilitate right to
information to the citizens enshrined under Article 19 of the Constitution and empower them
to avail of their rights in better way, as before it was hard to keep themselves updated with
policies and rules adopted by the government. So, the system has not only made the
administration better but also helped citizens get updated with the new policies, processes and
the help-lines been offered by the government at all levels.
The e-governance has made the system more transparent, by cutting down the practice of red-
tapism, corruption by the officials, as now the government can reach the citizens directly. E-
governance in a long run would surely bring the benefit of improving the revenue collections,
and therefore would help the government to gain higher revenue for enhancing the welfare of
citizens. Not only this it would also at the same time reduce the cost of running the government
as every service offered by the government would be governed through the technology, at the
same time there wouldn’t be un-employment as the employees previously employed would be
transferred to alternative jobs for their livelihood.
Prepared By
Page | 77
At present, India is providing E-governance services in the field of Agriculture, education and
power and is yet to provide the same for income tax returns and revenue collections also. Other
Countries like Singapore, Canada have already introduced the most commonly used services
online for the efficiency of the citizens by 2005 and improved the same by now with increased
citizen’s satisfaction. And in case of United States, citizens can access the services offered by
the government within three clicks, why should India be left behind? It’s delightful to note that,
the national action plan has been approved for the implementation in the year 2003-2007, with
10 components and 25 mission mode projects, like Banking, Income tax, passport visa and
immigration projects, National citizen database, Central excise, pensions, land records,
property registration, municipalities, commercial taxes etc. This can be said to be the way of
re-engineering the government services according to the changing needs of time, by providing
integrated services as one stop shop for all services of the government. Other important
advantage being, accountability of the government as the payment made is stored into the data
of the computer system with the receipt of the payment. This would help in citizens’ welfare,
and the national economic growth.
The first e-governance project on Land records computerization was BHOOMI in the state of
Karnataka, and then we also have Rural Access to Services through internet (RASI) in the state
of Tamil Nadu. Andhra Pradesh has introduced a project called e-Seva, for services like
payment of bills, certificates, permits/licenses, reservation of tickets etc., and has also
introduced a system for registration for the registration of all the services. There are also many
other states also which have introduced the e-governance services, and lot more to join.
Meghalaya has now been providing services like social welfare, food civil supplies and
consumer affairs, housing transport etc through the use of websites. We also have online
complaint management system in Mumbai, which is called as SETU. Even Indian Government
has taken an initiative to provide for the e-governance services through the means of internet,
the same has been provided on http:/egov.mit.gov.in/ and in addition to this there is also an e-
governance framework been prepared by the National Informatics Centre (NIC) at
http:/Home.nic.in.
Most of the IT based technologies have been helping the government to enable the services
through Common Service Centers (CSC) though it would require good deal of investment but
at the same time would also bring long term benefits and reduce routine governance or financial
problems faced by the government in raising the number of officials at work. FINO has even
come up with a provision for the use of smart cards (which would contain the details of the
holder, with the fingerprints of all his fingers, and his digital signature and photograph) to be
used and verified by the central server.
Other important area where the system has turned out to be a blessing is the check posts at
Gujarat Highways. This has resulted in huge increase in the revenue collection on transit of the
trucks carrying overweighed products. The legal penalty for overload is Rs. 2000 per ton. The
collections previously were prone to the corruptions practices by the check-posts officers.
Prepared By
Page | 78
Digital India
Digital India is a campaign launched by the Government of India to ensure the Government
services are made available to citizens electronically by improved online infrastructure and by
increasing Internet connectivity or by making the country digitally empowered in the field of
technology. The initiative includes plans to connect rural areas with high-speed
internet networks. Digital India consists of three core components, (a) development of secure
and stable digital infrastructure, (b) delivering government services digitally, and (c) universal
digital literacy.
Launched on 1 July 2015 by Prime Minister Narendra Modi, it is both enabler and beneficiary
of other key Government of India schemes, such as BharatNet, Make in India, Startup
India and Standup India, Industrial corridors, Bharatmala, Sagarmala, Dedicated Freight
Corridors and UDAN-RCS.
The National e-Governance Plan (NeGP)
The National e-Governance Plan (NeGP), takes a holistic view of e-Governance initiatives
across the country, integrating them into a collective vision, a shared cause. Around this idea,
a massive countrywide infrastructure reaching down to the remotest of villages is evolving,
and large-scale digitization of records is taking place to enable easy, reliable access to the
internet.
Further, with a vision to transform e-Governance for transforming Governance and keeping in
view the need to utilize emerging technologies such as Cloud and Mobile Platform and focus
on the integration of services, the Government has proposed to implement “e-Kranti: National
e-Governance Plan (NeGP) 2.0” under the Digital India programme.
E-Kranti
e-Kranti is an essential pillar of the Digital India initiative. Considering the critical need for e-
Governance, mobile Governance and Good Governance in the country, the approach and key
components of e-Kranti have been approved by the Union Cabinet on 25.03.2015 with the
vision of “Transforming e-Governance for Transforming Governance”.
The e-Kranti framework addresses the electronic delivery of services through a portfolio of
mission mode projects that cut across several Government Departments.
Objectives
• To redefine NeGP with transformational and outcome-oriented e-Governance

initiatives
• To enhance the portfolio of citizen centric services
• To ensure optimum usage of core Information & Communication Technology (ICT)
• To promote rapid replication and integration of e-Governance applications
• To leverage emerging technologies
• To make use of more agile implementation models
Prepared By
Page | 79
Key Features
Transformation and not Translation - All project proposals in e - Kranti must involve a
substantial transformation in the quality, quantity and manner of delivery of services and
significant enhancement in productivity and competitiveness.
Integrated Services and not Individual Services - A common middleware and integration of the
back-end processes and processing systems are required to facilitate integrated service delivery
to citizens.
Government Process Reengineering (GPR) - To mandate GPR as the essential first step in all
new MMPs without which a project may not be sanctioned. The degree of GPR should be
assessed and enhanced for the existing MMPs.
ICT Infrastructure on Demand - Government departments should be provided with ICT
infrastructures, such as connectivity, cloud and mobile platform on demand. In this regard,
National Information Infrastructure (NII), which is at an advanced stage of project formulation,
would be fast-tracked by DeitY (Department of Electronics and Information Technology).
Cloud by Default - The flexibility, agility and cost-effectiveness offered by cloud technologies
would be fully leveraged while designing and hosting applications. Government Cloud shall
be the default cloud for Government Departments.
Mobile First - All applications are designed/ redesigned to enable delivery of services through
mobile.
Fast Tracking Approvals - To establish a fast - track approval mechanism for MMPs, once the
Detailed Project Report (DPR) of a project is approved by the Competent Authority,
empowered committees may be constituted with delegated powers to take all subsequent
decisions
Mandating Standards and Protocols - Use of e-Governance standards and protocols as notified
by DeitY be mandated in all e-governance projects
Language Localization - It is imperative that all information and services in e-Governance
projects are available in Indian languages as well.
National GIS (Geo-Spatial Information System) - NGIS to be leveraged as a platform and as a
service in e-Governance projects.
Security and Electronic Data Preservation - All online applications and e-services to adhere to
prescribed security measures including cyber security. The National Cyber Security Policy
2013 notified by DeitY must be followed.
Aadhaar
Aadhaar is a 12-digit unique identity number that can be obtained by residents of India, based
on their biometric and demographic data. The data is collected by the Unique Identification
Authority of India (UIDAI), a statutory authority established in January 2009 by the
government of India, under the jurisdiction of the Ministry of Electronics and Information
Prepared By
Page | 80
Technology, following the provisions of the Aadhaar (Targeted Delivery of Financial and other
Subsidies, benefits and services) Act, 2016.
Aadhaar is the world's largest biometric ID system. World Bank Chief Economist Paul
Romer described Aadhaar as "the most sophisticated ID programme in the world". Considered
a proof of residence and not a proof of citizenship, Aadhaar does not itself grant any rights to
domicile in India. Under its provisions, government has been issuing various notifications
making Aadhaar mandatory for government projects, such as LPG subsidies and Mid-Day
Meal scheme. In addition, in 2017, Parliament passed the Finance Act to amend the Income
Tax Act, 1961, and made Aadhaar mandatory for filing of income tax returns and applying for
PAN.
While India does not have a comprehensive law on privacy and data security, the Aadhaar Act,
2016 has some protections. For example, it prohibits UIDAI and its officers from sharing a
person’s identity information and authentication records with anyone. It also forbids a person
authenticating another person’s identity from collecting or using their information without their
consent. Other protections include prohibitions against publicly displaying a person’s Aadhaar
number and sharing of a person’s fingerprints and iris scans with anyone.
Aadhaar and Privacy
What started as a unique identification number to streamline the distribution of welfare to the
needy has now turned into an all-pervasive tool that can arm the government with sensitive
data of all Indians. At the heart of this issue is the sheer quantity of data being amassed as part
of the scheme and the many privacy and security concerns generated as a result of it.
The Aadhaar of today, in addition to basic personal information, includes biometric data like
your fingerprints, your iris scan and now even your facial scans (albeit introduced as a safety
feature). This is designed to address the issue of failed biometric authentication, as an
alternative for people having difficulty authenticating, due to factors like worn out fingerprints,
or changing biometric data due to old age, hard work conditions, accidents and the like.
But what it fails to address is the growing unease among citizens about the scale of the project,
its intent, and the actual legality of enabling such an architecture, which could threaten the
citizens with the possibility of State surveillance.
It has been argued that the collection of identity data without adequate safeguards interferes
with the fundamental right to privacy protected under Article 21 of the Constitution. Article
21 guarantees right to life and personal liberty. In August 2015, a three-judge bench of the
Supreme Court passed an order stating that a larger bench must be formed to decide the
questions of: (i) whether right to privacy is a fundamental right, and (ii) whether Aadhaar
violates this right.
On the 24th of August, a nine-judge bench of the Supreme Court delivered its verdict in Justice
K.S. Puttaswamy (Retd) and Anr vs Union of India and Ors, unanimously affirming that the
right to privacy is a fundamental right under the Indian Constitution. The verdict brought to an
end a constitutional battle that had begun almost exactly two years ago, on August 11, 2015,
Prepared By
Page | 81
when the Attorney-General for India had stood up during the challenge to the Aadhaar Scheme
and declared that the Constitution did not guarantee any fundamental right to privacy. The three
judges hearing the case referred the constitutional question to a larger bench of five judges
which, in turn, referred it further to a nine-judge bench.
Chief Justice JS Khehar ruled that right to privacy is protected intrinsically as part of rights
guaranteed under Article 21 of the Constitution. The judgement explicitly overrules previous
judgements of the Supreme Court in Kharak Singh vs. State of UP and M.P Sharma v Union of
India, which had held that there is no fundamental right to privacy under the Indian
Constitution.
As far Aadhaar is concerned, the judgment did not invalidate it in any way. However, it did
give a boost to anti-Aadhaar arguments which rely on privacy as now the government can no
longer say that there is no Right to Privacy.
Taxation in Internet
The rapid pace of growth of the e-commerce industry is not only indicative of the increasing
receptiveness of the public but has also brought to the fore the issues that the legal system of
the country has been faced with. From the initial years when internet was a new phenomenon
to recent times where internet has become a basic necessity for every household in most
metropolitan cities, the e-commerce industry has come a long way. The legal system has
constantly tried to catch up especially with the enactment of the various rules under the IT Act
to deal with a host of issues emerging from the use of internet. Moreover, the IP issues in
ecommerce transactions have taken a new form with users finding loopholes to not only easily
duplicate material but also mislead other users. Hence, much more is needed to effectively
regulate the tangled web.
Sales tax Issues: - In the context of e-commerce transactions, sales tax is relevant with respect
to sale of intangible goods. In this regard, the Supreme Court has held that intangible goods
such as software put in a tangible media, technical knowhow and other IPRs are goods for the
purpose of sales tax. It has also been held that the IP that has been incorporated on a media for
the purpose of transfer and media cannot be split up. Therefore, sale of computer software falls
within the scope of sale of goods and is taxable. According to tax experts, it might be difficult
to fault companies like Facebook, Google, Yahoo! and Twitter, or accuse them of evading
taxes, under the current laws. Such internet companies - which do not operate as permanent
establishments here - might not be taxable under the present Indian legal system.
Prepared By
Page | 82
MODULE 5
Domain Name Dispute – Legal Response – Copyright Infringement in Internet – Response Of
Investment Law in Internet Age – UNICITRAL Law of Electronic Commerce 1986 and
Information Technology Act 2000 – Fraud in Internet – Defamation in Internet – Cyber
Forensic
DOMAIN NAME DISPUTE – LEGAL RESPONSE
Domain Names
A domain name is the address where Internet users can access your website.
Domain names serve to identify Internet resources, such as computers, networks, and services,
with a text-based label that is easier to memorize than the numerical addresses used in the
Internet protocols. A domain name may represent entire collections of such resources or
individual instances. Individual Internet host computers use domain names as host identifiers,
also called ‘host names’. The term’ host names’ is also used for the leaf labels in the domain
name system, usually without further subordinate domain name space. Host names appear as a
component in Uniform Resource Locators (URLs) for Internet resources such as web sites.
Domain names are also used as simple identification labels to indicate ownership or control of
a resource. Such examples are the realm identifiers used in the Session Initiation Protocol (SIP),
the Domain Keys used to verify DNS domains in e-mail systems, and in many other Uniform
Resource Identifiers (URIs).
The practice of using a simple memorable abstraction of a host's numerical address on a
computer network dates back to the ARPANET era, before the advent of today's commercial
Internet. Today, the INTERNET CORPORATION FOR ASSIGNED NAMES AND
NUMBERS (ICANN) manages the top-level development and architecture of the Internet
domain name space. It authorizes domain name registrars, through which domain names may
be registered and reassigned.
There are various hierarchies or levels of Domain names. Domain names are divided into
hierarchies. The top-level of the hierarchy appears after the last dot ('.') in a domain name. In
"microsoft.com", the top-level domain name is .COM. The .COM name is the most common
top-level domain name and is used to indicate that the domain name is owned by a commercial
enterprise. Other common top-level domain names include .ORG (for non-profit
organizations), .NET (for network and Internet related organizations), .EDU (for four-year
colleges and universities), and .GOV (for government entities)..
Below the top-level domains in the domain name hierarchy are the second-level domain (SLD)
names. These are the names directly to the left of .com, .net, and the other top-level domains.
As an example, in the domain example.co.uk, co is the second-level domain. Next are third-
level domains, which are written immediately to the left of a second-level domain. There can
be fourth- and fifth-level domains, and so on, with virtually no limitation. An internationalized
domain name (IDN) is an Internet domain name that contains at least one label that is displayed
in software applications, in whole or in part, in a language-specific script or alphabet, such as
Prepared By
Page | 83
Arabic, Chinese, Cyrillic, Tamil, Hebrew or the Latin alphabet-based characters with diacritics
or ligatures, such as French. These writing systems are encoded by computers in multi-byte
Unicode. Internationalized domain names are stored in the Domain Name System as ASCII
strings using Puny code transcription.
Registration of Domain Names in India
The Top-level Domain names on the internet are .IN and.CO.IN. These were made available
to the general public in the year 2005. Domain names must not be confused with property rights
in names, such as trademarks. A domain name is acquired through simple contract with a
registry, and any rights which the holder has in respect of the name derive from the contract.
Fundamentally, a ‘domain name registration’ refers to a process by which a new SLD is created
under an established TLD (such as.com, .org). By this process, a person or a firm (the
Registrant) contacts a Domain Name Registrar and requests the use of a particular name as a
domain name in the DNS. Generally, no examination is done regards the presence of any right
of the Registrant in the proposed domain name. The registrar then contacts the registry for that
top-level domain and asks whether the desired name is still available. If no one has a previously
registered it, then the registrar may process the request and register the desired name to the
registrant.
The law does not permit any one to carry on his business in such a way as would persuade the
customers or clients in believing that the goods or services belonging to someone else are his
or are associated therewith. It does not matter whether the latter person does so fraudulently or
otherwise. The reasons are two. Firstly, honesty and fair play are, and ought to be, the basic
policies in the world of business. Secondly, when a person adopts or intends to adopt a name
in connection with his business or services, which already belongs to someone else, it results
in confusion and has propensity of diverting the customers and clients of someone else to
himself and thereby resulting in injury. Thus, the wide connectivity offered by the internet
created a lacuna that was created as the scope of domain names went beyond geographical
boundaries. This mandated the need for an international regulation of the domain name system
(DNS). This international regulation was affected through WIPO and ICANN
The outcome of consultation between ICANN and WIPO has resulted in the setting up not only
of a system of registration of domain names with accredited Registrars but also the evolution
of the Uniform Domain Name Disputes Resolution Policy (UDNDR Policy) by ICANN on
24th October 1999. As far as registration is concerned, it is provided on a first come first serve
basis. Besides the UDNDR Policy is instructive as to the kind of rights which a domain name
owner may have upon registration with ICANN accredited Registrars.
Dispute Resolution
The dispute resolution concerning disputes regarding domain names are carried out under the
Uniform Domain Name Disputes Resolution Policy (UDNDR Policy) by ICANN.
A person may complain before administration-dispute-resolution service providers listed by
ICANN under Rule 4(a) that:
Prepared By
Page | 84
i) A domain name is “identical or confusingly similar to a trademark or service mark” in which

the complainant has rights; and
ii) The domain name owner/registrant has no right or legitimate interest in respect of the
domain name; and
iii) A domain name has been registered and is being used in bad faith.
Rule 4(b) has listed by way of illustration the following four circumstances as evidence of
registration and use of a domain name in bad faith:
(i) Circumstances indicating that the domain name owner/registrant has registered or the
domain name owner/registrant has acquired the domain name primarily for the purpose of
selling, renting or otherwise transferring the domain name registration to the complainant who
is the owner of the trademark or service mark or to a competitor of that complainant, for
valuable consideration in excess of its documented out-of-pocket costs directly related to the
domain name; or
(ii) The domain name owner/registrant has registered the domain name in order to prevent the
owner of the trademark or service mark from reflecting the mark in a corresponding domain
name, provided that it has engaged in a pattern of such conduct; or
(iii) The domain name owner/registrant has registered the domain name primarily for the
purpose of disrupting the business of a competitor; or
(iv) By using the domain name, the domain name owner/ registrant has intentionally attempted
to attract, for commercial gain internet users, to its web site or other on-line location, by
creating a likelihood of confusion with the complainants mark as to the source, sponsorship,
affiliation, or endorsement of the domain name owner/registrant web site or location or of a
product or service on its web site or location.
The defences available to such a complaint have been particularized “but without limitation",
in Rule 4 (c) as follows:
(i) Before any notice to the domain name owner/registrant, the use of, or demonstrable
preparations to use, the domain name or a name corresponding to the domain name in
connection with bona fide offering of goods or services; or
(ii) The domain name owner/registrant (as an individual, business, or other organization) has
been commonly known by the domain name, even if it has acquired no trademark or service
mark rights; or
(iii) The domain name owner/registrant is making a legitimate non-commercial or fair use of
the domain name, without intent for commercial gain to misleadingly divert consumers or to
tarnish the trademark or service mark at issue.
These rules indicate that the disputes may be broadly categorized as: (a) disputes between
trademark owners and domain name owners and (b) between domain name owners inter se. A
prior registrant can protect its domain name against subsequent registrants. Confusing
similarity in domain names may be a ground for complaint and similarity is to be decided on
Prepared By
Page | 85
the possibility of deception amongst potential customers. The defences available to a

complaint are also substantially similar to those available to an action for passing off under
trademark law. As far as India is concerned, there is no legislation, which explicitly refers to
dispute resolution in connection with domain names. But although the operation of the Trade
Marks Act, 1999 itself is not extra territorial and may not allow for adequate protection of
domain names, this does not mean that domain names are not to be legally protected to the
extent possible under the laws relating to passing off.
Scope under Trademarks Act, 1999
In India, the Trademarks Act, 1999 (Act) provide protection to trademarks and service marks
respectively. A closer perusal of the provisions of the Act and the judgments given by the
Courts in India reveals that the protection available under the Act is stronger than
internationally required and provided.
Rule 2 of the UDNDR Policy requires the applicant to determine that the domain name for
which registration is sought, does not infringes or violates someone else’s rights. Thus, if the
domain name, proposed to be registered, is in violation of another person’s “trademark rights”,
it will violate Rule 2 of the Policy. In such an eventuality, the Registrar is within his right to
refuse to register the domain name. This shows that a domain name, though properly registered
as per the requirements of ICANN, still it is subject to the Trademarks Act, 1999 if a person
successfully proves that he has ‘rights’ flowing out of the Act.
The Act covers the remedies peculiar to Indian legal system as well as the well-known common
law principles of passing off. At the same time, it is in conformity with the recognized
international principles and norms. Thus, the protection provided under the Act is more reliable
and secure. The following provisions are relevant in this regard:
(a) A trademark registered under the Act has the backing of the infringement and passing off
remedies. An unregistered trademark is not protected by the Act, except to the extent of availing
of passing off remedy. The definition of the terms “mark” and “trademark” is so widely given
that it conveniently covers domain name. It must be noted that a “mark” is used, rightly or
wrongly, if it is used in printed or other visual representation. It cannot be doubted that a
domain name corresponding a mark is definitely used both in the printed form (electronic form)
and by visual representation. Thus, the provisions of the Act can safely be invoked to fix the
liability in those cases.
(b) A passing off action is maintainable in law even against the registered owner of the
trademark, particularly if the trademark has a transborder reputation. This, principle recognizes
the mandate of protecting the well-known trademarks, as required by the TRIPS Agreement
and the Trademarks Act, 1999. Thus, even if a domain name is registered in good faith and
innocently, the passing off action is maintainable against the registrant.
(c) The registration of domain name with the Registrars recognized and approved by the
ICANN may not have the same consequences as registration under the Trademarks Act, 1999.
For instance, a registration under the Act carries with it a presumption of validity.
Prepared By
Page | 86
(d) The Act considers even an innocent infringement or passing off as wrong against the right
holder, unlike domain name where mala fides has to be proved. Thus, it does not matter whether
the person offending the right does so fraudulently or otherwise.
(e) The Act will have overriding effect over any other law, which is in conflict with it. Further,
since it is in conformity with the TRIPS Agreement, it is equally in conformity with the well-
accepted international standards. It must be noted that Rule 4 (k) provides that the proceedings
under the UDNDR Policy would not prevent either the domain name owner/registrant or the
complainant from submitting the dispute to a court of competent jurisdiction for independent
resolution, either before proceeding under ICANN's policy or after such proceeding is
concluded. This shows that there is a simultaneous and double protection available under the
Act.
(f) The provisions of the Act are in conformity with the TRIPS Agreement and the W.T.O
provisions. These provisions are mandatory in nature unlike the provisions of W.I.P.O, which
are persuasive and discretionary in nature. The UDNDR Policy is formulated under the
provisions of W.I.P.O; hence it is not binding on parties whose rights are flowing from the Act.
The distinction is crucial since in case of conflict between the Policy and the Act, the latter will
prevail and will govern the rights of the parties falling within its ambit.
(g) The Act allows the making of an “International application” resulting in automatic
protection in designated countries mentioned in it. This gives a wider and strong protection to
the trademark and makes its misappropriation harsh and punitive.
(h) The procedure for registration under the Act is more safe and reliable, as it is not granted
on a first come first basis. The safeguards provided under the Act are properly followed and
only thereafter a trademark is granted. Thus, the right recognized under the Act is more reliable,
strong and authentic.
Rediff Communications Ltd. v. Cybertooth & Another the Bombay High Court while granting
an injunction restraining the defendants from using the domain name ‘RADIFF’ or any other
similar name, held that when both domain names are considered there is every possibility of
internet users being confused and deceived into believing that both domain names belong to
one common source and connection although the two belong to two different persons. Again
the website using the domain name, ‘Naukari.com’ was held to be confusingly similar to that
of the plaintiff, ‘naukri.com’, with a different spelling variant establishing prima facie inference
of bad faith.
In Marks & Spencer v. One-in-a Million, the UK Court observed that when a person
deliberately registers a domain name on account of its similarity to the name, brand name or
trademark of an unconnected commercial organization, he must expect to find himself at the
receiving end of an injunction to restrain the threat of passing-off.
One of the most significant cases in the Indian context of cybersquatting remains Yahoo! Inc.
v. Akash Arora & Anr, wherein the court held that the trademark laws apply with equal force
in the internet similar to that in the physical world.
Prepared By
Page | 87
CYBERSQUATTING
Cybersquatting refers to illegal domain name registration or use. Cybersquatting can have a
few different variations, but its primary purpose is to steal or misspell a domain name in order
to profit from an increase in website visits, which otherwise would not be possible. Trademark
or copyright holders may neglect to reregister their domain names, and by forgetting this
important update, cybersquatters can easily steal domain names. Cybersquatting also includes
advertisers who mimic domain names that are similar to popular, highly trafficked websites.
Cybersquatting is one of several types of cybercrimes. Cybersquatting is also known as domain
squatting.
COPYRIGHT INFRINGEMENT IN INTERNET
Indian Copyright Act, 1957 deals with the protection of computer software but it does not have
any provision to check the piracy of software on Internet. Though several important
amendments were made to the Indian Penal Code, 1860, Indian Evidence Act, 1872, the Code
of Criminal Procedure, 1973 and the Banker’s Books Evidence Act by Information Technology
Act, 2000, the law of copyright remained unaffected. Thus, it has become necessary that the
Copyright Act also deals with problems of online copyright infringement and other related
aspects. Though no specific reference has been made with this aspect, but the amended
provisions of the Copyright Act tries to deal with some practical problems and including the
inclusion of fair use policy and other aspect of transient and incidental storage of work or
performance or for providing links for such links.
Section 14 of the Copyright Act, 1957 defines copyright as the exclusive right subject to the
provisions of this Act, to do or authorize the doing of any of the following acts in respect of a
work or any substantial part thereof, namely: -
a. In the case of a literary, dramatic or musical work not being a computer programme, -
i. To reproduce the work in any material form including the storing of it in any medium
by electronic means;
ii. To issue copies of the work to the public not being copies already in circulation;
iii. To perform the work in public, or communicate it to the public;
iv. To make any cinematograph film, or sound recording in respect of the work;
v. To make any translation of the work;
vi. To make any adaptation of the work;
vii. To do in relation to a translation or adaptation of work, any of the acts specified in
relation to the work in sub-clause (i) to (iv).
b. In the case of a computer programme
i. To do any of the acts specified in clause (a);
Prepared By
Page | 88
ii. To sell or give on hire, or offer for sale or hire any copy of the computer
programme, regardless of whether such copy has been sold or given on hire on
earlier occasions;
c. in the case of an artistic work,-
i. To reproduce the work in any material form including depiction in three
dimensions of a two dimensional work or in two dimensions of a three dimensional
work;
ii. To communicate the work to the public;
iii. To issue copies of the work to the public not being copies already in circulation;
iv. To include the work in any cinematograph film;
v. To make any adaptation of the work;
vi. To do in relation to any adaptation of the work any of the acts specified in relation
to the work in sub-clause (i) to (iii).
d. in the case of a cinematograph film,-
i. To make a copy of the film including a photograph of any image forming a part
thereof;
ii. To sell or give on hire, or offer for sale or hire, any copy of the film, regardless of
whether such copy has been sold or given on hire on earlier occasions;
e. in the case of a sound recording,-
i. To make any other sound recording embodying in it;
ii. To sell or give on hire, or offer for sale or hire, any copy of the sound recording,
regardless of whether such copy has been sold or given on hire on earlier occasions;
iii. To communicate the sound recording to the public.
Section 51 (a) of the Copyright Act states that “the act of infringement is when, a person
without any license by the registrar or the owner of the particular copyright, does an act that is
in the contravention of the conditions of license or condition imposed by a competent authority
under this Act, permits for profit any place to be used for the communication of the work to
the public where such communication constitutes an infringement of the copyright in the work,
unless he is unaware as and had no reason to believe that the particular communication to the
general public would result in copyright infringement.” In view of the same and also the fact
that the provision provides for permitting “any place “which itself is loosely worded and is
unfettered by any qualification, the said words “any place” have to be construed widely so as
Prepared By
Page | 89
to include the place at the webs page or internet in order to give effect to the provision to be
operative in cases of newer kind of the infringements being caused at the web space. Thus, the
Copyright Infringement includes the online infringement and any one can sue for the
infringement of copyright based on the web pages or web contents including websites & mobile
Application.
It does not expressly provide as to whether such infringement occurred in cyberspace or in
physical world. If we read the language of the Section 51 along with the Section 14 of the
Copyright Act, 1957 it becomes clear that reproducing any copyrighted work, issuing copies
of the work to the public or communicating the work to the public would amount to the
copyright violation under the Act.
But, in case of linking or in-lining there is no reproduction of any copyrighted work. The
reproduction takes place at the end of the user who visits the linked page via link.
Linking
Linking means the joining of any two web pages on Internet. A link is an embedded electronic
address that points to another location and takes the user there. A link may lead either to another
file in the same website, or to a file on a different computer located elsewhere on the Internet.
It might be possible that a number of links appear on a single web page. Linking may be of two
types, deep linking and surface linking.
In case of Surface Linking the home page of any site is linked while Deep Linking means
bypassing the home page and linking to the internal pages within the web site. Section 2(ff) of
the Indian Copyright Act, 1957 defines the term “communication to public” in the following
words: “Communication to public means making any words available for being seen or heard
or otherwise enjoyed by the public directly or by any means of display or diffusion other than
by issuing copies of such work regardless of whether any member actually sees, hears or
otherwise enjoys the work so made available.”
The explanation to this section further provides to include any communication through satellite
or cable. Therefore, this definition covers the contents of a web site on internet by virtue of
expression “by any means of display”. Therefore, linking comes within the ambit of Indian
copyright law. If any linking is done to the detriment of any site, its owner can take recourse
to legal remedy under Indian Copyright act, 1957.
Before linking deep in to any site it is prudent to first take the permission of the owner of site.
On the other hand, in order to prevent unwanted linking the creator of web site should insert a
prohibition clause in its terms of use as “do not link to this site without any express consent on
the part of the copyright holder of this site.”
In-lining
The term ‘In-lining’ refers to the creation of a new web page by summoning different elements
from diverse pages or servers. If any user browses this composite web page, this page will
direct the browser to obtain the pictures, graphics etc. from the original sources.
Prepared By
Page | 90
In case of inline linking the user may never come to know that the contents of the composite
page have not been stored at the site has being visited by him. The inline linking is not covered
by the Section 14 and 51 of the Indian Copyright Act, 1957 as the person employing an inline
link on his site is not causing any reproduction of the copyrighted contents. But, the definition
of the ‘communication to public’ as provided under section 2(ff) of the Copyright Act can be
interpreted to include ‘inline linking’ by virtue of the expression ‘by any means of display’.
On the other hand, Section 14(a)(vi) of the Act grants the right of adaptation only to the author
of copyrighted work. By in-lining the linking site could take some elements from the linked
site’s settings i.e. pictures, text, film clips etc. and create its own site. This amounts to an
infringement of adaptation rights of the author.
In-lining creates moral issues also. Section 57 of the Copyright Act, 1957 guarantees special
rights of the author of any copyrighted work which is adversely affected by the practice of in-
lining. Though, the Act does not expressly provide for making in-lining illegal, but any
modification or mutilation to the contents of a web site without the express permission of the
owner of the copyrighted material amounts to an infringement in the eye of copyright law of
India.
Framing
Under Indian Copyright Act, 1957 the legality of framing can be tested by applying the
provisions of section 51 read with section 14 of the Act. In case of framing, the framer of the
other’s site neither reproduces the copyrighted content nor makes copy of the same but he
provides only a visiting browser with instructions to retrieve the content of that site in to
framer’s website. Therefore, the framer of site cannot be held liable for unauthorized copying
or reproduction of copyrighted work under Indian Copyright Act but he could be trapped under
section 57(1) of the Act for infringing the right to integrity of the copyright owner.
Only owner of copyrighted work is entitled to make adaptation to such work under section
14(a) (vi) of the Indian Copyright Act, 1957. This right is adversely affected by the process of
framing because the framing site acquires some elements from the multimedia settings of the
framed site(s) and creates its own web pages(s). Now, it is the primary responsibility of our
courts to look in to the intention of the framer in order to test the legality of framing.
Caching (mirroring)
‘Caching’ is a technical process which essentially involves the storage of information so that
future requests for the same information can be performed faster. In relation to Google, this
can be illustrated as follows: Google crawls as many websites as possible so that it can serve
results from these pages when a user searches for certain keywords. As Google crawls these
websites, it picks up necessary information about the site (size, title, URL etc.) but more
importantly, also creates a temporary copy of the webpage, which is called a ‘cache’. This is
an exact replica of the page and is temporarily stored on Google’s servers so that it can be
displayed to users in case the original webpage is taken down (or other reasons as explained
below). The cache is refreshed approximately every two weeks. The Copyright Amendment
Act, 2012, which is now in force, has introduced Section 52(1)(b) and (c). These two sections
Prepared By
Page | 91
provide exemptions to intermediaries for the storage of transient copies of information. Clause
(b) protects Internet Service Providers, while clause (c) protects ‘information intermediaries’
such as Google, Facebook etc. Therefore, liability for ‘caching’ should be analysed in the
context of these new amendments.
Status of the Intermediary
Internet Intermediaries are essentially companies which provide online services which
facilitate transmission of user generated data. Often this data is the subject of copyright owned
by a person other than the User who initiates the transmission. Due to this there is often the
concern that the internet intermediary may be held liable for copyright infringement which
originates due to the illegality of the User.
Anish Njaan vs State: The case involved an IIT Kharagpur student Ravi Raj, who placed on
the baazee.com a listing offering an obscene MMS video clip for sale with the username alice-
elec. Despite the fact that baazee.com have a filter for posting of objectionable content, the
listing nevertheless took place with the description, “Item 27877408 – DPS Girls having fun!!!
full video + Baazee points.” The item was listed online around 8.30 pm in the evening of
November 27th 2004 and was deactivated, around 10 am on 29th November 2004. The Crime
Branch of Delhi police took cognizance of the matter and registered an FIR. Upon
investigation, a charge sheet was filed showing Ravi Raj, Avnish Bajaj, the owner of the
website and Sharat Digumarti, the person responsible for handling the content, as accused.
Since, Ravi Raj absconded; the petition was filed by Avnish Bajaj, seeking the quashing of the
criminal proceedings.
HELD (Delhi High Court)
The court observed that a prima facie case for the offence under Section 292 (2) (a) and 292
(2) (d) IPC is made out against the website both in respect of the listing and the video clip
respectively. The court observed that “[b]y not having appropriate filters that could have
detected the words in the listing or the pornographic content of what was being offered for sale,
the website ran a risk of having imputed to it the knowledge that such an object was in fact
obscene”, and thus it held that as per the strict liability imposed by Section 292, knowledge of
the listing can be imputed to the company.
However, as far as Avnish Bajaj is concerned, the court held that since the Indian Penal Code
does not recognize the concept of an automatic criminal liability attaching to the director where
the company is an accused, the petitioner can be discharged under Sections 292 and 294 of
IPC, but not the other accused.
As regards S. 67, read with Section 85 of the IT Act, the Court however, observed that a prima
facie case was made out against the petitioner Avnish Bajaj, since the law recognizes the
deemed criminal liability of the directors even where the company is not arraigned as an
accused. The judgement however did not declare Avnish Bajaj guilty.
Section 79 of the Information Technology Act, 2000:
Exemption from liability of intermediary in certain cases. —
Prepared By
Page | 92
(1) Notwithstanding anything contained in any law for the time being in force but subject to
the provisions of sub-section (2) and (3), an intermediary shall not be liable for any third-party
information, data, or communication link made available or hosted by him.
(2) The provisions of sub-section (1) shall apply if—
(a) the function of the intermediary is limited to providing access to a communication system
over which information made available by third parties is transmitted or temporarily stored or
hosted; or
(b) the intermediary does not—
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission;
(c) the intermediary observes due diligence while discharging his duties under this Act
and also observes such other guidelines as the Central Government may prescribe in this behalf.
(3) The provisions of sub-section (1) shall not apply if—
(a) the intermediary has conspired or abetted or aided or induced, whether by threats or
promise or otherwise in the commission of the unlawful act;
(b) upon receiving actual knowledge, or on being notified by the appropriate Government or
its agency that any information, data or communication link residing in or connected to a
computer resource controlled by the intermediary is being used to commit the unlawful act, the
intermediary fails to expeditiously remove or disable access to that material on that resource
without vitiating the evidence in any manner.
Explanation. —For the purpose of this section, the expression “third party information” means
any information dealt with by an intermediary in his capacity as an intermediary.
Thus, observing due diligence as per the section 79 of the Act provided the intermediaries the
right to seek exemption under the IT Act, 2000. However, the judgment of Hon’ble Delhi High
Court in the matter of Super Cassettes Industries Ltd Vs My Space Inc, had led to the
confusion over the protection given to the Intermediaries under the IT ACT, 2000. The Hon’ble
Court while giving a Prima Facie view on the Injunction had come to the conclusion that that
the provisions of Section 79 of The Information Technology Act, 2000 will have no bearing
on the liability of infringement of Copyright because of the proviso provided under Section 81
of the Act. The protection given to the Intermediaries with respect to copyright and patent
Prepared By
Page | 93
infringement cases has been taken away by considering the provisions of Section 79 of the Act
read with Section 81 of the Act. Thus, intermediary can be sued for online infringement of
copyright content despite given an exemption under Section 79 of The Information Technology
Act, 2000. The interpretation of Section 79 read with Section 81 of the Act has led to take away
the exemption provided under the Act.
In this context the recent amendments under the Copyright Act, 2012 provide for an exemption
from liability. The procedure for this is defined under the Copyright Rules, 2013. Copyright
Amendment Act, 2012 amended the existing law to bring in a provision to exempt liability of
internet intermediaries for copyright. The relevant provisions contained in the Amendment Act
are Sections 52(1) (b) and 52(1) (c) which bring the Indian Copyright Act in accordance with
the International Practice. A proviso has been added to this clause to provide a similar provision
as safe harbor as per international norms to internet service providers, as they are merely
carriers of information provided by others. This is generally referred to as ‘notice and take
down procedure’. If the person responsible for the storage of the copy has received a written
complaint from the owner of copyright in the work, that the transient or incidental storage is
an infringement, such persons responsible for the storage shall refrain from facilitating such
access for a period of twenty-one days or till he receives an order from the competent court
refraining from facilitating access. In case no such order is received before the expiry of such
period of twenty-one days, he may continue to provide the facility of such access.
Effect of the Landmark Judgement in Shreya Singhal vs UOI
In this judgement, the Court laid down that the provisions of Section 79(3) (b) and the
Intermediary Rules have to be read down. Their interpretation has been narrowed down. By
doing so, the Court has clarified that the Intermediary must receive a court order / notification
from a government agency for removing specific information / content and only then can it be
obligated to take down any content.
Therefore, Intermediaries would not be obligated to undertake any takedown / removal action
upon receipt of third parties' complaints (however grave and severe) even if the complaint on
its face merits takedown. This in turn means that, any person aggrieved by content on Facebook
or Google blogger will have to approach the government or the courts for relief – they can no
longer approach the Intermediary directly to take down content.
Section 52 (c) of the Copyright Act defines- Certain acts not to be infringement of
copyright-
(c) transient or incidental storage of a work or performance for the purpose of providing
electronic links, access or integration, where such links, access or integration has not been
expressly prohibited by the right holder, unless the person responsible is aware or has
reasonable grounds for believing that such storage is of an infringing copy:
Provided that if the person responsible for the storage of the copy has received a written
complaint from the owner of copyright in the work, complaining that such transient or
Prepared By
Page | 94
incidental storage is an infringement, such person responsible for the storage shall refrain
from facilitating such access for a period of twenty-one days or till he receives an order from
the competent court refraining from facilitating access and in case no such order is received
before the expiry of such period of twenty-one days, he may continue to provide the facility of
such access.
Jurisdiction
Section 62 of the Act stipulates an additional forum of jurisdiction to seek redressal for an
injury caused. The statute states that the person instituting the suit can institute the same at the
place where he ‘voluntarily resides or carries on business or personally works for gain’. The
wrongdoer is compelled to the forum of the choice of the plaintiff.
The Delhi Court in Yahoo! Inc v Akash Arora held that the cause of action could be
established by something more than mere accessibility. In this case, the plaintiffs have done
business and have interacted within the local limits of the state and hence the scope of
jurisdiction can be enhanced.
In matters relating to the infringement on the Internet, the defendant is said to have established
minimum contact if he carries on business in India by subscribing Indian Net users. If a suit is
decreed against an Indian in a foreign court for infringement on the internet, the same can be
enforced in accordance to section 13 of the Civil Procedure Code 1908. In case of infringement
by a foreign national, the Courts must exercise extraordinary care with regard to unresolved
jurisdictional issues.
The WIPO Performances and Phonograms Treaty (WPPT), WIPO Copyright Treaty
(WCT) and the Berne Convention are also silent with respect to uniform practice to exercise
jurisdiction.
UNCITRAL LAW ON ELECTRONIC COMMERCE 1996 AND INFORMATION

TECHNOLOGY ACT, 2000.
The United Nations Commission on International Trade Law (UNCITRAL) was

established by the United Nations General Assembly by its Resolution 2205 (XXI) of 17
December 1966 "to promote the progressive harmonization and unification of international
trade law". UNCITRAL carries out its work at annual sessions held alternately in New York
City and Vienna. UNCITRAL's original membership comprised 29 states, and was expanded
to 36 in 1973, and again to 60 in 2004. Member states of UNCITRAL are representing different
legal traditions and levels of economic development, as well as different geographic regions.
States includes 12 African states, 15 Asian states, 18 European states, 6 Latin American and
Caribbean states, and 1 Oceanian state. The Commission member States are elected by the
General Assembly.
Prepared By
Page | 95
The UNCITRAL Model Law on Electronic Commerce was adopted by the United Nations
Commission on International Trade Law (UNCITRAL) in 1996 in furtherance of its mandate
to promote the harmonization and unification of international trade law, so as to remove
unnecessary obstacles to international trade caused by inadequacies and divergences in the law
affecting trade. Over the past quarter of a century, UNCITRAL, whose membership consists
of States from all regions and of all levels of economic development, has implemented its
mandate by formulating international conventions (the United Nations Conventions on
Contracts for the International Sale of Goods, on the Limitation Period in the International Sale
of Goods, on the Carriage of Goods by Sea, 1978 ("Hamburg Rules"), on the Liability of
Operators of Transport Terminals in International Trade, on International Bills of Exchange
and International Promissory Notes, and on Independent Guarantees and Stand-by Letters of
Credit), model laws (the UNCITRAL Model Laws on International Commercial Arbitration,
on International Credit Transfers and on Procurement of Goods, Construction and Services),
the UNCITRAL Arbitration Rules, the UNCITRAL Conciliation Rules, and legal guides (on
construction contracts, countertrade transactions and electronic funds transfers).
Genesis of IT legislation in India: Mid 90’s saw an impetus in globalization and
computerization, with more and more nations computerizing their governance, and e-
commerce seeing an enormous growth. Until then, most of international trade and transactions
were done through documents being transmitted through post and by telex only. Evidences and
records, until then, were predominantly paper evidences and paper records or other forms of
hard-copies only. With much of international trade being done through electronic
communication and with email gaining momentum, an urgent and imminent need was felt for
recognizing electronic records ie; the data what is stored in a computer or an external storage
attached thereto.
The United Nations Commission on International Trade Law (UNCITRAL) adopted the Model
Law on e-commerce in 1996. The General Assembly of United Nations passed a resolution in
January 1997 inter alia, recommending all States in the UN to give favourable considerations
to the said Model Law, which provides for recognition to electronic records and according it
the same treatment like a paper communication and record.
Objectives of I.T. legislation in India: It is against this background the Government of India
enacted its Information Technology Act 2000 with the objectives as follows, stated in the
preface to the Act itself - “to provide legal recognition for transactions carried out by means of
electronic data interchange and other means of electronic communication, commonly referred
to as "electronic commerce", which involve the use of alternatives to paper-based methods of
communication and storage of information, to facilitate electronic filing of documents with the
Government agencies and further to amend the Indian Penal Code, the Indian Evidence Act,
1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for
matters connected therewith or incidental thereto.”
The Information Technology Act, 2000, was thus passed as the Act No.21 of 2000, got
President assent on 9 June and was made effective from 17 October 2000. The Act essentially
deals with the following issues:-
Prepared By
Page | 96
• Legal Recognition of Electronic Documents

• Legal Recognition of Digital Signatures
• Offenses and Contraventions
• Justice Dispensation Systems for cyber crimes.
CYBER FRAUDS
The ever-growing reliance on computers and the Internet, Internet fraud has been an increasing
concern for civilians and law-enforcement agencies. Because tracking hackers is difficult and
catching Internet frauds is even more challenging, the best protection is to avoid fraud attempts.
The first part of sidestepping identity theft, viruses and other intrusions is being able to identify
fraud when you see it.
Cyber fraud refers to any type of deliberate deception for unfair or unlawful gain that occurs
online. The most common form is online credit card theft. Other common forms of monetary
cyber fraud include nondelivery of paid products purchased through online auctions and non-
delivery of merchandise or software bought online. Cyber fraud also refers to data break-
ins, identity theft, and cyber bullying, all of which are seriously damaging.
Types of Cyber Frauds
Internet Auction Fraud and Non-Delivery of Merchandise

Internet auction fraud is a prevalent scam that targets consumers on auction websites such as
eBay. Typically, this scam will consist of someone posting a product for sale on an auction site
to "sell" the product to the highest bidder. The product, however, is either non-existent or not
the product described on the auction site. Scammers will try to collect the full funds from the
winning bidder before shipping the product. This is typically facilitated via a money wire
transfer, and the seller will ask for funds to be sent to a third party.
In the instances where scammers ship a product to the buyer, the scammer will send a product
of vastly lower value than what was purchased. The shipment will need to be signed for, which
obligates the buyer to pay in full for the product, even though it isn't the promised item. This
is known as the Non-Delivery of Merchandise scam.
Spam and Identity Theft
Spam is implicated in a common form of fraud, in which bulk emails are dispersed to millions
of email addresses in an effort to corrupt people's computers, steal identities or pull unknowing
individuals into paying for fraudulent products or services.
A spam message will offer any number of false dealings to recipients. Popular offerings
including low-interest loans, free credit report checks, sweepstake winnings and relationships
with "local" singles. These types of scams require people to open a message and click on a link.
This opens up the computer to a virus, worm or other "bug" that will corrupt the computer. In
cases of identity theft, the bug will attempt to retrieve passwords, Social Security numbers,
credit card information, home addresses and telephone numbers. Other bugs will embed
themselves in the computer's registry and damage system performance.
Prepared By
Page | 97
Credit Card Fraud

This scam requests that a consumer registers or inputs credit card information on a fraudulent
website. The site may sell products or services. When a reputable, trustworthy vendor asks for
credit card information, it won't save the data without user permission and will take steps to
keep user information safe. Fraudulent sites will ask for the same information as does a
reputable site, but will steal the information and make purchases using the data the credit card
owner gave to the website.
Forms of Investment Fraud
Various investment schemes typically target stock investors, trying to steal money and
investors' identities. Some of these scams will come in the form of an online newsletter. In
these newsletters, frauds will offer inside information on stocks, for a fee, and offer false data
instead of real information.
Online bulletin boards have also become a hotbed of fraudulent activity. Companies often use
online bulletin boards to publish information; however, a bogus board will release
disinformation.
A pump and dump scheme can start with a fraudulent newsletter or bulletin board where secret
or private information is offered. The object of this scheme is to alter stock values. After
effectively hindering a stock, the schemer will sell his or her own stock in a timely fashion for
personal gain.
Information and Technology Act, 2000 and the amendment Act, 2008 deals with cybercrimes
in India. Chapter XI of the Act defines various cybercrimes and prescribes punishments for the
same. It focuses on various offences such as Hacking, Cyber Stalking, Data Theft, and
Introduction of worms and viruses, obscenity and child pornography. The genesis of every
cyber is available in the general criminal law of India i.e.; Indian Penal Code, hence relevant
provisions from the code are referred along with IT Act. The Act totally has 13 chapters and
90 sections.
The Act begins with preliminary and definitions and from there on the chapters that follow deal
with authentication of electronic records, digital signatures, electronic signatures etc. Elaborate
procedures for certifying authorities (for digital certificates as per IT Act -2000 and since
replaced by electronic signatures in the ITAA -2008) have been spelt out. Then the concept of
due diligence, role of intermediaries and some miscellaneous provisions have been described.
Legal Response to Cyber Fraud

Frauds committed through Internet are done in various methods and the legitimate online
businesses of banking and insurance are the one, which bears the brunt of the cybercrime.
The fraud in the cyber world is committed against individuals as well as by individuals against
corporations against government services. The Fraud in Internet in the individual scale will
include e-mail soliciting of fund transfers, sale of products, services that will entice the
potential victim of his personal details of bank accounts, credit cards and other details, which
Prepared By
Page | 98
will be used to commit the fraud against the individuals. On the corporate side, mostly in
banking and financial sectors, individuals commit fraud on online transactions and services.
The IT Act has no provisions nor has dealt with cyber frauds except for frauds relating to E-
commerce related accounts of subscribers holding digital signature under section 44 of the IT
ACT which is not a criminal liability. However, the acts of fraud through Internet can be
covered through the sections of 25 and 415 of the Indian Penal Code. Though the exact use of
word of ‘fraud‘is debatable, the acts can be covered under ‘cheating‘by section 415 of IPC,
which states:
Sec. 415B Cheating: Whoever, by deceiving any person, fraudulently, or dishonestly induces
the person so deceived to deliver any property to an person, or to consent that any person shall
retain any property, or intentionally induces the person so deceived to do or omit to do anything
which he would not do or omit if he were not so deceived, and which act or omission causes or
is likely to cause damage or harm to that person in body, mind, reputation or property, is said
to “cheat”.
Thus, the commonly used term of ‘fraud ‘can be brought under cheating if it fulfills the
following aspects of:
1. A false representation of a person which he or she knows is false at the time of the
representation
2. The intention of the representation is dishonest with a motive of deceiving the person to
whom it is made and
3. The person is deceived to part away with a property or an omission, which otherwise he or
she would not have done without the deception.
Sec. 25- Fraudulent Act: Section 25 of I.P.C., there is a mention of the word ‘fraudulently
‘which states that, “A person is said to do a thing fraudulently if he does that thing with intent
to defraud but not otherwise”. Here again the word ‘defraud ‘is not defined but is interpreted
by Courts in various cases. Here deception is an essential element of fraud and it does not
matter whether it is for an advantage of from ill will towards the person deceived. Thus, frauds
involved in Internet can evoke section 25 of I.P.C.
The following are other provisions which have bearing with Frauds committed in cyber world.
Sec.416 Cheating by Impersonation: A person who a) pretends to be some other person or b)

by knowingly substituting one person for another or c) by representing that he or any another
person is a person other than he or other person really is. The person may be real or imaginary
one. Thus a person committing fraud in online transaction of a banking account will evoke
section 416 for cheating by impersonation.
Secs. 417- 420 Aggravated Cheating: Here further section of 418 will apply for cheating with
knowledge that wrongful loss may thereby be caused to a person whose interest the offender is
Prepared By
Page | 99
bound to protect. Further cheating and thereby dishonestly, inducing the person deceived to
deliver any property to any person, or to make, alter, or destroy a valuable property to any
person, or to make, alter, or destroy a valuable security or anything which is signed, or sealed
and which is capable of being converted into a valuable security will apply for ‘fraudulent acts’
in the cyber space.
The following is the provision dealing with cyber fraud in Information and Technology Act:
Sec 71. Penalty for misrepresentation:
Whoever makes any misrepresentation, to, or suppresses any material fact from, the Controller
or the Certifying Authority for obtaining any license or Digital Signature Certificate, as the
case may be, shall be punished with imprisonment for a term which may extend to two years,
or with fine which may extend to one lakh rupees, or with both.
Section 71 of the Act provides that if a person obtains a license or Digital Signature Certificate
from the Controller or Certifying Authority, as the case may be, by any misrepresentation or
by suppressing any material fact, he shall be punished.
Punishment: The punishment shall be either imprisonment for a term which may extend to two
years or fine to a tune of one lakh rupees or both.
Publishing false Digital Signature Certificate:

Publishing for a false digital signature certificate or making false digital signature certificate
available by any other means to any other person is an offence. However, this offence is not
strict but depends upon the knowledge of the accused. An accused will be liable for only when
he has knowledge that-
a) The certifying authority listed in certificate has not issued; or
b) The subscriber listed in the certificate has not accepted it; or
c) The certificate has been revoked or suspended.
Unless such publication is for the purpose of verifying a digital signature created prior to such
suspension or revocation.
Punishment: Any person who publishes a false Digital Signature Certificate or otherwise makes
such certificate available to any third person shall be punished with imprisonment for a term
which may extend to two years, or with fine which may extend to one lakh rupees or
with both.
Publication for fraudulent purpose: Any person, who knowingly creates, publishes or
otherwise, makes available a digital signature certificate for any fraudulent or unlawful purpose
shall be punished with imprisonment for a term which may extend to two years, or with fine
which may extend to one lakh rupees, or with both.
CYBER DEFAMATION
The term defamation is used to define the injury that is caused to the reputation of a person in
the eyes of a third person. The injury can be done by words oral or written, or by signs or by
Prepared By
Page | 100
visible representations. The intention of the person making the defamatory statement must be
to lower the reputation of the person against whom the statement has been made in the eyes of
the general public. Defamation, which is conventionally associated with ‘published materials
‘, assumes significance over the Internet. Cyber defamation is publishing of defamatory
material against another person with the help of computers or internet. If someone publishes
some defamatory statement about some other person on a website or send emails containing
defamatory material to other persons with the intention to defame the other person about whom
the statement has been made would amount to cyber defamation. The harm caused to a person
by publishing a defamatory statement about him on a website is widespread and irreparable as
the information is available to the entire world. Cyber defamation affects the welfare of the
community as a whole and not merely of the individual victim. It also has its impact on the
economy of a country depending upon the information published and the victim against whom
the information has been published.
There are basically two main broad categories falling under cyber defamation.
• The first category involves the cases in which the liability is of the primary publishers
of the defamatory material, e.g. web site content providers, e-mail authors etc;
• The second category involves the cases involving the liability of the internet service
providers or bulletin board operators.
LEGAL RESPONSE
STATUTORY PROVISIONS GOVERNING CYBER DEFAMATION IN INDIA
The Indian Penal Code, 1860 contains provisions to deal with the menace of cyber
defamation.
1. Section 499 of IPC:
• Section 499 of IPC says that whoever, by words either spoken or intended to be read,
or by signs or by visible representations, makes or publishes any imputation concerning
any person intending to harm, or knowing or having reason to believe that such
imputation will harm, the reputation of such person, is said, except in the cases
hereinafter excepted, to defame that person.
• The offence of defamation is punishable under Section 500 of IPC with a simple
imprisonment up to 2 years or fine or both.
• The law of defamation under Section 499 got extended to "Speech" and "Documents"
in electronic form with the enactment of the Information Technology Act, 2000.
There are also exceptions to the section 499 which are as follows:
• Imputation of anything true, it be for the public good to make it is not defamation- for
this it has to qualify for public good and also what is published should be proved to be
true in substance and in fact.
Prepared By
Page | 101
• It is not defamation to express in good faith any opinion respecting the conduct of a
public servant in the discharge of his public functions or respecting his character, so far
as his character appears in that conduct and no further- such publication should be
correct not only in substance and fact but also should not exceed in its limit.
• To express in good faith any opinion respecting the conduct of any person touching
public questions and respecting his character so far as it appears in that conduct, is not
defamation- this is for fair criticism and this should not have fact which are not true and
will lose the ground of the fair criticism
• It is not defamation to publish a true report of proceedings of court or of the result of
such proceedings. It need not be verbatim report but a report, which is substantially
true.
• It is not offence to express in good faith any opinion on the merits of a case decided in
court or the conduct of witnesses and others concerned or respecting the character of
such persons so far as it appears in that conduct- freedom to discuss fairly on the
administration of justice but should be fair and honest, reasonable in its analysis.
• It is no offence to express in good faith opinion or the merits of any performance which
its author has submitted to the judgment of the public or respecting the character of the
author so far it appears in such performance – any comment on the literary or artistic
work, if it is intended as a valid critique for the consumption of the public and as a guide
and judgment to help the public.
• It is no offence for a person having lawful authority over another to pass censure in
good faith - this is on censuring of a higher authority on good faith. An academic head
sending a note to be put up in a notice board or censuring a pupil in front of other pupils
will not amount to defamation as the academic head derives his authority from the
parent to do the act in good faith.
• It is no offence to prefer an accusation in good faith to an authorized person. - a
complaint before a magistrate or an appropriate authority on the actual conduct will not
amount to defamation
• It is no offence if a person makes an imputation in good faith, for the protection of his
or others interest. - to protect one ‘s own interests or of others or for public good if it is
made in good faith it is an exemption.
• It is no offence to convey a caution intended for the good of the person to whom it was
conveyed or for public good – if someone publishes a matter, which is defamatory to a
practice of some people in the community, but in the interest of the members it will not
amount to defamation.
All the above exemptions and the provisions of Section 499 will apply to matters published in
World Wide Web and also to closed groups of news groups, chat rooms or bulletin board where
there is a possibility of the third person viewing the material other than the complainant.
• Section 469 of IPC says that whoever commits forgery, intending that the document or
electronic record forged shall harm the reputation of any party, or knowing that it is
Prepared By
Page | 102
likely to be used for that purpose shall be punished with imprisonment of either
description for a term which may extend to three years and shall also be liable to fine.
• The phrase “intending that the document forged” under Section 469 was replaced by
the phrase “intending that the document or electronic record forged” vide the
Information and Technology Act, 2000.
• Section 503 of IPC defines the offense of criminal intimidation by use of use of emails
and other electronic means of communication for threatening or intimidating any person
or his property or reputation.
• Section 503 says that whoever, threatens another with any injury to his person,
reputation or property, or to the person or reputation of any one in whom that person is
interested, with intent to cause alarm to that person, or to cause that person to do any
act which he is not legally bound to do, or to omit to do any act which that person is
legally entitled to do, as the means of avoiding the execution of such threats, commits
criminal intimidation.
I.T Act & Defamation
The Information Technology Act, 2000 was amended in 2008. The amended Act which
received the assent of the President on February 5, 2009, contains section 66A which does not
specifically deal with the offence of cyber defamation but it makes punishable the act of
sending grossly offensive material for causing insult, injury or criminal intimidation.
Section 66A of the IT Act says that any person who sends, by means of a computer resource
or a communication device: -
• any information that is grossly offensive or has menacing character; or

• any content information which he knows to be false, but for the purpose of causing
annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation,
enmity, hatred, or ill will, persistently makes by making use of such computer resource
or a communication device,
• any electronic mail or electronic mail message for the purpose of causing annoyance or
inconvenience or to deceive or to mislead the addressee or recipient about the origin of
such messages shall be punishable with imprisonment for a term which may extend to
three years and with fine.
Shreya Singhal v. Union of India

The vague and arbitrary terms used in Section 66A led to much misuse of both personal and
political nature, with several criminal cases being instituted against innocuous instances of
online speech, including political commentary and humour. Furthermore, Section 79 of the IT
Act and the Rules made thereunder, which created an onerous liability regime for
internet Intermediaries were also challenged in a series of writ petitions before the Supreme
Prepared By
Page | 103
Court, which were clubbed together and heard by a bench consisting of Justices Chelameswar
and Nariman.
In a 52-page judgement, which extensively discussed Indian, English and US jurisprudence on
free speech, the Supreme Court struck down Section 66-A of the Information Technology
Act, read down Section 79 of the Information Technology Act and the related rules, and
affirmed the constitutionality of Section 69A of the Act.
It was declared that declared that Section 66A is not only vague and arbitrary, but that it also
“disproportionately invades the right of free speech.” This verdict in Shreya Singhal is a hugely
important landmark in the Supreme Court’s history for many reasons. It represents a rare
instance of the court adopting the extreme step of declaring a censorship law passed by
Parliament as altogether illegitimate. But what’s most uplifting about the judgment is that it
has explicated to us, with remarkable felicity, the scope of the right available to us to express
ourselves freely, and the limited space given to the state in restraining this freedom in only the
most exceptional of circumstances. In clarifying the balance between the right and its narrow
constraints, the court has struck a vicious blow against the duplicitous stand taken by the state,
which consistently represents the right to freedom of speech and expression as a fragile
guarantee at best. As Justice Nariman’s opinion has highlighted, the liberty of thought and
expression is not merely an aspirational ideal. It is also “a cardinal value that is of paramount
significance under our constitutional scheme.”
Important Cases
SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra
In this case the reputation of a corporate was being defamed by an employee of the plaintiff
company by sending derogatory, defamatory, obscene, vulgar, filthy and abusive emails to its
employers and also to different subsidiaries of the said company all over the world with the
aim to defame the company and its Managing Director.
The Hon'ble Judge of the Delhi High Court passed an ex-prate ad interim injunction observing
that a prima facie case had been made out by the plaintiff.
Consequently, the Delhi High Court restrained the defendant from sending derogatory,
defamatory, obscene, vulgar, humiliating and abusive emails either to the plaintiffs or to its
sister subsidiaries all over the world including their Managing Directors and their Sales and
Marketing departments. Further, Hon'ble Judge also restrained the defendant from publishing,
transmitting or causing to be published any information in the actual world as also in
cyberspace which is derogatory or defamatory or abusive of the plaintiffs.
State of Tamil Nadu v. Suhas Katti
The case is related to the posting of obscene, defamatory and annoying message about a
divorcee woman in the yahoo message group. E-Mails were also forwarded to the victim for
information by the accused through a false e-mail account opened by him in the name of the
victim. The posting of the message resulted in annoying phone calls to the lady in the belief
that she was soliciting. Based on a complaint made by the victim in February 2004, the Police
Prepared By
Page | 104
traced the accused to Mumbai and arrested him within the next few days. Relying on the expert
witnesses and other evidence produced before it, including the witnesses of the Cyber Cafe
owners, the Additional Chief Metropolitan Magistrate held the accused guilty of offences under
section 469, 509 IPC and 67 of IT Act, 2000 and the accused is convicted and is sentenced for
the offence to undergo RI for 2 years under 469 IPC and to pay fine of Rs.500/-and for the
offence u/s 509 IPC sentenced to undergo 1 year Simple imprisonment and to pay fine of
Rs.500/- and for the offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of
Rs.4000/- All sentences to run concurrently.” The conviction of the accused was achieved
successfully within a relatively quick time of 7 months from the filing of the FIR
CYBER FORENSICS
Computer forensics is a branch of digital forensic science pertaining to evidence found in

computers and digital storage media. The goal of computer forensics is to examine digital
media in a forensically sound manner with the aim of identifying, preserving, recovering,
analyzing and presenting facts and opinions about the digital information.
The intangible nature of digital evidence coupled with the fragile and vulnerable structure of
the internet has posed inherent obstacles in collecting and preserving of digital evidence. The
dearth of adequate techno-legal skills coupled with lack of expertise in collecting such evidence
has undisputedly led to a rise in the cyber-crimes in the nation.
According to the National Crimes Record Bureau, 4,231 cyber-crimes were registered under
the IT Act and cyber-crime-related sections of the Indian Penal Code (IPC) during 2009-11. A
total of 1,184 people was arrested under the IT Act for cyber-crimes, while 446 people were
arrested under IPC sections. At least 157 cases were registered for hacking under the IT Act in
2011, while 65 people were arrested. Although a very large number of cyber-crimes probably
go unreported, this statistic gives us some idea about prevalence of cyber-crime in the country.
This is making cyber forensics increasingly relevant in today’s India.
In strictest legal parlance, the usage of apt forensic tools and technical knowledge to recover
the electronic evidence within the contours of the rules of evidence, for it to be admissible
before the court of law can be defined as cyber forensics. The electronic evidence so obtained
has to satisfy the criteria of crime attribution to the perpetrator by tracing its digital footprints
by preservation, extraction, interpretation, and documentation of digital evidence. It
encompasses a gamut of overlapping arena, e.g. database forensic, wireless forensic, network
forensic, disk forensic, mobile forensic, media forensic, IP Address tracking, cloud computing,
e-mail tracking etc. It seeks to protect the subject computer system, discover all the files on
the system, recover the deleted files, reveal the content of hidden and temporary files, access
the contents of the protected or encrypted files, analyze the relevant data and provide a
testimony on the basis of analysis of the above evidence.’
Prepared By
Page | 105
Legal Position in India

The confluence of two legal paradigms, i.e., the law of evidence and that of information
technology has made the legal domain at par with the contemporary challenges of the cyber
space.
1. Firstly, the traditional law defining the term “Evidence” has been amended to include
electronic evidence in Section 3, The Evidence Act, 1872. The other parallel legal
recognition appeared in Section 4, The Information Technology (Amendment) Act, 2008,
with the provision for acceptance of matter in electronic form to be treated as “written” if
the need arises. These show a prima facie acceptability of digital evidence in any trial.
2. Further, Section 79A of the IT (Amendment) Act, 2008 has gone aboard to define electronic
evidence as any information of probative value that is either stored, or transmitted in
electronic form and includes computer evidence, digital audio, digital video, cell phones and
digital fax machines.
3. With regards to admissibility of electronic records, Section 65-B of the Evidence Act, 1872
enunciates various conditions for the same.
4. Since digital evidence ought to be collected and preserved in certain form, the admissibility
of storage devices imbibing the media content from the crime scene is also an important
factor to consider. Reading Section 3 and Section 65-B, The Evidence Act, 1872
cumulatively, it can be inferred that certain computer outputs of the original electronic
record, are now made admissible as evidence “without proof or production of the original
record. Thus, the matter on computer printouts and floppy disks and CDs become admissible
as evidence.”
5. The other most crucial question in cybercrime investigation regarding the reliability of
digital evidence has also been clarified by Section 79A of the IT (Amendment) Act, 2008,
which empowers the Central government to appoint any department or agency of Central or
State government as Examiner of Electronic Evidence. This agency will play a crucial role
in providing expert opinion on electronic form of evidence.
A Brief Overview
Since every law is toothless without an enforcement mechanism, it becomes pertinent to
understand the mechanisms as well. In such a scenario, understanding the effect and the nature
of the computer-related crime becomes relevant, i.e., whether the computer is used as a
means/target for conducting any illegal activity with a dishonest and fraudulent intention under
Section 66 of the Information Technology (Amendment) Act, 2008. It is important to
understand that, for an act to be investigated as a cyber-crime under Section 66 of the
Information Technology (Amendment) Act, 2008, it has to be an act as defined under Section
43 of the Act coupled with dishonest and fraudulent intentions according to Section 24 and 25
of the Indian Penal Code. If the act falls short of the above criteria, then it falls under the
jurisdiction of the Adjudicating Officer and becomes an offence only and will not be
investigated as a cybercrime.
The computer-related crimes wherein computer is used as a target could include hacking, denial
of service, virus dissemination, website defacement, spoofing and spamming. Whereas, the
crimes wherein computer is used as tool for attack could include financial frauds, data
modification, identity theft, cyber stalking, data theft, pornography, theft of trade secret and
intellectual property and espionage on protected systems. In such scenarios, cyber forensic can
Prepared By
Page | 106
be used to image, retrieve and analyse the data stored in any digital device which has the
probability to relate the crime to the criminal. Be it an answering machine which stores voice
messages, or a server which records the contents downloaded, everything needs to be evaluated
with caution so that a chain of custody is maintained and the authenticity of the original
message is left unaltered.
At the initial level, the complainant can approach the cyber-crime police stations, or to a police
station in its absence. Once the information reveals the commission of a cognisable offence
under the IT (Amendment) Act, 2000, the details regarding the nature/modus operandi of the
cyber- crime is recorded in the complaint, e.g., profile name in case of social networking abuse,
with the allied documents like, server logs, copy of defaced web page in soft copy and hard
copy etc. Subsequent to this, a preliminary review of the entire scene of the offence is done to
identify and evaluate the potential evidences.
A pre-investigation technical assessment is also conducted to make the Investigating Officer
fully aware about the scope of the crime, following which a preservation notice is sent to all
the affected parties for preserving the evidence. To ensure the integrity of the evidence,
containment steps are taken to block access to the affected machines. For instance, the
Investigating Officer could ask the bank to freeze the suspect`s bank account in case of
financial frauds. When it comes to collection of evidence, the procedure for gathering
evidences from switched-off systems and live systems have to be complied with the search and
seizure mandate under Section 165, CrPC and Section 80 of the IT (Amendment) Act, 2008
and should be reflected in the Pachamama.
Another indispensable part of the investigation would be to avert the fabrication and tampering
of the digital evidence by maintaining the chain of custody of the evidence since the time it is
seized, transferred, analysed and presented before the court of law to ensure its integrity.
Hashing is one of the most common methods used to ensure the integrity of the digital evidence
and the media content. It encompasses “cryptographic hash function algorithm” and is a kind
of mathematical method which is “based on an algorithm which creates a digital representation,
or compressed form of the message, often referred to as a “message digest” or “finger print” of
the message, in the form of a “hash value” or “hash result” of a standard length that is usually
much smaller than the message but nevertheless substantially unique to it”.
With regards to documentation recording the digital evidence collection, the Investigating
Officer needs to record it in Digital Evidence Collection Form. This shall succinctly include
the process, the tools used, the hash value acquired from the forensic images of the evidences,
and the hashing algorithm used for hashing. Apart from being crucial factors in affecting the
evidentiary value of the digital evidence, maintaining the chain of custody and a documentation
record of the same is in the nature of a mandate on the Investigating Officer, since its non-
observance might expose the IO to criminal liability under Section 72 of the IT (Amendment)
Act, 2008.
After collecting and documenting the evidence either by forensic imaging or by storing it in
other devices like USBs, hard drives etc., the evidence is packaged, labelled, tagged and is
updated in the evidence database. Once the digital evidence is seized, orders of the competent
court may be sought to retain the seized properties or send the digital evidence for forensic
analysis. In cases where the owners of the property approach the court for the release of the
Prepared By
Page | 107
impounding properties, the IO should send a forensic imaged copy of the seized property rather
than the original material seized for smoother investigation.
Apart from these procedural compliances, a cyber-crime investigation would be incomplete
without analysing other external information. For instance, time zone conversions are used to
assess the exact time of the offence especially when targeted at a system beyond the local
jurisdiction with a different time zone. Other external data gathered from ISPs, mobile service
providers, social networking websites, financial institutions, web-site domain etc. is collated
and co-related with the lab findings for reconstructing the case in totality.
Cyber Crime Investigation by CBI
The CBI also can be approached for any serious economic offence, which is not of a general
and routine nature. It has Economic Offences Division for the investigation of major financial
scams and serious economic frauds, including crimes relating to fake Indian currency notes,
bank frauds and cyber-crimes. For the purpose of combating such crimes, CBI has certain
specialised structures, namely, Cyber Crimes Research and Development Unit (CCRDU),
Cyber Crime Investigation Cell (CCIC), Cyber Forensics Laboratory; and Network Monitoring
Centre.
1. The CCRDU is mainly entrusted with the task of collecting information on cyber-crime
cases reported for further investigation in liaison with the State Police Forces. On a
larger parlance, it plays a pivotal role in the collection and dissemination of information
on cyber-crimes in consonance with the Ministry of IT, Government of India and
other organizations/Institutions and Interpol Headquarters.
2. The CCIC has the power to investigate the criminal offences envisaged under the
Information Technology (Amendment) Act, 2008 and is also the point of contact for
Interpol to report the cyber-crimes in India.
3. The third organ, i.e., CFL, is the one which provides consultations and conducts
criminal investigation for various law enforcement agencies. It not only provides on-
site assistance for computer search and seizure upon request, but also is the one which
provides expert testimony in the court of law. It is pertinent to note that, the CFL must
also adhere to all the legal formalities during the seizure of the media for making the
media analysis admissible. The analysis should be based on the image of the media,
rather than the media itself and the chain of custody should be maintained.
4. Keeping the possibility of remote access from an isolated location across the globe into
consideration, the data storage in another jurisdiction cannot be ruled out all-together.
In situations involving the storage location of the data in another country, the Interpol
ought to be informed and Section 166, Cr PC needs to be complied.
5. Last but not the least, the Network Monitoring Centre is entrusted to monitor the
Internet by the usage of various tools.
Recently, CBI has signed a memorandum of understanding (MoU) with Data Security Council
of India (DSCI) with a view to seek expert services from the latter in managing the new
challenges in cybercrimes and updating officials with the latest technology. This shows a novel
collaborative approach between the law enforcement agencies and IT Industry for
strengthening the security measures.
Prepared By
Page | 108

AKLSWT - Information Technology Law PDF

Uploaded by

Copyright:

Available Formats

You might also like

AKLSWT - Information Technology Law PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AKLSWT - Information Technology Law PDF

Uploaded by

Copyright:

Available Formats

NOTES ON

INFORMATION TECHNOLOGY LAW

GOVERNMENT LAW COLLEGE, KOZHIKODE

PROBLEM OF JURISDICTION IN CYBER SPACE & LEGAL RESPONSE

Classification of jurisdiction under International law: - The jurisdiction in the International

a) Subjective territoriality: The subjective international principle allows the

Problem of Multiple Jurisdictions

Disorder Through Judicial Orders in The Area of Jurisdiction in Cyberspace

Minimum contacts with a jurisdiction would be established based on domicile, consent or

1) The burden on defendant;

Yahoo Case: Important International Case on Cyber Jurisdiction.

INDIAN POSITION OF THE JURISDICTION IN CYBERSPACE

2 of the section 75 of the Information Technology Act, 2000 applies to an offence or

As discussed above, according to statutory assumptions created under section 13 of IT Act,

agreement. The cloud computing agreement is a contractual liability. It is a civil liability

SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra,

RELEVANCY AND ADMISSIBILITY OF COMPUTER EVIDENCES

EXISTING LEGAL REGIME TO FACILITATE ELECTRONIC COMMERCE AND

Electronic commerce, or e-commerce, (also written as eCommerce) is a type of business

Electronic data interchange (EDI) is the structured transmission of data between

LEGAL ISSUE RELATING TO INTERNET CONTRACT

ESSENTIAL ELEMENTS OF ONLINE CONTRACT

1.) 10A. Validity of Contracts Formed Through Electronic Means. - Where in a

electronic form or by means of an electronic record, such contract shall not be

Case: – Rudder v. Microsoft Corporation: -The plaintiffs commenced a class action

• E signatures which incorporate an Aadhaar ID with an electronic Know-Your-

• The signatory of the e signature must be unique

• Any document listed by the government of India on the official gazette

VALIDITY OF ONLINE CONTRACT

LIABILITY OF INTERNET SERVICE PROVIDER

Copyright liability--legal cases

SPREAD OF OBSCENE MATERIAL IN INTERNET AND LEGAL RESPONSE.

1) Lascivious: It is something which excites lust in a person;

67. Punishment for publishing or transmitting obscene material in electronic

67A. Punishment for publishing or transmitting of material containing sexually explicit

67B. Punishment for publishing or transmitting of material depicting children in sexually

REQUIREMENT OF LAW ON DATA PROTECTION IN THE DIGITAL AGE

What is Data Protection?

Earlier, India witnessed disruptions from cyberattacks through a ransomware, WannaCry.

• Authentication: the origin of a message can be verified.

• Output length is small compared to input

RIGHT TO PRIVACY AND DATA PROTECTION

US Government has been reluctant to impose a regulatory burden on Electronic Commerce

LEGAL RESPONSE FOR INTERNET CRIME

Cybercrime in a broader sense (computer-related crime): Any illegal behaviour committed by

• Any such class of documents or transactions as may be notified by the Central

Here are the case studies for selected IT Act sections.

Section 65 – Tampering with Computer Source Documents

Section 66 – Computer Related offenses

Verdict: The Additional Chief Metropolitan Magistrate, Egmore, Chennai, sentenced N G

Section 66C – Punishment for identity theft

Section 66D – Punishment for cheating by impersonation by using computer resource

Section 66E – Punishment for violation of privacy

Section-66F Cyber Terrorism

Section 67 – Punishment for publishing or transmitting obscene material in electronic

All sentences were to run concurrently.

Section 67B – Punishment for publishing or transmitting of material depicting children

Section 69 – Powers to issue directions for interception or monitoring or decryption of