JAMIA MILLIA ISLAMIA

Clinical Course III Project

INVESTIGATION AND ADJUDICATION

OF CYBER CRIMES IN INDIA AND
ROLE OF CERTIFYING AUTHORITY

Submitted to Professor Ghulam Yazdani

Submitted by:
Shazadi Halima Sadiya
V Year, Roll No. 29, Sec A
Faculty of Law

Page 1 of 29
 INDEX

S. No. Particulars Page No. Remarks

1. Acknowledgement

2. Introduction

3. Cyber Crimes: India and the world

 History of Cyber Crimes
 Evolution of Cyber Laws
 Cyber Law in India
 Information Technology Act, 2000
 Acts amended by Information
Technology Act, 2000
 Important offences and Penalties
under the Act, 2000.

4. Investigation and Adjudication of Cyber

Crimes in India
 Investigation and Adjudication
 Condition of Cyber Appellate
Authority
 Adjudication Authority of no use
 Landmark Cases

5. Data Analysis

Page 2 of 29
6. Role of Certifying Authority

7. Conclusion

8.. Bibliography

Page 3 of 29
 ACKNOWLEDGMENT

First of all I would like to thank Almighty Allah for giving me all strength, energy
and courage to take up this burning topic, work on it and finish it on time.

I would also like to express my sincere gratitude to my Law and Information

Technology Professor Ghulam Yazdani for giving me his time and making me
understand the rules of research in depth and providing her invaluable guidance,
comments and suggestions throughout the course of the paper/ project and
constantly motivating me to work harder. I would specially thank Ms. Mahjabeen
(Advocate) for giving me the practical aspect of the areas of the paper/ project.

I would further like to thank all my friends and neighbors for giving me their
opinions and personal experiences they had on this actual practice. I would also
like to thank my classmates for all the enriching discussions on the present topics
and their recommendations on my Project.

Shazadi Halima Sadiya

BALLB V year

Page 4 of 29
 INTRODUCTION
At present times, computer and internet is being used for different purposes and
reasons depending on the person‟s skill, necessities and wants. When you look at
the population of the people who use computers in the world, the numbers are
astonishingly high. It is increasing every day and as every second passes,
technologies are increasing and something better is being added to it. Let‟s take
China for example an article which says “There are nearly 300 million inter users
only in China”.1 The number of internet users in India is expected to reach 500
million by June 2018. The number of Internet users stood at 481 million in
December 2017 as per report of Internet and Mobile Association of India (IAMAI)
and Kantar IMRB.2 So with this population of computer and cyber users, there is
no wrong in saying cyber and computer crime will keep on increasing as it is
networked internationally, which makes computer criminals to get access to it
easily. Thus we can do nothing but notice that not only government and
Businessmen rely on computers but also criminals which are utilizing it for
committing cyber-crimes on mass level smoothly without fear of getting caught.3

This brings our attention to one important topic, that is, measures to bring down the
rate of commission of cyber-crimes which is becoming hub of techno savvy
criminals who are getting new and better opportunities of committing crimes
without physical presence and with full anonymity when different countries are
tricked into solving their territorial jurisdiction for trying the offence. The
procedure for investigation and adjudication of cyber Crime is another important
aspect.

1
Eliza Strickland,”population of internet users in china” New York Times ,1 July, 2009
2
India to have 500 million internet users Available at: https://indianexpress.com/article/technology/tech-
news-technology/india-to-have-over-500-million-internet-users-by-june-2018-iamai-report/ (last modified
th
on 20 February 2018)
3
A Cyber Crime and Computer Crime available at https://www.ukessays.com/essays/information-
technology/a-cyber-crime-and-computer-crime-information-technology-essay.php (Visited on 15th
October 2018)

Page 5 of 29
 Cyber Crimes: India and the world
“The boundaries of acceptable behaviors, or even ethical behavior, in cyberspace
are not yet clearly defined. Nor does there exist a consensus on what types of
information can and should be considered property on the network, and what
constitutes theft or interference with this property”.4

History of Cyber Crimes:

The first recorded cyber-crime took place in the year 1820. That is not surprising
considering the fact that the abacus, which is thought to be the earliest form of
computer, has been around since 3500 B.C. in India, Japan and China. The era of
modern computers, however, began with the analytical engine of Charles Babbage.
In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, Produced the
loom. This device allowed the repetition of a series of steps in the weaving of
special fabrics. This resulted in a fear amongst Jacquard‟s employees that their
traditional employment and livelihood were being threatened. They committed acts
of sabotage to discourage Jacquard from further use of the new technology. This is
known as the first recorded cyber-crime in the history. Actually the physical
damages to computer systems and subversion of the long distance telephone
networks were involved in the early computer crimes.5

U.S. is the birthplace of the Internet and experienced the first computer facilitated
crime in the year 1969. After this in the time period of 1960s and 1970s, a litany of
early physical attacks on computer systems was catalogued by Thomas Whiteside.
Those cyber criminals who were involved in telephone phreakers became hackers
in the 1960‟s because they had an extra curiosity to know about computer,
computer system and its use for their own ends in the early 1960‟s. They went on
their work with the curiosity to learn the change of computer code of the system.
But in the early stage of this new technology these crimes were committed by

4
Ritu, “Cyber crimes National and International perspective” (2017) (Unpublished PhD thesis Kurukshetra
University)
5
ibid

Page 6 of 29
technology experts who directly attack into the computer, computer system or
computer network. In the year 1970, the malicious association became evident with
the purpose of hacking and at that time the early computerized phone system were
the target.6

Robert Morris in the year 1986 discovered worm virus. In United States v. Robert
Tappan Morris7, Morris was pursuing Ph.D from the Cornell University in
computer science in the year 1988. The Cornell University has given him an
account on the computer to use it and after that he has discovered “worm” called as
one form of “virus” which may be used to demonstrate the inadequacies of security
systems and networks. Then, he released the worm through a computer at the
Massachusetts Institute of Technology (MIT) on 2nd November 1988 which caused
damage and infection very fast to other computers. The court found him guilty
under title, 18 USC s. 1030(a)(5)(A) and was sentenced to 3 years of probation,
400 hours of community service, a fine of $10,050 and the costs of his supervision.

Evolution of Cyber Law:

In the case of “R v Gold & Schifreen”8 the defendants had gained unauthorized
access to the computer network. The defendants were charged under the forgery
and counterfeiting act, 1981 for “defrauding” by manufacturing a “false
instrument”. It was held by house of lords that:
“We have accordingly come to the conclusion that language of the act was not
intended to apply to the situation which was shown to exist in this case …..
The procrustean attempt to force these into the language of the act not designed to
fit them produced grave difficulties for both judge and jury which we would not
wish to see repeated. The appellants conduct amounted in essence, as already
stated, to dishonestly gaining access to the relevant Prestel data bank by a trick.

6
Supra Note 4
8
1988 a AC 1063 [1988] WLR 984

Page 7 of 29
 This is not a criminal offence. If it is thought desirable to make it so, that is manner
for legislature rather than the courts.”9
This judgment brought the possibilities of cybercrime and inadequacy of existing
laws to deal with them to the notice of legislature of Great Britain. It led to the
enactment of the computer misuse act, 1990. This was among the first cyber laws
enacted. It recognized the following offences: Unauthorized access to computer
material, Unauthorized access with intent to commit or facilitate commission of
further offences and Unauthorized acts with intent to impair, or with recklessness
as to impairing, operation of computer etc. 10

Uniform International standards for Cyber Law: UNICETRAL Model Law

on Electronic Commerce, 1996
With the globalization of business, the international community felt a need for the
law which would set uniform standards for electronic commerce. This led to the
adaptation of UNICETRAL Model Law on Electronic Commerce by the UN
general assembly (the „Model Law‟). 11

Beside the aforesaid, there are following conventions and international law formed
by the group of countries:
1. Convention on cyber crime
2. Commonwealth Computer related Crimes Model Law
3. Standerd draft convention
In view of the urgent need and the international pressure India‟s government came
up with the first law to regulate the information Technology - Information
Technology Act, 2000.

Cyber Law in India

When we curb abuse we will expand freedom” – Ashley Judd.

9
R V Gold & Schifreen 1988 a AC 1063 [1988] WLR 984
10
Anirudhh Rastogi, “Cyber Law, Law of Information Technology and Internet” (Lexis Nexis, First Edition,
2014)
11
ibid

Page 8 of 29
The New Shorter Oxford Dictionary explains the expressions „Cyber Space‟ as
„notional environment within which electronic communication occurs especially
when represented as the inside of a computer system, space perceived as such by an
observer, but generated by a computer system and having no real existence, the
space of virtual reality‟. 12

Cyber Crime is not defined in Information Technology Act 2000 or in the I.T.
Amendment Act 2008 or in any other legislation in India. In fact, it cannot be too.
Offence or crime has been dealt with elaborately listing various acts and the
punishments for each, under the Indian Penal Code, 1860 and quite a few other
legislations too. Hence, to define cybercrime, we can say, it is just a combination
of crime and computer. To put it in simple terms „any offence or crime in which
a computer is used is a cybercrime‟.

Information Technology Act, 2000

The Information Technology Act, 2000 comprises 94 sections which is divided into
13 chapters. The Act has four schedules that lay down the relative amendments to
be in the Indian Penal Code, Indian Evidence Act, Banker‟s Book Evidence Act,
and the Reserve Bank of India Act. This is an Act to provide legal recognition for
transactions carried out by means of electronic data interchange and other means of
electronic communication, commonly referred to as “electronic commerce”, which
involve the use of alternatives to paper-based methods of communication and
storage of information, to facilitate electronic filing of documents with the
Government agencies.

Acts amended by the Information Technology Act, 2000:

 The Indian Penal Code, 1860:
 The Indian Evidence Act 1872:
 The Bankers‟ Books Evidence(BBE) Act 1891-
12
The New Shorter Oxford Dictionary

Page 9 of 29
  Reserve Bank of India Act, 1934-

Important Offences under Information Technology Act, 2000 and and

Penalties
Chapter IX dealing with Penalties, Compensation and Adjudication is a major
significant step in the direction of combating data theft, claiming compensation,
introduction of security practices etc. Section 43 deals with penalties and
compensation for damage to computer, computer system etc. This section is the
first major and significant legislative step in India to combat the issue of data
theft. This Section addresses the civil offence of theft of data. Writing a virus
program or spreading a virus mail, a bot, a Trojan or any other malware in a
computer network or causing a Denial of Service Attack in a server will all come
under this Section and attract civil liability by way of compensation. Under this
Section, words like Computer Virus, Compute Contaminant, Computer database
and Source Code are all described and defined.13

Questions like the employees‟ liability in an organisation which is sued against for
data theft or such offences and the amount of responsibility of the employer or the
owner and the concept of due diligence were all debated in the first few years of
Act. Thus the new Section 43-A, dealing with compensation for failure to protect
data was introduced in the Amendment Act -2008. The criminal provisions of the
IT Act and those dealing with cognizable offences and criminal acts follow from
Chapter IX titled “Offences”.

Section 65: Tampering with source documents is dealt with under this section.
Fabrication of an electronic record or committing forgery by way of interpolations
in CD produced as evidence in a court14

13 th
Indian Institute of Banking and Finance, “IT Security”, (Taxmann, Mumbai, 2016, 6 Edition)
14
Bhim Sen Garg vs State of Rajasthan and others, 2006, Cri LJ, 3463, Raj 2411

Page 10 of 29
Section 66: Computer related offences are dealt with under this Section. Data
theft stated in Section 43 is referred to in this Section. The act of data theft or the
offence stated in Section 43 if done dishonestly or fraudulently becomes a
punishable offence under this Section and attracts imprisonment upto three years or
a fine of five lakh rupees or both. Earlier hacking was defined in Sec 66 and it was
an offence.

Section 66A- Sending offensive messages through communication service, causing

annoyance etc. this has been declared unconstitutional by Supreme Court.

Section 66B- Dishonestly receiving stolen computer resource or communication

device attracts punishment up to three years or one lakh rupees as fine or both.

Section 66C- it provides electronic signature or other identity theft like using
others‟ password or electronic signature etc. Punishment is three years
imprisonment or fine of one lakh rupees or both.

Section 66D- it provides for Cheating by personation using computer resource or a

communication device shall be punished with imprisonment of either description
for a term which extend to three years and shall also be liable to fine which may
extend to one lakh rupee.

Section 66E it provides for Privacy violation – Publishing or transmitting private

area of any person without his or her consent etc. Punishment is three years
imprisonment or two lakh rupees fine or both.

Section 66F it provides for Cyber terrorism – Intent to threaten the unity, integrity,
security or sovereignty of the nation and denying access to any person authorized
to access the computer resource or attempting to penetrate or access a computer
resource without authorization. Acts of causing a computer contaminant (like virus
or Trojan Horse or other spyware or malware) likely to cause death or injuries to

Page 11 of 29
persons or damage to or destruction of property etc. come under this Section.
Punishment is life imprisonment.

It may be observed that all acts under S.66 are cognizable and non-bailable
offences. Intention or the knowledge to cause wrongful loss to others is the
existence of criminal intention and the evil mind is concept of mens rea,
destruction, deletion, alteration or diminishing in value or utility of data are all the
major ingredients to bring any act under this Section.

Section 67 deals with publishing or transmitting obscene material in electronic

form. The earlier Section in the Act was later widened as per Amendment Act,
2008 in which child pornography and retention of records by intermediaries were
all included. This Section is of historical importance since the landmark judgment
in what is considered to be the first ever conviction under I.T. Act 2000 in India,
was obtained in this Section in the famous case “State of Tamil Nadu vs Suhas
Katti”.15

Section 67A- This section deals with publishing or transmitting of material

containing sexually explicit act in electronic form. Contents of Section 67 when
combined with the material containing sexually explicit material attract penalty
under this Section. Child Pornography has been exclusively dealt with under
Section 67B. Penalty for breach of confidentiality and privacy is discussed in
Section 72 with the punishment being imprisonment for a term up to two years or a
fine of one lakh rupees or both.

Section 67C fixes the responsibility to intermediaries that they shall preserve and
retain such information as may be specified for such duration and in such manner
as the Central Government may prescribe. Liability of intermediaries and the
concept of Due Diligence has been discussed in Section 79.

15
2004 2 SCC 345

Page 12 of 29
 Investigation and Adjudication of Cyber
Crimes in India
Investigation and Adjudication
Adjudication powers and procedures have been dealt in Sections 46 and thereafter
which specially applies to the Civil matters. As per the Act, the Central
Government may appoint any officer not below the rank of a director to the
Government of India or a state Government as the adjudicator. The I.T. Secretary
in any state is normally the nominated Adjudicator for all civil offences arising out
of data thefts and resultant losses in the particular state. Very few applications were
received during first 10 years of existence of the Act, that too in the major metros
only. The first adjudication obtained under this provision was in Chennai, Tamil
Nadu, in a case involving ICICI Bank in which the bank was told to compensate
the applicant with the amount wrongfully debited in Internet Banking, along with
cost and damages. There is an appellate procedure under this process and the
composition of Cyber Appellate Tribunal at the national level, has also been
described in the Act. Every adjudicating officer has the powers of a civil court and
the Cyber Appellate Tribunal has the powers vested in a civil court under the Code
of Civil Procedure.16

When we come to Cognizable offences, According to Information Technology

Act, a cybercrime has global jurisdiction and the complaint for the cybercrime can
be file at any cyber cell. At the initial level, the complainant can approach the
cyber-crime police stations, or to a police station in its absence. Once the
information reveals the commission of a cognizable offence under the Information
Technology (Amendment) Act, 2000, the details regarding the nature/modus
operandi of the cyber- crime is recorded in the complaint, e.g., profile name in case

16
Rohit K. Gupta, “An Overview Of Cyber Laws vs. Cyber Crimes: In Indian Perspective”
http://www.mondaq.com/india/x/257328/Data+Protection+Privacy/An+Overview+Of+Cyber+Laws+vs+Cy
ber+Crimes+In+Indian+Perspective (last visited on 31.10.2018 at 12:09 pm)

Page 13 of 29
of social networking abuse, with the allied documents like, server logs, copy of
defaced web page in soft copy and hard copy etc. Subsequent to this, a preliminary
review of the entire scene of the offence is done to identify and evaluate the
potential evidences. A pre-investigation technical assessment is also conducted to
make the Investigating Officer fully aware about the scope of the crime, following
which a preservation notice is sent to all the affected parties for preserving the
evidence. To ensure the integrity of the evidence, containment steps are taken to
block access to the affected machines. Affecting the evidentiary value of the digital
evidence, maintaining the chain of custody and a documentation record of the same
is in the nature of a mandate on the Investigating Officer, since its non-observance
might expose the IO to criminal liability under Section 72 of the IT (Amendment)
Act, 2008. After filing the complaint the, the procedure will go according to the
Criminal Procedure Code , the , the case will be brought to District and Session
Court and then , the Court will do the further proceedings of the case. The
Jurisdiction of the Court cannot be challenged because there is no particular
jurisdiction of cyber Crimes happening globally. Cybercrime by its very nature can
be perpetrated in practically any location in the world. A cybercriminal can sit in
one place and commit a crime the effect of which are felt elsewhere, or can malign
the name or identity of another person located elsewhere, or even create the false
impression that someone else has committed the crime. In such circumstances, it is
very necessary that the investigating machinery should take care while
investigating, particularly in light of the highly stringent provisions of the IT Act,
which prescribe bailable but cognizable offences. The investigations are also
dependent on intermediaries such as Internet service providers. There are no proper
provisions to ensure accountability of intermediaries for their functions in aiding
police investigations. The procedure will be followed as mentioned in Criminal
Procedure Code.17

17
“ Courts to approach during Cybercrimes”
http://www.beingyourlawyer.com/Which%20Court%20can%20you%20approach%20in%20cyber%20crime
.php (Last Visited 27.11.2018 at 12:58 pm)

Page 14 of 29
Critical Information Infrastructure and Protected System have been discussed in
Section 70. The Indian Computer Emergency Response Team (CERT-In) coming
under the Ministry of Information and Technology, Government of India, has been
designated as the National Nodal Agency for incident response. By virtue of this,
CERT-In will perform activities like collection, analysis and dissemination of
information on cyber incidents, forecasts and alerts of cyber security incidents,
emergency measures for handling cyber security incidents etc. The role of CERT-
In in e-publishing security vulnerabilities and security alerts is remarkable.
Considering the global nature of cybercrime, Section 75 clearly states that the Act
applies to offences or contravention committed outside India, if the contravention
or the offence involves a computer or a computer network located in India. This
Act has over-riding provisions especially with regard to the regulations stipulated
in the Code of Criminal Procedure. As per Section 78, notwithstanding anything
contained in the Code of Criminal Procedure, a police officer not below the rank of
an Inspector shall investigate an offence under this Act.

The Act is applicable to electronic cheques and truncated cheques (i.e. the image of
cheque being presented and processed curtailing and truncating the physical
movement of the cheque from the collecting banker to the paying banker).
Overriding powers of the Act and the powers of Central Government to make rules
and that of State Governments to make rules wherever necessary have been
discussed in the Sections that follow. 18

This act, under Section 80, talks of power of police office to have the power of
search and seizure if specially empowered by central and state government without
having warrant of such search. Further section 81 of the said act talks of act having
overriding effect over any other act.

Section 69 is an interesting section in the sense that it empowers the Government

or agencies as stipulated in the Section, to intercept, monitor or decrypt any

18
ibid

Page 15 of 29
information generated, transmitted, received or stored. Section 69A, vests with the
Central Government or any of its officers with the powers to issue directions for
blocking for public access of any information through any computer resource,
under the same circumstances as mentioned above. Section 69B discusses the
power to authorize to monitor and collect traffic data or information through any
computer resource.

Condition of Cyber Crime Appellate Tribunal

The ministry of communication and information technology‟s Cyber Appellate
Tribunal (CyAT) was established in 2006 as “a specialised forum to redress cyber
fraud”. From 2011, however, the tribunal has barely been functioning. It still pays
out salaries to its employees but no judicial order has been passed nor has any case
been heard for the last five years. A recent Comptroller and Auditor General audit
has noted that after the retirement of the CyAT‟s last chairperson in June 2011,
there has been no replacement appointed as of June 2016. The CyAT was initially
set up as a statutory organisation, under the control of the IT ministry, in
accordance with Section 48 (1) of the Information Technology Act, 2000. For the
purposes of discharging its functions, the tribunal was vested with the same powers
that are vested in a civil court.In April 2015, the IT ministry appointed S.S. Chahar,
an officer of the Indian Legal services, to assume the post of “Member (Judicial)
Cyber Appellate Tribunal”. Take November 18, 2016. According to the tribunal‟s
case status notice, an appeal in the matter of Vodafone India Ltd versus Sh
Prabhakar Sadekar was heard by the cyber tribunal. Counsel for the appellant
Saransh Jain was present, according to the notice. However, the matter was just
quickly adjourned. As the notice below shows, “since the bench is not assembling
due the non-availability of the Hon’ble Chairperson, this application is adjourned
to December 9th, 2016”.When complaints aren‟t resolved through the organisation
or financial institution in question, most customers head to either their local cyber-
crime police cell or decide to go to a consumer forum or their local district or high
court. Most of these options are either time-consuming or logistical nightmares.
The cyber-crime divisions of city police stations are often grappling with all sorts

Page 16 of 29
of cyber crime, including online harassment, in addition to cyber fraud. Going to a
high court, most of which are already overburdened, takes time and patience. In the
2017 budget, CyAT was merged with TDSAT but TDSAT had not started hearing
any of the pending cases. Now it appears that the files have started moving in
TDSAT and from the beginning of this month, TDSAT has started sending notices
regarding pending cases for preliminary listing. Let‟s hope that the litigants who
are waiting for a long time now will at last see justice. During the last 7 years the
scenario in Cyber Crimes in India has changed and this is likely to have its impact
on the pending cases. We hope that TDSAT will interpret the provisions of the Act
2000 which were designed to make the judicial process simple in a manner that
upholds the intention of those who framed the Act, 2000. 19

Adjudicting Authority of no use- Section 46

If at all one section can be criticized to be absolutely lacking in popularity in the IT
Act, it is this provision. In the first ten years of existence of the ITA, there have
been only a very few applications made in the nation, that too in the major metros
almost all of which are under different stages of judicial process and adjudications
have been obtained in possibly less than five cases. It is time the state spends some
time and thought in enhancing awareness on the provision of adjudication for civil
offences in cyber litigations like data theft etc so that the purpose for which such
useful provisions have been made, are effectively utilized by the litigant public.

Landmark Judgments
In 2004, in India the landmark case which is considered to be the first case of
conviction under section 67 of Information Technology Act which makes this
section is of the historical importance is State of Tamil Nadu v. Suhas Katti20. In
this case, some defamatory, obscene and annoying messages were posted about the
victim on a yahoo messaging group which resulted in annoying phone calls to her.

19
“Tragic comedic functioning of india’s cyber appellate tribunal” available at
https://thewire.in/banking/tragic-comedic-functioning-indias-cyber-appellate-tribunal (last modified on
th
20 February 2018)
20
2005 2 SCC 145

Page 17 of 29
She filed the FIR and the accused was found guilty under the investigation and was
convicted under section 469, 509 of Indian Penal Code and section 67 of
Information Technology Act. In 2005, in India the first case which was registered
under section 65 of the Information Technology Act is Syed Asifuddin and Ors. v.
State of Andhra Pradesh and Anr.21 In this case the court held that the cell phones
fulfilled the definition of „computer‟ under the Information Technology Act and the
unique Electronic Serial Numbers which are programmed into each handset like
ESN, SID (System Identification Code), MIN (Mobile Identification Number) are
the „computer source code‟ within the definition under the Information Technology
Act which is required to be kept and maintained by the law.

In the phase of 2006 to 2008, cybercriminals started organizing into gangs with a
growing amount of money at stake. Even some cybercriminals had a Mafia-like
structure with malicious hackers, programmers and data sellers reporting to
managers and that person in turn reported to a boss who was in charge of
distributing cybercrime kits. That‟s why this time period is remembered as lure of
money through gangs and discretion. In 2006 the Indian court held that fabrication
of an electronic record or committing forgery by way of interpolations in CD
produced as evidence in a court attract punishment under section 65 of the
Information Technology Act in the case of Bhim Sen Garg v. State of Rajasthan
and Others22.

Similarly, in Rajeev Chandrashekhar v. Union of India23 and Common Cause v.

Union of India24 case, a writ petition was filed in public interest under Article 32
of the Constitution of India by challenging section 66A of the Information
Technology Act, 2000 and Rules 3(2), 3(3), 3(4) and 3(7) of the Information
Technology (Intermediaries Guidelines) Rules, 2011 as unconstitutional. In this
case the Petitioner, a serving Member of Parliament submits that Section 66A
21
MANU/AP/0660/2005
22
2006, Cri LJ, 3463, Raj 2411
23
2013 15 SCC 243
24
2013 5 SCC 134

Page 18 of 29
contains several words/terms that are undefined, vague, open to misinterpretation,
and thus problematic. This imposes statutory limits on the exercise of internet
freedom which are well beyond the Constitutional parameters of „reasonable
restrictions‟ enshrined in Article 19(2) and the Intermediaries Guidelines Rules,
Rule 3(2) lists the various types of information that ought not to be carried on a
computer system which violates Article 14 in being arbitrary and overly broad.

Shreya Singhal v. Union of India25 is the case where the writ petition was filed in
public interest under Article 32 of the Constitution of India for seeking to strike
down Section 66A as unconstitutional by arguing that section 66A is so wide,
vague and incapable of being judged on objective standards that it is susceptible to
wanton abuse. It was further argued that the terms „offensive‟, „menacing‟,
„annoyance‟, „danger‟, „obstruction‟ and „insult‟ have not been defined in the
Information Technology Act, General Clauses Act or any other legislation. Citing
the arrests made under section 66A, the petitioner submits that the wide legislative
language of the Section severely disincentives citizens from exercising their
Constitutionally protected right to free speech for fear of frivolous prosecution (the
„chilling effect‟), which violates the Freedom of Speech and Expression guaranteed
under Article 19(1)(a) of the Constitution. Furthermore, whether or not section
66A meets the test of „reasonableness‟ laid down under Article 19(2), it is
nonetheless violative of Articles 14 (Right to Equality) and 21 of the Constitution.
It held section 69 and 79 constitutional.

25
AIR 2015 SC 1523

Page 19 of 29
 Data Analysis
In 2017, The National Crime Records Bureau (NCRB), Ministry of Home Affairs
in India released Cyber Crime Statistics for the year 2016, which again shows rapid
increase in cybercrime by 6% on year to year basis from 2015. There are 12,317
cases registered in the category of Cyber crimes. The statistics mainly show cases
registered under cybercrimes by motives and suspects. The maximum offenders
came from the 18-30 age groups. Among states, the highest incidents of cybercrime
took place in Uttar Pradesh (2639) amounting to 21.4% Maharashtra with 19.3% or
2,380 cases and Karnataka with 8.9% or 1,101 cases in 2016. The maximum
cybercriminal arrested under the IT Act in Maharashtra (426) and AP (296)
followed by UP (283). Interestingly, mostly all the union territories have seen
decline in the number of registered cases. The Delhi city has registered 98 cases of
cybercrime which is an decresed from last year case which were 117 in 2015 and
226 in 2014. Also cybercrime activities seem to rare in the north eastern states. In
2013, only one case each was registered in Nagaland and Mizoram. Thus this study
clears that there is no faith of people in the system.26

As per the study/survey of KPMG International done on the different security

professionals, it is amply clear:
1. 79% of the organizations surveyed have indicated that cyber security was among
the top 5 security risks.
2. Only 3% of the organizations have reported cyver security relation incident to the
local enforcement agency.
3. Only 13% of the organisations think that they are cyber attack ready.
4. Finantial Gain have topped the chart as the most occurred cyber crime, seconded by
Fraudulent activities. Then comes Disruption, cyber terrorism, defamation and
fun.27
The conviction rate in cybercrime cases was 18.47% in the state between 2012 and
July 2017, showed data obtained from the Mahrashtra police. Of the 10,419 cases
26
NCRB Report 2016 (Ministry of Home Affairs)
27
KPMG International Report, “Cyber Crime Survey Report” (2017)

Page 20 of 29
filed, trial was completed in just 184 cases and conviction was secured in just 34 cases.
The police have filed charge sheets in 2,279 cases (22%), while investigations are
underway in the rest. If the total number of cases is divided by the 34 convictions, the
rate falls to 0.3%.Another alarming fact, which had been reported by HT earlier this
month, is the poor detection rate. In the past five-and-a-half years, 3,167 cases or 30%
were detected. Experts condemned the „poor‟ conviction and detection rates and
demanded more resources to improve them. Former director general of police D
Sivanandhan said, “The picture is abominable. The detection rate is extremely poor. It
is calculated on the tried cases. If we calculate it on the number of cases, what would
be the percentage? I have been reiterating that the police need advanced technology.”to
28
lack of technical skills.

28
“ 10,000 cybercrime cases, only 34 convictions in Maharashtra between 2012 and 2017”,
https://www.hindustantimes.com/mumbai-news/10-000-cybercrime-cases-only-34-convictions-in-
maharashtra-between-2012-and-2017/story-IfzZbXmzVlqrG8dclkwzeO.html (Last Visited on 17.10.2018 at
08:00 pm)

Page 21 of 29
 ROLE OF CERTIFYING AUTHORITY
A certifying authority (herein after referred to as “CA”) is an entity/authority in a
network that issues digital signature certificates (DSCs) for use by other parties
(subscribers) and manages their security credentials. CAs are characteristic of
many public key infrastructure schemes. As part of a public key infrastructure, a
CA checks with a Registration Authority (RA) to verify information provided by
the requestor of a digital certificate. If the RA verifies the requestor's information,
the CA can then issue a certificate. Aside from commercial CAs, some providers
issue digital certificates to the public at no cost. Large institutions or government
entities may have their own. Depending on the public key infrastructure
implementation, the certificate includes the owner's public key, the expiration date
of the certificate, the owner's name, and other information about the public key
owner. 29

Criterion To Become Certifying Authority

The Information Technology (Certifying Authority) Rules, 2000(Rule 8) provides
that following persons can become CA:
1) Individual who is citizen of India and whose capital in his business or profession
is not less than rupees 5 crore.
2) Partnership firm: (a) whose capital in business or profession should not be less
than rupees 5 crore and (b)whose net wealth should not be less than rupees 50
crore.
3) Company: (a) whose capital in business or profession is not less than rupees 5
crore (b) and net wealth is not less than rupees 50 crore.
4) Government: central government or state government or any government office
or agency.

29
Akansha Sharma, “ROLE OF CERTIFYING AUTHORITY “, https://s3-ap-southeast-
1.amazonaws.com/erbuc/files/5436_b7b04385-88aa-4acc-b8fc-c481bb056acb.pdf (last visited on
07.11.2018 at 09:30 pm)

Page 22 of 29
Role Of Certifying Authority

1. To Maintain Standard Practice [SECTION 30]

• He must use such hardwares or softwares and other procedures which are free
from intrusion or misuse.
• He must provide reasonable level of reliability in his service as is essential to
perform his functions under this act.
• He must follow those security measures to ensure secrecy and privacy of
electronic signature
• He must publish practice regarding Electronic Signature Certificates, number of
ESC‟s issued by him and their present status.
• He has to act as repository of ESC‟s issued by him.
• He will follow the standards as laid down by Controller of Certifying Authority
for this purpose.

2. To Ensure The Compliance Of Provisions Of This Act [SECTION 31]:

Certifying Authority must ensure that every person employed or engaged by him
must comply (observe or follow) with the provisions of this act or rules or
regulation made thereunder in the course of employment or engagement and in case
he fails to do so it is an offence under this act.

Controller of Certifying Authority [Section 17] is appointed by the central

government. The Controller of Certifying Authority performs all those functions
[Section 17 (2)] as mentioned under this act under the general conditions and
control of central government.

3.ROLE REGARDING DISPLAY OF LICENSE [SECTION 32]:

CA must display his license at conspicuous part of his business premises so that
public should know about his license.

4.ROLE REGARDING RENEWAL OF LICENSE [SECTION 23]:

Page 23 of 29
• Application for renewal must be made in the form as prescribed by the central
government for this purpose. (Schedule I)
• Must be accompanied with fee of rupees 5000.
• Application of renewal must be given not less than 45 days before the expiry of
validity of license.

5.Role To Surrender His License [SECTION 33]:

In case CA‟s license has been suspended or revoked then he must immediately
surrender his license to CCA.
Section 25(2)
It says where CCA has reasons to believe that any ground for revocation of license
exists then he may suspend the license of CA. Simultaneously he will start inquiry
against CA. License cannot be suspended after 10 days unless notice is given to
that CA. During suspension CA will not issue any ESC.
Section 25(1)
If after conducting inquiry CCA is satisfied that any ground exist for revocation
then he shall revoke the license. Grounds of revocation are a) Statement in
certification practice statement is false, misleading and incorrect. b) Conditions of
requirements subject to which license was granted has been violated. c) CA failed
to maintain standards and other security procedure as sequence under this act. d)
CA has violated any provisions of this act and rules or regulations made
thereunder.

6.Disclosure [SECTION 34]:

Every Certifying Authority shall disclose following in the manner laid down under
the regulation:
ESC‟s issued by him, Certification Practice Statement (CPS), Any notice of
suspension or revocation of his license or CA‟s certificate, Any material fact which
is likely to offend reliability of ESC issued by him. The term certification practice
statement (CPS) is defined as "A statement of the practices which a certification
authority employs in issuing certificates."

Page 24 of 29
7. Notification: WHERE IN CA‟S OPINION any situation has arisen or occurred
which is likely to affect his electronic system then he shall immediately give
notification to any person who is likely to be affected by such event or situation
then he would act in the manner mentioned in his certification practice statement.

8.Issuing Of Digital Certificate:

A CA issues digital certificates that contain a public key and the identity of the
owner. The matching private key is not similarly made available publicly, but kept
secret by the end user who generated the key pair. The certificate is also an
attestation by the CA that the public key contained in the certificate belongs to the
person, organization, server or other entity noted in the certificate. A CA's
obligation in such schemes is to verify an applicant's credentials, so that users and
relying parties can trust the information in the CA's certificates. CAs use a variety
of standards and tests to do so. In essence the Certificate Authority is responsible
for saying "yes, this person is who they say they are, and we, the CA, verify that".
If the user trusts the CA and can verify the CA's signature, then he can also verify
that a certain public key does indeed belong to whoever is identified in the
certificate. 30

30
Supra Note 29

Page 25 of 29
 CONCLUSION
Thus, the cybercrime is an evil having its origin in the growing dependence on
computer in modern life. There is a wide range of offences that can be committed
through communication technology. It is not going to stop anytime soon and it
seems like it will just continue to grow until new methods of fighting it are
introduced. Because it is found that at some point of time history become current
events. Today, it is found that due to the technology of the Internet era there are
very few people whose lives are not affected whether it is beneficially or harmfully.
There is also the positive side of this technology as well as negative. By the
positive side it is found that there is tremendous increase in the ability to share and
exchange information instantaneously which led to provide unprecedented benefits
in the areas of education, commerce, entertainment and social interaction and on
the negative side, it is felt that there is the increase in opportunities for the
commission of crimes because this latest technology has encouraged the potential
criminals to commit crimes through computer, computer system or computer
network with almost no monetary cost and with lesser risk of being caught.

The Information Technology Act, 2000 has been proved to be a highly

controversial piece of legislation. The Act has managed to draw considerable
criticism from the legal community and the general public. It is alleged to contain a
whole spectrum of flaws, shortcomings and pitfalls ranging from being inefficient
in tackling cybercrimes to placing unfair curbs on the civil liberties of citizens.
Though since 2000 the Information Technology Act is in place in India for curbing
cybercrimes, but the problem is that still this statute is more on papers than on
execution because lawyers, police officers, prosecutors and Judges feel
handicapped in understanding its highly technical terminology. It was enacted as
the basic law for the cyberspace transactions in India but due to some weaknesses it
was amended in the year 2008.

Page 26 of 29
 13. Bibliography
Primary Sources
A. Acts/ Laws-
1. The Indian Penal Act, 1860
2. The Information Technology Act, 2000
3. The Constitution of India, 1950

Secondary Sources
A. Books:
1. Indian Institute of Banking and Finance, “IT Security”, Taxmann, Mumbai, 2016,
6th Edition

2. Aparna Viswanathan, “Cyber Law, Indian and International Perspectives on key

topics including Data Security, E-Commerce, Cloud Computing and Cyber Crimes,
Lexis Nexis, Haryana, 2015, First Edition

3. Nandam Kamath, “Guide to Information Technology Act, 2000, Universal Law

Publishing Co. Pvt. Ltd., Allahabad, 2000, First Edition

4. Anirudhh Rastogi, “ Cyber Law”, Lexis Nexis, Haryana, 2014, First Edition

5. Denzy P. Dayal, “Handbook of Cyber Crimes”, Dominant Publishers &

Distributers Pvt. Ltd., 2014 Edition

B. Websites:
1. http://www.mondaq.com/india/x/257328/Data+Protection+P
rivacy/An+Overview+Of+Cyber+Laws+vs+Cyber+Crimes+In+Indian+Perspective
2. http://cybercrime.org.za/international-resources/
3. https://www.oas.org/juridico/PDFs/cyb9_unodc_Dec16_v1.pdf
4. http://media.hoover.org/sites/default/files/documents/0817999825_35.pdf
5. http://www.itu.int/ITU-
D/cyb/cybersecurity/docs/Cybercrime%20legislation%20EV6.pdf
Page 27 of 29
6. https://unctad.org/meetings/en/SessionalDocuments/Cybercrime%20Nayelly%20L
oya%20(UNODC).pdf
7. https://www.researchgate.net/publication/315658396_Information_Technology_Ac
t_in_India_E-commerce_value_chain_analysis
8. https://web.archive.org/web/20080507070939/http://www.cli.org/X0025_LBFIN.ht
ml
9. http://www.iibf.org.in/documents/Cyber-Laws-chapter-in-Legal-Aspects-Book.pdf
10. https://www.researchgate.net/publication/315658396_Information_Technology_Ac
t_in_India_E-commerce_value_chain_analysis
11. https://gadgets.ndtv.com/internet/news/supreme-courts-section-66a-verdict-a-
victory-for-300-million-internet-users-674307
12. https://www.huffingtonpost.in/pavan-duggal-/2015-a-landmark-year-for-
_b_8898122.html
13. http://www.nishithdesai.com/fileadmin/user_upload/pdfs/NDA%20Hotline/IT_Act
_Hotline_March_26_2015.pdf
14. https://en.wikipedia.org/wiki/Shreya_Singhal_v._Union_of_India
15. https://www.dnaindia.com/india/report-landmark-judgement-by-sc-strikes-down-
section-66a-of-it-act-2071523
16. https://sflc.in/information-technology-act-and-rules-time-to-change
17. http://www.itlaw.in/judgements/
18. https://www.huffingtonpost.in/pavan-duggal-/2015-a-landmark-year-for-
_b_8898122.html
19. https://www.huffingtonpost.in/pavan-duggal-/2015-a-landmark-year-for-
_b_8898122.html
20. www.nishithdesai.com/fileadmin/user_upload/pdfs/NDA%20Hotline/IT_Act_Hotli
ne_March_26_2015.pdf
21. https://aboutssl.org/certificate-authority/
22. https://www.signix.com/blog/bid/92791/the-difference-between-digital-signatures-
and-electronic-signatures
23. http://www.iamwire.com/2014/09/digital-signature-laws-india/100694
24. https://www.thesslstore.com/blog/2018-cybercrime-statistics/

Page 28 of 29
25. https://thewire.in/banking/tragic-comedic-functioning-indias-cyber-appellate-
tribunal
26. http://docs.manupatra.in/newsline/articles/Upload/4CF7696D-4B8E-4ABA-
BCBA-E12AE1C7988F.pdf
27. https://www.cybercrimechambers.com/cyber-adjudication.php
28. shodhganga.inflibnet.ac.in/bitstream/10603/203654/8/08_chapter%203.pdf
29. https://www.livemint.com/Politics/ayV9OMPCiNs60cRD0Jv75I/11592-cases-of-
cyber-crime-registered-in-India-in-2015-NCR.html
30. https://www.hindustantimes.com/mumbai-news/10-000-cybercrime-cases-only-34-
convictions-in-maharashtra-between-2012-and-2017/story-
IfzZbXmzVlqrG8dclkwzeO.html
31. www.beingyourlawyer.com/Which%20Court%20can%20you%20approach%20in
%20cyber%20crime.php

Page 29 of 29