
The Information Technology Act, 2000

76RR

NDCRTC Team
Activity

1. How to decide the jurisdiction for offences committed in cyber world?

2. Does it apply to any person who commits an offence outside India?

3. Write possible cyber crimes and prescribe punishment for same.


History
• Model Law given by UNCITRAL
• Originated as a draft “E-Commerce Act”
• May 2000 - IT Act
• To promote E-commerce
• Legal recognition for electronic records
• Cyber Crime coverage incidental
• 2008 – Focus to cyber security
• At present – Merger with BNS 2023

Year 2000
• 94 Sections
• 13 Chapters
• Two Schedules

Structure of IT Act
Broad Categories
• E-Commerce
• E-Governance
• Contraventions, Offences
• Penalties, Adjudication
• Cyber-Security

Comprehensively Amended in 2008


Landmark Cases
1. Suhas Katti Vs State of TN - 2004
• First Conviction under IT Act
• Love triangle
• Divorcee lady
• Misuse of Yahoo Messenger
• Filthy calls
• Caller ID
• Cyber Café, eye witness
• Trial in 7 months
• 5 years punishment and fine

Landmark Cases
2. Baazee.com - 2004
• Responsibility of intermediaries
• Vicarious liability
• IIT Kharagpur Student
• Item 27877408 – DPS Girls
• 292 IPC and 67 IT Act
• CEO Avinash Bajaj
• Tech officer – Sharat Digumarti
• IT industry backlash
• Review of IT Act
• 26/11 attack
• Focus from E-commerce to Cyber Security

Jurisdiction

• You are a resident of Delhi with your bank account in Delhi. You were cheated by ‘X’ living in
Bangalore in an online fraud.
Delhi or Bangalore?

• You are a resident of Delhi and are travelling from ‘Agra’ to ‘Hyderabad’ by Train. At Jhansi,
you receive a phishing call from X who dupes you to share the OTP. The SMS informing you
that the money is deducted from your account was received by you at Bhopal.
Delhi /Agra/ Jhansi/ Bhopal/ Hyderabad

• ‘Rajesh’ runs a small company with HQ in Mumbai. He also has a branch office in Guwahati.
The website of the company, which is hosted in AWS at Singapore, has been hacked by ‘X’
from Estonia who posted obscene messages.
Mumbai/Guwahati/Singapore/Estonia
Scope and Applicability

Sec 1
It shall extend to the whole of India.

Sec 75
It applies also to any offence or contravention committed outside India by any person - if it involves a computer, computer system or computer network located in India.

1930
Cybercrime.gov.in
Section 2 of IT act

IMPORTANT DEFINITIONS
Section 2(i) “computer”
means any electronic, magnetic, optical or other high-speed data processing device
or system which performs logical, arithmetic, and memory functions by
manipulations of electronic, magnetic or optical impulses, and includes all input,
output, processing, storage, computer software or communication facilities which
are connected or related to the computer in a computer system or computer network
Section 2(k) “computer resource”
means computer, computer system, computer network, data, computer data base or
software;
Section 2(t) “electronic record”
means data, record or data generated, image or sound stored, received or sent in an
electronic form or microfilm or computer-generated micro fiche;
Cyber Contraventions
Penalties, Compensation and Adjudication
Chapter IX

Contraventions and Violations
• Civil Cases
- Up to 5 Crore: Before IT Adjudicator of state
- Above 5 Crore: District Civil Courts
• Criminal Cases
- Cognizable: Cyber Cell or Local PS

Job of a cop
• Identify any violations of law
• Identify suspect / accused
• Identify, collect, preserve, analyse and present the evidence

IT Act 2000/2008 – 26 sections

Section  Status  Remarks
65       E       Tampering with computer source document
66       M       Computer related offences
66A      N       Offensive messages through communication device
66B      N       Dishonestly receiving stolen computer resource
66C      N       Identity Theft
66D      N       Cheating by personation
66E      N       Violation of privacy
66F      N       Cyber Terrorism
67       M       Publishing / transmitting obscene material
67A      N       Publishing / transmitting sexually explicit electronic content
67B      N       Publishing / transmitting sexually explicit electronic content involving children
67C      N       Preservation and retention of info by intermediaries
68       M       Power of controller to give directions
69       M       Powers to issue direction for interception
69A      N       Power to issue directions for blocking public access of information through any computer resource
69B      N       Power to authorize to monitor and collect traffic data through computer resource for cyber security
70       M       Protected system
70A      N       National Nodal Agency
70B      N       CERT-In for incident response
71       E       Penalty for misrepresentation
72       E       Breach of confidentiality and privacy
72A      N       Punishment for disclosure of information in breach of lawful contract
73       M       Penalty for publishing electronic signature certificate false in certain particulars
74       E       Publication for fraudulent purposes
84B      N       Punishment for abetment of offences
84C      N       Punishment for attempt to commit offence

IPC 511 – attempt to commit any offence


Section 65 - Tampering with Computer Source Documents

Whoever knowingly or intentionally
• conceals, destroys or alters
or
• intentionally or knowingly causes another to conceal, destroy or alter
• any computer source code used for a computer, computer program, computer system or computer network,
• when the computer source code is required to be kept or maintained by law for the time being in force,
shall be punishable up to three years or with fine up to 2 lakhs or both.

Explanation - For the purposes of this section, "Computer Source Code" means the listing of programmes, Computer Commands, Design and layout and programme analysis of computer resource in any form.

X created source code and stored it on his laptop. Y changed the folder properties and hid it.
Yes/No

X developed a software program. The source code files of the program are stored on her computer. Y deletes the folder.
Yes/No

Case Study
• X is a telecom company. Its subscribers get a digital handset and a service bundle for three
years by irreversibly integrating the MIN with ESN in the device. X’s subscribers were
attracted by officials of rival firm Y with some offers. Once the subscriber agrees, he is asked
to meet personally. The customer is then asked to wait a while and the device is
reprogrammed to connect to Y’s network. Y’s officials hacked ESN so as to wean away X’s
customers to Y’s network service.
Whether the manipulation of this ESN programmed into the cell phone instrument
exclusively franchised to X amounts to altering source code used by these mobile
handsets?
Yes/No?

“Prima facie, when the ESN is altered, the offence under Section 65 of I.T. Act is attracted
because every service provider has to maintain its own SID code and gives a MIN to each
instrument. The disjunctive word "or" is used by the Legislature between the phrases "when
the computer source code is required to be kept" and the other phrase "maintained by law for
the time being in force" and, therefore, both the situations are different.”

Examples of Offences under Section 65
• Ransomware attack
• Computer or website hacking
• Changing mobile IMEI number
• Changing of MAC address
• Crack/piracy of software etc


Section 43 and Section 66

• Criminal Prosecution
• Civil Claims -Dishonest [IPC – 24]
- Fraudulently [IPC -25]

Section 43 – Penalty or compensation for damage to computer or computer system
• If any person without permission of the owner (all apps/google/facebook)
• Or any other person who is in charge of the computer system/network

Scenario 1
1. Employee ‘A’ is a good friend of employee ‘B’. During lunch break ‘A’ is not at his seat and ‘B’, who knows the password of ‘A’, accesses his computer as his own computer is not working.
2. B also copies a few important office files that include financial proposals prepared by A that are to be presented in the next office meeting.
• Is B liable for any civil or criminal proceeding?

Scenario 2
• As A and B are friends, A requests B to go to his computer, check a folder and bring the budget file on a pen drive to the chamber of their common boss. B does as asked by A. At the same time, he also copies a few other important documents onto another pen drive.
• Is B liable for any civil or criminal proceeding?

• Section 43 a – Unauthorized access
• Section 43 b – Unauthorized copying, extraction, downloading
[Outgoing IT employees alleged to have stolen corporate data]

Section 43 c
Introduces or causes to be introduced computer contaminant or computer virus
[patches]…

Section 43 – d, e, f – Electronically / Physically
d) Damages or causes to be damaged a computer system or data inside
e) Disrupts or causes disruption of computer, computer network or computer system
f) Denies or causes the denial of access to computer to any person authorized to access any computer, computer system or computer network by any means

Section 43 g [sim sellers / bank staff / any other]
• It makes any person who provides assistance to another person to contravene any of the provisions of the Act liable for civil as well as criminal liability

Section 43 h
• Charges the services availed by a person to the account of another by tampering or manipulation

Civil Contraventions
Sec 43 - Penalty & Compensation for Damage to Computer
Penalty and compensation for damage to computer, computer system, etc

If any person without permission of the owner or any other person who is in-charge of a computer, computer system or computer network,–
43 (a) Unauthorised Access
43 (b) Unauthorised Download/Copying
43 (c) Introduces or causes to be introduced computer contaminant or computer virus
43 (d) Damages or causes to be damaged a computer system or data inside
43 (e) Disrupts or causes disruption of computer, computer network or computer system
43 (f) Denies or causes the denial of access to computer to any person authorized to access any computer, computer system or computer network by any means
43 (g) Provide assistance to facilitate access to any person in contravention of provisions of Act, Rules and Regulation
43 (h) Charges the services availed by a person to the account of another by tampering or manipulation
43 (i) destroys, deletes, or alters any information residing in a computer resource
43 (j) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage

Note: If a person is authorized to perform some act, then section 43 cannot be invoked.

Newly added 2008
• 43 (i) destroys, deletes, or alters any information residing in a computer resource
• 43 (j) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage
• Data Breach
• Access of confidential info thus reducing its value….

Section 66
Computer related offences

If any person,
• dishonestly or fraudulently,
• does any act referred to in section 43,
• he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

Section 66 talks about any of the acts in section 43 and not section 43 in its entirety.

Section 66 may get invoked when any of the acts in 43 are committed even if it is with “authorization of the person in charge of the computer” but with dishonest and fraudulent intention.

Case Study
• Sanjay Dhande, 65, a member of the National Security Advisory Board and a Padma Shri awardee for his contribution to the field of science and technology, was duped of 19 lakhs in 2013.
• The unidentified fraudsters made 22 transactions from his ICICI bank account over three days — on September 7, 8 and 9.
• Four of these were money transfers and 18 were shopping transactions. He did not get any SMS alert for any of these transactions.

Chronology of Events
• On 6th September 2013, the cell phone stopped functioning.
• On 7th September 2013, upon contacting Vodafone, it was informed that the SIM was not functional and needed to be replaced.
• September 8th and 9th were holidays; the complainant contacted the Vodafone office on 10th September 2013. The complainant applied for a new SIM card with all the verification proofs such as a copy of PAN Card and photograph etc., and a new SIM card was issued, and it started functioning from the evening of 10th September.
• The complainant states that during the period when their mobile was non-functional, the fraudulent transactions took place, and an amount to the tune of Rs 19 lakhs was siphoned off.
• A fake SIM card was issued by Vodafone on 6th September 2013 at their franchisee office in Nagpur to someone on the complainant's number.

Fake
Documents
Used

Sec 43A
Compensation for Failure to Protect Data

• Where a body corporate,
• possessing, dealing or handling
• any sensitive personal data or information
• in a computer resource which it owns, controls or operates,
• is negligent in implementing and maintaining reasonable security practices and procedures and
• thereby causes wrongful loss or wrongful gain to any person,
• such body corporate shall be liable to pay damages by way of compensation to the person so affected.

• "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.
• reasonable security practices and procedures - security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment

Adjudicating Officer
Section 46

• The ADJUDICATING OFFICER shall adjudicate matters whether any person has committed a contravention in which the claim for injury or damage does not exceed rupees 5 crore
• Equivalent to Director to Govt of India
• Hear and decide in four months and to a maximum of six months
• May get the matter or the report investigated from the concerned Deputy Superintendent of Police

Adjudicating Officer’s Order
• At ICICI Bank
• Criminals mainly used accounts of ICICI opened on fake papers to defraud the complainant. KYC
norms were not strictly followed by the Bank
• By Vodafone
• Did not check the authenticity of the claim or reason for issuance of a duplicate SIM card.
• They did not check the picture on the fake license with their database; nor was the sign matched;
• Online File Net system was down for days.
• The person took the blank form, and came back in ten minutes, with forged details, a photo of male
person on scanned normal paper rather than a proper photo;
• The store manager was not in shop but came next day and backdated his signature on the form
• Did not check if the number was in use and active or not.
Sh. Sanjay Govind Dhande v. ICICI Bank and Vodafone India Adjudicating Officer (Mumbai), Complaint No. 30 of
2013 dated 26th September 2013 decided on 16/01/2014
Verdict

• (c) ICICI Bank has defaulted on multiple counts as enumerated earlier in my Analysis of this
case. Their omissions fall within the ambit of Section 43A of the IT Act. Accordingly, I order
Respondent 1, i.e. ICICI Bank to pay damages to the tune of Rupees 6,00,000 by way of
compensation to the Complainant, within a month of this order, failing which compound
interest of 12 percent compounded monthly will also be chargeable.

• (d) Vodafone i.e. Respondent 3, by not following the reasonable security practices and
procedure and the established guidelines before issuing a duplicate SIM card, has led to the
access of sensitive personal data and information of the Complainant to an unauthorized person
and thereby caused wrongful loss to the Complainant. According to me, this falls within the
ambit of Section 43A of the IT Act. Accordingly, I order Respondent 3, i.e. Vodafone to pay
damages to the tune of Rupees 12,00,000 by way of compensation to the Complainant, within
a month of this order, failing which compound interest of 12 percent compounded monthly will
also be chargeable.

Matters which can be Admitted by the Adjudicator
• Credit Card fraud
• Illegal Online Bank Transfer
• Data Theft
• Hacking
• Defamation
• Privacy Breach
• Denial of Service
• Source Code Theft
• Domain Theft
• Spreading of Computer Contaminant
• Computer Theft
• Stealing of database etc.
• Identity Theft
• Data Deletion

Appellate Tribunal
Section 48

Telecom Dispute Settlement and Appellate Tribunal (TDSAT)

Section 49 – Formation of Cyber Appellate tribunal has been omitted.

Section 61 - Civil Court not to have jurisdiction or grant injunction

Appeal against the order of Appellate tribunal lies in the concerned High Court.

Investigation under IT Act

Section 77A & 77B
Cognizance of Offences, Bailability & Compounding of Offences

Notwithstanding anything contained in the Code of Criminal Procedure, 1973 (2 of 1974),
• The offence punishable with imprisonment
• Less than 3 years – Non-Cognizable and Bailable
• Of 3 years – Cognizable and Bailable
• Above 3 years – Cognizable, non-bailable, Non-compoundable

Section 78
Power to Investigate Offences under IT Act 2008

Notwithstanding anything contained in the Code of Criminal Procedure, 1973 (2 of 1974), a police-officer not below the rank of Inspector shall investigate any offence under this Act.

Amendment needed……

Section 80
Power of Police Officers & Other Officers to Enter, Search etc.

Authorized officer may enter any public place and search and arrest without warrant any person who is reasonably suspected of having committed or of committing or of being about to commit any offence under this act.

An officer other than a police officer has to take or send the arrested person before a magistrate or officer-in-charge of a Police station.

Provisions of CrPC shall apply in relation to any entry, search or arrest made under this section.

Offences by Companies - Section 85

Contravention committed by a Company - any person who, at the time the contravention was committed, was in charge of the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:

Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.

Avinash Bajaj, CEO, Baazee.com

Case Study
X is a firm involved in development of a particular hospital management software. All
employees of the firm sign a non-disclosure agreement.
The HR manager while going through the profiles for recruitment, found one A who
claims to have developed the similar software earlier.
Suspecting theft of source code, a case was filed with police for investigation.
Investigation revealed that this applicant in cohort with an employee B of X had utilized
the resources/knowledge bank of X firm and developed the software at the instance of rival
firm Y.
FIR was registered u/s 408, 420 IPC and 43, 65, 66 of IT act.
What is the issue here?

[Gagan Harsh Sharma And Anr vs The State Of Maharashtra And Anr on 26 October, 2018, Bombay High Court]

Case Study
In a case, an FIR was filed against the owner of a firm. It was alleged that the firm was in possession of obscene material, and that they were selling and distributing obscene material.
Later he was chargesheeted u/s 292, 294 IPC and 67 IT Act.
He filed an application in the Supreme Court seeking quashing of proceedings against him u/s 67 IT Act, as he had been accused only because he is the owner of the firm. The Supreme Court dropped charges u/s 67 IT Act.
Subsequently, he filed an application in the trial court to drop 292 IPC as 67 IT Act was dropped. The trial court disagreed. He went back to the Supreme Court seeking dropping of charges u/s 292 IPC as 67 IT Act was dropped.
The question for consideration before the Hon'ble Apex Court was whether the
appellant who has been discharged under Section 67 of the IT Act could be proceeded
under Section 292 of the Indian Penal Code.
[Sharat Babu Digumarti vs Govt Of NCT Of Delhi on 14 December 2016, Supreme Court]

Retention of Electronic record/information
• Law provides for mandatory retention of data under certain conditions
• Section 7 of IT act
• Section 67C of IT act [penal]

Retention of Electronic Record
Section 7 IT Act

Electronic records shall be retained for a specific period fulfilling the following requirements:

(a) the information contained therein remains accessible so as to be usable for a subsequent reference;

(b) the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;

(c) the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record.

Retention of Information by Intermediaries
Section 67C IT Act

(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and also be liable to fine.

Criminal Offences
under IT Act
Computer Related Offences
Section 66

• If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with
imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or
with both.
Objectionable Posts on
Social Media
Two women were arrested alleged to have
posted objectionable comments on Facebook
regarding the complete shutdown of Mumbai
after the demise of an influential political
leader.

Do you think this is an offence?


What if, this post triggers law and order or
violence by the supporters of the leader?
Is it an offence then?
Section 66A was struck down by SC
Scenario

• X has several stolen mobile phones. He approaches Y, who owns a mobile phone store, and offers him those stolen mobile phones at half of the market price. Y buys the stolen mobile phones from X and sells them in his shop for full market price.

Is there an offence made out here? If so, what and by whom?

Scenario
• A is a buyer who goes to Gaffar
Market in Delhi and buys Apple
iPhone 13 at throw away price from
a streetside vendor B.
• A is so elated with price that he does
not demand for bills or receipt.
• One day, a police team arrives at A’s
residence and informs that the phone
was stolen in Bangalore and
proceeds to arrest A.
Did A commit any crime? If so, how?
Yes/ No?
Section 66B
Stolen Computer Resource

Whoever dishonestly
• receives or retains any stolen computer resource or communication device
• knowing or having reason to believe
• the same to be a stolen computer resource or communication device
shall be punished with imprisonment of up to three years or with fine which may extend to rupees one lakh or with both.

Another Illustration

In case a former employee of a firm sells a crucial source code to a business rival, the former employee will be liable under which section of IT Act?

Sec-66 r/w 43(j) - (stealing source code with dishonest intention) of the Act.

What about the business rival, is he liable in any way?

The business rival, if he was aware or has reason to believe that the source code was stolen, and receives or retains it, will be liable under this section.

Scenario

X is a junior employee in a firm.
He observes his senior Y typing her bank password into her computer.
Did X commit any crime here?

Later, one day, X logs into the bank account of Y using her password and transfers money into his own account.
How about now, did X commit any crime now?

Section 66C
Punishment for Identity Theft

• Whoever, fraudulently or dishonestly
• makes use of the
• electronic signature,
• password or
• any other unique identification feature of any other person,
shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Illustration
• Someone created a fake
Facebook account of A.
• The person was chatting with a
lot of people with her name.
• He also shared her number and
address publicly on the same
fake profile.
• She apparently started receiving
calls from all over the places.
Was there any identity theft in
this case?
Scenario
X, along with two accomplices, was involved in creating fake documents from the
internet. He and his team arranged for a mock medical examination, forged the
signature of Railway Minister using his fake letterhead, and prepared a forged medical
report. He took Rs.20 lakhs from many students in the garb of providing railway jobs.
Is there any identity theft in this case?

The accused were held liable under Section 66C of the Information Technology Act,
2000 and Sections 420, 467, 468, 466, 471, 484 r/w 34 of the Indian Penal Code, 1860.

“Identity brings in authenticity”


Sanjay Jha v. State of Chhattisgarh (2014) 3 SCC 202, 31-01-2014
420 – cheating, 467 –Forgery, 468 – forgery for cheating,466- forgery of court/public record, 471-using forged document as genuine, 484 – counterfeit of mark of public servant, 34 – act with common intention
Fake Profile on Pornographic Site
Fake profile was created in the name of A’s wife in a pornographic website where
derogatory and obscene comments were posted. Similarly, A’s mobile phone number was
also uploaded which led to receipt of number of unsolicited calls and objectionable
requests.
Investigation revealed that, X opened the account by filling up the details of A’s wife on
the portal and gave A’s numbers.

Can we invoke Section 66C, 67A ? Yes/No

“The identity theft or account take over - means the phenomenon of filling another person
identity”
Jayanta Kumar Das Vs. State of Odisha, Puri SDJM Court
Reporter Vs Money lending firm. Desihunt.com, fake yahoo id, ip address and hard disk
Section 66D
Cheating by Personation

Whoever,
• by means of any communication device or computer resource
• cheats by personation,
shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.

Scenario
• X along with his associates placed an
advertisement on OLX, for selling of two and
four wheelers.
• When the buyers contacted them, they falsely
introduced themselves as army personnel, and
after gaining confidence, they used to fix sale
price of the vehicle.
• On one or the other pretext, X would then
request the victim to send an advance amount
through UPI and later switch off their mobile
phones.
Is this Cheating by Personation or Identity
theft?
Fake Call Center in Bhopal
• Police received a tip that unknown persons are operating an illegal call centre in
Bhopal to dupe the U.S. citizens.
• Many US Citizens had been duped by the accused on pretext of revenue officers
by sending them fake E-Mail/SMS. Accused hid their identities with the help of
proxy internet connections.
• Victims – loan defaulters
How to Proceed further?
Investigation…

• Data of approx. 01 lakh was bought illegally.
• Nearly 200 documents including fake arrest warrant, fake legal notice, fake summons with the mono of American Law Enforcement Agencies pasted on it, were seized in the laptops, desktops, and mobiles of the accused.
• U.S. Embassy, New Delhi was contacted, and assistance of FBI was sought. Based on the
information shared with the F.B.I., they received all the necessary documents from the victims
in U.S.
• All the accused were arrested after an F.I.R. No. 166/18, under section 467, 468, 471 IPC and
66C, 66D IT Act.
• Ex- call centre employees

Section 66E
Punishment for Violation of Privacy

Whoever,
• intentionally or knowingly
• captures, publishes or transmits
• the image of a private area of any person
• without his or her consent,
• under circumstances violating the privacy of that person,
shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.

Scenario
• A and B, a couple, booked a
room in a hotel at Tehri.
• Just before going to bed, when
they switched off all the lights,
they saw a small red light being
emitted from the fan.
• Upon checking, it turned out to
be a hidden camera.

Can you invoke Section 66E?
YES/NO?

Section 66F
Punishment for Cyber Terrorism
1) Whoever,–
(A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike
terror in the people or any section of the people by–
(i) denying or cause the denial of (DoS/DDoS)
(ii) attempting to penetrate or access a computer resource (Hack)
(iii) introducing or causing to introduce any computer contaminant, (malware)
• and
• by means of such conduct causes or is likely to cause
• death or injuries to persons or
• damage to or destruction of property or
• disrupts or knowing that it is likely to cause damage or disruption of supplies or
services essential to the life of the community or
• adversely affect the critical information infrastructure specified under section 70; or
Section 66F
Punishment for Cyber Terrorism (contd..)
(B) knowingly or intentionally
• penetrates or accesses a computer resource without authorization (hacks)
• and by means of such conduct
• obtains access to information, data or computer data base
• that is restricted for reasons of the security of the State or foreign relations; or may be used
to cause or likely to cause injury to the interests of the sovereignty and integrity of India,
the security of the State, friendly relations with foreign States, public order, decency or
morality, or in relation to contempt of court, defamation or incitement to an offence, or to
the advantage of any foreign nation, group of individuals or otherwise,
• commits the offence of cyber terrorism.

Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

1. The attack on the Pathankot air force base, resulting in at least 6 deaths, was carried out with a marked degree of foresight and knowledge of the air base and operations. It has come to light that part of that intelligence gathered for that attack was due to an app called SmeshApp.

2. Maharashtra – First Cyber Terrorism Conviction
- IT Engineer
- fake Facebook account for chat purpose
- plan to use Thermite bomb
- target “American School” in Bandra Kurla Complex
- life sentence

Year  Cases
2018  21
2019  12
2022  12

Section 67
Publishing or Transmitting Obscene Material in Electronic Form

Whoever
• publishes or transmits
or
• causes to be published or transmitted
• in the electronic form,
• any material which is
• lascivious or appeals to the prurient interest
• or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances,
• to read, see or hear the matter contained or embodied in it,
• shall be punished
• on first conviction - three years / five lakhs fine
• second or subsequent conviction - five years / ten lakh rupees.

Cyber Obscenity as a Crime

• Anything that is lascivious or appeals to the prurient interest or if its effect is to deprave and corrupt persons would be ‘obscene’.
• Lascivious: is something that tends to excite lust.
• Appeals to: in this context, means “arouses interest”.
• Prurient interest: is characterized by lustful thoughts.
• Effect: means to produce or cause some change or event.
• Tend to deprave and corrupt: in the context of this section means “to lead someone to become morally bad”.
• Persons: here refers to natural persons (men, women and children) and not artificial persons.

Section 67A
Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form
Whoever
• publishes or transmits
• or causes to be published or transmitted
• in the electronic form any material
• which contains sexually explicit act or conduct
shall be punished on
• first conviction - five years / ten lakh rupees
• second or subsequent conviction - seven years / ten lakh rupees.
Section 67B
Punishment for publishing or transmitting of material depicting children in sexually explicit act etc - in electronic form
Whoever,-
a) Publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct; or
b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material
c) Cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource; or
d) Facilitates abusing children online; or
e) Records in any electronic form own abuse or that of others pertaining to sexually explicit act with children,
shall be punished on
first conviction – up to five years and fine ten lakh rupees
second or subsequent conviction – up to seven years and fine ten lakh rupees
Section 67C IT Act
Retention of Information by Intermediaries
(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and also be liable to fine.
Digital Signatures
Section 3
Before we proceed, What is a
Signature ???
What are its Characteristics?
• A physical signature of a signer
• Identifies the Signer
• Is Unique to the Signer
• Signer cannot deny the signature
• Should not be forged
• Is verifiable by comparing with sample
signatures
• Authenticates and establishes the integrity
of the content of the signed letter
In Cyber Space, how to ensure all the above for
an electronic document?
Digital Signature
A Digital Signature serves three purposes
• Authentication – identifies the signer
• Integrity – to ensure the message is not
altered
• Non-repudiation – Signer cannot deny
signing of the document
Symmetric and Asymmetric Key Encryption
[Used for authenticating the signer]

• Encryption – converting data into unreadable form that can only be read with authorized access.
• Symmetric key encryption – same shared key.
• Asymmetric key encryption - a public-private key pair where one key is used to encrypt and the other to decrypt.

Asymmetric cryptography can be used both for secured communication and for authenticating the signer on the Internet
Hash Function
[Used for ensuring Integrity of Data]

Hashing is the process of transforming data into a fixed string of characters.

The three characteristics of an efficient hash function:
• Deterministic : Same hash result every time for same input data
• Unidirectional : Deriving input message from hash should not be possible
• Two different messages should not have the same hash.
Authentication of Electronic Records
Section 3

Any subscriber may authenticate an electronic record by affixing his digital signature

The authentication of the electronic record shall be effected by the use of asymmetric
crypto system and hash function which envelop and transform the initial electronic
record into another electronic record.

Any person by the use of a public key of the subscriber can verify the electronic record.

The private key and the public key are unique to the subscriber and constitute a
functioning key pair.
Creation of Digital Signature
Rule 4 of Information Technology (Certifying Authorities) Rules, 2000

https://www.youtube.com/watch?v=JR4_RBb8A9Q – Let’s understand digital signature

To sign an electronic record or any other item of information, the signer shall first apply the
hash function in the signer's software; the hash function shall compute a hash result of
standard length which is unique (for all practical purposes) to the electronic record; the
signer's software transforming the hash result into a Digital Signature using signer's private
key; the resulting Digital Signature shall be unique to both electronic record and private key
used to create it; and the Digital Signature and the Digital Signature Certificate shall be
attached to its electronic record and stored or transmitted with its electronic record.
Working Process of a Digital Signature
Rule 4 of Information Technology (Certifying Authorities) Rules, 2000
1. Alice selects a letter to send to Bob.
2. A hash value of the letter’s contents is generated by Alice’s computer.
3. This hash value is encrypted with Alice’s private key to create a digital signature.
4. The letter and the digital signature are sent to Bob.
5. When Bob opens the file, in order to identify the signer, Bob decrypts the digital signature using Alice’s public key. This reveals the hash string of the letter.
6. Bob’s computer then separately calculates the hash of the letter which was received and compares the hash it generated to the decrypted hash in step 5 above.
7. Any difference in the hash values means there has been a tampering of the file.

Keep in mind, digital signature is not about encrypting document, it’s just like a paper-based signature.
But what if…
• Ram, a sales head of an importing firm XYZ in India, places an order on a firm B in
Argentina. It is important to note that A and B do not identify each other. A sends a
letter with digital signature signed using his private key.
• An employee of the firm in B who received this letter, opened it and wanted to
verify the signature. B tries to open the letter with the public key of sender and
checks for the name of the sender. The name is revealed as Rajneesh claiming to
be the employee of the firm XYZ. The keys are verified and B now delivers to
Rajneesh.
How could this happen?
How can the authenticity of the sender’s identity be established? A public-private key pair only enables us to verify that the signer is who he claims to be. But how to ensure the authenticity of the identity itself?
Digital Signature Certificates PKI Architecture
Anyone can pretend he/she is the sender.
Hacker can drop the original message and replace it with his own message. He signs it with his own private key, thereby making Alice believe that he is the original sender.
Digital certificate ensures the identity of the signer by verifying the owner of the public key.
Trusted Third Party
Certificate Issuer
• A trusted third-party agency to verify
the signer. Like passport issuer.
• Bob Signs the message with his
private key and attaches the digital
certificate issued to him by CA.

• The certificate will contain
• Certificate Owner’s name
• Owner’s public key and expiry date
• Certificate issuer’s name
• Certificate issuer’s digital certificate
Verification of Digital Signature Certificate
Rule 5A of IT (Certifying Authorities) Rules, 2000
(a) The self signed certificate generated by the Controller, which begins the trust chain for the public key infrastructure, shall be used to verify the authenticity of the public key certificate of the licensed Certifying Authorities;
(b) the public key certificate of the licensed Certifying Authorities shall be used to verify the authenticity of the digital signature certificate issued to the subscribers;
(c) the certificate revocation list maintained by the licensed Certifying Authorities shall be checked to confirm whether the certificate is valid or whether it has been revoked under section 38 of the Act;
(d) while verifying the validity of a digital signature the corresponding digital signature certificates should chain up through the public key certificate of the issuing Certifying Authority to the self signed certificate of the Controller and if any of the certificates in the trust chain is not trusted the signature will not be verified.
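The hash-then-sign flow of Rule 4 and the chain check of Rule 5A, as an added Python example that is not part of the original slides: it shows why a bare public-key check accepts an impostor's signature while the chain up to the Controller's self-signed certificate rejects it. The names (Alice, impostor, Licensed CA), the certificate fields, the serial numbers and the unpadded textbook RSA built from Mersenne primes are assumptions chosen to keep the example dependency-free; real Digital Signature Certificates use padded signatures and keys that cannot be factored.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below


def toy_keypair(a, b):
    """Textbook RSA key from Mersenne primes 2**a-1 and 2**b-1 (assumption:
    illustration only, such a modulus is trivial to factor)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest(data):
    """Hash result of standard length (SHA-256) as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    """Rule 4: hash the record, then transform the hash with the private key."""
    return pow(digest(data), priv["d"], priv["n"])


def verify(pub_n, data, sig):
    """Recover the hash with the public key and compare it with a fresh hash."""
    return pow(sig, E, pub_n) == digest(data)


def cert_body(c):
    """Bytes of the certificate that the issuer signs."""
    return f"{c['subject']}|{c['n']}|{c['issuer']}|{c['serial']}".encode()


def issue_cert(subject, pub_n, issuer, issuer_priv, serial):
    """Hypothetical minimal certificate: name, public key, issuer, serial."""
    c = {"subject": subject, "n": pub_n, "issuer": issuer, "serial": serial}
    c["sig"] = sign(issuer_priv, cert_body(c))
    return c


def verify_signed_record(record, sig, chain, trusted_root_n, crl):
    """chain = [subscriber cert, CA cert, Controller root cert] (Rule 5A)."""
    root = chain[-1]
    # (a)/(d): the chain must end in the Controller's self-signed certificate
    if root["n"] != trusted_root_n or not verify(
            root["n"], cert_body(root), root["sig"]):
        return (False, "untrusted root")
    for child, parent in zip(chain[:-1], chain[1:]):
        # (a)/(b): each certificate must be signed by the one above it
        if child["issuer"] != parent["subject"] or not verify(
                parent["n"], cert_body(child), child["sig"]):
            return (False, "bad issuer signature on " + child["subject"])
        # (c): certificate revocation list check
        if child["serial"] in crl:
            return (False, f"certificate {child['serial']} revoked")
    # Only now is the subscriber's key trusted to check the record itself
    if not verify(chain[0]["n"], record, sig):
        return (False, "record signature mismatch")
    return (True, chain[0]["subject"])


def demo():
    controller, ca = toy_keypair(61, 2203), toy_keypair(89, 1279)
    alice, impostor = toy_keypair(107, 607), toy_keypair(127, 521)
    root_cert = issue_cert("Controller", controller["n"], "Controller", controller, 1)
    ca_cert = issue_cert("Licensed CA", ca["n"], "Controller", controller, 2)
    alice_cert = issue_cert("Alice", alice["n"], "Licensed CA", ca, 100)
    # The impostor names Alice and the CA in a certificate, but can only
    # sign that certificate with his own key.
    fake_cert = issue_cert("Alice", impostor["n"], "Licensed CA", impostor, 101)

    letter = b"Purchase order: 500 units"  # constructed sample record
    sig, forged = sign(alice, letter), sign(impostor, letter)
    chain, root_n = [alice_cert, ca_cert, root_cert], controller["n"]
    return {
        "genuine": verify_signed_record(letter, sig, chain, root_n, set()),
        "tampered": verify_signed_record(letter + b"0", sig, chain, root_n, set()),
        "bare_key_check_of_forgery": verify(impostor["n"], letter, forged),
        "forgery_with_chain": verify_signed_record(
            letter, forged, [fake_cert, ca_cert, root_cert], root_n, set()),
        "revoked": verify_signed_record(letter, sig, chain, root_n, {100}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The third result is the "But what if" case from the slides: the forged signature is mathematically valid under the impostor's own key, and only the certificate chain ties a key to a name.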
E-sign using Aadhaar
1. e-authentication technique using Aadhaar
2. vide Gazette Notification No. 2015 Jan – GSR 61(E). The government did so, under its powers in Section 3A of the Information Technology Act.
Framework for Digital Signatures under IT Act

• Central Government appoints Controller (Section 17)
• Controller of Certifying Authorities gives license to Certifying Authorities (Section 21)
• Certifying Authorities give Digital Signatures to Subscribers
• Subscribers use the Digital Signature
Offences Related to Digital Signatures
Section 71 Penalty for Misrepresentation
• If anyone provides wrong information or withholds any fact from the Controller or the Certifying Authority for obtaining the license or Electronic Signature Certificate, is liable to be punished with imprisonment for up to 2 years or fine up to Rs. 1 Lakh or both.
Section 73 Penalty for publishing Electronic Signature Certificate false in certain particulars
• If any person publishes or gives an Electronic Signature Certificate without the certifying authority issuing it, subscriber accepting it or that which is revoked or suspended, is liable to be punished with imprisonment for up to 2 years or fine up to Rs. 1 Lakh or both.
Section 74 Publication for Fraudulent purpose
• Anyone who knowingly creates, publishes or gives an Electronic Signature Certificate for any fraudulent or unlawful purpose is liable to be punished with imprisonment for up to 2 years or fine up to Rs. 1 Lakh or both.
Interception and Cyber
Security
under IT Act
1. Connected world
2. 5 Bn people out of 7.9 Bn have access to Internet
3. Any domain name can be purchased from anywhere
4. 450 Crores social media users
5. 20 Crores active websites
6. 30 lakh apps on Android
7. India – 50 Crore use whatsapp and 30 Crore use FB…..

8. Anyone can upload anything from any part of the world !!!!
What resides on Internet
1. Useful information and utility services

but it also has following


2. False / Fake / derogatory / misleading / incorrect /
glamorizing / potential breach of privacy content

3. Info against – Government/ Organization/ Individual

4. Demand for blocking or removing the content

5. Need to know the person who uploaded the content

6. Freedom of speech and role of Intermediaries


Speed of Technology
Online Harm / Illegal content
1. Online Radicalization
2. Showing our armed forces in poor light

3. Hatred in name of religion / caste / language

4. Child porn / rape videos / extreme obscenity

5. Non-consensual explicit imagery on social media

6. Pornographic websites

7. Saree challenge
Online harm
1. Copyright

2. Cigarette , Tobacco , Alcohol ads

3. Escort services, Gambling, weapons,

4. File sharing, freeware

5. Virtual games – Blue whale

6. Money lending apps

7. Apps stealing data - TikTok


Original – passportindia.gov.in

Fake websites Fake websites

Indiapassport.org Passportsevaindia.com

Online-passportindia.com Indianpassportseva.co.in

Passportindiaportal.in Passportindiaonline.com

Passport.india.in Indianpassportonline.com

Passport.seva.in Indiapassport.ind.in

Applypassport.org Passportsevaindia.in
Field examples
1. State Police – received complaint that 5 sites are hosted from hostile neighboring country
2. 4 pornographic and 1 online gaming
3. State Police wrote to ISP to block same
4. Few ISP’s blocked and few did not…
5. People approached Meity and they in turn asked DOT
6. Police do not have power to do so
7. Court order , Meity or CERT-IN can only block website under 69 A
8. Content hosting platforms can be intimated about illegality of the content through notice so
that they are aware of it and fall in category of liability of intermediary
9. A search engine can not block the third party website. It can only de-index what it has indexed.
• ARTICLE 19:
Protection of certain rights regarding freedom of speech etc:
1. All citizens shall have the right
a) To freedom of speech and expression;

• 2. Nothing in sub clause (a) of clause (1) shall affect the operation of any existing law, or
prevent the State from making any law, in so far as such law imposes reasonable restrictions on
the exercise of the right conferred by the said sub clause in the interests of the sovereignty and
integrity of India, the security of the State, friendly relations with foreign States, public order,
decency or morality or in relation to contempt of court, defamation or incitement to an offence.
Blocking Access on Internet

• Remove or disable the information from the platform where it exists. E.g. facebook or twitter post
• Remove or deregister the website (in domain)
• Block the information through ISPs
• Remove or de-index in the search results (website or url will not show in the search results)
Block the content
• At the end user level (through end user filters) - https://www.netnanny.com/
• Organizational level through firewall (dating sites, gaming sites)
• State / Country level
• Completely
• Blocking can be only country specific or complete all together
Basis of blocking / removal of content

• Provisions of IT Act
1. Section 69 A – Powers to issue blocking directions
2. Section 79 – Exemption from intermediary liabilities
3. Section 79 (3)(b) – Intermediaries to lose their immunity if they fail to act swiftly
4. Blocking online news platforms and VoD/OTT platforms
Section 69 A
• Meity and MIB empowered agencies
• Can ask for blocking of the content – Website/ URL/ Social Media account
• Conditions to invoke 69A act
• Defense of India
• Sovereignty and Integrity of India
• Security of State
• Friendly relations with foreign states
• Public order
• Preventing incitement to commit any offence
• Punishment of 7 years for non compliance
69 A Rules

1. IT [Procedure and Safeguards for Blocking Access of Information by Public] Rules 2009
2. Powers of Central Govt are exercised through Meity and MIB
3. Secretary Meity is the competent authority
4. Govt. has notified a designated officer who is competent authority to issue orders
5. Nodal officers nominated from Ministries / Departments and States – 40
6. Their list available on Meity Site
7. Inter-Ministry Committee – JS from CERT, MHA, MIB and DLA
Normal Blocking Process

1. Request with full justification received through nodal officers
2. Advance notice is given to owner/ custodian (intermediary)
3. Any recommendations are made by the committee after hearing views of requesting agency/ justification, information owner/custodian before committee makes recommendations
4. Quasi judicial process
5. Review of 69A orders at Cab Sec led committee
6. Process and outcomes are confidential
7. Subjective and highly impartial
8. Section 69A is constitutionally upheld
Rule 7 – Committee Meeting
a. Request through nodal officer
b. Form 6(2) and screenshot
c. Members – DOs u/s 69A, other Ministries and CERT-IN
d. Approved by Secretary
e. Direction for blocking content given by DO

Rule 9 – Emergency Meeting
a. DO examines request
b. Approval by Secretary
c. Interim direction for blocking issued
d. Confirmed by committee mentioned in Rule 7

Rule 10 – Court Order
a. Initiate action as directed by the court
b. Approval by Secretary
c. Direction for blocking issued

Court – That has power to give punishment of 7 years and above - CJM
Key aspects of blocking

1. Each URL is reviewed


2. Justification is asked for every URL
3. For each account level blocking, multiple evidences reviewed.
4. IB, MHA, J&K Police, Punjab Police, AP, TS, Maharashtra ATS, Delhi Police
Prerogative of Chief Secretary . Maharashtra has 3 nodal officers.
It can be designation based than based on Individual. Avoid gmail
Year  URL requested  URL blocked  Facebook  Instagram  Twitter  YouTube  Others
2017  2025           1385         526       87         588      103      81
2018  4192           2799         1555      379        224      161      480
2019  5891           3635         2049      75         1041     409      61
2020  11449          9849         1717      1273       2731     2175     1953
2021  7898           6096         1082      464        2851     1121     578


1. J&K
2. PoK
3. Khalistan
4. PFI
5. Proactive activities
6. Mobile apps stealing customer data
What is not covered under 69 A?
1. Information violative of one’s privacy
2. Pornographic material in different forms
3. Copyright violations
4. Private requests for content removal
5. Defamation
6. Malware related activities
7. Fake websites
8. Phishing websites
9. Tobacco, alcohol, cigarette, escort services, gambling websites
Section 79 – Intermediary liability and
exemption

1. If Intermediary does not
- initiate the transmission
- select the receiver of the transmission
- select or modify the content in information
2. Due diligence – IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021
which has superseded the IT (intermediary guidelines)Rules 2021
Agencies Empowered under Section 69 and Rule 4
[MHA Order S.O. 6227(E) on 20th December 2018]

• Intelligence Bureau
• Narcotics Control Bureau
• Enforcement Directorate
• Central Board of Direct Taxes
• Directorate of Revenue Intelligence
• Central Bureau of Investigation
• National Investigation Agency
• Research and Analysis Wing
• Directorate of Signal Intelligence (in J-K, NE and Assam)
• Commissioner of Police, Delhi
8146 Facebook links, 2546 Instagram links, 10264 Twitter links, 4675 YouTube links,
and 3523 links to other social media and internet intermediaries between 2018 and
2022 including 250+ Chinese apps.
Banning of Apps/ Websites/Twitter links
Section 69A
Blocking of Information for Public Access
The government or any officer specially authorized on its behalf (Director, NCCC)
• Can direct any Government agency or intermediary to block for access by the public,
any information generated, transmitted, received, stored or hosted in any computer
resource
• The reasons for this order are to be recorded in writing, and the Government must be
satisfied that this order is necessary:
• In the interest of sovereignty or integrity or defense of India, or
• In the interest of the security of the state , or
• In the interest of friendly relations with foreign States, or
• In the interest of public order, or
• For preventing incitement to the commission of any cognizable offence relating to
the above
• Failure to block attracts up to 7 years of imprisonment and fine.
The IT (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009
• Rule 3 and Rule 5 – Designated officer to issue directions > Joint Secretary to GoI. DIT shall issue order based on request from nodal officer or court. Shall acknowledge the request within 24 hours.
• Rule 4 – Nodal officer in every organization to be nominated and informed to DIT/MeitY.
• Rule 6 – Any person can make a request through the nodal officer to the designated officer for
blocking.
• Rule 7 – committee headed by Designated officer shall look into the complaint.
• Rule 8 - Shall issue a notice to the intermediary to reply/clarifications if any within 48 hours.
Thereon, the committee will submit recommendations to Secretary, DIT for issuance of order.
• Rule 9 - In emergencies, the DO can submit recommendations to Secy, DIT for issuance of
interim orders and which shall be later brought to the committee within 48 hours. Final order is
later issued.
• Rule 10 – In case of court order (certified copy), the DO shall submit to Secy, DIT for issuance of
orders and action.
• Rule 11 – Request from nodal officer has to be disposed within 7 days.
• Rule 13 – Intermediary shall designate at least one person to receive and acknowledge in 2 hours.
• Rule 14 – A review committee once in every 2 months shall review the orders issued.
Section 69B
Power to authorize to monitor and collect traffic data or information through any computer resource for cyber security
The Central Government may, to enhance cyber security and for identification, analysis and prevention of intrusion or spread of computer contaminant in the country,
- authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.
The intermediary - shall provide technical assistance and extend all facilities
Punishment - imprisonment for a term which may extend to three years and shall also be liable to fine.
The IT (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009
National Cyber Coordination Centre: To deal with malicious cyber-activities by acting as an Internet traffic monitoring entity that can fend off domestic or international attacks
The IT (Procedure and safeguard for Monitoring and Collecting
Traffic Data or Information) Rules, 2009
The competent authority may issue directions for monitoring for any or all of the following
purposes related to cyber security namely-
(a) forecasting of imminent cyber incidents.
(b) monitoring network application with traffic data or information on computer resource;
(c) identification and determination of viruses or computer contaminant.
(d) tracking cyber security breaches or cyber security incidents;
(e) tracking computer resource breaching cyber security or spreading virus or computer contaminants;
(f) identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security;
(g) undertaking forensic of the concerned computer resource as a part of investigation or
internal audit of information security practices in the computer resource.
(h) accessing a stored information for enforcement of any provisions of the laws relating to
cyber security for the time being in force,
(i) any other matter relating to cyber security.
Section 70
Protected System
The appropriate Government may,
- declare any computer resource
- which directly or indirectly affects the facility of Critical Information Infrastructure,
- to be a protected system.
• Critical Information Infrastructure means the computer resource,
• the incapacitation or destruction of which,
• shall have debilitating impact on national security, economy, public health or safety.
• The appropriate Government may authorize persons to access the protected system.
• Unauthorized access – punishment which may extend to ten years/fine
Critical Information
Infrastructures
• UIDAI’s Central Identities Data
Repository facilities
• TETRA Secured Communication
System Network, Delhi
• Long Range Identification and
Tracking (LRIT) system under
the Ministry of Shipping
• ICICI Bank
• HDFC Bank
• NPCI

The IT (Information Security Practices and Procedures for Protected System) Rules, 2018
Section 70A
National Nodal Agency - NCIIPC

• A nodal agency in respect of Critical Information Infrastructure Protection.
• Responsible for all measures including Research and Development relating to protection of Critical Information Infrastructure.
• Works within NTRO under the NSA
• The IT (Information Security Practices and Procedures for Protected System) Rules, 2018
01/14/2024
Section 70B – CERT-In
Indian Computer Emergency Response Team - national agency for incident response

• Following functions:
– collection, analysis and dissemination of information on cyber incidents;
– forecast and alerts of cyber security incidents;
– emergency measures for handling cyber security incidents;
– coordination of cyber incidents response activities;
– issue guidelines, advisories, vulnerability notes and white papers relating to
information security practices, procedures, prevention, response and reporting of
cyber incidents;
• Failure to provide information to CERT-In by any service provider, intermediaries,
data centers, body corporate or person – imprisonment up to one year / one lakh
• No Court shall take cognizance of any offence under this section, except on a
complaint made by an officer authorized in this behalf by the agency
Section 72
Breach of Confidentiality and Privacy
Any person who,
• in pursuance of any of the powers conferred
• has secured access to
• any electronic record, book, register, correspondence, information, document or other material,
• without the consent of the person concerned
• discloses to any other person
shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
Intermediaries and Liability
Section 79 of IT Act

Image Source: factor daily


Definitions
Section 2(w) : Intermediary

Intermediary with respect to any particular electronic records, means any person who
• on behalf of another person
• receives, stores or transmits that record
• or
• provides any service with respect to that record.

Includes
telecom service providers, network service providers,
internet service providers, web-hosting service providers,
search engines, online payment sites, online-auction sites,
online-market places and cyber cafes;
Section 79
Exemption from Liability of Intermediary in certain cases
1) Subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third-party information, data, or communication link made available or hosted by him.
2) Sub-Section (1) shall apply only if
(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted
(b) the intermediary does not-
• Initiate the transmission
• Select the receiver of the transmission, and
• Select or modify the information contained in the transmission;
(c) The intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.
Section 79 - Intermediary shall be liable if….
(3) The provisions of sub-section (1) SHALL NOT APPLY if-
(a) The intermediary has conspired or abetted or aided or induced whether by threats or
promise or otherwise in the commission of the unlawful act ;
(b) upon receiving actual knowledge,
or
on being notified by the appropriate Government or its agency
that any information, data or communication link residing in or connected to a computer
resource controlled by the intermediary
• is being used to commit the unlawful act,
• the intermediary fails to expeditiously remove
• or
• disable access to that material on that resource
• without vitiating the evidence in any manner.
The Information Technology
(Intermediary Guidelines and Digital Media Ethics Code)
Rules, 2021 [as amended in Oct 2022]
Part II - Due Diligence and Grievance Redressal by an Intermediary
Rule 3 - To observe the following:—
a) prominently publish the rules, privacy policy, user agreement
b) Shall make efforts that its user - not to host, display, upload, modify, publish, transmit, store, update or
share any information that,—
(i) belongs to another person and to which the user does not have any right;
(ii) is obscene, invasive of another’s privacy including bodily privacy, insulting or harassing on the
basis of gender, racially or ethnically objectionable, relating or encouraging money laundering or
gambling, or promoting enmity between different groups on the grounds of religion or caste with the
intent to incite violence;
(iii) is harmful to child;
(iv) infringes any patent, trademark, copyright or other proprietary rights;
(v) False in nature or is a misinformation
(vi) impersonates another person;
(vii) threatens the unity, integrity, defense, security or sovereignty of India, friendly relations with
foreign States, or public order, or causes incitement to the commission of any cognizable offence, or
prevents investigation of any offence, or is insulting other nation;
(viii) contains software virus or any other computer code, file or program designed to interrupt, destroy
or limit the functionality of any computer resource;
(ix) violates any law for the time being in force;
Rule 3 Continued…
d) shall remove or disable access upon being notified within 36 hours
g) Preserve evidence of any removed content or a user information of cancelled/withdrawal
content for a period of 180 days or for such longer period as may be required by the court
or by Government agencies who are lawfully authorised. The intermediary shall maintain
user information for a period of 180 days after cancellation/withdrawal of registration.
j) Provide information in not more than 72 hours to LEAs.
Grievance Appellate Committee
[Amended on 28 Oct 2022]
Rule 3A

• Can file an appeal within 30 days to the GAC (3 committees have been notified in each MHA, MeitY and MIB on 29 Jan 2023)
• GAC will endeavour to resolve the appeal in 30 days.
• https://gac.gov.in/ [will start functioning from March 1st, 2023]
Rule 4 : Additional due diligence to be observed by “significant
social media intermediary” [50 lakh registered users in India]

• Appoint the following officers who are resident in India within 3 months from the
notification of the threshold. (ended on 25th May 2021)
• Chief Compliance Officer – senior managerial person liable in proceedings
• Nodal contact person for 24x7 to liaise with LEAs
• Resident Grievance Officer

• To have physical contact address in India


SSMI in the form of a Messaging Platform - [Rule 4(2)]

• shall enable the identification of the first originator of the information on its computer
resource - as may be required by a judicial order passed by a court of competent
jurisdiction or an order passed under section 69 by the Competent Authority.
• Provided that an order shall only be passed for the purposes of prevention, detection,
investigation, prosecution or punishment of an offence related to the sovereignty and
integrity of India, the security of the State, friendly relations with foreign States, or public
order, or of incitement to an offence relating to the above or in relation with rape, sexually
explicit material or child sexual abuse material, punishable with imprisonment for a term of
not less than five years
• Shall not be required to disclose the contents of any electronic message, any other
information related to the first originator, or any information related to its other users
• The first originator of that information within the territory of India be deemed to be the first
originator.
Other Responsibilities of
Significant Social Media Intermediaries

• Shall endeavor to put in place technology-based tools and appropriate human oversight to identify information related to rape/child sexual abuse etc. To identify information that has been previously removed or access disabled and user to be notified accordingly.
• Should provide appropriate mechanism for receiving grievances and enable complaint tracking and details of action taken/not taken.

• Shall enable users from India to voluntarily verify their accounts using
appropriate mechanisms including active Indian Mobile number and this verified
accounts shall be made visible by a mark.
Notification of other Intermediaries
Rule 6
1. The Ministry may by order, for reasons to be recorded in writing, require any
intermediary, which is not a significant social media intermediary, to comply with
all or any of the obligations mentioned under rule 4, if the services of that intermediary
permits the publication or transmission of information in a manner that may create a
material risk of harm to the sovereignty and integrity of India, security of the State,
friendly relations with foreign States or public order.

2. Assessment of material risk of harm shall be made having regard to the nature of
services provided by the intermediary, if they permit
a) Interaction between users
b) Transmission/publication of information that would likely result in widespread
dissemination to a significant number of users.
Part III - Code of Ethics and Procedure & Safeguards in relation to Digital Media
• Rule 8
• Applies to Publishers of news and current affairs content and to online curated content
• Administered by MI&B and applicable to publishers who operate in India (physical
presence)

• Rule 9
• Publisher shall adhere to code of ethics laid down in Appendix annexed to the rules.
• For ensuring observance and adherence to the Code of Ethics by publishers operating in
the territory of India, and for addressing the grievances made in relation to publishers
under this Part, there shall be a three-tier structure as under—
(a) Level I - Self-regulation by the publishers;
(b) Level II – Self-regulation by the self-regulating bodies of the publishers (headed
by a retired Supreme Court or High Court judge or an eminent media person)
Grievance Redressal Mechanism under Code of Ethics
• Publisher – shall acknowledge complaint within 24 hrs and resolve within 15 days.
• Self-Regulating Body – appeal by the complainant. Inform decision in 15 days.
• Decisions in the form of warning, guidance, advisories, apologies, requiring disclaimers,
reclassification etc.
• Can refer content to Ministry for consideration of oversight mechanism for
modification/deletion to prevent incitement of offences related to public order
or for reasons u/s 69A(1) (blocking).
• Oversight Mechanism in M&IB – Prefer appeal/references
over the decision of self-regulating body.
Self-Classification of online curated content
based on themes as mentioned in the Schedule

The OTT platforms, called the publishers of
online curated content in the rules, would
self-classify the content into five age-based
categories:
• U (Universal),
• U/A 7+
• U/A 13+
• U/A 16+, and
• A (Adult).
Platforms would be required to
implement parental locks for content classified
as U/A 13+ or higher, and reliable age
verification mechanisms for content classified
as “A”.
Thank You
