Cybercrime and Legal Challenges in India: An Analysis of the Existing Cyber Law Framework

Authored By: KASHISH KHAN

RAJSHREE LAW COLLEGE

Introduction

The digital transformation of Indian society has fundamentally altered the way individuals interact with each other, conduct business, administer government, and access information. As more and more individuals turn to digital platforms, cyberspace has become an essential public and economic space. However, this transformation has also introduced a range of criminal activities, including phishing, cyber fraud, and sophisticated threats to national security infrastructure. Cybercrime is no longer merely a technological problem — it is a serious legal and governance challenge that exposes significant weaknesses in the existing regulatory framework.

The Information Technology Act, 2000 made electronic transactions legally recognised in India and helped address several categories of cybercrime.¹ When it was enacted, the Information Technology Act, 2000 was a forward-looking piece of legislation. However, two decades of technological development have demonstrated that it is no longer sufficient. This paper contends that, despite existing legislative provisions, the current cyber law framework in India is inadequate due to outdated definitions, jurisdictional limitations, weak enforcement mechanisms, and procedural complexities in investigation and prosecution. A careful examination of these deficiencies is essential to determine whether the law is equipped to meet the challenges that contemporary cyber threats present.

What Cybercrime Is and How It Is Changing

Cybercrime occurs when people use computers, computer networks, or the internet to commit crimes, target others, or participate in criminal enterprises.² Cybercrime is more difficult to pursue than other forms of crime for a number of reasons: investigations are time-intensive; offenders can act anonymously; crimes can be committed across multiple jurisdictions; and offences can be perpetrated at any moment in time.³

The impact of cybercrime extends across individuals, businesses, and the state. Cybercrime affecting individuals includes:

Financial theft from victims;
Online stalking; and
Online harassment.

Businesses may be victims of cybercrime through:

Data theft;
Ransomware attacks;
Theft of trade secrets; and
Attacks that disable or disrupt a business’s online operational capabilities.

Cybercrime against the state includes cyber terrorism, espionage, and attacks against critical information infrastructure.

Recent advancements in technology have made the perpetration of cybercrime increasingly difficult to detect.⁴ The use of artificial intelligence, encryption, and other technologies actively assists criminal perpetration, making detection and attribution harder. This demonstrates that the current legal framework must be updated to keep pace with technological developments that have rendered existing provisions outdated.

The Current Legal Framework for Cybercrime in India

In India, the most relevant and comprehensive law pertaining to cybercrime is the Information Technology Act, 2000.⁵ This Act criminalises the unauthorised access of computer systems, identity theft, illegal access to data, and the posting of obscene materials online. The offences of cheating, forgery, and criminal intimidation are found in the Indian Penal Code, 1860,⁶ and are applicable to computer-related situations as well. [Note to author: The Indian Penal Code, 1860 has been replaced by the Bharatiya Nyaya Sanhita, 2023 (BNS), which came into force on 1 July 2024. Please consider updating this reference and the relevant section numbers to the BNS equivalents.]

The Code of Criminal Procedure, 1973 governs how the police must investigate cybercrime,⁷ and the Indian Evidence Act, 1872 governs how courts must handle electronic evidence.⁸ [Note to author: The Code of Criminal Procedure, 1973 has been replaced by the Bharatiya Nagarik Suraksha Sanhita, 2023 (BNSS), and the Indian Evidence Act, 1872 has been replaced by the Bharatiya Sakshya Adhiniyam, 2023 (BSA), both in force from 1 July 2024. Please consider updating these references accordingly.] Together, these statutes create a patchwork system of laws for regulating cybercrime. The Indian cyber law system generally responds to events after the fact. The Information Technology Act has changed little since its enactment, and most of its provisions do not account for the complexity of cybercrime as it exists today.⁹ The cybercrime legislative framework in India is largely built upon the interpretation of existing laws — and that interpretation is not always consistent or adequate.

Important Legal Issues in Indian Cyber Law

The central difficulty with Indian cyber legislation is that it cannot keep pace with emerging technologies. A range of legal and practical issues renders the framework ineffective.

The first problem is that the laws are outdated and lack clarity. As the law currently stands, most new categories of cybercrime — such as ransomware attacks and deepfake crimes — are not precisely defined in the legislation. This makes it difficult for law enforcement officers to determine the exact nature of the offence and the applicable provision.

Another significant issue is jurisdiction. Most cybercrime incidents involve individuals, victims, and servers located in different countries. The Indian legal system is primarily based on territorial jurisdiction,¹⁰ which creates serious challenges in investigating and prosecuting offences that span multiple countries. International cooperation is possible but is typically slow and insufficiently effective in the fast-paced environment of cybercrime.

Enforcement presents a further difficulty. Law enforcement officers generally lack the investigative skills and specialised training necessary to pursue cybercrime effectively. There is a shortage of trained personnel, inadequate cyber infrastructure, and delays in forensic investigations,¹¹ all of which make the effective prosecution of cybercrime extremely challenging.

There are also serious issues with evidence and procedure. Electronic evidence is relatively easy to tamper with and corrupt. Establishing the authenticity and reliability of such evidence is critically important, and the complexity of the applicable evidentiary rules has resulted in the acquittal of offenders even where the evidence of the crime was otherwise conclusively established.

The lack of cybercrime reporting is an additional and serious concern. Victims — particularly businesses — often choose not to report cybercrime incidents, either out of fear of reputational damage¹² or due to a lack of confidence in the justice system. This under-reporting also hampers the development of well-informed laws and policies.

The Role of Indian Courts in Cybercrime

The Indian courts have helped fill the gaps in the legislative framework by developing judicial interpretations of how cyber law operates.¹³ The courts have recognised that cybercrime is distinct from traditional offences and that electronic evidence must be treated with particular care. Judicial decisions have established that electronic evidence must be properly preserved and that strict procedural standards must be observed in its handling.

However, the statutory framework constrains what courts can ultimately achieve. Judges have frequently sought to apply the principles of traditional criminal law to cybercrime offences. While this has enabled courts to provide relief to those who have suffered harm, it is not a substitute for legislative action.

Judicial initiative has also brought into focus the accountability of intermediaries and online platforms. However, the inconsistency and ambiguity of statutory guidance across various jurisdictions continues to create challenges for the enforcement of cybercrime laws.

Comparative Analysis

A brief comparative study demonstrates that a number of countries have adopted a more comprehensive and specialised approach to the regulation of cybercrime.¹⁴ Several jurisdictions have enacted dedicated domestic cybercrime legislation, established specialised law enforcement units, and improved their international cooperation frameworks.

International instruments such as the Council of Europe’s Convention on Cybercrime have emphasised the need to harmonise domestic laws, expedite information sharing, and ensure adequate training for law enforcement. By contrast, India’s approach remains fragmented and relies largely on general principles of criminal law. While India has made efforts to improve cybersecurity, the absence of a comprehensive and dedicated cybercrime law undermines the effectiveness of those efforts.¹⁵

Need for Reforms

The challenges surrounding cybercrime demand a multi-faceted approach to reform. The following key areas require attention:

Legislative overhaul: A thorough assessment and comprehensive revision of the current cybercrime laws is necessary to ensure alignment between the legal framework and rapidly evolving technology. The laws must define specific categories of cybercrime with sufficient precision.
Institutional capacity building: Adequate training for law enforcement and access to digital forensics tools are essential. The absence of these resources has significantly undermined the ability of the police to investigate and prosecute cybercrime effectively.
Specialised courts: The establishment of dedicated cybercrime courts or the designation of specialised benches is likely to improve the judicial management of cybercrime cases and reduce delays.
Strengthened global collaboration: Addressing the transnational dimensions of cybercrime requires expedited and improved mechanisms for international evidence collection and information exchange.¹⁶
Victim-centred policies: Simplified reporting mechanisms, paired with public awareness campaigns, can incentivise reporting and foster trust in the justice system. Any regulation of cybercrime must also balance effective enforcement with the protection of constitutional rights.

Conclusion

Cybercrime is among the most complex challenges of the contemporary world. Despite the existence of cybercrime legislation in India, the cyber law framework contains significant legal, procedural, and institutional shortcomings.

This paper argues that the dynamic nature of cyber threats cannot be adequately addressed through incremental amendments and judicial interpretation alone. What is required is a comprehensive legal framework, supported by an adequate institutional structure, capable of ensuring cyber safety and the rule of law in the current technological environment.

Reference(S):

¹ Information Technology Act, No. 21 of 2000, India Code (2000).

² UN Office on Drugs and Crime, Comprehensive Study on Cybercrime, UN Doc CTOC/COP/2013/CRP.5 (February 2013).

³ Ibid.

⁴ INTERPOL, Cybercrime: Threats and Trends (2023). [Note to author: please supply the URL and access date for this source before publication.]

⁵ Information Technology Act, No. 21 of 2000, India Code (2000).

⁶ Indian Penal Code, No. 45 of 1860, §§ 415, 463, 503, India Code (1860). [Note to author: The IPC 1860 has been replaced by the Bharatiya Nyaya Sanhita, 2023 (BNS), in force from 1 July 2024. Please update this citation and the corresponding section numbers under the BNS.]

⁷ Code of Criminal Procedure, No. 2 of 1974, India Code (1974). [Note to author: The CrPC 1973 has been replaced by the Bharatiya Nagarik Suraksha Sanhita, 2023 (BNSS), in force from 1 July 2024. Please update this citation accordingly.]

⁸ Indian Evidence Act, No. 1 of 1872, §§ 65A, 65B, India Code (1872). [Note to author: The Indian Evidence Act 1872 has been replaced by the Bharatiya Sakshya Adhiniyam, 2023 (BSA), in force from 1 July 2024. Please update this citation and the corresponding provisions under the BSA.]

⁹ Pavan Duggal, ‘The Information Technology Act, 2000: A Critical Evaluation’ (2002) 7 Journal of Intellectual Property Rights 478.

¹⁰ S N Jain, ‘Jurisdictional Issues in Cybercrimes’ (2004) 46 Journal of the Indian Law Institute 268.

¹¹ Ministry of Home Affairs, Government of India, National Cyber Crime Reporting Portal <https://www.cybercrime.gov.in>. [Note to author: please add the access date for this source.]

¹² Data Security Council of India, India’s Cybersecurity Report 2022. [Note to author: please supply the URL and access date for this source before publication.]

¹³ Anvar P.V. v P.K. Basheer (2014) 10 SCC 473 (India).

¹⁴ Council of Europe, Convention on Cybercrime (23 November 2001) ETS No 185.

¹⁵ Data Security Council of India, India’s Cybersecurity Report 2022. [Note to author: please supply the URL and access date for this source before publication.]

¹⁶ UN Office on Drugs and Crime, Comprehensive Study on Cybercrime, UN Doc CTOC/COP/2013/CRP.5 (February 2013).