Status regarding Budapest ConventionStatus : NA Declarations and reservations : N/A See legal profile
The Government of India has not yet adopted specific national cybercrime policies or strategies. However, on 2nd July 2013, it launched the National Cyber Security Policy, 2013. The vision and mission of National Cyber Security Policy, 2013 are to build a secure and resilient cyberspace for citizens, businesses and Government and also to protect information and information infrastructure in cyberspace and also build capabilities to prevent and respond to cyber terror threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, process, technology and cooperation.
The Indian Government is in the process of formulating the National Cyber Security Strategy 2020 (NCSS 2020) to cover a five-year timeframe (2020-2025).
State of cybercrime legislation
Cybercrime is addressed by the Information Technology Act, 2000 (No. 21 of 2000) as amended by the Information Technology (Amendment) Act, 2008 (No. 10 of 2009). It includes substantive and procedural rules many of which are to further detailed in secondary rules.
The Information Technology Act, 2000 as amended in 2008 & the Indian Penal Code, 1860 are the main substantive laws. The Information Technology Act, 2000 as amended in 2008, includes the following offences:
Tampering with Computer Source Documents (Section 65), Computer Related Offences (Section 66) Sending Offensive Messages Through Communication Service etc (Section 66A), receiving stolen computer resource or communication device (Section 66B), Identity Theft (Section 66C), Cheating by impersonation by using computer resource (Section 66D), Violation of Privacy (Section 66E), Cyber Terrorism (Section 66F), Publishing or transmitting obscene material in electronic form (Section 67), Publishing or transmitting of material containing sexually explicit acts etc in electronic form (Section 67A), Publishing or transmitting a material depicting children in sexually explicit acts etc in the electronic form (Section 67B), Non-preservation and retention of information by intermediaries (Section 67C), Failure to comply with directions issued by the Controller of Certifying Authorities (Section 68), Failure to comply with directions of blocking for public access of any information through any computer resource (Section 69A), Intentionally or knowingly failing to monitor and collect traffic data or information through any computer resource for cyber security (Section 69B), Securing or attempting to secure access to protected system (Section 70), Misrepresentation of material facts from the Controller of Certifying Authorities (Section 71), Breach of privacy and confidentiality (Section 72) Disclosure of information in breach of lawful contract (Section 72A), Publishing electronic signature certificate false in certain particulars (Section 73), Publication of electronic signature certificate for fraudulent purposes (Section 74), Punishment for abetment of offences (Section 84B), Punishment for attempt to commit offences (Section 84C) & Offences by Companies (Section 85).
In addition, the Indian Penal Code, 1860 also includes the following offences:
Public servant framing an incorrect document with intent to cause injury (Section 167), Absconding to avoid service of summons or other proceeding (Section 172), Preventing service of summons or other proceeding, or preventing publication thereof (Section 173), Omission to produce document to public servant by person legally bound to produce it (Section 175), Fabricating false evidence (Section 192), Destruction of document to prevent its production as evidence (Section 204), Voyeurism (Section 354 C), Stalking (Section 354 D), Forgery (Section 463), Making a false document (Section 464), Forgery of record of Court or of public register, etc (Section 466), Forgery for purpose of cheating (Section 468), Forgery for purpose of harming reputation (Section 469), Forged document (Section 470), Using as genuine a forged document (Section 471), Having possession of document described in section 466 or 467, knowing it to be forged and intending to use it genuine (Section 474), Counterfeiting device or mark used for authenticating documents other than those described in section 467, or possessing counterfeit marked material (Section 476), Falsification of accounts (Section 477A).
The main general framework available to all cybercrime investigations is the Indian Information Technology Act, 2000 as amended in2008, and the Code of Criminal Procedure, 1973 (Cr.PC)(http://www.advocatekhoj.com/library/bareacts/codeofcriminalprocedure/index.php?Title=Code%20of%20Criminal%20Procedure%20Act,%201973).
Powers include inter alia:
Art 28 Power to investigate contraventions.
Art 29 Access to computers and data.
Art 76 Confiscation
Art 69B Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security
Art 69 Powers to issue directions for interception or monitoring or decryption of any information through any computer resource
General rules and safeguards apply.
The safeguards of the Code of Criminal Procedure, 1973 and of the Information Technology Act, 2000 (amended 2008) and rules and regulations made thereunder including Information Technology (Intermediary Guidelines) Rules, 2011 and Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 apply.(http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf & http://meity.gov.in/sites/upload_files/dit/files/GSR314E_10511(1).pdf ). In particular, Article 32 & Article 226 of the Constitution of India applies, which stipulates the intervention of a judge to authorize certain procedural measures, if fundamental rights are in danger or violated. (https://www.india.gov.in/sites/upload_files/npi/files/coi_part_full.pdf )
Related laws and regulations
Beside the Information Technology Act, 2000 as amended in 2008, related laws and regulations include:
The Indian Penal Code, 1860 as amended by the Information Technology Act, 2000; Code of Criminal Procedure, 1973; The Information Technology (Electronic Service Delivery) Rules, 2011; The Information Technology (Reasonable Security Practices and Procedures And Sensitive Personal Data Or Information) Rules, 2011; The Information Technology (Intermediaries Guidelines) Rules, 2011; The Information Technology (Guidelines for Cyber Cafe) Rules, 2011, Notification No. S.O.1581(E) dated 26.4.16 regarding Authorisation of CERT-In to monitor and collect traffic data or information in any computer resources u/s 69B, Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018, etc.
The Government of India has set up the specialized cybercrime institutions being Indian Computer Emergency Response Team (CERT-In) (http://www.cert-in.org.in/) & The National Critical Information Infrastructure Protection Centre (NCIIPC) (https://meity.gov.in/writereaddata/files/GSR_19%28E%29_0.pdf)
India has also set up various specialized cybercrime police stations throughout India including in Bangalore, Hyderabad, Mumbai, Delhi, Chennai, Lucknow, Trivandrum, Assam, Thane, Pune, Gujarat, Jharkhand, Haryana, Himachal Pradesh, Jammu, Kerala, Meghalaya, Orissa, Bihar, Punjab, Uttar Pradesh, West Bengal, Uttarakhand (Dehradun) etc. (https://www.infosecawareness.in/cyber-crime-cells). The Central Bureau of Investigation has got a cybercrime cell. However, there is no specialized cybercrime office and also no structure regarding Judges trying cybercrimes in India per se.
The Indian Cyber Crime Coordination Centre (I4C) - https://mha.gov.in/division_of_mha/cyber-and-information-security-cis-division/Details-about-Indian-Cybercrime-Coordination-Centre-I4C-Scheme and National Cyber Crime Reporting Portal - https://www.cybercrime.gov.in/ were inaugurated in January 2020 (https://pib.gov.in/PressReleasePage.aspx?PRID=1599067).
Competent authorities and channels
India has not acceded to the Budapest Convention on Cybercrime. However, India is a member of the G7 24/7 network of contact points.
India has concluded Mutual Legal Assistance Treaties (MLAT) with various countries (http://legalaffairs.gov.in/documents/mlat).The Information Technology Act, 2000 as amended 2008 does not provide for specific international cooperation measures, but indicates that some domestic measures can be applied to maintain friendly relations with other States (Article 69).
India has only limited number of convictions for cybercrime. However, some important case law is available. A decision pertaining to electronic evidence is Anvar PK v/s P K Basheer. In the said matter, the Supreme Court of India has categorically held thus:
“Any documentary evidence by way of an electronic record under the Evidence Act, in view of Sections 59 and 65A, can be proved only in accordance with the procedure prescribed under Section 65B. Section 65B deals with the admissibility of the electronic record. The purpose of these provisions is to sanctify secondary evidence in electronic form, generated by a computer. It may be noted that the Section starts with a non obstante clause. Thus, notwithstanding anything contained in the Evidence Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer shall be deemed to be a document only if the conditions mentioned under sub-Section (2) are satisfied, without further proof or production of the original. The very admissibility of such a document, i.e., electronic record which is called as computer output, depends on the satisfaction of the four conditions under Section 65B (2).”
In State of Delhi v. Mohd. Afzal & Others 2003 (3) JCC 1669 which is known as the Parliament House Attack case, the Delhi High Court held that electronic records are admissible as evidence. The appeal was filed in the Supreme Court of India entitled State v Navjot Sandhu(2005) 11 SCC 600, wherein the Hon’ble Supreme Court held that in the said case, the certificate containing the details in Section 65B (4) is not filed, but that does not mean that secondary evidence cannot be given. The law permits such evidence to be given in the circumstances mentioned in the relevant provisions, namely, Ss. 63 and 65 of the Indian Evidence Act 1872.
Further, the Supreme Court of India in K.K.Velusamy vs. N.Palanisamy (2011) 11 S.C.C.275, considered the issue regarding the telephonic conversation recording and came to a conclusion that a disc containing recording of telephonic conversation could be valid evidence according to Section 3 of the Evidence Act and Section 2 (t) of the IT Act. The Hon'ble Supreme Court has further observed that electronically recorded conversation is admissible in evidence, if the conversation is relevant to the matter in issue and the voice is identified and the accuracy of the recorded conversation is proved by eliminating the possibility of erasure addition or manipulation
Sidhartha Vashisht @ Manu Sharma Vs. State (Nct Of Delhi) on 19 April, 2010, Criminal Appeal No. 179 OF 2007, the Supreme Court of India held as follows:
- “153) Summary of our Conclusion:
- 3) Phone calls made immediately after an incident to the police constitutes an FIR only when they are not vague and cryptic. Calls purely for the reason of getting the police to the scene of crime do not necessarily constitute the FIR. In the present case, the phone calls were vague and therefore could not be registered as the FIR. The FIR was properly lodged as per the statement of Shyan Munshi PW-2.
- 11) Every effort should be made by the print and electronic media to ensure that the distinction between trial by media and informative media should always be maintained. Trial by media should be avoided particularly, at a stage when the suspect is entitled to the constitutional protections. Invasion of his rights is bound to be held as impermissible.
Sources and links
The National Cyber Security Policy, 2013- https://meity.gov.in/writereaddata/files/downloads/National_cyber_security_policy-2013%281%29.pdf
Information Technology Act, 2000 (No. 21 of 2000)- http://meity.gov.in/content/information-technology-act
Information Technology (Intermediary Guidelines) Rules, 2011- http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf
Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011- http://meity.gov.in/sites/upload_files/dit/files/GSR314E_10511(1).pdf
Indian penal code, 1860- https://indiacode.nic.in/bitstream/123456789/2263/1/A1860-45.pdf
Code of Criminal Procedure, 1973- (Cr.PC)-http://www.advocatekhoj.com/library/bareacts/codeofcriminalprocedure/index.php?Title=Code%20of%20Criminal%20Procedure%20Act,%201973
Indian Computer Emergency Response Team (CERT-In)- http://www.cert-in.org.in/
The national critical information infrastructure protection centre (NCIPC)- https://meity.gov.in/writereaddata/files/GSR_19%28E%29_0.pdf
G8 24/7 point of contact- http://www.oas.org/juridico/english/cyb_pry_G8_network.pdf
Mutual Legal Assistance Treaties (MLAT)- http://legalaffairs.gov.in/documents/mlat
Budapest Convention and the Information Technology Act - https://cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act
These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe.
Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?
Share this information with us helping to keep this platform up to date.
- Cybercrime website
- Template: Mutual Legal Assistance Request for subscriber information (Art. 31 Budapest Convention). English and bilingual versions available.
- Template: Data Preservation Request (Articles 29 and 30 Budapest Convention). English and bilingual versions available.