含羞草社区

With the rapid growth and adoption of technology, cybercrime has seen an unprecedented rise. Hacking, phishing, identity theft, doxxing and digital payment frauds have left individuals and businesses exposed and vulnerable.

India at present has no dedicated legislation catering to the entire range of activities plaguing the digital ecosystem. Victims have to rely on general offences under the Indian Penal Code, 1860 (IPC), such as theft, forgery, voyeurism, stalking and criminal intimidation, as read with the provisions of the Information Technology Act, 2000 (act), and its ancillary rules. These laws have proved wholly inadequate to overcome the challenges of the increasing sophistication of technology and its use in the commission of crime. The replacement of the IPC by the Bhartiya Nyaya Sanhita, 2023 (BNS), with effect from 1 July 2024, has not brought about any drastic change to the treatment of cyber offences other than adding the term contents in electronic form to the offence of selling obscene books and the inclusion of cybercrimes within the new offence of organised crime. The BNS has broadly adopted the offences in the IPC as amended pursuant to the act.

With the act focusing primarily on specific cybercrimes such as identity theft, cheating by impersonation, hacking and data breaches, it is more computer-centric. It does not comprehensively cover all emerging threats, such as advance persistent threats and sophisticated phishing schemes. This leisurely approach to emerging cybercrime may be appreciated from the fact that when the act was brought into effect in June 2000, it criminalised only three offences, tampering with computers and computer systems, hacking and publishing obscene information. Only in 2008 was it amended to include sending offensive messages through communication servers, dishonestly receiving a stolen computer resource or communication device, identity theft, violation of privacy and cyber terrorism through the addition of sections 66A to 66F and sections 67A to 67C. These amendments appear as unwieldy appendages because of the changes in the technological landscape and the innovative ways that cybercriminals devise to attack the unwary.

In today’s era of tech-savvy criminal syndicates and groups able to commit offences beyond physical borders with impunity, the provisions of the act do not provide adequate tools for dealing with the concerted, organised and complex nature of cybercrime. There is also an absence of adequate mechanisms to assess, control and monitor the development, adoption and rollout of emerging technologies such as blockchain, generative artificial intelligence, datafication and the internet of behaviour, all of which are potentially pervasive and exploitative.

To address these concerns, the government in March 2023, put forward the Digital India Act, 2023 (DIA). Its objective was to replace the act and formulate evolvable rules consistent with the changing nature of technology and which could be updated according to the demands of the country’s digital infrastructure. The administration has acknowledged that the act has been unable to adapt to rapidly evolving cyberspace and the DIA is intended to overcome this shortcoming. The legislation is meant to bring about enhanced safety, the classification of intermediaries, a fair and open internet and increased accountability. However, there is no guidance as to how such objectives are to be achieved.

Although India is second only to China for the number of internet users, comprehensive legislation focusing on cyber security, such as the DIA, is still far from becoming a reality. The Ministry of Electronics and Information Technology is considering whether to bring in broad legislation for the entire digital ecosystem or to propose several issue-specific acts dealing more effectively with complex cyber-crime activity.

India, the third-largest digitised country globally, has also been reported to be the third largest for the number of phishing attacks. It is therefore imperative that the DIA or other proposed legislation should adopt a considered, consultative and comprehensive approach that draws on the experience of jurisdictions in which similar legislation has been enacted. This includes the Digital Services Act in the European Union and the Online Safety Act in the United Kingdom.

Aman Avinav is a partner (disputes, investigations and white-collar crime) at Phoenix Legal.