Cyberspace is not a law-free zone, and for the Indian judiciary the question is rarely whether the law applies but which law applies, and how its proof is established. The Information Technology Act, 2000 (amended substantially in 2008) is the spine of this field: it gives legal recognition to electronic records and digital signatures, criminalises a graded list of cyber-offences, shields intermediaries through a conditional safe harbour, and empowers the State to block and intercept. Around it cluster the constitutional right to privacy recognised in K.S. Puttaswamy, the free-speech limits set in Shreya Singhal, the law of electronic evidence now restated in the Bharatiya Sakshya Adhiniyam, and the new data-protection regime of the DPDP Act, 2023. This note maps the whole terrain for the judiciary and CLAT-PG aspirant, anchoring every proposition to a bare provision or a verified judgment, and sits within the broader Science & Technology for Judiciary hub.

The scheme and reach of the IT Act, 2000

The Information Technology Act, 2000 came into force on 17 October 2000 to give legal effect to electronic commerce and to curb computer-related crime. It was enacted partly to implement the UNCITRAL Model Law on Electronic Commerce. Its early Chapters confer legal recognition on electronic records (Section 4) and on electronic and digital signatures (Sections 5 and 3A, the latter inserted by the 2008 amendment), and the Act provides for the attribution, acknowledgement and dispatch of electronic records (Sections 11 to 13).

The Act's penal architecture sits in two layers. Chapter IX (Sections 43 to 47) creates civil liability and adjudication for unauthorised access, damage to computer systems, and the like, with adjudicating officers empowered to award compensation. Chapter XI (Sections 65 onwards) creates criminal offences. The 2008 amendment, prompted partly by the Mumbai terror attacks and by the gaps exposed in early cybercrime prosecutions, overhauled the offence sections, introduced data-protection duties on body corporates (Section 43A), and recast the intermediary safe harbour (Section 79). Crucially, Section 81 contains a non-obstante clause giving the Act overriding effect, a feature the Supreme Court relied on in Sharat Babu Digumarti to hold that the IT Act, as a special law, prevails over the general penal law where the same act is covered by both.

The catalogue of cyber-offences

The criminal heart of the Act is a graded catalogue. Section 66 punishes the dishonest or fraudulent commission of any act referred to in Section 43 (commonly called hacking and unauthorised access) with imprisonment up to three years or fine up to one lakh rupees, or both. The 2008 amendment added a cluster of targeted offences: Section 66C punishes identity theft, that is, the fraudulent use of another's electronic signature, password or other unique identification feature; Section 66D punishes cheating by personation using a computer resource or communication device; and Section 66E punishes the violation of bodily privacy through capturing or publishing images of a private area without consent. Section 66F creates the grave offence of cyber-terrorism, punishable with imprisonment which may extend to life.

Sections 67, 67A and 67B address obscenity and sexually explicit material in electronic form, with Section 67B specifically targeting child sexual abuse material; punishments escalate from three years for ordinary obscene material to five years and beyond for sexually explicit and child-related content, with enhanced terms on second conviction. Section 65 punishes tampering with computer source documents. Together these provisions translate familiar physical-world wrongs (theft, fraud, obscenity, terrorism) into the idiom of the network. A recurring examination point is the mental element: most of these offences require dishonesty or fraud as defined by reference to the Indian Penal Code, so mere unauthorised access without the requisite intent may sound in civil liability under Section 43 rather than crime under Section 66. The companion note on electricity and magnetism basics explains the physical substratum on which all of this data ultimately travels.

Section 66A and the free-speech limit: Shreya Singhal

No provision of the IT Act has been more consequential in its death than Section 66A. The provision criminalised sending, through a computer or communication device, information that was grossly offensive, menacing, or which the sender knew to be false but sent to cause annoyance, inconvenience, danger, obstruction, insult, injury or ill-will. Its open-ended adjectives invited abuse, and a string of arrests for ordinary social-media posts triggered a constitutional challenge.

In Shreya Singhal v. Union of India, (2015) 5 SCC 1, decided on 24 March 2015, a two-judge bench of Justices J. Chelameswar and R.F. Nariman struck down Section 66A in its entirety as violative of Article 19(1)(a). The Court held the section unconstitutionally vague and overbroad, and not saved by the reasonable-restriction grounds in Article 19(2): terms such as "grossly offensive" and "annoyance" had no settled meaning and chilled protected speech. The judgment is the cornerstone of digital free-speech law in India and is studied alongside the constitutional reasoning that also informs the Science & Technology for Judiciary syllabus more broadly. Despite being void since 2015, the section continued to be invoked by police for years, prompting the Supreme Court to issue fresh directions to halt prosecutions under the dead letter.

Intermediary safe harbour: Section 79 and its reading down

Section 79, in its post-2008 form, grants intermediaries conditional immunity from liability for third-party information they host or transmit, provided they do not initiate, select or modify the transmission and observe due diligence. The immunity is forfeited if the intermediary conspires, abets or aids the unlawful act, or fails to expeditiously remove content on receiving "actual knowledge" or being notified by the appropriate Government.

The same Shreya Singhal judgment that felled Section 66A read down Section 79(3)(b). The Court held that "actual knowledge" cannot mean a private complaint from any aggrieved person, which would force intermediaries to adjudicate millions of takedown demands; instead, the trigger is a court order or a government notification that the content falls within the restrictions permissible under Article 19(2). This reading transformed intermediary practice. The Delhi High Court applied a similar logic in Myspace Inc. v. Super Cassettes Industries Ltd. (2016), holding that an intermediary's obligation to act arises on specific knowledge of identified infringing material rather than a general awareness, harmonising copyright takedown with the safe-harbour scheme.

From Bazee.com to Digumarti: intermediaries and special-law primacy

The early jurisprudence grew out of a single notorious episode. In late 2004 an obscene MMS clip was listed for sale on Bazee.com (an eBay subsidiary) by a student-seller; the listing was deactivated within roughly thirty-six hours but a prosecution followed. In Avnish Bajaj v. State (NCT of Delhi) (2008), the Delhi High Court discharged the company's Managing Director under the IPC obscenity provisions, reasoning that the Penal Code did not then recognise automatic vicarious liability of a director where the company itself was not arraigned, though the IT Act charge survived at that stage. The case directly exposed the inadequacy of the law and is widely credited with catalysing the 2008 strengthening of Section 79.

The saga reached the Supreme Court in Sharat Babu Digumarti v. Government of NCT of Delhi, (2017) 2 SCC 18 (decided 14 December 2016), concerning the Bazee.com employee in charge of trust and safety. The Court quashed the proceedings under Section 292 IPC, holding that once obscenity in electronic form is squarely covered by Section 67 of the IT Act, the special law, with its overriding non-obstante clause in Section 81, displaces the general provisions of the Penal Code for the same act. Digumarti is the leading authority on the IPC-versus-IT-Act overlap and a frequent examination favourite.

Blocking, interception and surveillance powers

The State's coercive powers over the network rest mainly on three sections. Section 69 empowers the Central or State Government to intercept, monitor or decrypt information through any computer resource where necessary in the interest of sovereignty, integrity, defence, security, friendly relations, public order, or to prevent incitement to a cognisable offence. Section 69A empowers the Central Government to block public access to online information on similar grounds, and Section 69B permits monitoring and collection of traffic data for cybersecurity. Each power is hedged by procedural rules and, in the case of blocking, by confidentiality of the orders.

The constitutional limits on these powers were clarified in Anuradha Bhasin v. Union of India, (2020) 3 SCC 637, arising from the prolonged internet shutdown in Jammu and Kashmir after the 2019 abrogation of Article 370. The Supreme Court held that freedom of speech and the freedom to carry on trade through the internet are protected under Articles 19(1)(a) and 19(1)(g), that an indefinite suspension is impermissible, and that any restriction must satisfy the test of proportionality and be subject to periodic review and publication of orders. The judgment did not declare internet access itself a free-standing fundamental right, but it firmly subjected shutdowns to judicial review.

The IT Rules, 2021 and the new compliance grid

The framework of intermediary duty has been thickened by delegated legislation. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, notified in February 2021, prescribe due-diligence obligations as a condition of safe harbour. Every intermediary must publish its rules and a privacy policy, appoint a Grievance Officer who acknowledges complaints within 24 hours and disposes of them within 15 days, and remove certain unlawful content within fixed timelines on receiving a court order or government notification, consistent with the Shreya Singhal reading of "actual knowledge".

The Rules create an additional tier for "significant social media intermediaries" above a notified user threshold. Such platforms must appoint three India-resident officers: a Chief Compliance Officer, a Nodal Contact Person for law-enforcement coordination, and a Grievance Officer; they must also enable identification of the first originator of information where ordered, and publish monthly compliance reports. Part III of the Rules extends a Digital Media Ethics Code to online news publishers and curated-content (OTT) platforms, a portion that has faced High Court challenges on the ground that it exceeds the parent Act. These Rules are administrative law layered on the statute, and their validity remains partly sub judice.

Electronic evidence: the Section 65B certificate and Anvar P.V.

A cyber-offence is only as strong as the proof of it, and electronic records demand special rules of admissibility. Section 65B of the Indian Evidence Act, 1872 (inserted by the IT Act) deemed computer output to be a "document" admissible without proof of the original, provided the conditions in Section 65B(2) were met and a certificate under Section 65B(4) was furnished identifying the record, the device and the manner of production, signed by a responsible person.

In Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473, a three-judge bench held that the certificate under Section 65B(4) is a mandatory condition precedent for the admissibility of secondary electronic evidence, overruling the contrary view in State (NCT of Delhi) v. Navjot Sandhu alias Afsan Guru, (2005) 11 SCC 600, which had allowed such evidence under Sections 63 and 65 without the certificate. The Court drew the crucial distinction: where the original device itself is produced as primary evidence the certificate is unnecessary, but printouts, copies and downloads tendered as secondary evidence require strict compliance with Section 65B.

Arjun Panditrao Khotkar and the move to Section 63 BSA

The law on the certificate was settled, after a period of conflicting benches, in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, (2020) 7 SCC 1. A three-judge bench affirmed that Anvar P.V. was correctly decided and that the Section 65B(4) certificate is mandatory for secondary electronic evidence, clarifying the earlier discordant note in Shafhi Mohammad v. State of Himachal Pradesh. The Court also held that where a party is unable to obtain the certificate from the person controlling the device, it may apply to the court to summon its production, so that the requirement does not become an instrument of injustice.

This jurisprudence has now been carried forward into the new evidence code. The Bharatiya Sakshya Adhiniyam, 2023, which came into force on 1 July 2024 and replaced the Evidence Act, restates the regime in Section 63. The successor provision retains the certificate requirement but, notably, requires the certificate to be signed both by the person in charge of the device and by an expert, adding a layer of technical authentication absent from the old Section 65B. The substantive learning of Anvar and Arjun Khotkar continues to govern, now read through the text of Section 63.

Privacy as a fundamental right: Puttaswamy

Underlying the entire field of data and surveillance law is the constitutional status of privacy. In Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, a nine-judge bench unanimously held that the right to privacy is a fundamental right protected as an intrinsic part of the right to life and personal liberty under Article 21 and of the freedoms under Part III, overruling the contrary holdings in M.P. Sharma and Kharak Singh. The bench laid down that any State intrusion upon privacy must satisfy a threefold test: legality (a law must authorise it), a legitimate State aim, and proportionality between the means and the object.

This test now governs every interception order under Section 69, every blocking direction under Section 69A, and every data-collection scheme. A second Puttaswamy bench in 2018 applied the same standard to uphold the core of the Aadhaar scheme while reading down parts of it. The proportionality framework forged in Puttaswamy is the constitutional lens through which all cybersecurity and data measures must now be examined, and it informs cognate debates in public-health data and disease surveillance.

The Digital Personal Data Protection Act, 2023

The legislative answer to Puttaswamy is the Digital Personal Data Protection Act, 2023 (Act 22 of 2023), India's first comprehensive data-protection statute, enacted after the withdrawal of earlier bills. It applies to the processing of digital personal data within India and, in some circumstances, to processing outside India connected with offering goods or services to data principals in India. The Act builds on the consent-and-purpose model: a "data fiduciary" (the entity deciding the purpose and means of processing) must obtain the free, specific, informed and unambiguous consent of the "data principal", preceded by a clear notice under Section 5, and may process data only for the stated lawful purpose.

The Act recognises "legitimate uses" for which consent is not required, such as voluntary provision of data or processing by the State for benefits and services, and provides exemptions under Section 17 for, among others, courts, enforcement of legal rights, and certain research. It grants data principals rights of access, correction, erasure and grievance redressal, imposes heightened obligations on "Significant Data Fiduciaries", restricts the processing of children's data, and establishes a Data Protection Board of India to adjudicate breaches and levy substantial monetary penalties. The Act is to be operationalised through the DPDP Rules.

CERT-In and the institutional cybersecurity architecture

Cybersecurity in India is not only criminal and constitutional but also institutional and preventive. Section 70B of the IT Act designates the Indian Computer Emergency Response Team (CERT-In) as the national nodal agency for cybersecurity incident response, empowered to collect and analyse information on cyber incidents, issue alerts and advisories, and call for information from service providers, intermediaries and data centres. The CERT-In Directions of April 2022 require, controversially, mandatory reporting of specified cyber-incidents within six hours and prescribe log-retention obligations.

Section 70 allows the Government to declare "protected systems" (critical information infrastructure), unauthorised access to which attracts enhanced punishment, and the National Critical Information Infrastructure Protection Centre (NCIIPC) was constituted under Section 70A to guard sectors such as power, banking and telecom. The Act also created the Controller of Certifying Authorities under Section 17 to license and supervise the issuers of digital-signature certificates, building the trust layer for electronic transactions. A further layer is sectoral: the Reserve Bank, SEBI and the telecom regulator issue their own cybersecurity and breach-notification norms for regulated entities, which operate alongside the IT Act rather than displacing it. This preventive architecture complements the punitive sections and is the part of the field most likely to be tested through current-affairs questions.

Adjudication, penalties and appeals

For the civil wrongs in Chapter IX the Act provides a self-contained remedial route. Section 46 empowers an adjudicating officer (an officer not below the rank of Director to the Government) to adjudge contraventions and award compensation under Section 43 where the claim does not exceed five crore rupees, with the civil courts taking jurisdiction above that. Section 43A separately fastens liability on a body corporate that, while possessing or handling sensitive personal data, is negligent in maintaining reasonable security practices and thereby causes wrongful loss or gain, a provision now overlaid by the DPDP regime.

Appeals from adjudicating officers lie to the Appellate Tribunal under Section 57; following the merger of tribunals, this function vests in the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). A further appeal lies to the High Court under Section 62 on questions of fact or law. Companies and their officers may face liability under Section 85, subject to the familiar due-diligence defence. Candidates should be able to trace this ladder, from adjudicating officer to TDSAT to High Court, and to distinguish it from the criminal trial route for the Chapter XI offences.

Exam takeaways and cross-links

For the judiciary aspirant the field reduces to a few reliable anchors. Memorise the offence sections by number: 65 (source-code tampering), 66 (computer offences/hacking), 66C (identity theft), 66D (cheating by personation), 66E (privacy of images), 66F (cyber-terrorism), 67/67A/67B (obscene, sexually explicit and child material), and the State-power trio 69/69A/69B. Pair each landmark with its proposition: Shreya Singhal (66A void, 79 read down), Sharat Babu Digumarti (special law prevails), Anuradha Bhasin (proportionality of shutdowns), Anvar P.V. and Arjun Panditrao Khotkar (mandatory 65B certificate, now Section 63 BSA), and Puttaswamy (privacy as a fundamental right).

Keep the statutory updates current: the Evidence Act has yielded to the Bharatiya Sakshya Adhiniyam, 2023 (Section 63 with dual certification), and the DPDP Act, 2023 now governs personal data. Understanding the underlying technology repays effort; the foundational concepts in general physics and electricity and magnetism illuminate how data is stored and transmitted, while the privacy reasoning connects to public-health surveillance. The whole syllabus is collected at the Science & Technology for Judiciary hub.

Frequently asked questions

Why was Section 66A of the IT Act struck down?

In Shreya Singhal v. Union of India, (2015) 5 SCC 1, the Supreme Court struck down Section 66A in its entirety as violating Article 19(1)(a). The provision, which criminalised "grossly offensive" or "menacing" online messages, was held unconstitutionally vague and overbroad and not saved by any of the reasonable-restriction grounds in Article 19(2).

What is the safe harbour under Section 79, and how was it limited?

Section 79 gives intermediaries conditional immunity for third-party content, provided they observe due diligence and do not abet the wrong. In Shreya Singhal the Court read down Section 79(3)(b) so that "actual knowledge" means receipt of a court order or government notification, not a mere private complaint, before the duty to remove content arises.

Is a Section 65B certificate always required for electronic evidence?

Under Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473, and affirmed in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, (2020) 7 SCC 1, a certificate is mandatory for secondary electronic evidence such as printouts and copies. It is not needed where the original device itself is produced as primary evidence. The requirement is now restated in Section 63 of the Bharatiya Sakshya Adhiniyam, 2023, with dual certification by the device-holder and an expert.

Did Puttaswamy make internet access a fundamental right?

No. Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, held that privacy is a fundamental right under Article 21 and laid down the threefold test of legality, legitimate aim and proportionality. The right to access the internet for speech and trade was protected in Anuradha Bhasin v. Union of India, (2020) 3 SCC 637, under Articles 19(1)(a) and 19(1)(g), but the Court stopped short of declaring internet access itself a free-standing fundamental right.

When does the IT Act override the Indian Penal Code?

Where the same act is an offence under both statutes and the IT Act squarely covers it, the IT Act prevails as a special law with overriding effect under Section 81. In Sharat Babu Digumarti v. Government of NCT of Delhi, (2017) 2 SCC 18, the Court held that obscenity in electronic form falls under Section 67 of the IT Act, so a parallel charge under Section 292 IPC was impermissible.

What are the key obligations of a data fiduciary under the DPDP Act, 2023?

A data fiduciary must give a clear notice under Section 5 and obtain free, specific, informed and unambiguous consent before processing personal data, use the data only for the stated purpose, ensure security safeguards, honour data-principal rights of access, correction and erasure, and stop processing on withdrawal of consent. Significant Data Fiduciaries carry heightened duties, and breaches are adjudicated by the Data Protection Board of India with substantial penalties.