If digital signatures and e-governance form the constructive heart of the Information Technology Act, 2000, then Chapter XI - the cluster of penal provisions running from Section 65 to Section 74 - is its coercive spine. These sections convert the abstract harms of cyberspace - tampered source code, hacked databases, stolen identities, obscene transmissions and cyber terror - into cognisable, often non-bailable crimes carrying imprisonment up to life. For the judiciary aspirant, this is the most heavily examined chapter of the entire Act: every section number, every quantum of punishment and every landmark decision from Shreya Singhal to Sharat Babu Digumarti is fair game. This article maps the architecture of cyber offences, distinguishes overlapping provisions, and grounds each proposition in verified bare-Act text and Supreme Court and High Court authority.
The Scheme of Chapter XI: Penalties Versus Offences
The IT Act draws a deliberate line between two kinds of wrongs. Chapter IX (Sections 43 to 47) deals with civil penalties - compensation adjudicated by the Adjudicating Officer for unauthorised access, downloading, contamination, denial of service and the like, where the standard is essentially strict and no mens rea need be proved. Chapter XI (Sections 65 to 74) deals with criminal offences - prosecutions before a Magistrate or Sessions Court, where guilt usually requires a culpable mental state such as dishonesty, fraud or knowledge.
The relationship between the two chapters is intimate. Section 66, for instance, criminalises the very acts listed in the civil provision Section 43, but only when done dishonestly or fraudulently. Thus a single act - say, deleting data from another's server without permission - can attract both civil compensation under Section 43 and criminal liability under Section 66, the difference lying purely in the mental element. Understanding this civil-criminal bifurcation is the conceptual key to the entire chapter, and a recurring theme across the introductory framework of the Act.
Section 77B (inserted by the 2008 Amendment) further provides that offences punishable with imprisonment of three years and above are cognisable and bailable, while Section 78 vests investigative power in officers not below the rank of Inspector. These procedural overlays decide how aggressively each offence can be pursued.
Section 65: Tampering with Computer Source Documents
Section 65 is the oldest surviving penal provision of the Act, untouched by the 2008 Amendment. It punishes whoever knowingly or intentionally conceals, destroys or alters - or causes another to conceal, destroy or alter - any computer source code when that source code is required to be kept or maintained by law for the time being in force. The Explanation defines "computer source code" expansively as the listing of programmes, computer commands, design and layout and programme analysis of computer resources in any form.
The punishment is imprisonment up to three years, or fine up to two lakh rupees, or both. The defining limitation is the statutory-maintenance requirement: the prosecution must show that some law obliged the source code to be preserved.
The leading authority is Syed Asifuddin v. State of Andhra Pradesh, 2005 CriLJ 4314 (AP HC), the celebrated CDMA handset case. Employees of Tata Indicom were accused of tampering with the Electronic Serial Numbers (ESNs) pre-programmed into Reliance Infocomm CDMA handsets so that the phones would migrate to the Tata network. The Andhra Pradesh High Court held that a cellular phone is a "computer" within the meaning of the Act, and that manipulating the ESN amounts to altering computer source code under Section 65. The decision remains the standard illustration of how widely the term "computer" is read, a point developed further in our note on statutory definitions.
Section 66: Computer-Related Offences and the Role of Mens Rea
The original Section 66 was titled "Hacking with computer system". The Information Technology (Amendment) Act, 2008 completely recast it. The present Section 66 reads: "If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both."
Two features deserve emphasis. First, the offence is parasitic on Section 43 - it borrows the catalogue of acts (unauthorised access, downloading, introducing viruses, causing denial of service, tampering, etc.) listed in the civil provision and elevates them to crimes when accompanied by guilt of mind. Second, the Explanation expressly imports the IPC definitions: "dishonestly" carries the meaning in Section 24 of the Indian Penal Code and "fraudulently" the meaning in Section 25. This makes mens rea the dividing line between a Section 43 civil claim and a Section 66 prosecution for the identical conduct.
The deletion of the old word "hacking" was deliberate: Parliament sought to avoid the connotation that all hacking - including ethical or authorised penetration testing - is criminal. After 2008, only dishonest or fraudulent conduct attracts Section 66, aligning Indian law with the international principle that intent, not skill, defines the offence.
Section 66A: The Provision That Was Struck Down
No provision of the IT Act has generated more constitutional litigation than the now-defunct Section 66A. Inserted in 2008, it punished the sending, through a computer resource or communication device, of any information that was "grossly offensive" or had "menacing character", or any information known to be false but sent for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will. The punishment extended to three years' imprisonment and fine.
In Shreya Singhal v. Union of India, AIR 2015 SC 1523 : (2015) 5 SCC 1, a two-judge Bench (Nariman and Chelameswar JJ.) struck down Section 66A in its entirety as unconstitutionally vague and overbroad, violating the right to free speech under Article 19(1)(a) and not saved by the reasonable restrictions in Article 19(2). The Court held that terms like "grossly offensive", "menacing" and "annoyance" had no judicially manageable standards, producing a chilling effect on legitimate expression. Crucially, the Bench drew the distinction between discussion or advocacy (protected) and incitement (restrictable), holding that Section 66A captured the former.
The same judgment read down Section 79(3)(b) and the Intermediary Guidelines, holding that an intermediary loses safe-harbour only upon "actual knowledge" through a court order or government notification, not a private complaint. Despite the 2015 ruling, prosecutions under the dead provision persisted for years, prompting the Supreme Court in People's Union for Civil Liberties v. Union of India (2019 and 2021 orders) to direct all States to cease invoking Section 66A. The provision is now treated as void ab initio - as though it never existed.
Sections 66B to 66D: Stolen Devices, Identity Theft and Cheating by Personation
The 2008 Amendment introduced a cluster of identity-related offences. Section 66B punishes dishonestly receiving or retaining any stolen computer resource or communication device, knowing or having reason to believe it to be stolen, with imprisonment up to three years or fine up to one lakh rupees, or both. It is the cyber analogue of receiving stolen property under Section 411 IPC.
Section 66C deals with identity theft: whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of another person faces imprisonment up to three years and a fine up to one lakh rupees. This is the provision most often invoked in cases of stolen passwords, cloned credentials and misappropriated OTPs.
Section 66D punishes cheating by personation by using a computer resource - imprisonment up to three years and fine up to one lakh rupees. It is the workhorse provision for online financial fraud, phishing and "vishing" scams. Although phishing predates the 2008 amendments, the Delhi High Court in National Association of Software and Service Companies (NASSCOM) v. Ajay Sood, 119 (2005) DLT 596 had already declared phishing an actionable illegal act, defining it as a misrepresentation in the course of trade leading to confusion as to the source and origin of an email. Section 66D now supplies the dedicated criminal hook that NASSCOM found wanting.
Section 66E: Violation of Privacy
Section 66E criminalises the intentional or knowing capturing, publishing or transmission of an image of a private area of any person without consent, under circumstances violating that person's reasonable expectation of privacy. The punishment is imprisonment up to three years or fine up to two lakh rupees, or both.
The Explanation supplies precise definitions: "private area" means the naked or undergarment-clad genitals, pubic area, buttocks or female breast; "capture" with respect to an image means to videotape, photograph, film or record by any means; and a person has a "reasonable expectation of privacy" where he or she could disrobe in privacy without being concerned about surveillance, or where the private area would not be visible to the public regardless of location.
Section 66E is the principal weapon against voyeurism, hidden cameras and the non-consensual circulation of intimate images. Its constitutional underpinning was reinforced by the nine-judge Bench in Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, which recognised informational privacy as a facet of the fundamental right under Article 21 - a principle directly relevant to interpreting the "reasonable expectation of privacy" standard in this section.
Section 66F: Cyber Terrorism
Section 66F, inserted in 2008 in the aftermath of the 26/11 Mumbai attacks, is the gravest offence in the Act, carrying imprisonment which may extend to life. It criminalises two broad categories of conduct. Under sub-section (1)(A), it is cyber terrorism to deny access to authorised persons, attempt to penetrate a computer resource without authorisation, or introduce a computer contaminant, with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people, where the act causes or is likely to cause death, injury, damage to property or disruption of essential supplies and services, or adversely affects critical information infrastructure.
Under sub-section (1)(B), it is cyber terrorism to knowingly penetrate or access a computer resource without authorisation and thereby obtain restricted data or information that may be used to injure the interests of the sovereignty and integrity of India, its security, friendly relations with foreign States, public order, decency or morality.
The provision dovetails with Section 70 on "protected systems" and with the notion of "critical information infrastructure" - computer resources whose incapacitation would have a debilitating impact on national security, the economy, public health or safety. Because of its severity, Section 66F is invoked sparingly and requires the demanding specific intent that distinguishes terrorism from ordinary cyber crime.
Section 67: Publishing or Transmitting Obscene Material
Section 67 is the cyber counterpart of Section 292 of the Indian Penal Code. It punishes the publishing or transmitting, in electronic form, of any material which is lascivious or appeals to the prurient interest or whose effect tends to deprave and corrupt persons likely to read, see or hear it - importing the classic Hicklin-derived test of obscenity. On first conviction the punishment is imprisonment up to three years and fine up to five lakh rupees; on a second or subsequent conviction it rises to imprisonment up to five years and fine up to ten lakh rupees.
The graded provisions Section 67A (material containing sexually explicit acts - five years and ten lakh rupees on first conviction, seven years and ten lakh rupees thereafter) and Section 67B (child sexual abuse material, including browsing, depicting children in sexually explicit acts and facilitating online child abuse) impose heavier penalties. Section 67C obliges intermediaries to preserve and retain information in the manner and duration prescribed, on pain of imprisonment up to three years and fine.
A vital exception runs through all three sections: bona fide material in the interest of science, literature, art or learning, or kept for religious purposes, is exempt - mirroring the savings clause in Section 292 IPC and ensuring that genuine artistic or educational works are not criminalised.
The IT Act Versus the IPC: Sharat Babu Digumarti
A persistent practical question is whether obscenity online can be prosecuted under the general IPC provisions (Sections 292 and 294) instead of, or in addition to, Section 67 IT Act. The saga began with Avnish Bajaj v. State (NCT of Delhi) (2008) - the baazee.com / DPS MMS case - where the Delhi High Court found a prima facie case under Section 67 against the Managing Director of the marketplace through which an obscene clip was offered for sale.
The matter culminated before the Supreme Court in Sharat Babu Digumarti v. Government (NCT of Delhi), (2017) 2 SCC 18. The Court held that Sections 67, 67A and 67B of the IT Act constitute a complete code for obscenity in electronic form. By virtue of the non-obstante clause in Section 81, the special IT Act overrides Section 292 IPC; once an offence has a nexus with electronic records, the IT Act governs and the accused cannot be separately proceeded against under the general penal law. Where no charge is made out under Section 67, the prosecution cannot fall back on Section 292 IPC. This generalia specialibus non derogant reasoning is among the most examined holdings in the entire subject, and it firmly establishes the primacy of the special statute, a theme that runs through the Act's treatment of secure electronic records as well.
Sections 69 and 70: Interception, Decryption and Protected Systems
Some of the most powerful - and constitutionally sensitive - provisions in the Act lie in this group. Section 69 empowers the Central or State Government to direct the interception, monitoring or decryption of any information through any computer resource, in the interest of sovereignty, integrity, defence, security, friendly relations with foreign States, public order or to prevent incitement to a cognisable offence. A subscriber or intermediary who fails to assist faces imprisonment up to seven years and fine. Section 69A permits the blocking of public access to information, and Section 69B authorises monitoring and collection of traffic data for cyber security.
These powers were upheld in Shreya Singhal v. Union of India, which read Section 69A as constitutionally valid because it is hedged with procedural safeguards - a writing requirement, recorded reasons and the Blocking Rules of 2009 - distinguishing it from the vague and unguided Section 66A that was struck down.
Section 70 allows the appropriate Government, by notification, to declare any computer resource that directly or indirectly affects "critical information infrastructure" to be a protected system. Securing or attempting to secure unauthorised access to such a protected system is punishable with imprisonment up to ten years and fine. Together, Sections 69 and 70 form the State-security architecture of the Act.
Sections 71 to 74: Misrepresentation, Breach of Confidentiality and Certificate Offences
The closing provisions of Chapter XI target the integrity of the Act's own machinery. Section 71 punishes misrepresentation to, or suppression of material facts from, the Controller or the Certifying Authority for obtaining a licence or electronic signature certificate - imprisonment up to two years or fine up to one lakh rupees, or both. Section 73 penalises publishing an electronic signature certificate that is false in material particulars or knowingly publishing it for fraudulent purposes, and Section 74 targets the creation, publication or making available of an electronic signature certificate for any fraudulent or unlawful purpose - each carrying imprisonment up to two years or fine up to one lakh rupees. These offences protect the trust infrastructure discussed in our note on digital and electronic signatures.
Section 72 punishes breach of confidentiality and privacy by any person who, having secured access to any electronic record, register, correspondence, information or document in pursuance of powers conferred under the Act, discloses it without consent - imprisonment up to two years or fine up to one lakh rupees, or both. Its narrowness is notable: it binds only those exercising statutory powers, not private parties generally.
That gap was partly filled by Section 72A, inserted in 2008, which punishes any person, including an intermediary, who, while providing services under a lawful contract, discloses personal information with intent to cause or knowing he is likely to cause wrongful loss or gain, without consent or in breach of contract - imprisonment up to three years or fine up to five lakh rupees, or both. Section 72A is the closest the Act comes to a general data-protection penal provision.
Intermediary Liability and the Safe-Harbour Shield
Many cyber offences are committed through platforms rather than by the platform itself, raising the question of intermediary liability. Section 79 grants intermediaries a conditional safe harbour: they are not liable for third-party content if their function is limited to providing access, they do not initiate, select the receiver of, or modify the transmission, and they observe due diligence and government guidelines.
In Shreya Singhal, the Supreme Court read down Section 79(3)(b), holding that the safe harbour is lost only when the intermediary fails to act after receiving actual knowledge via a court order or appropriate government notification - not merely a private takedown demand. This protects intermediaries from being deputised as private censors. The interplay between Section 79 and the obscenity offences was decisive in Sharat Babu Digumarti, where the Court emphasised that once electronic records are in play, both Section 79 and the IT Act's special scheme must be given effect.
The framework is now supplemented by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which prescribe detailed due-diligence and grievance-redress obligations. For the exam, the core proposition remains the Shreya Singhal standard: knowledge through a court or government order is the trigger for intermediary liability.
Procedure, Extra-Territorial Reach and Examination Takeaways
Three procedural features round out the chapter. First, Section 75 gives the Act extra-territorial operation: it applies to offences committed outside India by any person if the act involves a computer, computer system or computer network located in India. Second, Section 78 provides that, notwithstanding the Code of Criminal Procedure, only an officer not below the rank of Inspector shall investigate offences under the Act. Third, Section 77A permits compounding of certain offences, while Section 77B classifies offences punishable with three years or more as cognisable and bailable.
For the judiciary aspirant, the high-yield points are: the civil-criminal split between Sections 43 and 66; the centrality of mens rea ("dishonestly or fraudulently") after 2008; the unconstitutionality of Section 66A in Shreya Singhal; the complete-code and overriding-effect doctrine in Sharat Babu Digumarti; the breadth of "computer" in Syed Asifuddin; and the graded obscenity scheme of Sections 67, 67A and 67B. Mastering these alongside the rest of the Information Technology Act notes series equips you to answer almost any question Chapter XI can pose.
Frequently asked questions
What is the difference between Section 43 and Section 66 of the IT Act?
Both cover the same catalogue of acts - unauthorised access, downloading, introducing viruses, denial of service, tampering and so on. The decisive difference is mental element. Section 43 is a civil provision attracting compensation adjudicated by the Adjudicating Officer, requiring no proof of intent. Section 66 criminalises the identical acts only when done dishonestly or fraudulently, importing the IPC definitions in Sections 24 and 25, and is punishable with imprisonment up to three years or fine up to five lakh rupees, or both.
Why was Section 66A of the IT Act struck down?
In Shreya Singhal v. Union of India, AIR 2015 SC 1523 : (2015) 5 SCC 1, the Supreme Court struck down Section 66A as unconstitutionally vague and overbroad. Terms such as "grossly offensive", "menacing" and "annoyance" had no judicially manageable standards and produced a chilling effect on free speech under Article 19(1)(a), without falling within the reasonable restrictions of Article 19(2). The provision is now treated as void ab initio.
Can obscene content online be prosecuted under Section 292 IPC instead of Section 67 IT Act?
No. In Sharat Babu Digumarti v. Government (NCT of Delhi), (2017) 2 SCC 18, the Supreme Court held that Sections 67, 67A and 67B form a complete code for obscenity in electronic form. By virtue of the non-obstante clause in Section 81, the special IT Act overrides Section 292 IPC. Once an offence has a nexus with electronic records, the IT Act governs, and where no charge is made out under Section 67 the prosecution cannot fall back on Section 292 IPC.
What is the punishment for cyber terrorism under the IT Act?
Section 66F, inserted by the 2008 Amendment, makes cyber terrorism punishable with imprisonment which may extend to life - the gravest penalty in the Act. The offence requires a specific intent to threaten the unity, integrity, security or sovereignty of India or to strike terror, coupled with acts such as denial of access, unauthorised penetration or introduction of a computer contaminant that cause or are likely to cause death, injury or disruption of essential services.
Is a mobile phone a 'computer' under the IT Act?
Yes. In Syed Asifuddin v. State of Andhra Pradesh, 2005 CriLJ 4314, the Andhra Pradesh High Court held that a cellular phone falls within the wide definition of "computer" under the Act, and that manipulating the Electronic Serial Number programmed into a CDMA handset amounts to altering computer source code under Section 65. The case is the standard illustration of how broadly "computer" and "computer source code" are read.
When is an intermediary liable for offences committed on its platform?
Under Section 79 an intermediary enjoys conditional safe harbour for third-party content. In Shreya Singhal, the Supreme Court read down Section 79(3)(b) to hold that the intermediary loses protection only on receiving actual knowledge through a court order or an appropriate government notification, not a mere private complaint. This standard, reinforced in Sharat Babu Digumarti, prevents intermediaries from being turned into private censors.