Section 70 of the Information Technology Act, 2000 is the statute's hardest-edged security provision. It lets the appropriate Government, by a simple notification in the Official Gazette, brand a computer resource a protected system — and the moment that ink dries, unauthorised access carries up to ten years' imprisonment and a fine. Yet behind that severe penalty sits a quieter, deeply contested question that reached the Supreme Court in B.N. Firos v. State of Kerala: how far does this power actually run, and can the State use it to swallow a private programmer's copyright? This chapter unpacks the bare provision, the pivotal 2009 amendment that re-anchored Section 70 to Critical Information Infrastructure, the constitutional challenge the section survived, and its place in the architecture built with Sections 70A and 70B.
Where Section 70 sits in the scheme of the Act
Section 70 opens Chapter XI of the Information Technology Act, 2000, the chapter that gathers together the Act's serious offences. It is the bridge between the regulatory machinery of the earlier chapters — digital and electronic signatures, electronic governance and secure electronic records — and the penal core of the statute. While Section 43 deals with civil liability for unauthorised access to any computer, and Section 66 criminalises dishonest or fraudulent access generally, Section 70 carves out a special, fortified category of computer resource and attaches a far heavier sentence to its violation.
The logic is straightforward. Some computers are not like other computers. A payroll database and the control system of a power grid are both "computer resources" within the meaning of the Act, but the consequences of an intruder reaching the second are of a wholly different order. Section 70 is Parliament's instrument for singling out that second category — the systems whose compromise would ripple outward into national life — and ring-fencing them with the criminal law's strongest available protection short of the cyber-terrorism provision in Section 66F. For the foundational definitions that Section 70 borrows from, see the chapter on definitions, and for the Act's overall design, the subject hub.
The bare text of Section 70
Section 70, as it now stands after the Information Technology (Amendment) Act, 2008, reads in substance as follows. Sub-section (1) provides that the appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure to be a protected system. Sub-section (2) empowers the appropriate Government, by order in writing, to authorise the persons who are authorised to access protected systems notified under sub-section (1). Sub-section (3) is the penal limb: any person who secures access or attempts to secure access to a protected system in contravention of the provisions of the section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.
An Explanation appended to the section defines the controlling phrase. "Critical Information Infrastructure" means the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety. Three features of the drafting repay attention. First, the power is conferred on the "appropriate Government" — a defined expression that allocates the power between the Centre and the States depending on the subject matter. Second, the trigger is a Gazette notification, an act of subordinate legislation, not an individual order. Third, the penal sentence is unusually high for the Act — ten years and fine — reflecting Parliament's view of the stakes.
The appropriate Government and the notification mechanism
The phrase "appropriate Government" is not left to inference; it is a defined term under Section 2(1)(e) of the Act, tying the power either to the Central Government or to a State Government according to the matters enumerated in the Lists of the Seventh Schedule. In practice this means a State can declare a State-run e-governance system a protected system, while infrastructure of national reach — defence networks, the Unique Identification database, national payment systems — falls to the Union. The notification must appear in the Official Gazette; a protected-system status cannot be conferred by an internal memo or an executive instruction that never sees publication.
This insistence on a Gazette notification is more than a formality. Because Section 70(3) is a penal provision, the public is entitled to know precisely which resources are fenced off before criminal liability can attach. A notification that is vague about the boundaries of the protected system — which servers, which networks, which interfaces — risks a due-process objection, because a citizen cannot be convicted for crossing a line that was never clearly drawn. The notification is therefore the hinge on which the entire section turns: it is simultaneously the source of the protection and the source of the criminal exposure.
It is worth contrasting this with the order under sub-section (2). The protected-system status itself is conferred by a notification — a piece of subordinate legislation addressed to the world at large — whereas the authorisation to access is given by an order in writing addressed to specific persons. The two instruments operate at different levels: the notification draws the perimeter, and the written order opens the gate for named individuals. A person who accesses the resource is lawful only if he can point to an authorisation that fits within an order made under sub-section (2); the burden of establishing authorisation, in practice, falls on the person who claims it. This pairing — a public notification defining the protected resource and a written order defining who may lawfully touch it — is the disciplined structure that distinguishes Section 70 from the looser civil-access regime of Section 43.
The 2009 amendment: narrowing the net to Critical Information Infrastructure
As originally enacted in 2000, Section 70(1) was startlingly broad. It allowed the appropriate Government to declare "any computer, computer system or computer network" a protected system, with no statutory yardstick at all governing the choice. On its face, the original text permitted the State to fence off an ordinary office server with the same ten-year penalty reserved for genuinely critical infrastructure. The provision was widely criticised as an open-ended delegation that invited arbitrary use.
The Information Technology (Amendment) Act, 2008 — which received Presidential assent on 5 February 2009 and came into force on 27 October 2009 — substituted a new sub-section (1). The amended text confines the power to a "computer resource which directly or indirectly affects the facility of Critical Information Infrastructure," and the new Explanation supplies the controlling standard: only resources whose incapacitation or destruction would have a debilitating impact on national security, economy, public health or safety qualify. The amendment thus transformed a near-unfettered discretion into a structured one, reading down the scope of Section 70 considerably. As we will see, the Supreme Court in B.N. Firos v. State of Kerala treated this narrowing as one of the safeguards that rescued the provision from constitutional attack.
What counts as Critical Information Infrastructure
The Explanation to Section 70 defines Critical Information Infrastructure functionally rather than by enumeration. The test is consequence-based: would the incapacitation or destruction of this computer resource have a debilitating impact on one of four protected interests — national security, the economy, public health, or public safety? The drafting deliberately avoids a closed list, because the universe of critical systems shifts as society digitises. A telecommunications backbone, a stock-exchange trading engine, an air-traffic control network, a national identity database, a power-grid supervisory control system — each can satisfy the test even though none is named.
Two consequences follow. First, the definition imports a degree of judgment into every notification: the appropriate Government must be satisfied, before notifying, that the resource genuinely meets the debilitating-impact threshold. A notification made without that satisfaction is vulnerable. Second, the phrase "directly or indirectly affects the facility of" Critical Information Infrastructure in sub-section (1) extends the protective reach to ancillary and supporting systems — the logistics, dependencies and supporting installations on which a critical facility relies — not merely the core system itself. This is why, in practice, protected-system notifications often sweep in the entire ecosystem surrounding a critical resource.
B.N. Firos v. State of Kerala: the facts
The leading authority on Section 70 is B.N. Firos v. State of Kerala, (2018) 9 SCC 220, decided by the Supreme Court on 27 March 2018 in Civil Appeal No. 79 of 2008 by a Bench of Ranjan Gogoi and Mohan M. Shantanagoudar, JJ. The dispute grew out of Kerala's ambitious e-governance project called FRIENDS — Fast, Reliable, Instant, Efficient Network for Disbursement of Services — a single-window system for citizens to pay bills due to the Government and its statutory agencies across collection centres in the State.
The application software for FRIENDS was commissioned through Microsoft Corporation (India) Pvt. Ltd., which agreed to supply it free of cost. The appellant, B.N. Firos, proprietor of a software firm and a member of Microsoft's developer forum, had developed the program under contract with Microsoft. The State of Kerala subsequently issued a notification under Section 70(1) declaring the FRIENDS software, as installed in the computer systems and networks at the centres, a protected system. Firos challenged the notification, contending that he was the author and first owner of the copyright in the software under Section 17 of the Copyright Act, 1957, and that the State could not, by declaring it a protected system, appropriate what was his intellectual property.
B.N. Firos: the holding and its reasoning
The Supreme Court dismissed Firos's appeal. Its reasoning unfolded in two connected steps. First, on the copyright question, the Court held that Firos could not claim authorship. The software had been developed for valuable consideration at the instance of the Government, channelled through Microsoft, and therefore fell within the "Government work" framework of the Copyright Act. Under Section 2(k) of the Copyright Act, 1957 a "Government work" includes a work made or published by or under the direction or control of the Government, and Section 17(d) vests the copyright in such a work in the Government in the absence of any agreement to the contrary. The copyright in the FRIENDS software accordingly belonged to the State, not to the developer.
Second, and crucially for Section 70, the Court read the power to notify a protected system as circumscribed by these copyright provisions. The Court accepted that the unamended Section 70 had been broadly worded, but held that the power to declare a protected system must be understood as confined to Government works — that is, to computer resources in which the copyright vests in the Government under Section 2(k) read with Section 17(d) of the Copyright Act. So read, Section 70 does not authorise the State to expropriate a genuinely private programmer's copyright; it operates only where the work already belongs to the Government. The potential clash between the protected-system power and private copyright was therefore resolved not by striking the section down but by harmonising it with the Copyright Act. This interpretive technique — reading the security power in pari materia with the copyright regime — is the doctrinal heart of the decision.
The practical significance of this limitation is considerable. A developer who builds software for the Government on a work-for-hire or commissioned basis, in circumstances that bring the work within Section 2(k), cannot resist a protected-system notification by asserting authorship, because the copyright never vested in him in the first place. Conversely, the Court's reasoning implies that where a private party genuinely retains copyright — where there is an agreement to the contrary preserving the developer's ownership, or where the work falls outside the Government-work definition — the State cannot deploy Section 70 to override that private right. B.N. Firos therefore does double service: it resolves the particular dispute over FRIENDS, and it lays down a principle that prevents Section 70 from being weaponised against legitimate private intellectual property.
Constitutional validity of Section 70
Beyond the copyright dispute, B.N. Firos is significant because the Supreme Court repelled a challenge to the constitutional validity of Section 70 itself. The argument ran that the section, especially in its original form, conferred an unguided and excessive delegation of legislative power, offending Article 14 by permitting arbitrary executive choice of which computers to fence off with a ten-year penalty.
The Court rejected the challenge. It pointed to the 2009 amendment, which had narrowed the provision by tethering it to Critical Information Infrastructure and the debilitating-impact standard, as having furnished precisely the guidance the challengers said was missing. The amended provision, the Court reasoned, supplies an intelligible criterion that channels and confines the discretion; it is no longer a power to notify any computer whatsoever. Coupled with the interpretive limitation that the power reaches only Government works, the section was held to contain adequate safeguards against arbitrary use and therefore to survive scrutiny under Article 14. B.N. Firos thus stands for two propositions of lasting importance: that Section 70 is constitutionally valid, and that its reach is doubly bounded — by the Critical Information Infrastructure standard and by the Government-work limitation.
The offence under Section 70(3) and its penalty
Section 70(3) creates the offence: securing access, or attempting to secure access, to a protected system in contravention of the section. Two elements deserve emphasis. First, the offence captures not only completed access but also the attempt — a person who probes a protected system without authorisation is exposed even if the intrusion fails. Second, the gravamen is the absence of authorisation: access by a person duly authorised under sub-section (2) is lawful, while access by anyone outside that authorisation, however technically accomplished, is criminal.
The punishment is severe by the standards of the Act — imprisonment of either description (simple or rigorous) for a term which may extend to ten years, together with a mandatory fine, the section using "shall also be liable to fine." Unlike the civil compensation route under Section 43 or the lighter sentence under Section 66, the protected-system offence reflects a deliberate legislative escalation. It is worth noting how this dovetails with Section 66F, the cyber-terrorism provision, which itself cross-refers to Critical Information Infrastructure specified under Section 70: an unauthorised intrusion into a protected system that is carried out with intent to threaten the unity, integrity, security or sovereignty of India can be prosecuted as cyber terrorism punishable with imprisonment for life. Section 70 and Section 66F therefore form a graduated pair, with Section 70 addressing the unauthorised access as such and Section 66F addressing the same act when freighted with terrorist intent.
Section 70A and the NCIIPC
The 2008 amendment did not stop at re-drafting Section 70; it added institutional scaffolding. Section 70A empowers the Central Government to designate an organisation as the national nodal agency in respect of Critical Information Infrastructure protection. Pursuant to this power, the National Critical Information Infrastructure Protection Centre (NCIIPC) was constituted, and notified through the Official Gazette on 16 January 2014, as the national nodal agency for the protection of Critical Information Infrastructure in India.
The NCIIPC's mandate is preventive and protective. It is charged with taking all measures, including associated research and development, for the protection of Critical Information Infrastructure against unauthorised access, modification, use, disclosure, disruption, incapacitation or distortion. In substance, Section 70A turns the abstract category created by Section 70 into a governed domain: the same class of resources that may be fenced off as protected systems is also the class that the NCIIPC superintends. The two provisions are best read together — Section 70 supplies the penal fence around a particular resource, while Section 70A supplies the standing institution responsible for the whole landscape of critical infrastructure.
Section 70B and CERT-In: the response counterpart
Section 70B completes the trio. It gives statutory footing to the Indian Computer Emergency Response Team (CERT-In), designating it as the national agency for incident response in respect of cyber security. Where the NCIIPC under Section 70A is oriented towards the protection of Critical Information Infrastructure, CERT-In under Section 70B is oriented towards the open internet at large and towards responding to cyber-security incidents as they occur — collecting and analysing information on incidents, forecasting and issuing alerts, and coordinating emergency measures.
Section 70B also arms CERT-In with compulsory powers. It may call for information from, and give directions to, service providers, intermediaries, data centres, body corporates and other persons for the purpose of carrying out its functions. Crucially, sub-section (7) of Section 70B makes non-compliance an offence: a person who fails to provide the called-for information or to comply with a direction is punishable with imprisonment for a term which may extend to one year, or with fine which may extend to one crore rupees, or with both. Read together, Sections 70, 70A and 70B describe a layered regime — designation and penal protection of specific critical resources (Section 70), a standing protective agency for critical infrastructure (Section 70A, the NCIIPC), and a national incident-response agency for cyberspace generally (Section 70B, CERT-In).
Protected systems in practice
The protected-system mechanism is not a dormant power. Several systems of national significance have been notified under Section 70(1). Most prominently, the facilities, information assets, logistics infrastructure and dependencies of the Unique Identification Authority's Central Identities Data Repository — the backbone of the Aadhaar system — were declared a protected system, fencing the country's largest biometric database with the section's ten-year penalty. Notifications have also extended protected-system status to designated banking and financial-sector IT resources, certain telecommunications networks, and infrastructure operated by the National Informatics Centre.
What these notifications share is fidelity to the post-2009 standard: each concerns a resource whose compromise could be debilitating to national security, the economy or public safety. The practical effect of a notification is twofold. It draws a hard legal perimeter around the resource, beyond which unauthorised access is a serious crime; and it brings the resource within the supervisory orbit of the NCIIPC, which can prescribe the security practices that authorised operators must follow. For the candidate, the takeaway is that Section 70 is the legal instrument by which the State converts a sensitive computer resource into a protected one, and that the conversion carries both a shield (criminal protection) and a discipline (regulatory oversight).
Key takeaways for the exam
Five points anchor an answer on Section 70. First, the power: the appropriate Government may, by Gazette notification, declare a computer resource that directly or indirectly affects Critical Information Infrastructure a protected system, and may authorise persons to access it in writing. Second, the penalty: unauthorised access or attempted access attracts imprisonment up to ten years and fine under Section 70(3). Third, the 2009 amendment: it replaced the original open-ended power over "any computer, computer system or computer network" with one tethered to Critical Information Infrastructure, defined by the debilitating-impact test. Fourth, the case law: B.N. Firos v. State of Kerala, (2018) 9 SCC 220, upheld the section's validity and read its reach as confined to Government works under Section 2(k) and Section 17(d) of the Copyright Act, 1957. Fifth, the architecture: Section 70A established the NCIIPC (notified 16 January 2014) as the protective nodal agency, and Section 70B placed CERT-In on a statutory footing as the incident-response agency, with non-compliance under Section 70B(7) punishable up to one year or a fine up to one crore rupees. Together these provisions form the Act's framework for safeguarding India's most critical digital systems. To revise the conceptual groundwork, return to the chapters on definitions and the introduction to the Act.
Frequently asked questions
What is a protected system under Section 70 of the IT Act?
A protected system is any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure that the appropriate Government has declared as such by notification in the Official Gazette under Section 70(1). Once notified, only persons authorised in writing under Section 70(2) may access it, and unauthorised access or attempted access is punishable under Section 70(3).
What is the punishment for accessing a protected system without authorisation?
Under Section 70(3), a person who secures or attempts to secure access to a protected system in contravention of the section may be punished with imprisonment of either description for a term extending to ten years and shall also be liable to fine. The provision penalises the attempt as well as completed access.
What did the Supreme Court hold in B.N. Firos v. State of Kerala?
In B.N. Firos v. State of Kerala, (2018) 9 SCC 220, the Supreme Court upheld the constitutional validity of Section 70 and held that the FRIENDS software was a Government work whose copyright vested in the State under Section 2(k) read with Section 17(d) of the Copyright Act, 1957. It read the protected-system power as confined to Government works, so the section cannot be used to expropriate a genuinely private copyright.
How did the 2009 amendment change Section 70?
Originally Section 70(1) allowed the Government to declare "any computer, computer system or computer network" a protected system, with no statutory yardstick. The Information Technology (Amendment) Act, 2008 (in force 27 October 2009) substituted a new sub-section limiting the power to a computer resource that directly or indirectly affects Critical Information Infrastructure, defined as a resource whose incapacitation or destruction would have a debilitating impact on national security, economy, public health or safety.
What is the difference between Section 70A and Section 70B?
Section 70A empowers the designation of a national nodal agency for the protection of Critical Information Infrastructure; the NCIIPC was notified under it on 16 January 2014 and performs a preventive, protective role. Section 70B places CERT-In on a statutory footing as the national incident-response agency for cyberspace generally, with power to call for information and issue directions; non-compliance under Section 70B(7) is punishable up to one year or a fine up to one crore rupees.
Is the Section 70 offence connected to cyber terrorism under Section 66F?
Yes. Section 66F, which defines cyber terrorism, cross-refers to Critical Information Infrastructure specified under Section 70. An unauthorised intrusion into a protected system carried out with intent to threaten the unity, integrity, security or sovereignty of India can be prosecuted as cyber terrorism, which is punishable with imprisonment for life, a graver offence than the ten-year sentence under Section 70(3).