Cyber security is an abstract concept comprising everything from desktops to smartphones, software, web and mobile applications, clouds, servers, and the entire infrastructure supporting vital business processes. The growing interaction between people and technology-based services has led to the evolution of cyberspace with people being able to store any type of information (in various forms) and interplay with technology at their convenience. This type of interlinkage, however, can prove to be as fatal as it is beneficial due to its tendency of being misused by cybercriminals. According to the National Crime Records Bureau (NCRB) data released last year, a total of 50,035 cases were registered in 2020 under cybercrime — a rise of 11.8 per cent over 2019 (44,735 cases)
To maintain the integrity of this relationship between man and technology, certain laws and governance frameworks were created and mandated. This article aims at exploring an overview of the cyber law framework in India from the perspective of a victim and how a victim can file a complaint for redressal of grievances. Read on!
What is Cyber Crime?
‘Cyber’ is characterized by anything related to computers, information technology, and virtual reality. Although cyber-crime is not defined in any Indian statute, one can understand by the meaning of cyber as aforementioned that ‘cyber-crimes’ (also called computer crimes) are illegal activities done by engaging tools like computers, information technology, and virtual reality. From an anonymous individual engaging in cyber-bullying or cyber-stalking to an elaborate scheme of an organization to cyber-attack government websites or business groups in order to steal sensitive information- there are various types of cyber-crimes.
Types of cybercrime
With the advancement in technology and computer systems, a plethora of cyber crimes has evolved over time. Some of the most common types of cyber-attacks are listed below:
Phishing Attacks: Phishing attacks involve sending fake communications that seem to be coming from a reliable source. Generally, email is used for this. The intention is to steal private information, such as login details and credit card numbers, or to infect the victim's computer with malware.
Social Engineering: Exploiting human weaknesses to get access to private information and secure computer systems is known as social engineering. Social engineering uses human manipulation rather than computer hacking to access the victim's account. These criminals get in touch with the victims directly, usually by phone or email in order to gain their trust to extract information. This information can be bank account numbers, employer names, passwords, etc. They do so in order to sell the data, register fake accounts in the victim's name, acquire their employer’s trade secrets, exploit national security, etc.
Cyber-stalking and Cyber-bullying: Cyber-stalking refers to the practice of criminals stalking the victim on social media platforms in order to collect their personal data. The variety of techniques to get the information, usually done via obtaining login details, collecting user data from social media, or disseminating phishing emails. This kind of behaviour includes making threats, using defamatory language, slandering someone, harassing them sexually on social media platforms, and engaging in other actions intended to intimidate, control, or frighten the victim, which is called cyberbullying.
Identity Theft: This cybercrime takes place when a cyber-criminal impersonates the victim after obtaining access to their personal data in order to steal money, access private information, or engage in financial fraud. It also involves accessing company databases to steal customers' information by making use of more high-tech methods. They do so to open a phone or internet connection, arrange a crime, apply for government assistance, etc. Identity theft can be performed in a variety of ways; such as phishing, hacking, social engineering, etc; and the victims often have to suffer the consequences of a bad reputation, and lost wealth and credit.
Cyber Obscenity and Pornography: This cybercrime involves sharing and disseminating inappropriate content that is potentially very upsetting and offensive. Sexual activities between adults, violent films, and videos of criminal activity are just a few examples of this kind of offensive content. Materials that promote terrorism-related behaviour and materials that exploit children for child pornography are examples of illegal content- both the public internet and the dark web (an anonymous network) host this kind of content.
Financial Fraud: In financial fraud, the cyber-criminal uses the victim's credit card (or debit card) fraudulently and makes unauthorized and illegal transactions or withdrawals from that person's card to get access to their money. When a criminal obtains the cardholder's personal identification number (PIN) or debit/credit card number, fraudulent activity takes place.
Laws Against Cyber-Crime
There is currently no comprehensive legislation to address cybercrime anywhere in the world because it is a field that is still evolving towards specialization. In India, the Information Technology Act, of 2000 (hereinafter: IT Act) and the Indian Penal Code of 1860 (hereinafter: IPC) are currently in effect that govern malicious online activity which infringes the rights of internet users. Although the entire investigation procedure for policing cyber-crimes is guided by the IT Act, there are times when the Act is insufficient to address particular cyber-crimes, it is then that IPC sections may be used by law enforcement agencies. Therefore, it is not unexpected that many of the provisions of the IT Act and IPC overlap. The relevant sections under both statutes are as follows:
Data theft, virus transmission into a system, hacking, data destruction, and refusing access to the network to an authorised person are all punishable under the IT Act with a maximum sentence of three years or a fine of Rs. 5 lakhs, or both. Data theft is also punishable under the Indian Penal Code, with a maximum sentence of three years or fine, or both; and two years in prison or fine, or both respectively. In addition, violating Section 426 of the IPC can result in up to three months in prison or a fine, or both for denying access to a legitimate person or causing damage to their computer system.
In the case of Poona Auto Ancillaries Pvt Ltd v. Punjab National Bank In 2018, the IT department ordered PNB to reimburse the complainant Rs 45 lakh after the fraudster moved around 80 lakhs using PNB bank services in Pune as the complainant responded to a phishing email. Despite the fact that the complainant himself replied to the mail, the bank was adjudged to have been negligent because no security checks were carried out against accounts formed fraudulently in order to deceive the complaint. In the case of Kumar v. Whiteley In the year 1919, the accused got unauthorised access to the Joint Academic Network, and he modified, added, and removed files from the database during the course of the investigation. Under Sections 420 of the IPC and 66 of the IT Act, he was imprisoned for a year and a fine of Rs 5,000 was levied on him.
Section 354D of the IPC defines and penalises stalking, including physical and online stalking. Cyber-stalking is the practice of following a woman through technology, such as the internet or email or making contact with her despite her lack of interest. For the first-time offence, the crime carries a maximum sentence of three years and a fine; for the second time, it carries a maximum sentence of five years and a fine. A victim in the 2017 case Kalandi Charan Lenka v. the State of Odisha suffered reputational harm as a result of a string of vulgar messages she got from an unidentified caller. Additionally, the accused sent the victim emails and made a false Facebook account with morphed pictures of her. Pursuant to this, the High Court found the accused initially responsible for several offences of cyber-stalking under the IT Act and IPC Section 354D.
Under Section 65 of the IT Act, tampering with the computer source material is a criminal offence. Further, infractions of privacy are punishable under Section 66E. As per this Section, anyone who takes, publishes or distributes pictures of someone's private parts without getting their permission has violated their right to privacy and faces up to three years in prison or a fine of up to 2 lakhs or both.
Moving ahead, cyber-terrorism is the central focus that is addressed by Section 66F of the IT Act. It lists the actions that constitute cyber terrorism, such as denying access, breaking into a network, or sending a virus or malware that could potentially kill or injure someone. All of these actions are done with the intention of endangering the integrity, sovereignty, unity, and security of India or inspiring fear in the citizens of India.
Dishonestly receiving stolen computer resources or equipment is a violation that is covered under Section 66B of the IT Act and Section 411 of the IPC. According to Section 66C of the IT Act, anyone found guilty of using another person's identity credentials for fraud or dishonest behaviour faces a sentence of up to three years and a fine of three lakhs. More so, according to Section 66D of the IT Act, using a computer resource to impersonate someone else is considered cheating. Similar provisions are provided for these offences in Sections 419, 463, 465, and 468 of the IPC. By failing to implement and maintain a reasonable and rigorous method to protect the sensitive data of any person in their control, corporations and individuals are subject to penalties under the IT Act. Such a corporate body is responsible for making restitution to the party who incurred harm as a result of the corporation's carelessness. In the 2005 case of Anil Kumar Srivastava v. Additional Director MHFW, the petitioner falsely signed the AD's signature and then filed a complaint that contained untrue accusations against the same person. The Court determined that the petitioner was accountable under Sections 465 and 471 of the IPC since he tried to pass it off as a legitimate document.
Deficiencies In Infrastructure
Despite a robust legal framework and institutional structures in place, India is still struggling to wage an effective war against cyber crimes- due to a lack-lustre, non-functional infrastructure. Although processes have been put into place, the actual on-ground implementation is far from ideal. Most cybercrime complaints filed online do not get resolved, because there are simply not enough resources to resolve each of these cases. Needless to say, local law enforcement agencies across the country need more hands on deck, specially trained professionals who can handle and process complaints in an effective and conclusive manner. In addition to this, there is a strong need for more judicial officers and lawyers who have an in-depth understanding of these matters so that judicial resolution of cybercrime cases can be expedited to the extent possible.
There are no currently prevailing eligibility criteria for filing a cyber crime complaint- however, it goes without saying that the complaint must be genuine in nature and not be filed with any malafide intention.
How to file a Cyber Complaint in India?
The IT Act stipulates that a cyber-crime is subject to global jurisdiction, hence regardless of where the crime was initially committed or where the victim is currently staying or residing, any cyber cell in India can quickly and easily register the complaint. The complaint may be made to the Crime Investigation Department or Cyber Police in both online and offline mediums. The steps involved in filing a cyber-crime complaint in India are as follows:
Offline filing of the complaint: The first and most important step in offline mode is to register a written complaint with the Cyber Crime Cell of any jurisdiction after filing a complaint against the crime. The complainant will be required to include their name, phone number, and address in the written complaint. After that, the person filing the complaint must address the written complaint to the head of the city's cyber crime cell. Further, the complainant can register an FIR at the nearest police station if they do not have access to any of the existing cyber cells in India.
The informant can also go to the Commissioner or the Judicial Magistrate if the cyber complaint is not accepted by the police. As discussed above, some cybercrime offences fall under the purview of the IPC; therefore, an individual can file an FIR regarding cybercrime at the closest local police station. Regardless of the jurisdiction in which the offence was committed, the police officer is required by Section 154 of the CrPC to record the information provided regarding an offence.
Online filing of the complaint: The government’s online platform handles complaints about child sexual abuse material, child pornography, sexually explicit content like rape or gang rape, social media crimes, online cyber trafficking, financial fraud, hacking, ransomware, and cryptocurrency crimes. The complainant can anonymously report or file a complaint in online mode. The procedures for filing a cyber-crime complaint online are as follows:
Step 1: Visit the official website of the National Cyber Crime Reporting Portal by clicking on this link:
Step 2: Now, from the options available on the homepage of the website, click on the tab that says, ‘Report Other Cyber Crimes.’
Step 3: Now click on the option saying ‘File a Complaint,’ declaring that you want to file a cyber complaint.
Step 4: Now, the informant or the complainant needs to read the terms and conditions before filing an actual complaint; and if they accept the terms then click on ‘I Accept.’
Step 5: Now the informant or the complainant needs to log in with their credentials or register as a new user with the help of their mobile number along with other personal details.
Step 6: Then, the informant or the complainant needs to fill in all the required and relevant details regarding the offence committed. This section is divided into four parts, preview the information filled in and then submit it. Then the user will then be directed to an incident details page. After mentioning the details and supporting evidence of the crime, click on 'Save and Next.'
Step 7: The next page requires information about the alleged suspect if the applicant has any.
Step 8: Once the informant or the complainant has filled in all details, they need to verify it and click ‘submit.’
Step 9: After submitting the complaint, the informant or the complainant can also track the progress of their complaint on the website by clicking on ‘Track your complaint’ on the homepage.
Punishment For Cyber Crimes In India
The punishment for most cyber crimes is clearly laid down in the IT Act. These are as follows:
Section 65 – Tampering with Computer Source Documents- Penalties if found guilty can be imprisonment up to 3 years and/or up to Rs 2 lakh fine. An example of such crime is: Employees of a network company called Bodatone were held guilty by the court for tampering with the Electronic Serial Number of cellphones of another corporate company that had locked the handset before selling it so as to work with its SIM-only.
Section 66 – Hacking with computer systems or unauthorised usage of computer systems and networks- Punishment if found guilty can be imprisonment of up to three years and/or a fine of up to Rs 5 lakh. An example: When a criminal hacked into an academy network with unauthorised access to broadband and modified the passwords of users to deny access. The criminal was punished under Section 66 of the IT Act.
Section 66C – Identity theft using passwords, digital signatures, biometric thumb impressions or other identifying features of another person for fraudulent purposes- An example is – when a criminal obtained the login and password of an online trading account and transferred the profit to his account by doing online transactions in the trading account in an unauthorised manner. The criminal was charged under Section 66C.
Section 66D – Cheating by Personation Using Computer Resources- Punishment if found guilty can be imprisonment of up to three years and/or up to Rs 1 lakh fine. An example: A criminal who posed as a woman and tried to seduce a businessman to extort Rs 96 lakh from him by creating a fake email Id and trapping him in a cyber relationship. The criminal was arrested and charged under Section 66D and various other IPC sections.
Section 66E – Taking pictures of private areas, publishing or transmitting them without a person’s consent is punishable under this section. Penalties if found guilty can be imprisonment up to three years and/or up to Rs 2 lakh fine.
Section 66F – Acts of cyber terrorism- Someone found guilty under this section can be served a sentence of life imprisonment. For example, a threat email was sent to the Bombay Stock Exchange and the National Stock Exchange, which challenged the security forces to prevent a terror attack planned on these institutions. The criminal was apprehended and charged under Section 66F of the IT Act.
Section 67 – Publishing Obscene Information in Electronic Form- In this case, imprisonment is up to five years and a fine of up to Rs 10 lakh. An example: When an accused from Mumbai posted obscene information about the victim on the internet after she refused to marry him. The criminal was implicated under Section 67 of the IT Act in addition to various sections of IPC.
Building a safe space for computer and internet users is a crucial step to ensure safety from cyber crimes. To deal with the enormous variety of cyber crimes that exist, the current system of cyber law in India is still insufficient. Cybercrime is constantly evolving, and new types of crimes are emerging as a result of the rapid technological advancements taking place every day as the nation expands on the ‘Digital India’ initiative. Taking inspiration from the international perspective of the USA or UK, where technological advancement reached much earlier than India, and so did the laws; it would be best to adopt statutes focusing on a specific aspect of cyber-crimes, depending on the sophistication of the crimes i.e. privacy and data protection. To deal with shifting trends, a single piece of legislation cannot suffice and must be regularly amended to deal with novel threats.
Sections 43 and 66, Information Technology Act
Sections 378 and 424
Complaint No. 4 of 2011 dated 09/11/2011
  93 CAR 25
 BLAPL No.7596 of 2016
 2005 (3) ESC 1917