Published On: October 29th 2025
Authored By: SAUMYA PAL
City Law College, University of Lucknow
Abstract
As crime has migrated into digital spaces, Indian courts have been forced to confront difficult questions about how to authenticate, admit, and evaluate electronic records. The Bharatiya Sakshya Adhiniyam, 2023 (BSA) restates the rules on electronic evidence (replacing the Indian Evidence Act, 1872), while the Bharatiya Nagarik Suraksha Sanhita, 2023 (BNSS) updates criminal procedure—including mandatory audio-video recording of search and seizure—to strengthen chain of custody. This article maps the statutory framework, traces the key Supreme Court jurisprudence from Navjot Sandhu to Arjun Panditrao Khotkar, and offers practical guidance for investigators and counsel. It also flags emerging challenges such as end-to-end encryption, platform traceability, cross-border data, facial recognition, and deepfakes, and ends with concrete recommendations to make digital evidence both reliable and rights-respecting.
Why Digital Evidence Matters—Now
Most modern crimes—fraud, extortion, harassment, terror, cartel conduct—leave a digital trail: call detail records (CDRs), device images, CCTV, app logs, cloud data, and social-media messages. Indian criminal law experienced a historic reset on July 1, 2024, when the BNS, BNSS and BSA came into force—explicitly recognising electronic records and tightening procedure for search, seizure and recording. These reforms aim to improve the integrity and speed of trials that rest on digital proof.
The Statutory Framework: From Evidence to Procedure
Bharatiya Sakshya Adhiniyam, 2023 (BSA)
The BSA’s Section 61 defines “document” to expressly include electronic and digital records—emails, server logs, text messages, social-media posts, etc. Section 62 recognizes the admissibility of electronic records, and Section 63 (the successor to the erstwhile Section 65B of the Evidence Act) sets out the familiar “computer output” rule: when a party relies on a copy/printout rather than the original device, a certificate from a responsible official attesting to the manner of production and system integrity is required. The text largely mirrors Section 65B, signalling that the same doctrine continues under the new statute.
Takeaway: If you generate a secondary electronic record (e.g., a printout of a WhatsApp chat or a PDF of server logs), you should attach a Section 63 certificate; if you produce the original device itself (e.g., the phone) and prove it in the usual way, you may not need the certificate.
Bharatiya Nagarik Suraksha Sanhita, 2023 (BNSS)
BNSS establishes procedural upgrades that directly impact digital evidence handling. Notably, Section 105 authorises audio-video recording of search and seizure—a reform that, if executed properly, greatly strengthens chain of custody and reduces disputes over tampering. BNSS also embraces wider e-processes (e-FIR, e-service), aligning criminal procedure with the realities of digital crime.
IT Act & Rules: Intermediaries, Retention, and Traceability
The Information Technology Act, 2000 and Intermediary Rules shape how platforms preserve and disclose data. Rule 4(2) of the IT (Intermediary Guidelines & Digital Media Ethics Code) Rules, 2021 (as amended in 2023) requires “significant social media intermediaries” to enable identification of the first originator of a message in specified cases—India’s version of “traceability”—though its consistency with end-to-end encryption and privacy remains hotly debated. Rule 67C IT Act mandates intermediaries to preserve and retain specified information, and CERT-In’s April 2022 Directions required entities to retain logs for 180 days and provide data upon order—important for building reliable timelines.
The Supreme Court’s Journey on Electronic Evidence Certificates
- State (NCT of Delhi) v. Navjot Sandhu (2005)
The Parliament-attack case appeared to allow some flexibility: electronic records could be proved by other means even without a 65B certificate. That leniency later came under sharp scrutiny.
- Anvar P.V. v. P.K. Basheer (2014)
A watershed. The Court held that Section 65B is a special provision that must be satisfied for secondary electronic records; other routes (Sections 63–65 of the old Evidence Act) cannot be used to evade 65B. This reinforced the certificate’s centrality.
- Shafhi Mohammad v. State of Himachal Pradesh (2018)
A two-judge bench seemed to relax the rule for parties without control over the device (e.g., CCTV footage held by a third party), suggesting certificate requirements are procedural and can be dispensed with in suitable cases. This produced confusion.
- Sonu @ Amar v. State of Haryana (2017)
The Court explained that objections to the mode or method of proof (such as absence of a 65B certificate) should be raised at trial, not for the first time in appeal, unless there is serious prejudice—underscoring the need for timely procedural accuracy.
- Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020; 3-Judge Bench)
The Court settled the law: Anvar is correct; Shafhi is not. A 65B-style certificate is mandatory when a secondary copy of an electronic record is produced. However, where the original device/media is produced and proved, no certificate is needed. The judgment also clarifies who can sign and when the certificate may be produced (even later, with court leave) and recognizes the role of Examiners of Electronic Evidence under IT Act Section 79A. This remains the controlling authority under the BSA’s successor provisions.
- Other Notable Rulings
Tomaso Bruno v. State of UP (2015) encouraged drawing an adverse inference where CCTV evidence that should exist is withheld.
M.R. Hiremath (2019) reiterated that electronic records must meet 65B where secondary evidence is relied on.
Gopalkrishnan @ Dileep v. State of Kerala (2019) held that an accused is entitled to a forensic image/copy of electronic evidence (with appropriate protections) under disclosure norms—important for fair trial and independent analysis.
Bottom line: Under the BSA 2023, courts will read new Sections 61–63 consistently with the Anvar–Arjun Panditrao line: produce the original device where feasible; otherwise, file a Section 63 certificate that directly addresses system integrity and the process by which the “computer output” was generated.
Admissibility of Electronic Evidence
- When is a Certificate Needed?
Original device/media produced (primary evidence): Generally, no certificate needed if you prove the device and its operation through standard evidence (seizure memo, panch witnesses, forensic examiner testimony).
Copy/printout/screenshot (secondary evidence): Certificate is mandatory under BSA Section 63 (ex-65B).
- Who Should Sign? What Should It Say?
The signatory should be a person occupying a responsible official position in relation to the device/operations (e.g., the IT head, custodian of records, or platform compliance officer) with personal knowledge of the system and the manner of extraction. The certificate should: (i) identify the device/system; (ii) state that the computer was regularly used; (iii) explain the method of producing the printout/copy; (iv) certify that to the best of knowledge, the record is a true and accurate “computer output.” Courts in Arjun Panditrao emphasize substance over empty formalism.
- Proving System Integrity & Chain of Custody
Even with a certificate, tamper-resistance and chain of custody are critical. BNSS Section 105 requires AV-recording of searches; practical SOPs urge immediate hashing (MD5/SHA-256) and use of write-blockers at seizure to prevent modification; seizure memos should record the hash values and serial numbers, and a forensic image should be created at the earliest opportunity.
Assessing Hygiene Protocols
- At the Scene (Phones, Laptops, CCTV, DVRs)
- Isolate the device (airplane mode, Faraday bag if needed).
- Photograph & video-record the seizure (BNSS §105); document time, date, geo-tags, and witness details.
- Mark before analysis and document the tool/version used; keep originals sealed.
- Image the device with a write-blocker, work on the forensic image, and keep an audit log of every access.
- Seizure memo should include device identifiers, storage media IDs, and hash values.
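The hashing and audit-log steps above can be checked mechanically. The following is an added example, not part of the original article: a Python sketch in which every access to a forensic image is logged with the image's SHA-256 and each log entry commits to the previous one, so later edits to the log or drift from the seizure-memo hash are detectable. The image bytes, actor labels and timestamps are constructed, and the function names are hypothetical.

```python
import hashlib, io, json

FIELDS = ("when", "actor", "action", "image_sha256", "prev")

def sha256_stream(stream, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def _digest(entry):
    body = {k: entry[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, when, actor, action, image_sha256):
    """Record one access; each entry commits to the hash of the one before it."""
    entry = {"when": when, "actor": actor, "action": action,
             "image_sha256": image_sha256,
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)

def verify(log, seizure_hash):
    """Return every continuity problem found (empty list means intact)."""
    problems, prev = [], "0" * 64
    for i, e in enumerate(log):
        if e["prev"] != prev:
            problems.append(f"entry {i}: chain link broken")
        if _digest(e) != e["entry_hash"]:
            problems.append(f"entry {i}: altered after logging")
        if e["image_sha256"] != seizure_hash:
            problems.append(f"entry {i}: image hash differs from seizure memo")
        prev = e["entry_hash"]
    return problems

# Constructed stand-in for a write-blocked forensic image (not real evidence).
IMAGE = b"constructed-disk-image-block" * 4096
SEIZURE_HASH = sha256_stream(io.BytesIO(IMAGE))  # value written in the seizure memo

def demo():
    log = []
    append_entry(log, "2025-01-10T09:15:00+05:30", "IO-1", "imaged at seizure", SEIZURE_HASH)
    append_entry(log, "2025-01-12T11:00:00+05:30", "FSL-2", "opened for analysis",
                 sha256_stream(io.BytesIO(IMAGE)))
    intact = verify(log, SEIZURE_HASH)
    log[1]["actor"] = "FSL-9"            # simulate a later edit to the audit log
    return intact, verify(log, SEIZURE_HASH)

if __name__ == "__main__":
    print(demo())
```

The same `verify` pass is what a defence expert would run over a disclosed log to test hash continuity against the seizure memo.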
From Platforms & ISPs
When you seek platform data (CDRs, IP logs, content metadata), request certified records with system affidavits that meet BSA §63 requirements. Maintain headers and server timestamps; insist on time-zone indications. Where data is abroad, use MLAT channels; where urgent, explore the G7 24/7 network contact points.
Recurrent Problem Areas
1) WhatsApp Chats, Screenshots, & “Forwarded” Content
Courts are wary of plain screenshots. Authentication improves if you: (i) seize the original phone; (ii) extract via forensic tools; (iii) preserve chat databases and metadata; (iv) get a Section 63 certificate from the custodian/platform when you’re relying on exported copies.
2) CCTV/DVR Evidence
Delay in seizure, overwritten loops, and no marks are common pitfalls. Tomaso Bruno cautioned that missing CCTV that should exist can justify an adverse inference; counsel must move early to secure DVRs and record hashes at seizure.
3) CDRs, IP Logs, & Server Records
Obtain data directly from the custodian (telecom, ISP, platform) with a certificate. Cross-check IP allocations with time-zones and NAT logs, and correlate with device seizure to avoid misattribution. CERT-In 2022 Directions and Rule 67C retention norms can support timely preservation.
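Why the time-zone and NAT cross-check matters, as an added example that is not part of the original article: a Python sketch that attributes a platform log entry to a subscriber using a carrier-grade NAT log. All IP addresses, ports, timestamps and subscriber labels are constructed, and the function names are hypothetical; the ISP log is assumed to be in UTC and the platform record in IST.

```python
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))

# Constructed NAT log from an ISP, timestamps in UTC:
# (public_ip, port_lo, port_hi, start_utc, end_utc, subscriber)
NAT_LOG = [
    ("203.0.113.7", 1024, 2047, "2025-01-10T03:00:00", "2025-01-10T04:00:00", "SUB-A"),
    ("203.0.113.7", 2048, 3071, "2025-01-10T03:00:00", "2025-01-10T04:00:00", "SUB-B"),
    ("203.0.113.7", 1024, 2047, "2025-01-10T08:30:00", "2025-01-10T09:30:00", "SUB-C"),
]

def to_utc(stamp, tz):
    """Attach the stated zone to a naive log timestamp and convert to UTC."""
    return datetime.fromisoformat(stamp).replace(tzinfo=tz).astimezone(timezone.utc)

def attribute(public_ip, port, stamp, tz):
    """Return subscribers whose NAT mapping covers this IP, port and instant."""
    when = to_utc(stamp, tz)
    hits = []
    for ip, lo, hi, start, end, sub in NAT_LOG:
        in_window = to_utc(start, timezone.utc) <= when < to_utc(end, timezone.utc)
        if ip == public_ip and lo <= port <= hi and in_window:
            hits.append(sub)
    return hits

def demo():
    # Constructed platform record: source IP, source port, timestamp stated in IST.
    ip, port, stamp = "203.0.113.7", 1500, "2025-01-10T09:00:00"
    correct = attribute(ip, port, stamp, IST)            # 09:00 IST is 03:30 UTC
    misread = attribute(ip, port, stamp, timezone.utc)   # zone label ignored
    return correct, misread

if __name__ == "__main__":
    print(demo())  # the same record points at two different subscribers
```

Reading the same timestamp without its zone shifts it by five and a half hours and lands on a different subscriber's mapping, which is the misattribution the certificate's time-zone statement is meant to prevent.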
Rights & Limits: Privacy, Self-Incrimination, and Procedure
- Privacy Baseline—Puttaswamy
The right to privacy is a fundamental right under Article 21; any search/seizure or compelled disclosure must satisfy legality, necessity, and proportionality. This influences the breadth of device searches and long-term surveillance, including facial recognition deployments.
- Compulsion & Article 20(3)
In Selvi, the Supreme Court prohibited involuntary narco/brain-mapping; in Ritesh Sinha, it authorised the taking of voice samples, holding that this does not violate Article 20(3). Courts generally distinguish testimonial compulsion (e.g., forcing a password) from physical identifiers (fingerprint/face unlock). Investigators should avoid coercing password disclosure, preferring lawful use of biometric unlock where authorised, or neutral forensic bypass—subject to warrants and BNSS safeguards.
- Traceability & Encrypted Platforms
Rule 4(2) (first-originator) collides with E2E encryption architectures, raising questions of both technical feasibility and privacy. Orders seeking originator data must be narrowly tailored and grounded in law, and platforms will often oppose overbreadth or over-retention. Expect litigation to continue as courts balance public order with privacy and free expression.
Cross-Border Electronic Evidence
India is not a Party to the Budapest Convention, so cross-border data often travels through MLAT requests. MLATs are slow; investigators should anticipate delays and use preservation letters early. The UN Convention against Cybercrime (adopted in December 2024) may eventually provide an additional multilateral avenue for cooperation, but timelines and domestic implementation will matter. A CLOUD Act executive agreement between India and the US has been proposed by commentators, but no such agreement has yet been concluded.
New Frictions: Facial Recognition & Deepfakes
- Facial Recognition Evidence
Police use of FRT has expanded, but concerns persist about accuracy thresholds, bias, and legal basis. Reports show low matching thresholds used in Delhi policing in the past; any FRT match should be treated as an investigative lead, not conclusive proof, and must be corroborated.
- Deepfakes & AI-Generated Media
The BSA’s text is technology-neutral; a deepfake video is still an “electronic record,” but the authenticity burden is heavier. Parties should present: (i) full-chain metadata, (ii) hashes at creation/seizure, (iii) forensic expert analysis (Section 79A “Examiner of Electronic Evidence”) identifying synthetic artifacts, and (iv) corroborative evidence. Comparative scholarship argues for customised evidentiary rules for deepfakes; India will likely evolve judge-made standards before tailored legislation arrives.
How the DPDP Act Interacts (and Why It Matters)
The Digital Personal Data Protection Act, 2023—while mainly a privacy statute—contains exceptions for processing data for law enforcement and court proceedings. This means intermediaries can (and must, when lawfully ordered) preserve and share data needed for investigations/prosecutions, while still applying data minimization and security. Even once fully operationalized via Rules, DPDP is unlikely to hinder lawful evidence gathering, but it will push agencies toward clearer notices, purpose limitation, and data security in handling seized digital material.
A Practitioner’s Toolkit
For Investigators
- Before seizure: Obtain proper legal authority; prepare AV equipment for BNSS §105 recording.
- At seizure: Video-record; note device identifiers; immediately hash storage media; create write-blocked images; seal originals.
- From platforms/ISPs: Seek custodian certificates aligned with BSA §63; demand time-zone and system descriptions; preserve logs early (CERT-In Directions).
- Disclosure: Provide the defence with mirror images/hashes per P. Gopalkrishnan.
- For FRT/AI evidence: Treat algorithmic outputs as corroborative; obtain methodology and validation details; document error rates and thresholds.
For Prosecutors & Complainants
- Prefer original devices where feasible; else, ensure tight 63-certificate compliance.
- Line up 79A Examiner or qualified forensic expert for methodology and tool validation.
- Anticipate defence challenges on chain of custody, timing of certificates, and device control—Arjun Panditrao allows late certificates with leave, but plan early.
For Defence Counsel
- Scrutinize hash continuity, tool versions, and write-blocker usage; probe gaps in BNSS §105 AV-trail.
- Challenge “screenshots” without device seizure; insist on original device or Section 63 certificates; request independent imaging.
- For FRT/deepfakes, demand algorithmic documentation, thresholds, and expert analysis; cross-examine on bias and error rates.
Policy Recommendations
- Uniform National SOPs: Publish binding SOPs (hashing, imaging, sealing, logs) across states; align with BNSS §105 and Section 63.
- Forensics Capacity: Invest in 79A Examiner networks, lab equipment, and judge-police training on AI and encryption.
- Platform Cooperation: Standardize certificate templates for CDRs, IP logs, and content metadata; ensure time-zone clarity and system descriptions.
- Cross-Border Access: Modernize MLAT practice, consider executive agreements for direct data access (CLOUD Act-style) with privacy guardrails; monitor the UN Cybercrime Convention implementation.
- Deepfake Guidance: Issue model judicial practice directions on evaluating AI-generated media—hashes, provenance, and independent forensic verification should be the minimum standard.
Conclusion
India’s new evidence and procedure codes preserve the core architecture of electronic evidence law while nudging practice toward better documentation and integrity. The jurisprudence now clearly requires a Section 63 (ex-65B) certificate for secondary electronic records, while original devices remain provable through ordinary means. The hard work is practical: hash early, image properly, record searches, certify correctly, and disclose fairly. As encryption, cross-border storage, FRT, and deepfakes complicate proof, the legal system’s legitimacy will hinge on technically sound, rights-respecting procedures that make digital evidence both reliable and just.
References
- State (NCT of Delhi) v. Navjot Sandhu, (2005) 11 S.C.C. 600 (India).
- Anvar P.V. v. P.K. Basheer, (2014) 10 S.C.C. 473 (India).
- Shafhi Mohammad v. State of Himachal Pradesh, (2018) 2 S.C.C. 801 (India).
- Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, (2020) 7 S.C.C. 1 (India).
- Bharatiya Sakshya Adhiniyam, No. 47 of 2023 (India).
- Bharatiya Nagarik Suraksha Sanhita, No. 45 of 2023 (India).
- Pavan Duggal, Electronic Evidence in India: A Cyber Lawyer’s Perspective on Case Law Evolution, CISO Platform (Apr. 2025), https://www.cisoplatform.com/profiles/blogs/electronic-evidence-in-india-a-cyber-lawyer-s-perspective-on-case.
- Team LiveLaw, Supreme Court Reaffirms That Section 65B Certificate Mandatory for Admissibility of Electronic Evidence, LiveLaw (July 15, 2020), https://www.livelaw.in/top-stories/supreme-court-reaffirms-that-section-65b-certificate-mandatory-for-admissibility-of-electronic-evidence-159433.
- SCC Online Blog, Digital Evidence and Indian Courts: Section 65B of the Evidence Act Revisited, SCC Online (Aug. 2021), https://www.scconline.com/blog/post/2021/08/20/digital-evidence-and-indian-courts-section-65b/.
- Cyril Amarchand Mangaldas, Electronic Evidence under Indian Law: The Judicial Approach So Far, IndiaCorpLaw Blog (May 2022), https://indiacorplaw.in/2022/05/electronic-evidence-under-indian-law-the-judicial-approach-so-far.html.


