
Information Technology Law: Lectured by Rushil Chandra, Asst. Prof. of Law at Symbiosis Law School, Nagpur

The document provides an overview of Information Technology Law as taught by Rushil Chandra at Symbiosis Law School, covering topics such as cyber law, digital signatures, cryptography, and intellectual property rights in cyberspace. It discusses the legal framework for e-commerce, the role of digital signatures in authentication, and the implications of copyright infringement in software. Additionally, it outlines the procedures for obtaining digital signature certificates and the distinctions between open source and proprietary software licenses.

Uploaded by

Prashant Yadav

Information Technology Law
LECTURED BY RUSHIL CHANDRA, ASST. PROF. OF LAW AT SYMBIOSIS LAW SCHOOL, NAGPUR.
Introduction

► Cyber space
► WWW
► Amendments
► IT Rules, 2011
► Intermediary Guidelines Rules, 2011
► Important Sections
► Case Laws
UNCITRAL Model Law and E-Commerce

► Uniform law for all the nations so as to make smooth electronic communications
with identical laws.
► E-Commerce through e-contracts
► Requirements as per Section 10A
► The requirements are the same as those mentioned in the Indian Contract Act for
any pen-and-paper contract
DSC and ESC

► Digital Signature Certificate and Electronic Signature Certificate
► Certifying Authorities
► Controller of Certifying Authorities (CCA)
► The hierarchy of control follows as below:

CG (Central Government) → Controller of Certifying Authorities (CCA) → Deputy and Assistant Controllers
Digital Signatures

► The Information Technology Act, 2000 (IT Act) prescribes digital signatures as a
means of authentication of electronic records. A digital signature is basically a
way to ensure that an electronic document is authentic.
► A digital signature is an electronic form of a signature that can be used to
authenticate the identity of the sender of a message or the signer of a document,
and also ensure that the original content of the message or document that has been
sent is unchanged. Digital signatures are easily transportable and cannot be
imitated by someone else.
Digital Signatures provide the following
three features:-

► i. Authentication - Digital signatures are used to authenticate the source of
electronic messages. The ownership of a digital signature key is bound to a
specific user and thus a valid signature shows that the message was sent by that
user.
► ii. Integrity - In many scenarios, the sender and receiver of a message need
assurance that the message has not been altered during transmission. Digital
Signatures provide this feature by using cryptographic hash functions.
► iii. Non Repudiation – Digital signatures ensure that the sender who has signed the
information cannot at a later time deny having signed it.
Utility of Digital Signatures (DS)

► We see that a lot of Government submissions in India do require documents to be
authenticated by digital signatures.
► All the official filings at the Income Tax Department, Registrar of Companies,
Trademarks, Patents, Copyrights require digital signatures to be affixed on
documents.
Asymmetric Crypto Systems - S.2(1)(f)
► The Digital Signatures require a key pair called the Public and Private Key. Just as physical keys
are used for locking and unlocking, in cryptography, the equivalent functions are encryption and
decryption. The private key is kept confidential with the owner usually on a secure media like
crypto smart card or crypto token. The public key is shared with everyone. Information encrypted
by a private key can only be decrypted using the corresponding public key.
► In order to digitally sign an electronic document, the sender uses his/her Private Key. In order to
verify the digital signature, the recipient uses the sender’s Public Key.
For example, if you need to send a confidential document
to your colleague in another town and want to give
assurance that it is unchanged from what you
sent, you will:
► Step 1. Copy and paste the contract into an e-mail note.
Get electronic form of a document. (Eg.: - word, pdf).
► 2. Using special software, you obtain a message hash
(fixed size bit string) of the contract.
► 3. You then use your private key to encrypt the hash.
► 4. The encrypted hash becomes your digital signature of
the contract and is appended to the contract.
At the other end, your colleague receives
the message.
► 4. To make sure the contract is intact and from you,
your colleague generates a hash of the received
contract.
► 5. He then uses your public key to decrypt the Digital
Signature received with the contract.
► 6. If the hash generated from the Digital Signature
matches the one generated in Step 1, the integrity of
the received contract is verified.
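The hash, sign and verify exchange described above, as an added example that is not part of the lecture material. It uses textbook RSA on a SHA-256 hash with a constructed toy key; the function names are hypothetical, and real signature schemes add padding (for example RSA-PSS) and keep the private key on a token.

```python
import hashlib

# Constructed toy key material: these are publicly known Mersenne primes, so
# the resulting keys give no real security. They only make the arithmetic
# reproducible offline without a crypto library.
SENDER_PRIMES = (2**521 - 1, 2**607 - 1)
OTHER_PRIMES = (2**127 - 1, 2**521 - 1)


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: inverse of e modulo phi
    return (n, e), (n, d)


def message_hash(document: bytes) -> int:
    """Sender step 2 / receiver step 4: fixed-size hash of the document."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    """Sender steps 3-4: transform the hash with the private key."""
    n, d = private_key
    return pow(message_hash(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Receiver steps 4-6: recompute the hash, recover the signed hash
    with the sender's public key, and compare the two."""
    n, e = public_key
    if not 0 <= signature < n:
        return False  # malformed signature for this key
    recovered_hash = pow(signature, e, n)
    return recovered_hash == message_hash(document)


def demo():
    """Run the exchange on a constructed contract and two failure cases."""
    sender_public, sender_private = make_keypair(*SENDER_PRIMES)
    other_public, _ = make_keypair(*OTHER_PRIMES)

    contract = b"Constructed sample contract: pay Rs. 10,000 on delivery."
    signature = sign(contract, sender_private)

    # Integrity failure: one figure changed in transit.
    tampered = contract.replace(b"10,000", b"90,000")

    return {
        "intact": verify(contract, signature, sender_public),
        "tampered": verify(tampered, signature, sender_public),
        # Authentication failure: checked against someone else's public key.
        "wrong_key": verify(contract, signature, other_public),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'REJECTED'}")
```

The signature covers only the hash, so any change to the document changes the recomputed hash and verification fails, which is the integrity property listed earlier.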
Cryptography -
► Cryptography encrypts and decrypts data.
Cryptography enables you to store sensitive
information or transmit it across insecure networks,
like the Internet, so that it cannot be read by anyone
except the intended recipient.
Encryption
► In a typical cryptographic exchange, information
that is meant to be hidden for whatever reason is
encrypted, or ciphered into a difficult-to-interpret
form. This conversion is known as Encryption
because it involves the change of clear text, or
understandable data, into cipher text, or
difficult-to-interpret data. The encryption process
is one-half of the entire cryptographic exchange.
Decryption

► At the other end of the process is decryption,
or the conversion of cipher text into clear
text. Decryption is not always a part of
encryption, however – some algorithms are
called “hashes” as they only apply encryption
(that is, from clear to cipher text) and have no
means of deciphering the information.
Utility of cryptography
► i. Confidentiality is used to keep the content of information secret from
unauthorized persons. This is achieved through symmetric and asymmetric
encryption.
► ii. Data integrity addresses the unauthorized alteration of data, this is addressed by
Hash functions.
► iii. Authentication is related to identification. This function applies to both entities
and information itself and is achieved through Digital Signatures Certificates
(DSC) and Digital Signatures.
► iv. Non-repudiation prevents someone from denying previous commitments or
actions and is achieved through DSC and Digital Signatures.
Symmetric Cryptography -

Original Data → [Encryption, Public Key] → Scrambled Data → [Decryption, Public Key] → Original Data


Symmetric key encryption

► Symmetric key ciphers are valuable because it is relatively inexpensive to produce
a strong key for these ciphers, the keys tend to be much smaller for the level of
protection they afford and the algorithms are relatively inexpensive to process.
► Therefore, implementing symmetric cryptography can be highly effective because
you do not experience any significant time delay as a result of the encryption and
decryption. Symmetric cryptography also provides a degree of authentication
because data encrypted with one symmetric key cannot be decrypted with any
other symmetric key. Therefore, as long as the symmetric key is kept secret by the
two parties using it to encrypt communications, each party can be sure that it is
communicating with the other as long as the decrypted messages continue to make
sense.
► Typically, with a symmetric key, you can exchange the key with another trusted participant;
usually you produce a unique key for each pair of participants. You can be assured that any
messages that you exchange, which are encrypted in a specific key, between the participants can
only be deciphered by the other participant that has that key. In this way, the key must be kept
secret to each participant. Consequently, these keys are also referred to as secret-key ciphers. If
anyone else finds the key, it affects both confidentiality and authentication. A person with an
unauthorized symmetric key not only can decrypt messages sent with that key, but can encrypt
new messages and send them as if they came from one of the two parties who were originally
using the key.
The major drawback to secret-key ciphers:
► The major drawback to secret-key ciphers is in exchanging the secret key because
any exchange must retain the privacy of the key. This usually means that the secret
key must be encrypted in a different key, and the recipient must already have the
key that will be needed to decrypt the encrypted secret-key. This can lead to a
never-ending dependency on another key.
Asymmetric Cryptography

Original Data → [Encryption, Public Key] → Scrambled Data → [Decryption, Private Key] → Original Data


S. 2(1)(f) and S. 2(1)(x)
► Asymmetric cryptography is a class of cryptographic algorithms which requires two separate keys,
one of which is private and one of which is public. Although different, the two parts of this key pair
are mathematically linked.
► Any message that is encrypted by using the public key can only be decrypted by applying the same
algorithm, but by using the matching private key. Any message that is encrypted by using the private
key can only be decrypted by using the matching public key.
► The benefit of public key cryptography is that it allows people who have no pre-existing security
arrangement to exchange messages securely. The need for sender and receiver to share secret keys
via some secure channel is eliminated; all communications involve only public keys and the private key
is never shared.
Digital Signature Certificate (DSC)

► User – RA – CA – User

► RA - A registration authority (RA) is an authority in a network
that verifies user requests for a digital certificate and tells the
certificate authority (CA) to issue it. RAs are part of a public
key infrastructure (PKI), a networked system that enables
companies and users to exchange information and money
safely and securely. The digital certificate contains a public key
that is used to encrypt and decrypt messages and digital
signatures.
Procedure to obtain an individual DSC

► 1. DSC Form can be downloaded from website of the Certifying Authority (“CA”)
► 2. For Class 3 certificate, the applicant has to submit the completed forms in person at the RA
(Registration Authority)
► 3. On successful processing by the RA, the Username and password are sent to applicant mailbox
in order for him/her to log onto CA website. The cryptographic device is handed over to the user
for storing the private key.
► 4. The applicant installs the device drivers for the device (for storing the private key) from CA
website. For example:- crypto token, smart card reader
► 5. User generates the key pair and uploads his/her Certificate Signing Request (CSR) into
his/her account on the CA Website
► 6. CA generates the DSC after verification. The user downloads from his/her account on the CA
website.
Storage of the DSC

► It is recommended to store the private key on secure medium, for example, smart
cards / crypto tokens etc. The crypto token connects to the user computer through
the USB interface. For smart cards a compatible smartcard reader needs to be
installed on the user computer if not already present. The secure media available
for storing the private key may vary with each Certifying Authority.
► The cost of the Digital Signature Certificate varies from CA to CA. The
Certificates are typically issued with one year to two year validity. These are
renewable on expiry of the period of initial issue. Further additional fees for
renewal may also be charged. The costs involved in procuring Digital Certificates
from NIC-CA are attached as a sample. The costs for the other CAs can be found
on their respective websites.
► The time taken by the Certifying Authorities to issue a DSC may vary from three
to ten days.
IPRs and Cyberspace

► Intellectual Property is a common term that includes different rights i.e.,
Trademark, Copyright, Patent, Trade Secret, and Industrial Design. Every
business tends to own one or the other kind of Intellectual Property. The rapidly
changing world of technology and daily advancements in the industry pose a
challenge for the businesses to safeguard their rights.
► Copyright is a right given by the law to the creators of literary, dramatic, musical
and artistic works and producers of cinematograph films and sound recordings.
Section 14(b) – Copyright Act
► Copyright means the exclusive right to do or authorise the doing of any of the following acts in respect of a
computer programme or any substantial part thereof, namely:-
► (i) to reproduce a computer programme in any material form including the storing of it in any medium by
electronic means;
► (ii) to issue copies of computer programme to the public not being copies already in circulation;
► (iii) to perform the computer programme in public, or communicate it to the public;
► (iv) to make any cinematograph film or sound recording in respect of the computer programme;
► (v) to make any translation or adaptation;
► (vi) to do, in relation to a translation or an adaptation of the computer programme, any of the acts specified in
relation to the work in sub-clauses (i) to (vi);
► (vii) to sell or give on hire, or offer for sale or hire, any copy of the computer programme.
► A Copyright subsists for sixty years from the beginning of the calendar year next following the year in which
the author dies.
Infringement of Copyright in a Computer
Programme
► According to Section 30 of the Copyright Act, the owner of the copyright in any existing work or
the prospective owner of the copyright in any future work may grant any interest in the right by
licence in writing signed by him or by his duly authorised agent, provided that in the case of a
licence relating to copyright in any future work, the licence shall take effect only when the work
comes into existence.
► Copyright in a Computer Programme shall be deemed to be infringed when any person, without a
licence granted by the owner of the copyright or the Registrar of Copyrights under this Act or in
contravention of the conditions of a licence so granted or of any condition imposed by a competent
authority under this Act-
► (i) does anything, the exclusive right to do which is by this Act conferred upon the owner of the
copyright, or
► (ii) permits for profit any place to be used for the communication of the work to the public
► (iii) makes for sale or hire, or sells or lets for hire,
► (iv) distributes, exhibits in public, or imports into India, any infringing copies of the work
Punishment of Copyright Infringement
► The Copyright (Amendment) Act explains the rights of copyright holder, the rights of the user to
make backup copies and the heavy punishment and fines on infringement of copyright of
software. According to the Copyright Amendment Act 1994, it is illegal to make or distribute
copies of copyrighted software without proper or specific authorisation. The only exception is
provided by Section 52 of the Act which allows a backup copy purely as a temporary protection
against loss, distribution or damage to the original.
► It also prohibits selling or giving on hire, or offering for sale or hire, any copy of the computer
program without specific authorisation of the Copyright holder. Indian Law prohibits
unauthorised duplication of software, making multiple copies for use by different users within an
organisation and giving an unauthorised copy to another individual. If caught with pirated
software, the copyright infringer may be tried under both civil and criminal law.
Amended regime

► A civil and criminal action may be instituted for injunction, actual damages
(including infringer's profits), or statutory damages per infringement etc.
Moreover, with the amendments to Indian Copyright Act in 1994, even the
criminal penalties have been substantially increased. According to Section 63B,
there is a minimum jail term of 7 days up to 3 years and fines from Rs. 50,000/- to
Rs. 2,00,000/- for copyright infringement.
Software License

► A software license is a legal instrument governing the use or redistribution of
software. A typical software license grants an end-user permission to use one or
more copies of software in ways where such a use would otherwise potentially
constitute copyright infringement of the software owner's exclusive rights under
copyright law. In addition to granting rights and imposing restrictions on the use
of software, software licenses typically contain provisions which allocate liability
and responsibility between the parties entering into the license agreement.
Software licenses can generally be fit into
the following categories
► Open source licensing - It is a type of accepted copyright license for software that allows
developers to modify and share the source code behind it. Beyond that, open source software can be
freeware, shareware or paid for outright by users depending on the developer’s preference. Some of
the most well-known open source software include Linux, WordPress, Firefox and the Chromium
engine.
► Proprietary licensing - Proprietary licensing is more of a free form licensing that has no real
oversight. When you download a software title under a proprietary license, the developer makes the
rules of what can and can’t be done with it. However, under the law in most countries, there are
really no repercussions to govern this because proprietary licensing is not overseen by any laws
backing it. This is why many well-known proprietary software titles are being modified without official
access to their source code.
Domain Names and Domain Name
Systems
► Domain names are used to identify particular web pages. Domain names are
formed by the rules of the Domain Name System (DNS). Any name registered in
the DNS is a domain name. Domain names are used in various networking
contexts and application-specific naming and addressing purposes. In general, a
domain name represents an Internet Protocol (IP) resource, such as a personal
computer used to access the internet, a server computer hosting a web site, or the
web site itself or any other service communicated via the internet. Every computer
on the internet is assigned a unique address called an Internet Protocol Address
(IP Address).
► An IP address looks like this:
192.168.5.5
► However it is very difficult and inconvenient to remember such numbers and
therefore, the Domain Name System (DNS) was developed.
Domain Name & Intellectual Property
Rights
► Originally, Domain Names were conceived and intended to function as an address,
but with an increasing number of cases of registered domain names being illegally
occupied, it has posed additional problems of how to handle trademark disputes in
cyberspace. Cybersquatting as an offence relates to the registration of a domain
name by an entity that does not have an inherent right or a similar or identical
trademark registration in its favour, with the sole view and intention to sell them to
the legitimate user in order to earn illegal profits.
► An address in the cyber-space is imperative in the new
e-economy for companies and individuals to be easily traceable
by their consumers with the emergence of the Internet as an
advertising forum, recruiting mechanism, and marketplace for
products and services whereby companies doing business have a
strong desire to register domain names akin to their products,
trade names or trademarks. For example, owners of famous
trademarks typically register their trademarks as domain names.
Domain names may be valuable corporate assets, as they facilitate
communication with a customer base. With the advancement of
internet communication, the domain name has attained as much
legal sanctity as a trademark or trade name and, therefore, it is
entitled to protection.
► Another issue is the registration of names of popular brands with a slight spelling
variation like for the sole purpose of diverting traffic to their website through
typing errors. A significant purpose of a domain name is to identify the entity that
owns the website. A domain name should not confuse the consumers as to the
origins of the services or products, defeating the principle of trademark law.
Domain Name Protection
► As stated earlier, the constant increase in the use of internet for commercial purposes has greatly
increased the level of cyber crimes and other internet related offences. Thus, the legal protection of
such domain names is a serious issue which must be dealt with. In order to do so, the Internet
Corporation for Assigned Names and Numbers (‘ICANN’), a domain name regulatory authority,
adopted a Uniform Domain Name Dispute Resolution Policy (‘UDRP’), which is incorporated into
the Registration Agreement, and sets forth the terms and conditions in connection with a dispute
between the registrant and any party other than the registrar over the registration and use of an
Internet domain name registered. Upon entering into the Core Registration Agreement with ICANN
while registering a domain name, one agrees to submit to proceedings commenced under ICANN’s
Uniform Domain Name Dispute Resolution Policy.
THE SEMI-CONDUCTOR INTEGRATED CIRCUITS LAYOUT DESIGN ACT, 2000
► The Semi-Conductor Integrated Circuits Layout-Design Act, 2000 (the Act)
has been enacted to provide protection to semiconductor integrated circuits
layout-designs and for matters connected therewith or incidental thereto.
According to the Act, the term 'layout-design' means "a layout of transistors
and other circuitry elements and includes lead wires connecting such elements
and expressed in any manner in a semiconductor integrated circuit". The term
'semiconductor integrated circuit' means "a product having transistors and
other circuitry elements which are inseparably formed on a semiconductor
material or an insulating material or inside the semiconductor material and
designed to perform an electronic circuitry function".
► The Act is implemented by the Department of Information Technology, Ministry of Information
Technology. The Act is applicable for Integrated Circuits Layout-Design IPR applications filed at
the Registry in India. The Semiconductor Integrated Circuits Layout-Design Registry (SICLDR) is
the office where the applications on Layout-Designs of integrated circuits are filed for registration
of created IPR. The Registry has jurisdiction all over India.
The main provisions of the Act are:-
► According to Section 3 of the Act, the Central Government may appoint the Registrar and other
officers of Semiconductor Integrated Circuits Layout-Design for the purposes of this Act.
► Prohibition of registration of layout-designs which:-
i. are not original; or
ii. have been commercially exploited anywhere in India or in a convention country; or
iii. are not inherently distinctive; or
iv. are not inherently capable of being distinguishable from any other registered layout-design.
► A layout-design shall be considered to be original if it is the result of its creator's own intellectual
efforts and is not commonly known to the creators of layout-designs and manufacturers of
semiconductor integrated circuits at the time of its creation. Any person claiming to be the creator of a
layout-design, who is desirous of registering it, shall apply in writing to the Registrar in the prescribed
manner for the registration of his layout-design. Every application shall be filed in the office of the
Semiconductor Integrated Circuits Layout-Design Registry within whose territorial limits, the principal
place of business of the applicant is situated in India.
Infringement of Registered Layout-Design
► A registered layout-design is infringed by a person who, not being the registered
proprietor of the layout-design or a registered user thereof:

i. does any act of reproducing, whether by incorporating in a semiconductor integrated
circuit or otherwise, a registered layout-design in its entirety or any part thereof, which is
not original within the meaning of the Act.

ii. does any act of importing or selling or otherwise distributing for commercial purposes
a registered layout-design or a semiconductor integrated circuit, incorporating such
registered layout-design or an article incorporating such a semiconductor integrated
circuit, containing such registered layout-design for the use of which such person is not
entitled under the Act.
► Any person who contravenes knowingly and wilfully any of the provisions of the Act or falsely
represents a layout-design as registered, shall be punishable with imprisonment or with fine or with
both.
► According to Section 32 of the Act, the Central Government shall establish an Appellate Board to
be known as Layout-Design Appellate Board to exercise the jurisdiction, power and authority
conferred on it by or under this Act.
► The Appellate Board shall consist of a Chairperson, Vice-Chairperson and other Members as
required. Subject to the other provisions of the Act, the Bench shall consist of a Judicial Member,
Technical Member and shall sit at such place as the Central Government may specify by notification
in the Official Gazette.
► a) receiving evidence;
► b) issuing commissions for examination of witnesses;
► c) requisitioning any public record; and
► d) any other matter which may be prescribed.
► The Intellectual Property Appellate Board established under Section 83 of the Trade Marks Act, 1999
shall exercise the jurisdiction, powers and authority conferred on the Appellate Board till the
establishment of the Appellate Board.
Offences, Penalties and Procedure

► According to Section 56 of the Act, any person who knowingly and
wilfully infringes a registered layout-design shall be punishable with
imprisonment for a term up to 3 years or with a fine of a minimum of Rs. 50,000 to
a maximum of Rs. 10 Lakh or with both.
► If any person makes any representation with respect to a layout-design not being a
registered layout-design, that person shall be punishable with imprisonment for a term up to 6
months or with a fine up to Rs. 50,000 or with both.
► According to Section 59 of the Act, any person who makes a false entry in the
register or a writing falsely purporting to be a copy of an entry in the register, or
produces or tenders, or causes to be produced or tendered, in evidence any such
writing, knowing the entry or writing to be false, shall be punishable with
imprisonment for a term up to 2 years or with a fine or with both.
Liability of Intermediaries

► Yahoo Case (Domain name conflict)
► Avnish Bajaj v. State (NCT) of Delhi
► Shreya Singhal v. Union of India
► Christian Louboutin SAS v. Nakul Bajaj & Ors.
► Amazon Seller Services Pvt. Ltd. v. Amway India Enterprises Pvt. Ltd.
► Kunal Bahl & Ors. v. State of Karnataka
► Myspace Inc. v. Super Cassettes Industries Ltd.
Types of Cyber Criminals
► Identity Thieves –
✔ try to gain access to the victim’s personal information like name, address, phone number, place of
employment, bank details, credit card details, Unique Identification Number or Social Security
Number, etc. They use this information to make financial transactions while impersonating the
victim.
✔ Identity theft is one of the oldest cyber crimes and it gained prominence during the early years of
the internet.
✔ They use hacking techniques by which they hack into databases and dig out the personal
information of random people and then use that to make financial transactions in the name of their
victims.
Internet Stalkers

✔ The individuals who maliciously monitor the online activity of their victims to
terrorize and/or acquire personal information. This form of cyber crime is
conducted through the use of social networking platforms and malware, which are
able to track an individual’s computer activity with very little detection.
✔ The motive of the stalkers can depend upon the kind of cyber crime being
committed but usually internet stalkers seek to acquire important information that
can be used for bribery, slander or both.
Phishing Scammers
✔ Phishers are cyber criminals who attempt to get hold of personal or sensitive information through
victims’ computers. This is often done via phishing websites that are designed to copycat
small-businesses, even big corporations (but phishers usually avoid that because it could attract a
very hefty lawsuit) or government websites.
✔ Unsuspecting users often fall prey to such activities by unknowingly providing personal information
including home addresses, bank account details, OTPs and even passwords.
✔ After obtaining this information they either commit online frauds, theft of finances, use the
information for themselves or sell it on the dark web.
Use of BitCoin on the Dark Web

► To purchase:
► Drugs
► Guns
► Other illegal goods and services on the dark web.

► Because BitCoin is an anonymous currency – users can't be traced.
► An online drug market of around 1 billion dollars is already running
because of BitCoins. (Silkroad – first darkweb market)
Cyber Terrorists

✔ Well-organized
✔ Politically inspired
✔ Cyber attacks in which the criminals attempt to steal/corrupt data within private
computer systems as well as government computer systems and networks
✔ Resulting in harm/legal injuries to nations, businesses, organizations and
individuals.
✔ The key point of difference between a regular cyber attack and an act of cyber
terrorism is that cyber terrorists are politically motivated as opposed to just
seeking financial gain.
Cyber Crime Techniques
► Botnet: Strategically developed network of bots which crawl the backend of the web to spread
malware with very little detection.
► Zombie Computer: A computer which is deliberately hacked by cyber criminals to gain access to
computer networks.
► Distributed Denial of Service (DDoS)-
With a DDoS attack, cyber criminals are not necessarily seeking to access data per se, rather are hoping
to disrupt or shut down a network via an overload of junk data.
Email Bombing and Subscription Bombing
► In internet usage, an email bomb is a form of internet abuse consisting of sending huge volumes
of emails to an address in an attempt to overflow the mailbox or to overwhelm the server where
the email address is hosted in a denial-of-service attack.
Data Diddling

► Data diddling is the unauthorized modification of data before or during entry into
the computer system and then changing it back after processing is done.
► Including forging or counterfeiting of documents used for data entry and
exchanging valid disks and tapes with modified replacements.
Salami Attacks
► The idea or objective behind making salami attacks is to steal finances by making
a change so small that every such transaction might go undetected.
► In information security, a salami attack is a series of minor attacks that once
taken together result in a larger attack.
► Usual targets are customers of various financial institutions.
Logic Bombs
► A set of instructions secretly incorporated into a program so that if a particular condition is
satisfied they will be carried out, usually with harmful effects.
► These programs are created to do something illegal when a certain event occurs (contingent
on the happening of an event) – dormant viruses that become active only after a particular date
(like the Chernobyl Virus)
► The Chernobyl virus is a computer virus with a potentially devastating payload that destroys all
computer data when an infected file is executed.
► Since many files are executed during computer use, the virus is able to spread quickly and infect those
files.
► The Chernobyl virus is most notably recognized as the first virus known to have the power to damage
computer hardware. The activated viral strain attempts to erase the hard drive and overwrite the
system's BIOS as well.
► The Chernobyl virus was actually a variant of a parent virus known as CIH, the initials for the alleged
author of the virus, Chen Ing-Hau, a computer engineering student in Taiwan.
► CIH is sometimes referred to as a "space filler virus," referring to its ability to clandestinely take up
file space on computers and prevent antivirus software from running.
► It was named after the famous Chernobyl nuclear disaster that occurred in the Soviet Union on April
26, 1986.
Types of Malware
Spyware
✔ collects user activity data without their knowledge

✔ According to Kaspersky's "State of Stalkerware in 2019" report, 37,532
unique users were targeted by a stalkerware installation attempt
worldwide in 2019 (between January and August), an increase of 35%
since 2018, when 27,798 users were targeted.
✔ A spyware attack can be carried out remotely or directly on the
smartphone. In the first case, the attacker usually sends an email with a
malicious link which, when clicked by the target, installs the spyware on
the target's device. In the second case, the attacker installs the app
manually on the phone. This is a lot simpler to carry out, as one only
needs the password or PIN to physically unlock the phone, something that
may not be very difficult for a spouse.
Adware – just a phishing mechanism
✔ serves unwanted advertisements. Adware could be used as a bait for
ransomware to infiltrate the victim’s system.
Trojan Attacks

► A Trojan disguises itself as desirable code

► An unauthorized program which passively gains control over another’s system by
representing itself as an authorized program.
► The most common form of Trojan gets installed through emails.
► Typically, a webcam hacker or a camfecter sends his victim an innocent-looking
application which has a hidden Trojan software through which the camfecter can
control the victim's webcam. The camfecter trojan installs itself silently when the
victim runs the original application. Once installed, the camfecter can turn on the
webcam and capture pictures/videos. The camfecter software works just like the
original webcam software present in the victim computer, the only difference
being that the camfecter controls the software instead of the webcam's owner.
Rootkits
► Rootkits give hackers remote control of a victim's device

► A rootkit is a type of malware designed to give hackers access to and control over a
target device. Although most rootkits affect the software and the operating system,
some can also infect a computer’s hardware and firmware. Rootkits are adept at
concealing their presence, but while they remain hidden, they are active.
► Once they gain unauthorized access to computers, rootkits enable cybercriminals to
steal personal data and financial information, install malware or use computers as part
of a botnet to circulate spam and participate in DDoS (distributed denial of service)
attacks, etc.
► A rootkit is software used by cybercriminals to gain control over a target computer or
network. Rootkits can sometimes appear as a single piece of software but are often
made up of a collection of tools that allow hackers administrator-level control over the
target device.
Worms

✔ spreads through a network by replicating itself

✔ A computer worm is a malware that replicates itself in order to spread to other computers. It
often uses a computer network to spread itself, relying on security failures on the target
computer to access it.
✔ It will use the infected machine as a host to scan and infect other computers. When these new
worm-invaded computers are controlled, the worm will continue to scan and infect other
computers using these computers as hosts, and this behaviour will continue. Computer worms
use recursive methods to copy themselves without host programs and distribute themselves
based on exploiting the advantages of exponential growth, thus controlling and infecting more
and more computers in a short time. Worms almost always cause at least some harm to the
network, even if only by consuming bandwidth, whereas viruses almost always corrupt or
modify files on a targeted computer.
Virus vs Worm
► The primary difference between a virus and a worm is that viruses must
be triggered by the activation of their host (host file);
► whereas worms are stand-alone malicious programs that can
self-replicate and propagate independently as soon as they have
breached the system. Worms do not require activation—or any human
intervention—to execute or spread their code.

► (Source – Kaspersky.com)
How do Worms function?
► In contrast, worms don't require the activation of their host file.
Once a worm has entered your system, usually via a network
connection or as a downloaded file, it can then run,
self-replicate and propagate without a triggering event. A worm
makes multiple copies of itself which then spread across the
network or through an internet connection. These copies will
infect any inadequately protected computers and servers that
connect—via the network or internet—to the originally infected
device. Because each subsequent copy of a worm repeats this
process of self-replication, execution and propagation,
worm-based infections spread rapidly across computer
networks and the internet at large.
How do Viruses function?

► Viruses are often attached or concealed in shared or
downloaded files, both executable files—a program that
runs script—and non-executable files such as a Word
document or an image file.
► When the host file is accepted or loaded by a target
system, the virus remains dormant until the infected host
file is activated. Only after the host file is activated, can
the virus run, executing malicious code and replicating to
infect other files on your system.
Key-loggers

✔ monitors users' keystrokes


Metamorphic Malware

► A more advanced form of technique used for infiltrating and
disrupting computer systems is the use of metamorphic malware.
This malware has the peculiar feature of repeatedly adjusting
its code, thereby making it extremely difficult to detect by
even the most advanced anti-virus software.
► These forms of malware will make it difficult for the government
agencies and businesses to establish the extent to which data has
been tampered with.
Ransomware
✔ Disables victim's access to data until ransom is paid – the image below shows the aftermath of WannaCry
Industrialization of cybercrimes – an
interesting area of research (very contemporary)
✔ Not only are there entire organizations of hackers dedicated to infiltrating computer systems
and demanding large ransoms from hacking victims
✔ They are also making a lot of money by selling their precious data onto third parties
✔ This is how it usually works:
1. Having chosen their victim, the hacker gains access to key files on their computer having
exploited security flaws to get in and then
2. The hacker encrypts these files meaning thereby that the victim can no longer use them
unless they have the decryption key
3. The hacker will then demand a huge ransom to be paid.
Ransomware attack on Telangana and AP
Power Utilities -2021
► Malicious software attacked the power utility systems of Telangana and Andhra
Pradesh in the year 2021, and all the servers went down until the glitch was rectified.
Since the computer systems of Telangana and Andhra Pradesh power utilities were
interlinked, the virus attack quickly spread, taking down all the systems.
Ransomware Attack in February 2022 - Jawaharlal Nehru Port
Container Terminal (JNPCT) :
► India’s only state-owned and operated container terminal Jawaharlal Nehru Port
Container Terminal (JNPCT) was reported to have begun turning away ships
after a ransomware attack. JNPCT is India’s largest container port and one of five
container terminals. Jawaharlal Nehru Port Trust handled half of all the
containers in India. The local reports discovered the attack on 21st February and
began diverting ships to the other terminals in a complex located near Mumbai.
Ransomware Attack in May 2022 - SpiceJet
Airline:
Indian airline SpiceJet faced a ransomware attack on the night of Tuesday, 24th May, which slowed the
departure of flights the next morning. It troubled hundreds of passengers, who were stuck at the airport and
stranded in several locations in the country. The airline posted on Twitter and confirmed that its systems had
faced a ransomware attack.
Ransomware Attack in July 2022 - Water Resources
Department in Goa:

A ransomware attack was carried out on 21st June on the Water Resources Department in Goa, India,
the organization responsible for flood monitoring systems across all regions of Goa. The attackers
demanded payment in cryptocurrency for the data to be released.
Ransomware Attack in Oct 2022 - Tata
Power:
India’s largest integrated power company – Tata Power, faced ransomware attacks on
14th Oct, 2022. These attacks impacted their IT infrastructure and system. They have
immediately taken steps to restore or retrieve the systems.
The Hive Group Started leaking data
that it claimed to have stolen from
TATA Power
Ransomware Attack in Nov 2022 - All India
Institute of Medical Service or AIIMS:
India’s leading public medical institute, All India Institute of Medical Service or
AIIMS, experienced a cyber-attack on 23rd November. This attack affected hundreds
of patients and doctors accessing primary healthcare services, including discharge,
billing, and patient admission systems.
Telangana and AP Power Utilities Hacked
A malicious software attacked the power utility systems of Telangana and Andhra Pradesh
last year where all the servers went down until the glitch was rectified. Since the computer
systems of Telangana and Andhra Pradesh power utilities were interlinked, the virus attack
quickly spread, taking down all the systems.
UHBVN Ransomware Attack
► Uttar Haryana Bijli Vitran Nigam was hit by a ransomware attack where the
hackers gained access to the computer systems of the power company and stole the
billing data of customers. The attackers demanded Rs.1 crore or $10 million in
return for giving back the data.
► UHBVN, which was monitoring electricity billings of nine districts of the state
(Panchkula, Ambala, Kurukshetra, Karnal, Panipat, Yamunanagar, Sonepat, Kaithal
and Rohtak), came under cyber attack at 12.17 AM after midnight on March 21, and
thus the billing data of thousands of consumers had been hacked, as the IT wing of
the nigam was the target.
► On March 22, when the head office of UHBVN in Panchkula opened, a message
was flashed on computer screens in which the hacker demanded Rs One crore in
form of bitcoins from the state government in order to retrieve the data.
WannaCry – May 2017
► WannaCry is a ransomware cryptoworm, which targeted computers running the Microsoft
Windows operating system by encrypting (locking) data and demanding ransom payments
in the Bitcoin cryptocurrency.
► India was the third worst-hit nation by WannaCry ransomware, affecting more than 2 lakh
computer systems. During the first wave of attacks, this ransomware attack had hit banks in
India including a few enterprises in Tamil Nadu and Gujarat. The ransomware majorly
affected the US healthcare system and a well-known French car manufacturing firm
(Renault).
► Affected a total of around 150 countries and around 23,00,000 computers worldwide.
► This was the biggest ransomware attack in history.
► First case: around 7:44 UTC, South East Asia around 12th of May, 2017
► By 12:39 UTC, 74% of all Asia’s ISPs were affected.
► By 15:28 UTC, 65% of Latin American ISPs
► Millions of dollars lost – businesses shut down
Case Study on WannaCry – a ransomware
cryptoworm
► Victims included –
❖ Small to medium sized businesses
❖ Large enterprises, the private sector, the public sector
❖ Railways
❖ Healthcare
❖ Banks
❖ Malls
❖ Ministries
❖ Police
❖ Energy companies
❖ ISPs
❖ All targets were computer systems running on Windows OS.
Theft of EternalBlue by The Shadow Brokers
contributed to the attack
► It was propagated by using EternalBlue, an exploit developed by the United
States National Security Agency (NSA) for Windows systems.
► EternalBlue was stolen and leaked by a group called The Shadow Brokers a
month prior to the attack.
► While Microsoft had released patches previously to close the exploit, much
of WannaCry's spread was from organizations that had not applied these, or
were using older Windows systems that were past their end-of-life. These
patches were imperative to organizations' cyber security but many were not
implemented due to ignorance of their importance. Some have claimed a
need for 24/7 operation, aversion to risking having formerly working
applications breaking because of patch changes, lack of personnel or time
to install them, or other reasons.
► The cryptoworm kept spreading until it was stopped by Marcus Hutchins,
a cybersecurity expert at Kryptos Logic.
What was the exploit??
► Server Message Block Version 1 (SMBv1) is a network communication
protocol that allows one Windows system to connect with another Windows
system over a computer network, for sharing files and printers over a LAN.
► The vulnerability exists because the SMB version 1 (SMBv1) server in
various versions of Microsoft Windows mishandles specially crafted
packets from remote attackers, allowing them to remotely execute code on
the target computer. [Remote (Arbitrary) Code Execution - RCE]
► The NSA did not alert Microsoft about the vulnerabilities, and held on to them
for more than five years before the breach forced its hand.
► The agency then warned Microsoft after learning about EternalBlue's
possible theft, allowing the company to prepare a software patch issued in
March 2017.
► Many Windows users had not installed the patches when, two months later
on May 12, 2017, the WannaCry ransomware attack used the EternalBlue
vulnerability to spread itself.
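Added example (not from the original slides): worm propagation of the kind described above shows up in network flow records as one host contacting many distinct machines on the SMB port (TCP 445) within a short time. The detection below runs over constructed flow lines; the record format, addresses, window and threshold are assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed flow records: 'timestamp src_ip dst_ip dst_port'."""
    start = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    # Workstation using two file servers repeatedly: normal SMB use.
    for i in range(30):
        ts = start + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.21 10.0.0.{5 + i % 2} 445")
    # Host sweeping a subnet on TCP 445: two new targets per second.
    for i in range(1, 121):
        ts = start + timedelta(seconds=60 + i // 2)
        lines.append(f"{ts.isoformat()} 10.0.0.77 10.0.1.{i} 445")
    # Busy web client: many destinations, but not on the SMB port.
    for i in range(1, 81):
        ts = start + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.30 203.0.113.{i} 443")
    return lines


def detect_fanout(lines, port=445, window=timedelta(seconds=60), threshold=50):
    """Flag sources that reach `threshold` distinct destinations on `port`
    inside any sliding `window`. Returns {src: {first_alert, peak_distinct_targets}}.
    """
    per_src = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records
        ts, src, dst, dport = parts
        if int(dport) == port:
            per_src[src].append((datetime.fromisoformat(ts), dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        in_window = deque()   # events currently inside the time window
        targets = Counter()   # destination -> number of events in the window
        first_alert, peak = None, 0
        for ts, dst in events:
            in_window.append((ts, dst))
            targets[dst] += 1
            # Evict events that have fallen out of the window.
            while ts - in_window[0][0] > window:
                _old_ts, old_dst = in_window.popleft()
                targets[old_dst] -= 1
                if targets[old_dst] == 0:
                    del targets[old_dst]
            peak = max(peak, len(targets))
            if first_alert is None and len(targets) >= threshold:
                first_alert = ts
        if first_alert is not None:
            alerts[src] = {"first_alert": first_alert, "peak_distinct_targets": peak}
    return alerts


if __name__ == "__main__":
    for src, info in detect_fanout(build_sample_flows()).items():
        print(src, info["first_alert"].isoformat(), info["peak_distinct_targets"])
```

The workstation that keeps talking to the same two file servers stays below the threshold; only the host sweeping the subnet is reported.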
The exploits leaked by Shadow Brokers
included:
► EternalBlue
► EternalChampion
► EternalRomance
► All the above were developed by NSA and stolen and leaked by SB.
Read about : NotPetya and BadRabbit
Change in the definition of Hacking
► “Hacking” has been removed from S. 66 by the IT(Amendment) Act,
2008.
► Post amendment – Hacking = S. 43(i) r/w S. 66
► S.43(a) – Unauthorized access
► S.43(b)- data theft
► S.43(c)- Introduction of virus
► S.43(d)-damage to computer resource
► S.43(e)- disruption of computer, system or network
► S.43(f)- Denial of Service attacks (DDoS)
► S.43(j)-intention to cause damage – even though intention specific but
a civil offence
S.43(i) + S.43(j) : inserted after
amendment
► Liability – Damages
► Even though intention is a criterion, it is not a crime
► Upper Limit on the compensation – not to exceed 1 Cr. – has been removed now

► Problem with S.43(j) – conflict with cyber crimes


► Actus reus + Mens Rea
► Therefore, an act under S.43 which is committed dishonestly and fraudulently
would attract S.66 and make it a cyber crime. Otherwise it is a civil offence under
S.43
Section 65 vs. Section 43(j)

► S.65- Tampering with computer resource that is required to be kept and
maintained by the law
► S.43(j)- Tampering with computer resource kept with private individuals
Jurisdiction – Director to the GOI

► Shashank Shekhar Mishra v. Ajay Gupta case


► JCB India Ltd. v. IP Address 122.163.98.166
Intention is the criteria

► Dishonest or fraudulent intention distinguishes between a cyber offence and a
cyber crime.
► S. 66B – Dishonestly receiving a stolen computer resource
► S.66C- Identity Theft
► S.66D- Cheating by personation
► S.66E- Violation of privacy
► S.66F- Cyber Terrorism
Corporate Criminal Liability – for cyber
crimes
► The Baazee.com case
► S.85 deals with corporate liability for cyber crimes

► Case of child pornography – Baazee.com – Avnish Bajaj v. State (NCT) of Delhi


► The debate about corporate criminal liability of directors
► Directors cannot be held liable if the company is not arraigned as the accused
Why is pornography such a big issue
after all?
► The Hicklin Test
► The Miller Test
► The Likely Audience Test
► The Responsible Reader Test
Hicklin Test – by Sir Alexander James Edmund
Cockburn – the most vulnerable person test
► In Regina v. Hicklin (1868), Lord Chief Justice Alexander Cockburn,
writing for the Court of Queen’s Bench, supplied a broad definition of
obscenity, based on ascertaining “whether the tendency of the matter is
to deprave and corrupt those whose minds are open to such immoral
influences and into whose hands a publication of this sort may fall.”
► The Hicklin Test permitted a conviction for purveyors of obscenity if a
publication had a mere tendency to arouse lustful thoughts in the minds
of the most susceptible, usually youthful, readers. Isolated passages
could be used to determine whether there was sufficient evidence to
infer a defendant’s intention to corrupt public morals. A defendant could
not rebut this inference by arguing that a book was published in the
public interest or by providing evidence of its literary merit.
Regina v. Hicklin
► The Obscene Publications Act 1857, also known as Lord Campbell's Act. Lord
Campbell, the Chief Justice of Queen's Bench, introduced the bill, which provided
for the seizure and summary disposition of obscene and pornographic materials. The
Act also granted authority to issue search warrants for premises suspected of housing
such materials
► Henry Scott, who resold copies of an anti-Catholic pamphlet entitled "The
Confessional Unmasked: shewing the depravity of the Romish priesthood, the
iniquity of the Confessional, and the questions put to females in confession." When
the pamphlets were ordered to be destroyed as obscene, Scott appealed the order to
the court of quarter sessions. Benjamin Hicklin, the official in charge of such orders
as Recorder, revoked the order of destruction. Hicklin held that Scott's purpose had
not been to corrupt public morals but to expose problems within the Catholic
Church; hence, Scott's intention was innocent.
Regina v. Hicklin
► The authorities appealed Hicklin's reversal, bringing the case to the
consideration of the Court of Queen's Bench.
► Chief Justice Cockburn, on April 29, 1868, reinstated the order of the
lower court, holding that Scott's intention was immaterial if the
publication was obscene in fact. Justice Cockburn reasoned that the
Obscene Publications Act allowed banning of a publication if it had a
"tendency… to deprave and corrupt those whose minds are open to
such immoral influences, and into whose hands a publication of this
sort may fall." Hicklin therefore allowed portions of a suspect work to
be judged independently of context. If any portion of a work was
deemed obscene, the entire work could be outlawed.
The reception of the Hicklin test in the USA
► In USA, the obscenity laws were based on the anti-obscenity statute, known as
the Comstock Act. Anthony Comstock was appointed postal inspector to enforce
the new law.
► 24 States passed similar prohibitions on materials distributed within the states.
► It covered under its ambit:
1. sexually explicit material
2. material dealing with birth control and abortion.
► Although lower courts in the U.S. had used the Hicklin standard sporadically since
1868, it was not until 1879, when prominent federal judge Samuel
Blatchford upheld the obscenity conviction of D. M. Bennett using Hicklin, that the
constitutionality of the Comstock Law became firmly established. In 1896, the
Supreme Court in Rosen v. United States, 161 U.S. 29 (1896), adopted the Hicklin
test as the appropriate test of obscenity.
End of the Hicklin Era – by the Ulysses
case
► In the case of United States v. One Book Called Ulysses, 72 F.2d 705 (2d Cir. 1933),
Judge John Woolsey found Ulysses to not be obscene.
► The Hicklin test was not followed in this case. Instead the judge gave the following
yardstick to be considered by the court for determining obscenity:
1. the work as a whole and not just selected passages should be interpreted – since
selected passages could be out of context.
2. its effect on an average, rather than the most susceptible person is to be seen.
3. contemporary community standards must be conformed with.
► This ruling refuted those who argued against adult possession of material that could
hypothetically corrupt a child.
Roth v. United States – The Roth Test

► Finally, in Roth v. United States, 354 U.S. 476 (1957), the US SC held
that the Hicklin test was inappropriate.
► Justice Brennan, noted that some American courts had adopted the
Hicklin standard, but that later decisions more commonly relied
upon the question of “whether to the average person, applying
contemporary community standards, the dominant theme of the
material taken as a whole appeals to prurient interest.”
► This Roth test became essentially the new definition of obscenity
in the United States.
Miller Test
► The Miller test was developed in the 1973 case Miller v. California. It has three parts:
1. Whether the average person, applying contemporary community standards, would find
that the work, taken as a whole, appeals to the prurient interest
2. Whether the work depicts or describes, in a patently offensive way, sexual conduct or
excretory functions specifically defined by applicable state law
3. Whether the work, taken as a whole, lacks serious literary, artistic, political,
or scientific value.
► The work is considered obscene only if all three conditions are satisfied.
► The first two prongs of the Miller test are held to the standards of the community, and the
last prong is held to what is reasonable to a person of the United States as a whole.
► The national reasonable person standard of the third prong acts as a check on the first two
prongs, allowing protection for works that in a certain community might be considered
obscene but on a national level might have redeeming value.
► For legal scholars, several issues are important. One is that the test allows for community
standards rather than a national standard. (United States v. Kilbride)
► What offends the average person in Manhattan, Kansas, may differ from what offends the
average person in Manhattan, New York. The relevant community, however, is not defined.
► Another important issue is that the Miller test asks for an interpretation of what the
"average" person finds offensive, rather than what the more sensitive persons in the
community are offended by, as obscenity was defined by the previous test, the Hicklin test,
stemming from the English precedent.
► In practice, pornography showing genitalia and sexual acts is not ipso facto obscene
according to the Miller test.
► For instance, in 2000, a jury in Provo, Utah, took only a few minutes to clear Larry
Peterman, owner of a Movie Buffs video store, in Utah County, Utah. He had been charged
with distributing obscene material for renting pornographic videos which were displayed in a
screened-off area of the store clearly marked as adult-only. The Utah County region had
often boasted of being one of the most socially conservative areas in the United States.
However, researchers had shown that guests at the local Marriott Hotel were
disproportionately large consumers of pay-per-view pornographic material, accessing far
more material than the store was distributing.
Ranjit D. Udeshi v. State of Maharashtra
► Ranjit D. Udeshi was one of the four partners of a firm that owned a book-stall. The partners were prosecuted
under section 292 of the IPC for selling copies of an allegedly obscene book, Lady Chatterley’s Lover, by DH
Lawrence.
► Section 292 punishes any person who sells any obscene book or other material. Udeshi argued that section 292 is
violative of the rights to freedom of speech and expression under article 19(1)(a) of the Indian Constitution and that
the book is not obscene if considered as a whole.
► Section 292 does not define “obscenity.” Therefore, the Supreme Court had to differentiate between what was
obscene and what was artistic. The Court proceeded to examine the test of obscenity that should be employed to
determine what falls within constitutional limits, as mere sex and nudity do not amount to obscenity.
► The Court used the Hicklin test, which examines whether the impugned matter tends to “deprave and corrupt those
whose minds are open to such immoral influences, and into whose hands a publication of this sort may fall.” This
test was found not to violate article 19 of the Indian Constitution. Under Hicklin, a work should be viewed as a
whole, but the obscene matter should also be separately considered to see if it violates the test. Where art and
obscenity coexist, “art must be so preponderate as to throw the obscenity into a shadow or the obscenity so trivial
and insignificant that it can have no effect and may be overlooked.”
► Where a work substantially transgresses public decency and morality, the rights to free speech and freedom of
expression must give way. In India, “obscenity without a preponderating social purpose or profit” is not protected.
Treating “sex in a manner appealing [or tending to appeal] to the carnal side of human nature” is offensive to
modesty and decency and is obscene. But the extent of such appeal must be examined in each case. The Court
examined the text of Lady Chatterley’s Lover and concluded that it was obscene under Hicklin. The appeal against
conviction was thus dismissed.
Ranjit D. Udeshi Case

► Udeshi contended that section 292 violates his fundamental
right to freedom of speech and expression guaranteed by
Article 19(1)(a) of the Constitution. It was decided that
Article 19(1)(a) of the Constitution is subject to the
restrictions listed in Article 19(2). One of the grounds is
public morality and decency. Section 292, dealing with
obscene materials, addresses the issue of public decency
and morality and so falls within this exception.
Therefore, section 292 is constitutional.
Likely Audience Test – as opposed to the
most vulnerable person test
► Obscenity has to be analysed by considering the TOTAL WORK
and its impact on the society
► The meaning of obscenity varies from jurisdiction to jurisdiction
► Because every society has its own cultural and moral standards
► It is the moral fabric of the society that determines this
► Likely Audience Test was adopted by the Indian SC in the case of
Chandrakant Kalyandas Kakodkar v. State of Maharashtra
► It is difficult to determine and decide the “contemporary society
standards”
► (Discuss the Dost Test and the US v. Kilbride)
Chandrakant Kalyandas Kakodkar Case
► The appellant was the author of a short story titled Shama published in the 1962 Diwali Issue of
Rambha, a monthly Marathi Magazine, which was considered as obscene. Criminal Proceedings were,
therefore, initiated before the first class Magistrate, Poona by the complainant Bhide under Section 292,
I.P.C. against the printer and publisher accused 1, the writer of the story accused 2 and the selling agent
accused 3.
► The complainant stated that he had read the aforesaid Diwali issue of Rambha and found many articles
and pictures in it to be obscene which are calculated to corrupt and deprave the minds of the readers in
general and the young readers in particular.
► The Magistrate after an exhaustive consideration did not find the accused guilty of the offence with
which they were charged and, therefore, acquitted them.
► The complainant and the State filed appeals against this judgment of acquittal. Before the High Court it
was conceded that there was no evidence that accused No. 3 had sold any copies of the issues of
Rambha and accordingly the order of acquittal in his favour was confirmed. In so far as the other two
accused are concerned it reversed the order of acquittal and convicted the printer and publisher accused
1 and the writer accused 2 under Section 292, I.P.C., but taking into consideration the degree of
obscenity in the passages complained of a fine of Rs. 25/- only was imposed on each of the accused and
in default they were directed to suffer simple imprisonment for a week. It was also directed that copies
of the magazine Rambha in which the offending story was published and which may be in possession
and power of the two accused be destroyed.
Chandrakant Kalyandas Kakodkar Case – likely audience test
► Virtual world is one society with diminishing conventional borders with differences and a mixture of
moral standards
► Court considered the question of obscenity in a novel (Shama) that centered around the life and times of
a revolutionary poet.
► There were descriptions of the sexual relations that the protagonist chanced upon. The Supreme Court,
however, made an important and nearly new requirement.
► It was held that :
It is, therefore, the duty of the court to consider the obscene matter by taking an overall view of the entire
work and to determine whether the obscene passages are so likely to deprave and corrupt those whose minds
are open to such influences and in whose hands the book is likely to fall and in doing so one must not
overlook the influences of the book on the social morality of our contemporary society
Though the Hicklin Test was not wholly discarded, it was observed that, “What we have to see is that
whether a class, not an isolated case, into whose hands the book, article or story falls suffers in its moral
outlook or becomes depraved by reading it or might have impure and lecherous thought aroused in its
minds”.
The Supreme Court of India held that the test of obscenity must be based on the intended audience
and not on the person into whose hands the book might fall.
Samaresh Bose vs Amal Mitra, 1986 AIR
967
► In which a Bengali novel, “Prajapati”, was challenged on the ground of
obscenity, the Supreme Court held that the book did not have the effect of
corrupting or degrading morals or encouraging lasciviousness among the
readers, as the author intended to expose certain ills irritating the society
and to this end he used his technique, skill and choice of words.

► It departed from the Hicklin test in laying down the obscenity test. The
court held that in assessing the obscenity test, the judge should put himself
in the position of a reader of each age group into whose hands the book is
likely to fall and should try to appreciate what kind of possible effect the
book is likely to have on the readers’ minds.
Aveek Sarkar v. State of West Bengal
• A German magazine named “STERN”, having worldwide circulation, published an article with a picture of
Boris Becker, a world-renowned tennis player, posing nude with his black fiancée Barbara Feltus,
a film actress; the picture was photographed by her father. The article reports an interview in which both Boris
Becker and Barbara Feltus spoke freely about their engagement, their lives and future plans, and the
message they wanted to convey to the people at large through that photograph. The article portrays Boris
Becker as a strident protester against the pernicious practice of “Apartheid”. It was stated that the purpose of
the photograph was also to signify that love triumphs over hatred.
• “Sports World”, a widely circulated magazine published in India reproduced the article and the
photograph as cover story in its Issue 15 dated 05.05.1993 with the caption “Posing nude dropping out of
tournaments, battling Racism in Germany. Boris Becker explains his recent approach to life” – Boris
Becker Unmasked.
• Anandabazar Patrika, a newspaper having wide circulation in Kolkata, also published in the second page
of the newspaper the above-mentioned photograph as well as the article on 06.05.1993, as appeared in the
Sports World.
• A lawyer practising at Alipore Judge’s Court, Kolkata, who claimed to be a regular reader of Sports World as
well as Anandabazar Patrika, filed a complaint under Section 292 of the Indian Penal Code against the
Appellants.
Allegations:
1. The nude photograph that appeared in the Anandabazar Patrika, as well
as in Sports World, would corrupt young minds, both children and
youth of this country, and is against the cultural and moral values of
our society.
2. It is against the dignity and honour of Indian womanhood and is in
violation of Section 4 of the Indecent Representation of
Women (Prohibition) Act, 1986.
3. It was intentionally done by both the accused, i.e. Anandabazar
Patrika and Sports World, for sale of their papers and magazines
published, printed and publicly exhibited and circulated.
4. The photograph gives sexual titillation, its impact is moral
degradation, and it would also encourage people to
commit sexual offences.
Held:
1. The contemporary morals and national standards of 2014 must be looked into and not the standard of a group of
susceptible or sensitive persons. Hicklin test postulated that a publication has to be judged for obscenity based on
isolated passages of a work considered out of context and judged by their apparent influence on most susceptible
readers, such as children or weak-minded adults.
2. The Hicklin test was not regarded as the correct test to be applied to determine “what is obscenity”. Section 292 of the
Indian Penal Code uses the expression ‘lascivious and prurient interests’ or its effect. The Court applied the “community
standard test” rather than the “Hicklin test” to determine what is “obscenity”. A bare reading of Sub-section (1) of
Section 292 makes clear that a picture or article shall be deemed to be obscene (i) if it is lascivious; (ii) it appeals
to the prurient interest, and (iii) it tends to deprave and corrupt persons who are likely to read, see or hear the
matter, alleged to be obscene.
3. A picture of a nude/semi-nude woman cannot be called obscene unless it has the tendency to arouse feeling or
reveal an overt sexual desire. Only those sex-related materials which have a tendency of “exciting lustful
thoughts” can be held to be obscene, but obscenity has to be judged from the point of view of an average person, by
applying contemporary community standards.
4. The message the photograph wants to convey is that the colour of skin matters little and love champions over
colour. The picture promotes a love affair, leading to a marriage, between a white-skinned man and a black-skinned
woman.
Hence the Court found that no offence had been committed under Section 292, the photograph was not considered to
be obscene, and the criminal proceedings against the appellant were set aside.
Held further:

► Applying the “community tolerance test”, the court held
that decisions in such cases must be made about current
national standards and not those of a vulnerable group. If
society accepts the depiction of sexual activities on the
silver screen, the court cannot cancel it for the sake of a
few sensitive people. The court must accept it if it is
acceptable to society in general.
The Aversion Defence / The Aversive Defence - Bobby Art International, Etc v. Om Pal Singh Hoon
► The mere fact that a film depicted riots and sexual violence was no reason to deny its
exposure to the public.
► The aversion test established the idea that authors and filmmakers sometimes
depict nudity not to arouse sexual desire but rather to arouse in the audience horror
and revulsion (disgust) at the depicted social evil.
► The Supreme Court of India applied the aversion test in the Bandit Queen case. In
this case, the rape scene was challenged on the grounds of obscenity. The court
rejected the challenge and decided that the goal of the scene of frontal nudity was
not to excite the viewers’ lust but to arouse their sympathy for the victim and
disgust for the perpetrators.
S. Khushboo vs Kanniammal & Anr
► The appellant gave an interview on the India Today channel in which she said
that pre-marital sex should be recognized and embraced by society.
► Dhina Thanthi, a Tamil daily, announced that her statements were received as
“sensational” in Tamil Nadu, and later they had an interview with her in which
the appellant allegedly defended her views.
► The appellant submitted a legal notice dated 2.10.2005 to the editor of ‘Dhina
Thanthi’ shortly after the release of the aforementioned news story, categorically
denying that she had published such comments.
► In S. Khushboo vs Kanniammal, the Supreme Court, while deciding the question of
obscenity, held that while mainstream society may accept sexual relations only
between married partners, there is no statutory offence where unmarried
consenting adults engage in sexual relations. The court ruled that premarital sex
and live-in relationships are no longer uncommon in Indian society, so any
reference to them or calls for social acceptance of such trends cannot be
considered obscene or offensive to womanhood.
The Common Man Test

► This test states that to determine whether a work of art or a
publication is obscene or not, it should be seen through
the eyes of the common man and not through the eyes
of a hypersensitive person. In Ramesh vs Union of
India, the Indian Supreme Court held that the effect of
words must be judged by the standards of men of
reason, strength, firmness and courage, and not of those
of weak and wavering minds, or of those who sense
danger in every hostile point of view.
Section 292 IPC
► According to Section 292 of the Indian Penal Code,
• For the purposes of sub-section (2), a book, pamphlet, paper, writing, drawing, painting, representation, figure or any
other object, shall be deemed to be obscene if it is lascivious or appeals to the prurient interest or if its effect, or (where
it comprises two or more distinct items) the effect of any one of its items, is, if taken as a whole, such as to tend to
deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter
contained or embodied in it.
• Whoever:
• sells, lets to hire, distributes, publicly exhibits or in any manner puts into circulation, or for purposes of sale, hire, distribution,
public exhibition or circulation, makes, produces or has in his possession any obscene book, pamphlet, paper, drawing, painting,
representation or figure or any other obscene object whatsoever, or
• imports, exports or conveys any obscene object for any of the purposes aforesaid, or knowing or having reason to believe that
such object will be sold, let to hire, distributed or publicly exhibited or in any manner put into circulation, or
• takes part in or receives profits from any business in the course of which he knows or has reason to believe that any such
obscene objects are, for any of the purposes aforesaid, made, produced, purchased, kept, imported, exported, conveyed, publicly
exhibited or in any manner put into circulation, or
• advertises or makes known by any means whatsoever that any person is engaged or is ready to engage in any act which is an
offence under this section, or that any such obscene object can be procured from or through any person, or
• offers or attempts to do any act which is an offence under this section,
shall be punished on first conviction with imprisonment
of either description for a term which may extend to two years, and with fine which may extend to two thousand rupees, and, in
the event of a second or subsequent conviction, with imprisonment of either description for a term which may extend to five
years, and also with fine which may extend to five thousand rupees.
Section 293, IPC

► 293. Sale, etc., of obscene objects to young person.-- Whoever
sells, lets to hire, distributes, exhibits or circulates to any person
under the age of twenty years any such obscene object as is
referred to in the last preceding section, or offers or attempts so
to do, shall be punished [on first conviction with imprisonment
of either description for a term which may extend to three
years, and with fine which may extend to two thousand rupees,
and, in the event of a second or subsequent conviction, with
imprisonment of either description for a term which may extend
to seven years, and also with fine which may extend to five
thousand rupees].
Section 294, IPC

► [294. Obscene acts and songs.—Whoever, to the
annoyance of others—
a) does any obscene act in any public place, or
b) sings, recites or utters any obscene song, ballad or words,
in or near any public place, shall be punished with
imprisonment of either description for a term which may
extend to three months, or with fine, or with both.]
Sections 292, 293, 294 r/w Section 67 IT Act

► BUT obscenity has not been defined properly as yet. The research question that still remains is: what exactly is
obscene in the digital space (cyberspace) as far as India is concerned?

► We only have judicial pronouncements to make it clear.

► Hopefully the Digital India Act, 2023 will cure this issue.

Tests for Obscenity

► Hicklin Test (R. v. Hicklin)
► Roth’s Test (Roth v. US)
► Miller’s Test (Miller v. California)
► Climate of literate Test (R. v. Penguin Books Ltd.)
► The common man test (Ramesh v. UOI)
► Clear and present danger test (K.A. Abbas v. UOI)
► Likely audience test (Chandra Kant Kalyandas Kakodkar)
► Aversion Test (Bobby Art International)
► Responsible Reader Test (Ajay Goswami)
Interesting readings

► Ranveer Singh’s case
► Urfi Javed’s case
► Milind Soman’s case
Country Responsible for the attack

► The attack was estimated to have affected more than 300,000 computers across
150 countries, with total damages ranging from hundreds of millions to billions
of dollars. At the time, security experts believed from preliminary evaluation of
the worm that the attack originated from North Korea or agencies working for the
country. This was confirmed in December 2017, when the United
States and United Kingdom formally asserted that North Korea was behind the
attack.
Demands – the ransom amount?
► $300 worth of Bitcoin. (Why Bitcoin? Because the holder of the
Bitcoin would remain anonymous – complete privacy. The wallet can
be traced, but the owner would still be difficult to trace
without extensive forensic analysis.)
► This was later hiked to $600 worth of Bitcoin.
► Files were recoverable if the payment was made within 7 days
of the infection. However, the attackers stated that they would recover and
provide the deleted files to users who were “so poor that they could
not pay even after 6 months” – just to humiliate the users.
Prep for Interviews

► User License Agreements
► Terms and Conditions of Websites
► Privacy Policies
► Intermediary Obligations
► Content Moderation
► Technology Outsourcing Contracts
► Commercial and Marketing Contracts
► Statutory compliances
► Litigation and Law Enforcement
User Agreement
► User Agreements are published in accordance with the provisions of Rule 3 (1) of
the Information Technology (Intermediaries Guidelines) Rules, 2021 that require
publishing the rules and regulations, privacy policy and terms and conditions for
access and/or usage of this website/service ("Website/Service").
► Rule 3(1) – Due Diligence by an Intermediary: The term ‘intermediary’ includes
social media intermediary and significant social media intermediary.
► S. 2(1)(w): ‘social media intermediary’ means an intermediary which primarily or
solely enables online interaction between two or more users and allows them to
create, upload, share, disseminate, modify or access information using its services;
► S. 2(1)(v): ‘significant social media intermediary’ means a social media
intermediary having number of registered users in India above such threshold as
notified by the Central Government. Threshold: 50 lakh registered users.
Contents of a classic User Agreement
► Definitions like ‘user’, ‘you’, ‘your’, ‘we’, ‘us’, ‘our’
► Access to Website
► Ownership of Intellectual Property Rights
► User Material
► Contents and Promotions
► Disclaimer and Limitations of Liability
► Indemnity
► Third Party Websites
► Notice and Take-Down Process
► Termination
► Miscellaneous
► A sample User Agreement of Viacom 18
Terms and Conditions of a Website Contract
A Sample of Terms and Conditions to be filed
Privacy Policy Drafting

► The Information Technology Act of 2000 governs various issues relating to the
internet, maintenance of websites and e-commerce. It is the Information
Technology Act that criminalizes and provides civil damages for hacking,
infusion of virus, unauthorized copying, tampering, etc. In 2008, the Act was
further extended to criminalize additional activity such as sending of offensive
content, theft of computer resources, identity theft, cheating by impersonation,
cyber terrorism, transmitting of obscene content and child pornography.
► Let us now look at the rules concerning website privacy policy and privacy rules
in India.
Privacy Policy

► Body corporates, while collecting personal information, should publish a privacy
policy which must include:
1. a clear and easily accessible statement on its practices and policies
2. type of information collected
3. purpose of collection and usage of such information
4. policy on disclosure with third parties
5. reasonable security practices and procedures adopted.
► It is important to note that the obligation of publishing a privacy policy is
applicable for all types of personal information or data collected and is not limited
to the collection of sensitive personal information.
While drafting the privacy policy for any firm’s website, the following info needs to be kept in mind

► The latest amendments to the Information Technology Act introduced basic privacy and
data protection provisions. The privacy law in India now requires businesses and
websites to apply due care while collecting and dealing with sensitive personal data or
information.
► A civil provision is now available, prescribing damages for an entity that is negligent in
using “reasonable security practices and procedures” while handling “sensitive personal
data or information”, resulting in wrongful loss or wrongful gain to any person. Further,
criminal punishment is also provided for persons who:
• Disclose sensitive personal information without the consent of the person or in breach of
the relevant contract, with the intention of, or knowing that the disclosure would cause
wrongful loss or gain.
► Although some provisions under the IT Act aim at regulating the processing of personal
data in cyberspace, the primary focus of the IT Act has been on providing information
security regulations for the protection of personal and sensitive data in cyberspace.
The SPDI Rules

► In adherence to data protection provisions under the IT Act, the Central
Government has enacted the Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules
2011 (hereinafter, “The SPDI Rules”). The SPDI Rules encompass provisions to
regulate:
1. Processing of Personal Data/Information and/or Sensitive Personal
Data/Information
2. Prescribing security practices and procedures for handling Personal
Data/Information and/or Sensitive Personal Data/Information
Applicability

► The provisions of the IT Act and SPDI Rules apply to
all body corporates collecting, receiving, possessing,
storing, dealing or handling the personal information of
natural persons in India.
1. If a body corporate is located in India: SPDI Rules are
applicable. (NGOs and thinktanks are excluded)
2. If a body corporate is located outside of India: SPDI
Rules are applicable only if the body corporate has a
computer, computer system or computer network located
in India.
Applicability - subjects
► The SPDI Rules protect natural persons residing in India.
Therefore, the collection of information/data of a firm,
partnership, trust, company, LLP, etc. will not attract data
protection requirements under the SPDI Rules.
► It is unclear if the SPDI Rules apply to foreign nationals
residing in India. As per the popular understanding, the
applicability of SPDI Rules is limited to Indian Nationals.
► The IT Act and the SPDI Rules are only applicable to
information and data collected in cyberspace and have no
application to information and data collected through
offline/physical modes.
Data Categorization
► The SPDI Rules define Personal Information as “any information that relates to a natural
person, which, either directly or indirectly, in combination with other information available
or likely to be available with a body corporate, is capable of identifying such person.”
► Further, Sensitive Personal Data or Information has been defined as personal information
which consists of information relating to:
1. Password
2. Financial information
3. Physical, physiological and mental health conditions
4. Sexual orientation
5. Medical records and history
6. Biometric information
► Although the SPDI Rules define “Personal Information”, the rules are mainly focused on
protecting “Sensitive Personal Data or Information”.
Exemptions:

► The following information is not regarded as
sensitive personal information/data and is excluded
from data protection obligations:
1. Information that is freely accessible in the public
domain.
2. Information availed under the Right to
Information Act, 2005.
Requirement of consent under the SPDI Rules
► Where a body corporate is collecting any sensitive personal data, the body
corporate or any person on its behalf is required to obtain consent from the provider
of information through a letter, email, fax or any other electronic mode.
► While obtaining consent, the body corporate should ensure that the provider of
information knows:
1. the fact that the information is being collected from them;
2. the purpose of the collection;
3. the intended recipients (e.g. third parties with whom the information might be
shared); and
4. the name and address of the body corporate or person on behalf of the body
corporate who is collecting such information.
► The body corporate must take all reasonable steps to ensure that the provider
of the information knows all the particulars stated above.
In case of disputes – Appointment of a GO
► A body corporate must appoint a grievance officer whose
name and contact details are to be published on the
website. The grievance officer shall ensure that the
grievances and discrepancies of the provider of
information are resolved in a time-bound manner and
within one month from the date of receiving the grievance.
► The SPDI Rules do not stipulate any specific qualifications
or eligibility criteria for the appointment of the grievance
officer.
Standard Security Practices

► Body corporates shall be deemed to have complied with
reasonable security practices and procedures if they adopt:
1. The International Standard IS/ISO/IEC 27001 on
“Information Technology – Security Techniques –
Information Security Management System –
Requirements”; OR
2. Any code of best practices duly approved & notified by
the Central Government.
Storage limitation

► Rule 5(4), SPDI Rules, 2011
► The body corporate or the person on its behalf must
not hold/store the sensitive personal data for longer
than required for the purpose for which the
information has been collected.
Disclosures with third parties – Rules 5(4), 6(1), 6(2), 6(3) and 6(4)
► Before disclosing/sharing sensitive personal data or information with any
third party, the body corporate shall obtain the prior consent (rule 5(4)) of
the provider of information. Such consent is not required in the following
circumstances:
• Where the provider of information has already consented to such disclosure
in the contract entered between the body corporate and provider.
• Where the disclosure is necessary for compliance with a legal obligation.
• Where the disclosure is being made to a Government Agency mandated
under law to obtain such information.
• Where the disclosure is directed by any order under any law.
► Publication of sensitive personal information by the body corporate or by the
third party receiving the information is strictly prohibited. – 6(3) and 6(4)
Digital Personal Data Protection Bill, 2022

• The Bill will apply to the processing of digital personal data within India where such data
is collected online, or collected offline and is digitized. It will also apply to such
processing outside India, if it is for offering goods or services or profiling individuals in
India.
• Personal data may be processed only for a lawful purpose for which an individual has
given consent. Consent may be deemed in certain cases.
• Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and
delete data once its purpose has been met.
• The Bill grants certain rights to individuals including the right to obtain information, seek
correction and erasure, and grievance redressal.
• The central government may exempt government agencies from the application
of provisions of the Bill in the interest of specified grounds such as security of the state,
public order, and prevention of offences.
• The central government will establish the Data Protection Board of India to adjudicate
non-compliance with the provisions of the Bill.
• Exemptions to data processing by the State on grounds such as national
security may lead to data collection, processing and retention beyond what
is necessary. This may violate the fundamental right to privacy.
• The Bill accords differential treatment on consent and storage limitation to
private and government entities performing the same commercial function
such as providing banking or telecom services. This may violate the right
to equality of the private sector service providers.
• The central government will prescribe the composition, and manner and
terms of appointments to the Data Protection Board of India. This raises a
question about the independent functioning of the Board.
• The Bill does not grant the right to data portability and the right to be
forgotten to the data principal.
• The Bill requires all data fiduciaries to obtain verifiable consent from the
legal guardian before processing the personal data of a child. To comply
with this provision, every data fiduciary will have to verify the age of
everyone signing up for its services. This may have adverse implications
for anonymity in the digital space.
DIA, 2023
► Adjudicating User Harm against revenge porn, cyber-flashing, dark web,
women and children, defamation, cyber-bullying, doxing, salami slicing,
etc.
► Age-gating by regulating addictive tech and protecting minors’ data, safety
and privacy of children on social media platforms, gaming and betting
apps; Mandatory ‘do not track’ requirement to avoid children as data
subjects for ad targeting, etc.
► Digital user rights including Right to be forgotten, Right to secured
electronic means, Right to redressal, Right to digital inheritance, Right
against discrimination, Rights against automated decision-making, etc.
► Discretionary moderation of fake news by social media platforms should
be critically examined and regulated under the Constitutional Rights of
freedom of speech & expression.
► Definition and Regulation of high-risk AI systems through legal,
institutional quality testing framework to examine regulatory models,
algorithmic accountability, zero-day threat & vulnerability
assessment, examine AI based ad-targeting, content moderation etc.
► Privacy invasive devices such as spy camera glasses, wearable tech
should be mandated under stringent regulation before market entry
with strict KYC requirements for retail sales with appropriate criminal
sanctions.
► Secure Cyberspace by empowering agencies like CERT for cyber
resilience; strengthening the penalty framework for non-compliance,
advisories on the information & data security practices, etc.
► Content Monetisation Rules for platform-generated and
user-generated content
Content Moderation

► Content moderation is the process of reviewing and
monitoring user-generated content on online platforms to
ensure that it meets certain standards and guidelines. This
includes removing inappropriate or offensive content and
enforcing community guidelines and terms of service.
► In other words, when a user submits content to a website,
that content will undergo a screening process (known as
the moderation process) to ensure that the content upholds
the website’s regulations and is not illegal, inappropriate,
harassing, etc.
Power of the Central Government to intercept Traffic
Electronic Evidence

► Paper document and Electronic document

► Paper document: Sheet of paper + information which is
textual/pictorial/in marks or figures + tangible + can be sealed
– cannot be easily tampered with

► Electronic document: Generated from a computer + printed
with a printer + cannot be sealed but can be affixed with a
Digital Signature which is an equivalent of a seal – can be
easily tampered with or altered/modified/deleted.
The term “document” defined

► Section 29 IPC: “any matter expressed or described upon
any substance by means of letters, figures, or marks, or by
more than one of those means, intended to be used, or
which may be used, as evidence of that matter.”

► Section 3 IEA: “Document” means any matter expressed
or described upon any substance by means of letters,
figures or marks, or by more than one of those means,
intended to be used, or which may be used, for the purpose
of recording that matter.
Electronic documentation under the IT Act, 2000
► Preamble of the IT Act

► Definitions of “computer” (2(1)(i)), “communication device”
(2(1)(ha)) and “computer network” (2(1)(j))

► Section 4 and Section 5 – legal recognition of electronic
records (2(1)(t))

► Section 7 - retention of electronic documents in electronic
form (2(1)(r)) for specific periods.
Admissibility

► Section 65B IEA: Admissibility of Electronic Records - The Evidence Act specifies
the requirements for the admissibility of electronic records such as eSignatures &
digital documents as evidence in legal proceedings.
► Presumptions - Sections 85A, 85B, 85C and Section 88A
The requirement of the document being in “Writing”
► The requirement of writing is reflected in Section 3(65) of the General
Clauses Act: expressions referring to “writing” shall be construed as
including references to printing, lithography, photography and other
modes of representing or reproducing words in a visible form.

► Therefore, the print outs of electronic records + display of electronic
records on the screen = would satisfy the requirements of “Writing”.

► UNCITRAL Model Law of e-commerce: wherever the law requires any
information to be in writing or in type written format or printed form, such
a requirement shall be deemed to be satisfied if the information is
“rendered or made available in an electronic form” and is “accessible so
as to be used for a subsequent reference”.
Some important case laws
► Ziyauddin Burhanuddin Bukhari v. Brijmohan Ramdass Mehra & Ors. –
the court had accepted tape recorded speeches as documents and held such
evidence to be admissible evidence. On a similar reasoning, electronic
records would even qualify as documentary evidence subject to satisfying
the prescribed tests of admissibility.
► Central Electricity Regulatory Commission v. National Hydroelectric
Power Corporation – Held that Court notices can be sent via emails apart
from postal delivery at the registered address in order to avoid delays and
accumulation of arrears, particularly in all commercial litigation where
urgent relief is sought by parties.
► King v. State Ex Rel Murdock Acceptance Corporation: Supreme Court of
Mississippi held that a printout of an electronic record is admissible
evidence of a permanent record stored on a magnetic tape as these records
cannot be accessed and produced without a printout. This decision would
therefore apply to any other form of storing electronic records including
CD ROMs, hard drives, pen drives, etc.
Kinds of evidence:

► Judicial Evidence
► Non-Judicial Evidence
► Character Evidence
Judicial Evidence

► Those which can be presented before a Magistrate or a Court

► Section 80 IEA: whenever any document is produced by a witness in a judicial
proceeding as evidence, the court shall presume such a document to be genuine,
that it was taken under the circumstances recorded therein and was duly signed
and such evidence is duly taken.
Non judicial evidence

► Evidence that is not given in the presence of a court or judicial officer.

► Example: a confession made by the accused in the presence of some other person
would be termed as a non-judicial evidence

► Section 25 IEA: no confession made to a police officer shall be proved against an
accused of any offence.
Character Evidence

► The evidence that throws light upon the character or the personality traits of a
person.

► Example: In a homicide case, evidence of the good character of the accused
could be presented by the accused.

► Section 54 IEA: in criminal proceedings the fact that the accused person has a bad
character is irrelevant unless evidence has been given that he has a good character,
in which case it becomes relevant.

► Therefore it does not apply when the “bad character of an accused” is itself the
fact in issue.
Sub-categories

► Direct evidence
► Indirect or circumstantial evidence
► Primary evidence
► Secondary evidence
► Oral evidence
► Documentary evidence
► Hearsay evidence
► Real evidence
Direct Evidence

► Where the existence of a fact is proved by producing the original document, or a
document corroborated by the testimony of a witness to an event.

► Example: In case of a matter involving ownership of a property – the original sale
deed for proving the fact of sale of an immovable property can be considered as
direct evidence.
Indirect Evidence

► Also known as Circumstantial Evidence

► It is based upon the circumstances surrounding a fact or an event to be proved.

► Example: X is alleged to have committed the murder of Y based upon the
circumstantial evidence that no one else was in the room and no other person has
been found to have entered the room during the relevant time in question when the
murder was committed.
Primary Evidence

► It is the best possible proof/ best evidence to prove a fact

► Example: the finger prints obtained from a crime scene which are matching those
of the suspect
Secondary Evidence

► Which is substitutionary proof and not the best evidence to prove a fact.

► Example: In a case of divorce on the ground of infidelity (being unfaithful to a
sexual partner), a woman produces her husband’s chat discussions with another
woman as proof.
Oral Evidence

► Verbal or spoken evidence as opposed to documentary evidence

► Example: An employee gives oral evidence as witness to prove that his colleague
has discussed with him his plans of committing data theft at the office on a
particular date.
Documentary Evidence

► Which is based on documents produced before the court

► Example: print outs of email from an employee’s computer
to prove that he/she was stealing the company’s data in
order to benefit his/her relatives.
Hearsay Evidence – not admissible in
India
► Example:
► X states that Y told X that Z had a plan to cheat his
employer by stealing data from the company’s servers and
selling it to someone in return for a huge sum of money.

► This type of evidence is not treated as “reliable
evidence” in a court of law and hence it is not considered
admissible in India.
Real Evidence

► Evidence that is tangible in nature and which when
analysed by a Court can lead to definite information on
reasonable evaluation.

► Example: a biometric analysis of fingerprints or an iris
scan of an accused is a piece of real evidence.
Best Evidence Rule

► Masquerade Music Ltd v. Springsteen – Springsteen Case


► Requires a party to produce the best evidence possible to prove his/her case.
► The evidence a party seeks to produce shall not be admissible if it indicates
that there is better evidence that can be produced, unless a clear explanation
for the lack of better evidence is submitted.

► Section 65B of IEA


Documentary Evidence generated on a computer
1) Analysis that is generated by a computer program on
an automated basis
2) When the evidence is a by-product of a machine operation
which is used for its statements entered into the machine
and was generated solely by electronic and mechanical
operations of the computer or telephone equipment.
S.65 – framework for admissibility of Electronic Evidence
S.65A – Contents of e-records must be proved as evidence in
accordance with the requirements of S.65B

S.65B begins with a non-obstante clause which forms a complete code
for admissibility of electronic evidence

S.65B(1) – Any information stored in an e-record which has been stored,
recorded or copied as a computer output, shall also be deemed a
“document” & shall be admissible as evidence without further proof
or production of the originals
S.65B(4) – for e-evidence to be used in judicial proceedings
► S.65B IEA – S.5 UK Civil Evidence Act, 1968

► A certificate shall have to be produced which identifies the e-record
& gives particulars of the device involved in the production of the
record.

► Contents of the certificate – to be stated to the best of the knowledge
and belief of the person stating it
Primary and Secondary Evidence
► Importance of S. 62 and S. 63

► Their differences
► Criticism of Tomaso Bruno case (per incuriam)
► Shafi Mohammed v. State of H.P. - misinterpretation of the provision as the court held
that the provision was purely procedural in nature.

► Compliance-related issues – compliance with S.65B(4) – is it mandatory or not?


► The Election Commission case – Arjun Panditrao Khotkar v. Kailash Kishanrao Goratyal
