IT ACT 2000 SALIENT FEATURES

Kumar Gaurav
Assistant Professor of Law
Chanakya National Law University, Patna
SCHEME OF THE ACT
 Chapter – I – Preliminary
 Chapter – II – Digital Signature and Electronic Signature (Sections 3 & 3A)
 Chapter – III – Electronic Governance (Sections 4 to 10A)
 Chapter – IV – Attribution, Acknowledgement and Dispatch of Electronic Records
(Sections 11 to 13)
 Chapter – V – Secure electronic records and secure electronic signatures (Sections
14 to 16)
 Chapter – VI – Regulation of Certifying Authorities (Sections 17 to 34)
 Chapter – VII – Electronic Signature Certificates (Sections 35 to 39)
 First Schedule – Documents or Transactions to which the Act shall not apply
 Second Schedule – Electronic signature or Electronic authentication technique or
procedure
CONTINUED….
 Chapter – VIII – Duties of Subscribers (Sections 40 to 42)
 Chapter – IX – Penalties, Compensation and Adjudication (Sections
43 to 47)
 Chapter X – The Cyber Appellate Tribunal (Sections 48 to 64)
 Chapter XI – Offences (Sections 65 to 78)
 Chapter XII – Intermediaries not to be liable in certain cases (Section
79)
 Chapter XIIA – Examiner of Electronic Evidence (Section 79A)
 Chapter XIII – Miscellaneous (Sections 80 to 90)
IT ACT, 2000 - HIGHLIGHTS
 LEGAL RECOGNITION OF E-DOCUMENT AND
AUTHENTICATION MECHANISMS
 CYBER OFFENCES VS CYBER CONTRAVENTION
 DATA PROTECTION AND PRIVACY
 CYBER SECURITY
 INTERMEDIARY’S LIABILITY
 SURVEILLANCE AND ENCRYPTION
LEGAL RECOGNITION OF E-DOCUMENT AND AUTHENTICATION MECHANISMS

 SECTION 2 (1) (r) "Electronic form"
-with reference to information, means any information generated, sent,
received or stored in media, magnetic, optical, computer memory, micro film,
computer generated micro fiche or similar device;
 SECTION 2 (1)(t) "Electronic record"-
means data, record or data generated, image or sound stored, received or sent
in an electronic form or micro film or computer generated micro fiche;
CONTINUED….
 SECTION 4. Legal recognition of electronic records.—
Where any law provides that information or any other matter
shall be in writing or in the typewritten or printed form, then,
notwithstanding anything contained in such law, such
requirement shall be deemed to have been satisfied if such
information or matter is–
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference
CONTINUED….
 SECTION 5. Legal recognition of [electronic signatures].—
• Where any law provides that information or any other matter shall be
authenticated by affixing the signature or any document shall be signed or bear
the signature of any person, then, notwithstanding anything contained in such
law, such requirement shall be deemed to have been satisfied, if such
information or matter is authenticated by means of [electronic signature] affixed
in such manner as may be prescribed by the Central Government.
• Explanation.–For the purposes of this section, "signed", with its grammatical
variations and cognate expressions, shall, with reference to a person, mean
affixing of his hand written signature or any mark on any document and the
expression "signature" shall be construed accordingly.
CONTINUED….
 SECTION 2 (1) (ta) "Electronic Signature"
means authentication of any electronic record by a
subscriber by means of the electronic technique
specified in the Second Schedule and includes digital
signature;
FUNCTIONS OF SIGNATURE
 to identify a person;
 to provide certainty as to the personal involvement of that person in the act of
signing;
 to associate that person with the content of a document
 to attest to the intent of a party to be bound by the content of a signed contract;
 to attest the intent of a person to endorse authorship of a text (thus displaying
awareness of the fact that legal consequences might possibly flow from the act of
signing);
 to attest the intent of a person to associate itself with the content of a document
written by someone else;
 to prove the fact as to the time when a person was present at a given place for the
signature
DIGITAL SIGNATURE
• Further, digital signatures authenticate the source of messages like an electronic mail or a
contract in electronic form.

• The three important features of digital signatures are:

• Authentication – They authenticate the source of messages. Since the ownership of a
digital certificate is bound to a specific user, the signature shows that the user sent it.
• Integrity – Sometimes, the sender and receiver of a message need an assurance that the
message was not altered during transmission. A digital certificate provides this feature.
• Non-Repudiation – A sender cannot deny sending a message which has a digital
signature.
4. Creation of Digital Signature.-

• To sign an electronic record or any other item of information, the
signer shall first apply the hash function in the signer’s software;
• the hash function shall compute a hash result of standard length
which is unique (for all practical purposes) to the electronic record;
• the signer’s software transforming the hash result into a Digital
Signature using signer’s private key; the resulting Digital Signature
shall be unique to both electronic record and private key used to
create it;
• and the Digital Signature shall be attached to its electronic record and
stored or transmitted with its electronic record.
5. Verification of Digital Signature.-

• The verification of a Digital Signature shall be accomplished by
computing a new hash result of the original electronic record by
means of the hash function used to create a Digital Signature and by
using the public key and the new hash result, the verifier shall check-
• i. if the Digital Signature was created using the corresponding
private key; and
• ii. if the newly computed hash result matches the original result
which was transformed into Digital Signature during the signing
process. The verification software will confirm the Digital Signature
as verified if:-
CONTINUED…
• a. the signer’s private key was used to digitally sign the
electronic record, which is known to be the case if the signer’s
public key was used to verify the signature because the signer’s
public key will verify only a Digital Signature created with the
signer’s private key; and
• b. the electronic record was unaltered, which is known to be
the case if the hash result computed by the verifier is identical
to the hash result extracted from the Digital Signature during
the verification process.
6. Standards.-

• The Information Technology (IT) architecture for
Certifying Authorities may support open standards
and accepted de facto standards; the most important
standards that may be considered for different
activities associated with the Certifying Authority’s
functions are as under:
The product | The standard
Public Key Infrastructure | PKIX
Digital Signature Certificates and Digital Signature revocation list | X.509 version 3 certificates as specified in ITU RFC 1422
Directory (DAP and LDAP) | X500 for publication of certificates and Certification Revocation Lists (CRLs)
Database Management Operations | Use of generic SQL
Public Key algorithm | DSA and RSA
Digital Hash Function | MD5 and SHA-1
RSA Public Key Technology | PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit)
RSA Public Key Technology | PKCS#5 Password Based Encryption Standard
RSA Public Key Technology | PKCS#7 Cryptographic Message Syntax standard
RSA Public Key Technology | PKCS#8 Private Key Information Syntax standard
RSA Public Key Technology | PKCS#9 Selected Attribute Types
RSA Public Key Technology | PKCS#10 RSA Certification Request
RSA Public Key Technology | PKCS#12 Portable format for storing/transporting a user’s private keys and certificates
Distinguished name | X.520
Digital Encryption and Digital Signature | PKCS#7
Digital Signature Request Format | PKCS#10
DIGITAL SIGNATURE
(CREATION & VERIFICATION FLOWCHART)
DIGITAL SIGNATURES ARE CATEGORIZED INTO
FOUR CLASSES:

 Class 0: Digital Certificates under this class shall be issued only for “test purpose” or
“demonstration purpose”, not otherwise.
 Class 1: Digital Certificates under this class do not hold any legal recognition; however, they
are considered valid on the basis of a valid e-mail, not on direct verification. These
certificates shall be issued to the private subscriber or individual.
 Class 2: Digital Signature Certificates under this class can be issued both for private
individual use and for business personnel. This class has a pre-verified database which is used
to verify the identity of the person.
 Class 3: This class of Certificate is considered the top class; these are high assurance
Certificates that are primarily intended for Electronic Commerce applications. This class of
Certificate will be issued to individuals as well as to organizations. This class requires personal
verification, meaning the person needs to present himself before the Registration Authority (RA) to prove
his identity.
Creation of Digital Signature

• If a Sender ‘A’ wants to send a document to Recipient ‘B’ and wishes to authenticate that
electronic document by the use of a Digital Signature, then ‘A’ will perform the following functions:
• I. ‘A’ will generate a hash value by applying a hash function to the electronic document.
• II. ‘A’ will encrypt the hash value with its Private Key. The encrypted hash value is known as the
Digital Signature.
• III. ‘A’ will append the Digital Signature to the electronic document and send it to the recipient
‘B’.
Verification of the Digital Signature at the recipient's end involves the following steps:
• I. ‘B’ receives the Digital Signature along with the electronic document.
• II. ‘B’ will generate a hash value by applying the hash function to the electronic
document received in its original form.
• III. Then ‘B’ will decrypt the Digital Signature by applying ‘A’’s (Sender’s) Public
Key and recover the hash value that was calculated by ‘A’.
• IV. If both hash values obtained in step I and II are the same, then the received document is
authentic, i.e. it was sent by ‘A’ only and was not tampered with during transit.
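The creation and verification steps above, and Rules 4 and 5 quoted earlier, as an added example that is not part of the original slides. It assumes SHA-256 as the hash function (practical collisions exist for the MD5 and SHA-1 listed in the standards table) and unpadded RSA over a constructed key; all function and variable names are illustrative.

```python
"""Hash-then-sign and verify, following the steps on the slides.

Assumptions (not from the slides): SHA-256 as the hash function and a
constructed RSA key built from known Mersenne primes. Such a key and
unpadded RSA are for illustration only; production signatures use randomly
generated primes and a padding scheme such as PKCS#1 v1.5 or PSS.
"""
import hashlib
from dataclasses import dataclass

E = 65537  # widely used public exponent


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p_exp: int, q_exp: int):
    """Build a key pair from the Mersenne primes 2**p_exp - 1 and 2**q_exp - 1."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse of E (Python 3.8+)
    return PublicKey(p * q, E), PrivateKey(p * q, d)


def hash_result(record: bytes) -> int:
    """Creation step I / verification step II: fixed-length hash of the record."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign_record(record: bytes, private: PrivateKey) -> dict:
    """Creation steps II and III: transform the hash with the private key
    and attach the result to the record."""
    signature = pow(hash_result(record), private.d, private.n)
    return {"record": record, "signature": signature}


def verify_record(message: dict, public: PublicKey) -> bool:
    """Verification steps II to IV, performed by the recipient."""
    signature = message["signature"]
    if not 0 < signature < public.n:
        return False  # not a valid value for this key at all
    new_hash = hash_result(message["record"])        # B's own hash
    recovered = pow(signature, public.e, public.n)   # hash recovered from signature
    # Rule 5's two checks reduce to this one comparison: a mismatch means a
    # different private key was used or the record changed, and B cannot
    # tell which of the two happened.
    return recovered == new_hash


# Constructed sample keys and record.
A_PUBLIC, A_PRIVATE = make_keypair(521, 607)
OTHER_PUBLIC, _ = make_keypair(607, 1279)
RECORD = b"Purchase order 17: pay Rs. 5,000 to B"


def run_cases() -> dict:
    signed = sign_record(RECORD, A_PRIVATE)
    altered_record = dict(signed, record=RECORD.replace(b"5,000", b"50,000"))
    altered_signature = dict(signed, signature=signed["signature"] ^ 1)
    return {
        "genuine": verify_record(signed, A_PUBLIC),
        "altered_record": verify_record(altered_record, A_PUBLIC),
        "altered_signature": verify_record(altered_signature, A_PUBLIC),
        "wrong_public_key": verify_record(signed, OTHER_PUBLIC),
    }


if __name__ == "__main__":
    for case, ok in run_cases().items():
        print(f"{case:18} verified={ok}")
```

Only the genuine message verifies; the altered record, the altered signature and the check against another party's public key all fail in the same way.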


CYBER OFFENCES VS CYBER
CONTRAVENTION
CYBER OFFENCES | CYBER CONTRAVENTION
Serious violation of law or commission of act prohibited by law. | Violation of law or a rule of procedure.
Sec 65 to 74 of the IT Act, 2000. | Sec 43 (a) to (j), 43 A, 44-45 of the IT Act, 2000.
Criminal Prosecution | Civil suit
Any competent court | Adjudicating officer up to 5 crores and any competent court above 5 crore (Section 46)
Police officer not below the rank of inspector as defined in section 78 of the IT Act, 2000. | The Controller or officer appointed by the Controller as defined in section 28 of the IT Act, 2000.
Compounding offence to a limited extent (Section 77 A) | Compounding of contravention (Section 63)
Punishable with imprisonment term or fine or both. | Offender is liable to pay damages by way of penalty and compensation to the person so affected.
Provision of appeal | Provision of appeal
•Cyber Contravention
Cyber Contraventions/Civil Wrongs
 Chapter IX of IT Act, Penalties, Compensation And Adjudication
 Section 43 : Penalty and Compensation for damage to computer, computer system, etc.
 Whoever without permission of owner of the computer
 (a)Secures access (mere U/A access)
 Not necessarily through a network
 (b)Downloads, copies, extracts any data
 (c)Introduces or causes to be introduced any viruses or contaminant
 (d)Damages or causes to be damaged any computer resource
 Destroy, alter, delete, add, modify or rearrange
 Change the format of a file
 (e)Disrupts or causes disruption of any computer resource
 Preventing normal continuance of computer
(e)Denies or causes denial of access by any means
• Denial of service attacks
(f)Assists any person to do any thing above
• Rogue Websites, Search Engines, Insiders providing vulnerabilities
(g)Charges the services availed by a person to the account of another person by tampering or
manipulating any computer resource
• Credit card frauds, Internet time thefts
(h)destroys, deletes or alters any information residing in a computer resource or diminishes its
value or utility or affects it injuriously by any means (Inserted vide ITAA-2008)
(j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any
computer source code used for a computer resource with an intention to cause damage,
(Inserted vide ITAA 2008)
• he shall be liable to pay damages by way of compensation to the person so affected.(upper limit
of 1 crore was removed in the IT (Amendment) Act,2008)
SEC 43 A: COMPENSATION FOR FAILURE TO
PROTECT DATA
 Where a body corporate, possessing, dealing or handling
any sensitive personal data or information in a computer
resource which it owns, controls or operates, is negligent
in implementing and maintaining reasonable security
practices and procedures and thereby causes wrongful
loss or wrongful gain to any person, such body corporate
shall be liable to pay damages by way of compensation,
to the person so affected.
CONTINUED..
• Explanation: For the purposes of this section
• (i) "body corporate" means any company and includes a firm, sole proprietorship or other
association of individuals engaged in commercial or professional activities
• (ii) "reasonable security practices and procedures" means security practices and procedures
designed to protect such information from unauthorized access, damage, use, modification,
disclosure or impairment, as may be specified in an agreement between the parties or as may be
specified in any law for the time being in force and in the absence of such agreement or any law,
such reasonable security practices and procedures, as may be prescribed by the Central
Government in consultation with such professional bodies or associations as it may deem fit.
• (iii) "sensitive personal data or information" means such personal information as may be
prescribed by the Central Government in consultation with such professional bodies or
associations as it may deem fit.
CONTINUED..
• The Information Technology (Reasonable security
practices and procedures and sensitive personal data or
information) Rules, 2011.

• Sec 2(1) (i) "Personal information" means any information that
relates to a natural person, which, either directly or indirectly, in
combination with other information available or likely to be
available with a body corporate, is capable of identifying such
person.
• The Personal Data Protection Bill, 2019
• (28) "personal data" means data about or relating to a natural
person who is directly or indirectly identifiable, having regard
to any characteristic, trait, attribute or any other feature of the
identity of such natural person, whether online or offline, or
any combination of such features with any other information,
and shall include any inference drawn from such data for the
purpose of profiling;
• (36) "sensitive personal data" means such personal data, which may, reveal,
be related to, or constitute— (i) financial data; (ii) health data; (iii) official
identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii)
genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe;
(xi) religious or political belief or affiliation; or (xii) any other data
categorised as sensitive personal data under section 15. Explanation.— For
the purposes of this clause, the expressions,— (a) "intersex status" means
the condition of a data principal who is— (i) a combination of female or
male; (ii) neither wholly female nor wholly male; or (iii) neither female nor
male;
3. SENSITIVE PERSONAL DATA OR INFORMATION

 Sensitive personal data or information of a person means such personal information which consists of
information relating to;—
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument
details ;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or
processed under lawful contract or otherwise:
provided that, any information that is freely available or accessible in public domain or furnished under the
Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive
4. BODY CORPORATE TO PROVIDE POLICY FOR PRIVACY AND
DISCLOSURE OF INFORMATION

 Rule 4 places an obligation on organizations collecting and
dealing with any kind of sensitive personal data or information to
draft and publish a privacy policy detailing
 Type of information collected
 Purpose of collecting such information
 Details about disclosure of collected information to any third
party
 Reasonable security practices and procedures taken by the
organization to protect the data
5. COLLECTION OF INFORMATION
 A body corporate or any person must obtain the consent of an information provider before collecting any
sensitive personal data or information.
 A person shall not collect any sensitive personal data or information of an individual unless there is a connected
lawful purpose.
 The information provider must be given the option not to provide sensitive personal data or
information.
 The data collected shall not be used for any purpose other than that specified at the time of its collection.
 A body corporate must appoint a grievance officer to address complaints. The contact details of such officer
must be available on the website of the body corporate.


6. DISCLOSURE OF INFORMATION
 Rule 6 focusses on the disclosure of information to third
parties. 
 It says that disclosure of any sensitive personal data or
information to any third party requires prior permission of the
information provider, except in the cases where the data is
requested by a government agency for the purpose of identity
verification, or for preventing, detecting, investigating crimes.
 Also, a third party receiving sensitive personal data or information
must not publish or further disclose that data.
7. TRANSFER OF INFORMATION
 A body corporate is allowed to share or transfer sensitive
personal data or information of an individual to a body corporate
registered in India or outside that undertakes to ensure the
protection of data at the same level as provided for under these
Rules.
 The transfer is allowed when the transfer of data is essential for
the performance of a lawful contract, or the transfer is
undertaken subsequent to the consent of an information provider.
8. Reasonable Security Practices and Procedures.—

• The international Standard IS/ISO/IEC 27001 on
"Information Technology - Security Techniques -
Information Security Management System -
Requirements" is one such standard referred to in
sub-rule (1).
ACTUS REUS
• Actus reus may be defined as “such result of human
conduct as the law seeks to prevent”.
• The actus reus of cyber crime is very dynamic and
varied. In simple terms, it means a physical result of
human conduct and includes all the elements except
the mental element.
ACTUS REUS IN CYBER CRIMES
• The element of actus reus in internet crimes is relatively easy to
identify, but is very difficult to prove.
• The fact of the occurrence of the act that can be termed as a crime
can be said to have taken place
• when a person is making use of computer function;
• or accessing data stored on a computer
• or from a computer which has access to data stored outside;
• or attempt to gain access through internet
• or passes signals through various computers.
MENS REA
 'a guilty mind'.
 Mens rea, “guilty mind”, refers to the mal intent of the individual who committed the act. The act remains the same
while the state of mind makes the act ‘reus’ and hence an offence.
 Every offence requires a particular state of mind expressed in the particular provision of the law by the words:
 ‘with intent’,
 ‘recklessly’,
 ‘unlawfully’,
 ‘maliciously’,
 ‘wilfully’,
 ‘knowingly’,
 ‘fraudulently’,
 ‘knowing or believing’,
 ‘dishonestly’,
 ‘corruptly’,
 ‘allowing’ and ‘permitting’ expressing various states of mind which are different from each other.
MENS REA IN CYBER CRIMES
• The mens rea in case of cyber crimes comprises two
essential elements.
• First, there must be ‘intent to secure access to any
programme or data held in any computer, computer
system or computer network’.
• Secondly, the person must know at the time that he
commits the actus reus that the access he intends to
secure is unauthorised.
SECTION 65. TAMPERING WITH COMPUTER SOURCE DOCUMENTS

 Section 65: If any person intentionally tampers with, conceals, destroys, or
alters any computer source document,
then he shall be liable to pay a penalty up
to Rs.2,00,000/-, or imprisonment up to 3 years, or
both.
Sec. 66 Computer Related Offences
 If any person, dishonestly, or fraudulently, does any act referred to in
section 43, he shall be punishable with imprisonment for a term which
may extend to three years or with fine which may extend to five lakh
rupees or with both.
 Explanation:
 For the purpose of this section,-
 a) the word "dishonestly" shall have the meaning assigned to it in section
24 of the Indian Penal Code;
 b) the word "fraudulently" shall have the meaning assigned to it in section
25 of the Indian Penal
CONTINUED…

• Sec 24/25 of IPC


• 24. "Dishonestly"
• Whoever does anything with the intention of causing
wrongful gain to one person or wrongful loss to another
person, is said to do that thing "dishonestly".
• 25. "Fraudulently"
• A person is said to do a thing fraudulently if he does that
thing with intent to defraud but not otherwise
Section – 66 A Punishment for sending offensive
messages through communication service, etc.
-Any person who sends, by means of a computer resource or a communication device,-
(a) any information that is grossly offensive or has menacing character; or
• (b) any information which he knows to be false, but for the purpose of causing annoyance,
inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will,
persistently by making use of such computer resource or a communication device; or
• (c) any electronic mail or electronic mail message for the purpose of causing annoyance or
inconvenience or to deceive or to mislead the addressee or recipient about the origin of such
messages, shall be punishable with imprisonment for a term which may extend to three years and with
fine.
• Explanation. -For the purpose of this section, terms "electronic mail" and "electronic mail message"
means a message or information created or transmitted or received on a computer, computer system,
computer resource or communication device including attachments in text, image, audio, video and
any other electronic record, which may be transmitted with the message.
Shreya Singhal v. Union of India AIR 2015 SC 1523.

• Bench: Justice Jasti Chelameswar, Justice Rohinton Fali Nariman

• In Shreya Singhal v. Union of India judgement, Justices Rohinton F. Nariman and J. Chelameswar had observed that the
weakness of Section 66A lay in the fact that it had created an offence on the basis of undefined actions: such as causing
“inconvenience, danger, obstruction and insult”, which do not fall among the exceptions granted under Article 19 of
the Constitution, which guarantees the freedom of speech.
• The court also observed that the challenge was to identify where to draw the line. Traditionally, it has been drawn at
incitement while terms like obstruction and insult remain subjective.

• In addition, the court had noted that Section 66A did not have procedural safeguards like other sections of the law with
similar aims, such as :
– The need to obtain the concurrence of the Centre before action can be taken.
– Local authorities could proceed autonomously, literally on the whim of their political masters.

• The judgment had found that Section 66A was contrary to both Articles 19 (free speech) and 21 (right to life) of the
Constitution. The entire provision was struck down by the court.
FACTS OF THE CASE:

 There was a bandh declared by Shiv Sena in Maharashtra on the death of the political leader Bal
Thackeray.
 Two girls named Shaheen Dhada and Rinu Shrinivasan expressed their displeasure against the
bandh by posting a comment on Facebook and liking it.
 They were arrested by Mumbai Police immediately under Section 66A of the Information Technology
Act for posting and liking a comment which could cause annoyance and hatred in the minds of the public at
large.
 Soon the girls were released, but the arrest attracted a large public protest and media attention claiming that
it was violative of the Freedom of Speech and Expression guaranteed under Article 19 of the Constitution.
 It was also asserted that the police authorities abused their power by invoking Section 66A of the I.T.
Act, which allows the police authorities to investigate a case without any warrant. It has led to the
arrest of a large number of innocent people for merely expressing their opinions and views, which according to the
Government were obnoxious content.
CONTINUED…
 After this incident in 2013 the Central Government issued an
advisory under which no person can be arrested without the
prior approval of Inspector General of Police.
 Soon several petitions were filed together under Article 32 of
the Constitution challenging the validity of Section 66A of
the I.T. Act.
 The Supreme Court clubbed all these petitions under a single
P.I.L and the case was named as Shreya Singhal vs. Union of
India.
CONTENTIONS
The Petitioners argued that Section 66A was unconstitutional because its intended protection against
annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, or ill-will falls outside the
purview of Article 19(2). They also argued that the law was unconstitutionally vague as it fails to specifically
define its prohibitions. In addition, they contended that the law has a “chilling effect” on the right to freedom
of expression. [para. 5]

The government, on the other hand, argued that the legislature is in the best position to fulfill the needs of
people and courts may interfere with legislative process only when “a statute is clearly violative of the rights
conferred on the citizen under Part-III of the Constitution.” [para. 6] The government contended that mere
presence of abuse of a provision may not be a ground to declare the provision as unconstitutional. Also, the
government was of the opinion that loose language of the law could not be a ground for invalidity because
the law is concerned with novel methods of disturbing people’s rights through internet. According to the
government, vagueness cannot be a ground to declare a statute unconstitutional “if the statute is otherwise
legislatively competent and non-arbitrary.” [para. 6]
Court's view
 The Court first discussed three fundamental concepts in understanding the freedom of expression: discussion,
advocacy, and incitement. According to the Court, “[m]ere discussion or even advocacy of a particular cause
howsoever unpopular is at the heart” of the right. [para. 13] And, the law may curtail the freedom only when a
discussion or advocacy amounts to incitement. [para. 13]
 As applied to the case in hand, the Court found that Section 66A is capable of limiting all forms of internet
communications as it makes no distinction “between mere discussion or advocacy of a particular point of view, which
may be annoying or inconvenient or grossly offensive to some and incitement by which such words lead to an
imminent causal connection with public disorder, security of State etc.” [para. 20]
 The Court further held that the law fails to establish a clear proximate relation to the protection of public order.
According to the Court, the commission of an offense under Section 66A is complete by sending a message for the
purpose of causing annoyance or insult. As a result, the law does not make distinction between mass dissemination
and dissemination to only one person without requiring the message to have a clear tendency of disrupting public
order.
 As to whether Section 66A was a valid attempt to protect individuals from defamatory statements through online
communications, the Court noted that the main ingredient of defamation is “injury to reputation.” It held that the law
does not concern this objective because it also condemns offensive statements that may annoy or be inconvenient to
an individual without affecting his reputation. [para. 43]
CONTINUED…
 The Court also held that the government failed to show that the law intends to prevent communications that incite
the commission of an offense because “the mere causing of annoyance, inconvenience, danger etc., or being
grossly offensive or having a menacing character are not offences under the Penal Code at all.” [para. 44]
 As to petitioners’ challenge of vagueness, the Court followed the U.S. judicial precedent, which holds that “where
no reasonable standards are laid down to define guilt in a Section which creates an offense, and where no clear
guidance is given to either law abiding citizens or to authorities and courts, a Section which creates an offense and
which is vague must be struck down as being arbitrary and unreasonable.” [para. 52] The Court found that Section
66A leaves many terms open-ended and undefined, therefore making the statute void for vagueness.
 The Court also addressed whether Section 66A is capable of imposing a chilling effect on the right to freedom of
expression. It held that because the provision fails to define terms, such as inconvenience or annoyance, “a very
large amount of protected and innocent speech” could be curtailed. [para. 83]
 The Court also noted the intelligible difference between information transmitted through the internet and other forms of
speech, which permits the government to create separate offenses related to online communications. Accordingly,
the Court rejected petitioners’ argument that Section 66A was in violation of Article 14 of the Constitution against
discrimination. [para. 98]
Observation
 Definition of information as per IT act does not refer to what the content of information can be. It
refers only to the medium through which such information is disseminated. It is clear, therefore, that
the petitioners are correct in saying that the public's right to know is directly affected by Section
66A.

 It is clear that Section 66A is intended to punish any person who uses the internet to disseminate any
information that falls within the sub-clauses of Section 66A. It will be immediately noticed that the
recipient of the written word that is sent by the person who is accused of the offence is not of any
importance so far as this Section is concerned.

 It will be noticed that for something to be defamatory, injury to reputation is a basic ingredient.
Section 66A does not concern itself with injury to reputation. Something may be grossly offensive
and may annoy or be inconvenient to somebody without at all affecting his reputation. It is clear
therefore that the Section is not aimed at defamatory statements at all.
CONTINUED….
 Penal law is void for vagueness if it fails to define the criminal offence with sufficient
definiteness. Ordinary people should be able to understand what conduct is prohibited and
what is permitted. Also, those who administer the law must know what offence has been
committed so that arbitrary and discriminatory enforcement of the law does not take place.

 It is held that the Section is unconstitutional also on the ground that it takes within its
sweep protected speech and speech that is innocent in nature and is liable therefore to be
used in such a way as to have a chilling effect on free speech and would, therefore, have to
be struck down on the ground of over breadth.

 Section 66A of the Information Technology Act, 2000 is struck down in its entirety being
violative of Article 19(1) (a) and not saved under Article 19(2).
CONTINUED .….
 Section 69A and the Information Technology
(Procedure & Safeguards for Blocking for Access of
Information by Public) Rules 2009 are constitutionally
valid.

 Section 69A is held to be valid and section 79 is also
declared valid subject to provisions of Section 79(3)(b).
AFTER SHREYA SINGHAL VERDICT
• The Supreme Court sought the Centre’s response to a plea alleging that despite the striking
down of draconian Section 66A of the IT Act in 2015 by the apex court, police in various
states were still invoking it in FIRs to clamp down on free speech on social media platforms.
• The petition said a recent working paper by the Internet Freedom Foundation demonstrated
that pending prosecutions under Section 66A had not been terminated, and further it
continued to be invoked by police across India in FIRs registered after the 2015 judgment.
• The petition said there had been a huge communication gap at the ground level and many
officials may not even know about the Supreme Court verdict.
• It said trial courts and prosecutors were not actively implementing the verdict and the
burden of terminating illegal prosecutions based on Section 66A fell on the accused
persons.
SECTION 66 B. STOLEN COMPUTER

• Whoever dishonestly receives or retains any stolen
computer resource or communication device
knowing or having reason to believe that the same to
be a stolen computer resource or communication
device, shall be punished with imprisonment of
either description for a term which may extend to
three years or with fine which may extend to rupees
one lakh or with both.
• Section 416 in The Indian Penal Code
• 416. Cheating by personation.—
• A person is said to “cheat by personation” if he cheats by pretending to be some other
person, or by knowingly substituting one person for another, or representing that he or
any other person is a person other than he or such other person really is.
• Explanation.—The offence is committed whether the individual personated is a real or
imaginary person.
• Illustration
• (a) A cheats by pretending to be a certain rich banker of the same name. A cheats by
personation.
• (b) A cheats by pretending to be B, a person who is deceased. A cheats by personation.
IDENTITY THEFT & IMPERSONATION

 Section 66 C: Identity Theft

Whoever, fraudulently or dishonestly make use of the electronic signature, password
or any other unique identification feature of any other person, shall be punished with
imprisonment of either description for a term that extends up to three years and shall
also be liable to fine which may extend to rupees one lakh.

 Sec 66 D: Impersonation
Whoever by means of any communication device or computer resource cheats by
personation, shall be punished with imprisonment of either description for a term which
may extend to three years and shall also be liable to fine which may extend to one lakh
rupees.
SECTION 66 E: VIOLATION OF PRIVACY
 Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of
any person without his or her consent, under circumstances violating the privacy of that person, shall be
punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees
or with both.
Explanation:- For the purposes of this section,
(a) "transmit" means to electronically send a visual image with the intent that it be viewed by a person or
persons:
(b) "capture" with respect to an image, means to video tape, photograph, film or record by any means
(c) "private area" means the naked or undergarment clad genitals, pubic area, buttocks or female breast
(d) "publishes" means reproduction in the printed or electronic form and making it available to public
(e) "under circumstances violating privacy" means circumstances in which a person can have a
reasonable expectation that (i) he or she could disrobe in privacy, without being concerned that an image of
his private area was being captured; or (ii) any part of his or her private area would not be visible to the
public, regardless of whether that person is in a public or private place.
Section 354 C. Voyeurism.

• Any man who watches, or captures the image of a woman engaging in a private act in circumstances where
she would usually have the expectation of not being observed either by the perpetrator or by any other
person at the behest of the perpetrator or disseminates such image shall be punished on first conviction
with imprisonment of either description for a term which shall not be less than one year, but which may
extend to three years, and shall also be liable to fine, and be punished on a second or subsequent
conviction, with imprisonment of either description for a term which shall not be less than three years, but
which may extend to seven years, and shall also be liable to fine.
• Explanation 1.—For the purpose of this section, "private act" includes an act of watching carried out in a
place which, in the circumstances, would reasonably be expected to provide privacy and where the victim's
genitals, posterior or breasts are exposed or covered only in underwear; or the victim is using a lavatory; or
the victim is doing a sexual act that is not of a kind ordinarily done in public.
• Explanation 2.—Where the victim consents to the capture of the images or any act, but not to their
dissemination to third persons and where such image or act is disseminated, such dissemination shall be
considered an offence under this section.
Section 72 in The Information Technology Act, 2000

• 72. Penalty for breach of confidentiality and privacy.-


• Save as otherwise provided in this Act or any other law for the time being
in force, if any person who, in pursuance of any of the powers conferred
under this Act, rules or regulations made thereunder, has secured access to
any electronic record, book, register, correspondence, information,
document or other material without the consent of the person concerned
discloses such electronic record, book, register, correspondence,
information, document or other material to any other person shall be
punished with imprisonment for a term which may extend to two years, or
with fine which may extend to one lakh rupees, or with both.
CONTINUED…
• (1) It applies to persons who have secured access to some information
in pursuance of a power granted under the IT Act or its allied laws (e.g.
police, adjudicating officers, Controller etc.).
• Officers under following provisions:
• Sections 17-18, 27, 31, 46, 48, 69, 69A, 69B, 70, 70A, 70B, 79A, 78, 80.
• (2) Such persons must disclose this information to a third person
without authorisation.
• (3) There must be no law which permits such disclosure of information.
Section 72A Punishment for disclosure of information in breach of lawful contract.

• Save as otherwise provided in this Act or any other law for the time
being in force, any person including an intermediary who, while
providing services under the terms of lawful contract, has secured
access to any material containing personal information about another
person, with the intent to cause or knowing that he is likely to cause
wrongful loss or wrongful gain discloses, without the consent of the
person concerned, or in breach of a lawful contract, such material to
any other person, shall be punished with imprisonment for a term
which may extend to three years, or with fine which may extend to
five lakh rupees, or with both.
CONTINUED…
 This section applies to: any person (including an intermediary) who, while
providing services under the terms of lawful contract, has secured access to
any material containing personal information about another person. This
person will be penalised if he discloses such material:
(1) without the consent of the person concerned, or in breach of a lawful
contract, and
(2) with the intent to cause or knowing that he is likely to cause wrongful
loss or wrongful gain.
 This section does not apply if the person reveals this information in
compliance with any law.
• Section 10 in The Indian Contract Act, 1872
• 10. What agreements are contracts.—All agreements are contracts if they
are made by the free consent of parties competent to contract, for a lawful
consideration and with a lawful object, and are not hereby expressly
declared to be void.
Nothing herein contained shall affect any law in force in India, and not
hereby expressly repealed, by which any contract is required to be made in
writing or in the presence of witnesses, or any law relating to the
registration of documents.
INTERMEDIARY

• 2(1)(w) "intermediary" with respect to any particular
electronic record, means any person who on behalf of
another person receives, stores or transmits that record
or provides any service in respect to that record and
includes telecom service providers, network service
providers, internet service providers, webhosting service
providers, search engines, online payment sites, online
auction sites, online market places and cyber cafes;
CONTINUED…
Section 11 in The Indian Penal Code

“Person”.—The word “person” includes any Company or
Association or body of persons, whether incorporated or not.


CONTINUED…
• Internet Service Providers (ISP) – ISPs like Airtel and MTNL help
users to get connected to the internet by means of wired or wireless
connections.
• Search engines – These are web sites like Google and Bing that help
users to search for specific information on the web and provide links to
web-sites having content relevant to the search terms given by the
user.
• DNS providers – These service providers translate domain
names (e.g. www.sflc.in) to addresses (e.g. 64.202.189.170) that can be
understood by computers.
CONTINUED..
• Web hosts – These are service providers like Godaddy.com that provide
space on server computers to place files for various web sites so that these
sites can be accessed by users
• Interactive websites: This includes social media sites like Facebook and
Twitter that act as platforms to store and retrieve content, blogging
platforms like Blogspot and Wordpress, auction sites like eBay, and
payment gateways like PayPal.
• Cyber Cafes – It means any facility from where access to the internet is
offered by any person in the ordinary course of business to the members of
the public. The Information Technology Act, 2000 includes cyber cafes
also under the ambit of the definition of intermediaries.
• (b) "addressee" means a person who is intended by
the originator to receive the electronic record but
does not include any intermediary;
• (za) "originator" means a person who sends,
generates, stores or transmits any electronic message;
or causes any electronic message to be sent,
generated, stored or transmitted to any other person
but does not include an intermediary;
• 79 Exemption from liability of intermediary in certain cases. -
• (1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions
of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or
communication link made available or hosted by him.
• (2) The provisions of sub-section (1) shall apply if-
• (a) the function of the intermediary is limited to providing access to a communication system over which
information made available by third parties is transmitted or temporarily stored or hosted; or
• (b) the intermediary does not-
• (i) initiate the transmission,
• (ii) select the receiver of the transmission, and
• (iii) select or modify the information contained in the transmission;
• (c) the intermediary observes due diligence while discharging his duties under this Act and also observes
such other guidelines as the Central Government may prescribe in this behalf.
• (3) The provisions of sub-section (1) shall not apply if-
• (a) the intermediary has conspired or abetted or aided or induced, whether by threats
or promise or otherwise in the commission of the unlawful act;
• (b) upon receiving actual knowledge, or on being notified by the appropriate
Government or its agency that any information, data or communication link residing
in or connected to a computer resource, controlled by the intermediary is being used
to commit the unlawful act, the intermediary fails to expeditiously remove or disable
access to that material on that resource without vitiating the evidence in any manner.
• Explanation. -For the purpose of this section, the expression "third party
information" means any information dealt with by an intermediary in his capacity as
an intermediary.
Cyber terrorism has some universal characteristics, which are as follows :
(INFORMATION TECHNOLOGY ACT AND CYBER TERRORISM: A CRITICAL REVIEW Debarati Halder )

 1. It is done to convey a particular destructive or disruptive message to the
government(s).
 2. There are various methods to convey this message, viz., through denial of
services, sending threatening emails, defacing of government websites,
hacking and cracking of crucial governmental systems or ‘protected systems’,
disrupting the civil amenities through destroying the proper working of the
digital information systems, etc.
 3. It could affect the computers and the networks as a whole, it could also
affect the governing system, and it could affect the population of target area to
create threat.
 4. Computer and digital communication technology
are used as a main tool to achieve extremist purposes.
 5. The whole act could be motivated by religious,
social or political ideologies.
 6. It is mostly done by hi-tech offenders.
SECTION 66 F:CYBER TERRORISM
 (1) Whoever,-
(A) with intent to threaten the unity, integrity, security or sovereignty of India or to
strike terror in the people or any section of the people by-
(i) denying or cause the denial of access to any person authorised to access computer
resource; or
(ii) attempting to penetrate or access a computer resource without authorisation or
exceeding authorised access; or
(iii) introducing or causing to introduce any computer contaminant; and by means of
such conduct causes or likely to cause death or injuries to persons or damage to or
destruction of property or disrupts or knowing that it is likely to cause damage or
disruption of supplies or services essential to the life of the community or adversely
affect the critical infrastructure specified under Section 70, or
CONTINUED……

• (B) knowingly or intentionally penetrates or accesses a computer resource without
authorization or exceeding authorised access, and by means of such conduct obtains
access to information, data or computer database that is restricted for reasons of the
security of the state or foreign relations or any restricted information data or
computer data base with reasons to believe that such information, data or computer
data base so obtained may be used to cause or likely to cause injury to the interests
of the sovereignty and integrity of India, the security of the state, friendly relations
with foreign states, public order, decency or morality or in relation to contempt of
court, defamation or incitement to an offence or to the advantage of any foreign
nation, group of individuals or otherwise, commits the offence of Cyber Terrorism
• (2) Whoever commits or conspires to commit cyber terrorism shall be punishable
with imprisonment which may extend to imprisonment for life
67. PUNISHMENT FOR PUBLISHING OR TRANSMITTING
OBSCENE MATERIAL IN ELECTRONIC FORM.–

 Whoever publishes or transmits or causes to be published or transmitted
in the electronic form, any material which is lascivious or appeals to the
prurient interest or if its effect is such as to tend to deprave and corrupt
persons who are likely, having regard to all relevant circumstances, to
read, see or hear the matter contained or embodied in it, shall be
punished on first conviction with imprisonment of either description for
a term which may extend to three years and with fine which may extend
to five lakh rupees and in the event of second or subsequent conviction
with imprisonment of either description for a term which may extend to
five years and also with fine which may extend to ten lakh rupees.
67A. Punishment for publishing or transmitting of material containing
sexually explicit act, etc., in electronic form.–

 Whoever publishes or transmits or causes to be published or
transmitted in the electronic form any material which contains
sexually explicit act or conduct shall be punished on first
conviction with imprisonment of either description for a term
which may extend to five years and with fine which may
extend to ten lakh rupees and in the event of second or
subsequent conviction with imprisonment of either description
for a term which may extend to seven years and also with fine
which may extend to ten lakh rupees.
67B. PUNISHMENT FOR PUBLISHING OR TRANSMITTING OF MATERIAL
DEPICTING CHILDREN IN SEXUALLY EXPLICIT ACT, ETC., IN
ELECTRONIC FORM

 Whoever,– (a) publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children
engaged in sexually explicit act or conduct; or
 (b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any
electronic form depicting children in obscene or indecent or sexually explicit manner; or
 (c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner
that may offend a reasonable adult on the computer resource; or
 (d) facilitates abusing children online, or
 (e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first
conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh
rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven
years and also with fine which may extend to ten lakh rupees:
 Provided that provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing,
painting representation or figure in electronic form–
 (i) the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing,
drawing, painting representation or figure is the interest of science, literature, art or learning or other objects of general concern; or
 (ii) which is kept or used for bona fide heritage or religious purposes. Explanation–For the purposes of this section, "children" means a
person who has not completed the age of 18 years.
CYBER SECURITY
 2(1) (nb) "cyber security" means protecting information, equipment, devices,
computer, computer resource, communication device and information stored
therein from unauthorised access, use, disclosure, disruption, modification or
destruction;

 2(1) (ze) "secure system" means computer hardware, software, and procedure
that– (a) are reasonably secure from unauthorised access and misuse; (b) provide
a reasonable level of reliability and correct operation; (c) are reasonably suited to
performing the intended functions; and (d) adhere to generally accepted security
procedures;
SECTION 70 PROTECTED SYSTEM
• [(1) The appropriate Government may, by notification in the Official Gazette, declare any computer
resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a
protected system. Explanation. -For the purposes of this section, "Critical Information
Infrastructure" means the computer resource, the incapacitation or destruction of which, shall have
debilitating impact on national security, economy, public health or safety.]
• (2) The appropriate Government may, by order in writing, authorise the persons who are authorised
to access protected systems notified under sub-section (1).
• (3) Any person who secures access or attempts to secure access to a protected system in
contravention of the provisions of this section shall be punished with imprisonment of either
description for a term which may extend to ten years and shall also be liable to fine.
• [(4) The Central Government shall prescribe the information security practices and procedures for
such protected system.]
• ‘Rules for the Information Security Practices and Procedures for Protected System’, promulgated vide
Gazette Notification dated 22 May 2018 (Regd No D.L.- 33004/99),
SECTION 70 A NATIONAL NODAL AGENCY

• (1) The Central Government may, by notification published in the
Official Gazette, designate any organisation of the Government as the
national nodal agency in respect of Critical Information Infrastructure
Protection.
• (2) The national nodal agency designated under sub-section (1) shall be
responsible for all measures including Research and Development
relating to protection of Critical Information Infrastructure.
• (3) The manner of performing functions and duties of the agency
referred to in sub-section (1) shall be such as may be prescribed.
SECTION -70B INDIAN COMPUTER EMERGENCY RESPONSE TEAM TO
SERVE AS NATIONAL AGENCY FOR INCIDENT RESPONSE. -

 (1) The Central Government shall, by notification in the Official Gazette, appoint an agency of the Government to
be called the Indian Computer Emergency Response Team.
 (2) The Central Government shall provide the agency referred to in sub-section (1) with a Director-General and
such other officers and employees as may be prescribed.
 (3) The salary and allowances and terms and conditions of the Director- General and other officers and employees
shall be such as may be prescribed.
 (4) The Indian Computer Emergency Response Team shall serve as the national agency for performing the
following functions in the area of cyber security,-
 (a) collection, analysis and dissemination of information on cyber incidents;
 (b) forecast and alerts of cyber security incidents;
 (c) emergency measures for handling cyber security incidents;
 (d) coordination of cyber incidents response activities;
CONTINUED…
 (e) issue guidelines, advisories, vulnerability notes and whitepapers relating to information security
practices, procedures, prevention, response and reporting of cyber incidents;
 (f) such other functions relating to cyber security as may be prescribed.
 (5) The manner of performing functions and duties of the agency referred to in sub-section (1) shall be such
as may be prescribed.
 (6) For carrying out the provisions of sub-section (4), the agency referred to in sub-section (1) may call for
information and give direction to the service providers, intermediaries, data centres, body corporate and
any other person.
 (7) Any service provider, intermediaries, data centres, body corporate or person who fails to provide the
information called for or comply with the direction under sub-section (6), shall be punishable with
imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees
or with both.
 (8) No court shall take cognizance of any offence under this section, except on a complaint made by an
officer authorised in this behalf by the agency referred to in sub-section (1).
69 POWER TO ISSUE DIRECTIONS FOR INTERCEPTION OR MONITORING OR
DECRYPTION OF ANY INFORMATION THROUGH ANY COMPUTER RESOURCE.

 (1) Where the Central Government or a State Government or any of its officers specially
authorised by the Central Government or the State Government, as the case may be, in this
behalf may, if satisfied that it is necessary or expedient to do in the interest of the
sovereignty or integrity of India, defence of India, security of the State, friendly relations
with foreign States or public order or for preventing incitement to the commission of any
cognizable offence relating to above or for investigation of any offence, it may, subject to
the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any
agency of the appropriate Government to intercept, monitor or decrypt or cause to be
intercepted or monitored or decrypted any information generated, transmitted, received or
stored in any computer resource.
 (2) The procedure and safeguards subject to which such interception or monitoring or
decryption may be carried out, shall be such as may be prescribed.
CONTINUED….
 (3) The subscriber or intermediary or any person in-charge of the computer
resource shall, when called upon by any agency referred to in sub-section
(1), extend all facilities and technical assistance to-
 (a) provide access to or secure access to the computer resource generating,
transmitting, receiving or storing such information; or
 (b) intercept, monitor, or decrypt the information, as the case may be; or
 (c) provide information stored in computer resource.
 (4) The subscriber or intermediary or any person who fails to assist the
agency referred to in sub-section (3) shall be punished with imprisonment
for a term which may extend to seven years and shall also be liable to fine.
69A POWER TO ISSUE DIRECTIONS FOR BLOCKING FOR PUBLIC
ACCESS OF ANY INFORMATION THROUGH ANY COMPUTER
RESOURCE. –

 (1) Where the Central Government or any of its officer specially authorised by it in this behalf
is satisfied that it is necessary or expedient so to do, in the interest of sovereignty and integrity
of India, defence of India, security of the State, friendly relations with foreign States or public
order or for preventing incitement to the commission of any cognizable offence relating to
above, it may subject to the provisions of sub-section (2) for reasons to be recorded in writing,
by order, direct any agency of the Government or intermediary to block for access by the
public or cause to be blocked for access by the public any information generated, transmitted,
received, stored or hosted in any computer resource.
 (2) The procedure and safeguards subject to which such blocking for access by the public may
be carried out, shall be such as may be prescribed.
 (3) The intermediary who fails to comply with the direction issued under sub-section (1) shall
be punished with an imprisonment for a term which may extend to seven years and shall also
be liable to fine.
69 B POWER TO AUTHORISE TO MONITOR AND COLLECT TRAFFIC
DATA OR INFORMATION THROUGH ANY COMPUTER RESOURCE FOR
CYBER SECURITY. -
 (1) The Central Government may, to enhance cyber security and for identification, analysis and prevention of intrusion
or spread of computer contaminant in the country, by notification in the Official Gazette, authorise any agency of the
Government to monitor and collect traffic data or information generated, transmitted, received or stored in any
computer resource.
 (2) The intermediary or any person in-charge of the computer resource shall, when called upon by the agency which has
been authorised under sub-section (1), provide technical assistance and extend all facilities to such agency to enable
online access or to secure and provide online access to the computer resource generating, transmitting, receiving or
storing such traffic data or information.
 (3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be
prescribed.
 (4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished
with an imprisonment for a term which may extend to three years and shall also be liable to fine. Explanation. -For the
purposes of this section,-
 (i) "computer contaminant" shall have the meaning assigned to it in section 43;
 (ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer
network or location to or from which the communication is or may be transmitted and includes communications origin,
destination, route, time, data, size, duration or type of underlying service or any other information.
Section 87. Power of Central Government to make rules.–

 (1) The Central Government may, by notification in the Official
Gazette and in the Electronic Gazette, make rules to carry out
the provisions of this Act. (2) In particular, and without
prejudice to the generality of the foregoing power, such rules
may provide for all or any of the following matters, namely:–
 (za) the procedure and safeguards for monitoring and collecting
traffic data or information under sub-section (3) of section 69B;
Information Technology (Procedure and safeguard for Monitoring and
Collecting Traffic Data or Information) Rules, 2009

• (k) “monitor” with its grammatical variations and cognate expressions, includes to view or inspect
or to record or collect traffic data or information generated, transmitted, received or stored in a
computer resource by means of a monitoring device;
• 3. Directions for monitoring.—
• 4. Authorised agency of government for monitoring and collection of traffic data or information.—
• 5. Intermediary to ensure effective check in handling monitoring or collection of traffic data or
information.—
• 6. Responsibility of intermediary.
• 7. Review of directions of competent authority.—
• 8. Destruction of records.—
• 9. Prohibition of monitoring or collection of traffic data or information without authorisation.—
• 10. Prohibition of disclosure of traffic data or information by authorised agency.— 
• 11. Maintenance of confidentiality.
3. Directions for monitoring.—

• (1) No directions for monitoring and collection of traffic data or information under sub-section (3) of
section 69B of the Act shall be issued, except by an order made by the competent authority.
• (2) The competent authority may issue directions for monitoring for any or all of the following
purposes related to cyber security, namely:-
• (a) forecasting of imminent cyber incidents;
• (b) monitoring network application with traffic data or information on computer resource;
• (c) identification and determination of viruses or computer contaminant;
• (d) tracking cyber security breaches or cyber security incidents;
• (e) tracking computer resource breaching cyber security or spreading virus or computer
contaminants;
• (f) identifying or tracking of any person who has breached, or is suspected of having breached or
being likely to breach cyber security;
• (g) undertaking forensic of the concerned computer resource as a part of investigation or internal
audit of information security practices in the computer resources;
• (h) accessing a stored information for enforcement of any provisions of the laws relating to cyber
security for the time being in force;
• (i) any other matter relating to cyber security.
• (3) Any direction issued by the competent authority under sub-rule (2) shall contain reasons for such
direction and a copy of such direction shall be forwarded to the Review Committee within a period of
seven working days.
• (4) The direction of the competent authority for monitoring and collection of traffic data or
information may include the monitoring and collection of traffic data or information from any person
or class of persons or relating to any particular subject whether such traffic data or information, or
class of traffic data of information, are received with one or more computer resources, being a
computer resource likely to be used for generation, transmission, receiving, storing of traffic data or
information from or to one particular person or one or many set of premises.
4. Authorised agency of government for monitoring and collection of traffic data or information.—

• (1) The competent authority may authorise any agency of the government for monitoring and
collection of traffic data or information generated, transmitted, received or stored in any computer
resource.
• (2) The agency authorised by the competent authority under sub-rule (1) shall designate one or
more nodal officer, not below the rank of Deputy Secretary to the Government of India, for the
purpose to authenticate and send the requisition conveying direction issued under rule 3 to the
designated officers of the concerned intermediary or person in-charge of computer resources.
• (3) The requisition under sub-rule (2) shall specify the name and designation of the officer or the
agency to whom the monitored or collected traffic data or information is to be disclosed.
• (4) The intermediaries or person in-charge of computer resource shall designate one or more officers
to receive requisition and to handle such requisition from the nodal officer for monitoring or
collection of traffic data or information.
• (5) The requisition conveying directions for monitoring shall be conveyed to the designated officers of
the intermediary or person in-charge of computer resources, in writing through letter or fax by the
nodal officer or delivered, (including delivery by email signed with electronic signature), by an officer
not below the rank of Under Secretary or officer of the equivalent rank.
6. Responsibility of intermediary.—
• The intermediary or person in-charge of computer resource
shall be responsible for the actions of their employees also,
and in case of violation of the provision of the Act and rules
made thereunder pertaining to maintenance of secrecy and
confidentiality of information or any unauthorised
monitoring or collection of traffic data or information, the
intermediary or person in-charge of computer resource shall
be liable for any action under the relevant provision of the
laws for the time being in force.
8. Destruction of records.—

• (1) Every record, including electronic records pertaining to such directions for monitoring or
collection of traffic data shall be destroyed by the designated officer after the expiry of a period of
nine months from the receipt of direction or creation of record, whichever is later, except in a
case where the traffic data or information is, or likely to be, required for functional requirements.

• (2) Save as otherwise required for the purpose of any ongoing investigation, criminal complaint or
legal proceedings the intermediary or the person in-charge of computer resource shall destroy
records pertaining to directions for monitoring or collection of information within a period of six
months of discontinuance of the monitoring or collection of traffic data and in doing so they shall
maintain extreme secrecy.
CONTINUED…
• (f) “cyber security incident” means any real or suspected adverse event in
relation to cyber security that violates an explicitly or implicitly applicable
security policy resulting in unauthorised access, denial of service/disruption,
unauthorised use of a computer resource for processing or storage of
information or changes to data, information without authorisation;

• (g) “cyber security breaches” means unauthorised acquisition or
unauthorised use by a person of data or information that compromises the
confidentiality, integrity or availability of information maintained in a
computer resource;
Section 69, 69A, 69B
