Cybercrime and the Legal Framework in India: Challenges in Enforcement

Abstract

The digital age has transformed human interaction, commerce, governance, communication and many digital services. However, this transformation has also led to a steep rise in cybercrimes extending from online fraud, identity theft, phishing, cyberstalking, and ransomware attacks to sophisticated state-sponsored intrusions. India, as one of the largest digital economies, faces an unprecedented challenge in creating and enforcing effective legal mechanisms to combat cybercrime. This article explores the existing framework under the Information Technology Act, 2000, the Indian Penal Code, 1860, and the newly implemented Bharatiya Nyaya Sanhita, 2023, alongside judicial interpretations that shape the field. It critically evaluates enforcement gaps, issues of jurisdiction, evidentiary hurdles, and the balance between liberty and security. The article argues that while India has made progress in regulating cyberspace, challenges in enforcement persist due to outdated legislation, limited capacity building, and the cross-border nature of cybercrime. It aims to provide practitioners, policymakers, and legal scholars with a realistic roadmap to strengthen cybercrime enforcement without undermining civil liberties.

Introduction

The consolidation of technology into everyday life has blurred the boundary between the physical and digital realms. While this digital transformation has accelerated innovation and economic growth, it has also created fertile ground for criminal activities. Cybercrime today is not enclosed to isolated hacking incidents but extends to organized financial frauds, state-backed cyberattacks, child exploitation networks, and even cyber terrorism. The National Cyber Crime Reporting Portal and various Indian states report sharp increases in complaints related to online fraud, identity theft, cyber harassment, and data breaches. Enforcement of cyber laws is more than just a matter of passing legislation—it cpmprises practical, technical, institutional, and procedural challenges.
India, with over 800 million internet users, stands at the core of this challenge. According to the National Crime Records Bureau (NCRB) Report 2022, cybercrimes in India increased by nearly 24% compared to the previous year, with the majority relating to fraud and extortion. The government has introduced new legal instruments, most notably the Information Technology Act, 2000 (IT Act), and the CERT-In Guidelines (2022), along with the recent reforms under the Bharatiya Nyaya Sanhita (BNS), 2023 and Bharatiya Sakshya Adhiniyam, 2023. Yet, enforcement challenges, jurisdictional complexities, and evidentiary limitations hinder effective prosecution.
This article explores how India’s legal system handles cybercrime today: what the statutes allow, how the courts have interpreted them, and where enforcement breaks down. It then proposes reforms to make enforcement more effective, while securing respect for privacy, freedom of expression, and due process.

I. Understanding Cybercrime in the Indian Context

A. Defining Cybercrime

Cybercrime broadly refers to unlawful acts where a computer, network, or digital device is the target, tool, or medium of the crime. The IT Act, 2000, while not providing a single exhaustive definition, recognizes offenses such as unauthorized access, hacking, identity theft, cyber terrorism, and publishing obscene content electronically.
The UN Manual on the Prevention and Control of Computer-Related Crime (1995) categorizes cybercrimes into four groups:

• Crimes against the computer as a target (e.g., hacking, DDoS).
• Crimes using the computer as a tool (e.g., fraud, phishing).
• Crimes facilitated by computers (e.g., money laundering, child exploitation).
• Hybrid crimes with both physical and digital elements.

In India, cybercrimes largely fall under the second and third categories, with a sharp rise in financial frauds and online harassment.

B. Emerging Trends

• Financial Fraud: With digital payments, phishing, vishing (voice phishing), SIM cloning, and cryptocurrency scams are increasing. In 2022–2023, the Reserve Bank of India reported over 45,000 fraud cases linked to digital payments.
• Cyber Harassment: Revenge porn, cyberstalking, and online abuse disproportionately affect women and minors. NCRB data indicate over 3,500 cases of online harassment in 2022.
• Cyber Terrorism: Terrorist organizations exploit encrypted platforms for recruitment, propaganda, and coordination.
• AI-enabled Crimes: Deepfakes and automated scams are emerging threats with limited legal coverage.

II. The Legal Framework for Cybercrime in India

A. The Information Technology Act, 2000
The IT Act remains the backbone of India’s cyber law. Significant provisions include:

• Section 43 & 66: Penalizing unauthorized access, data theft, and hacking.
• Section 66C & 66D: Addressing identity theft and cheating by impersonation using computers.
• Section 67 & 67A: Punishing publication of obscene material electronically.
• Section 66F: Defining cyber terrorism, carrying life imprisonment.
• Section 69 & 69B: Empowering the government to intercept, monitor, and decrypt digital communications.

Additionally, the IT Rules (especially Intermediary Guidelines and Digital Media Ethics Code Rules, 2021) regulate obligations of intermediaries (platforms, service providers), traceability, takedown protocols, retention of data, and transparency requirements.

B. Indian Penal Code, 1860 and Bharatiya Nyaya Sanhita, 2023
Before the BNS, traditional crimes like cheating, forgery, and defamation were often extended to cyberspace through the IPC. The BNS, 2023 has modernized several provisions, making digital frauds explicitly punishable. For instance, Section 319 of the BNS addresses cheating by personation using digital means.

C. Procedural Laws and Evidence
The Code of Criminal Procedure (CrPC), 1973, now replaced by the Bharatiya Nagarik Suraksha Sanhita, 2023, and the Bharatiya Sakshya Adhiniyam, 2023 provide new procedural clarity. Notably, Section 63 of the Bharatiya Sakshya Adhiniyam aligns with the old Section 65B of the Indian Evidence Act, reaffirming the need for certificates for admissibility of electronic evidence.

D. Regulatory Bodies

• CERT-In: Nodal agency for responding to cyber incidents, issuing guidelines and directives.
• NCRB: Compiles and analyzes cybercrime data.
• Specialized Cyber Cells: Established in various states but plagued by uneven capacity and resources.

III. Judicial Responses to Cybercrime

Courts have played a key role in defining the ambit of cyber offences, defining defamation and intermediary liability, and shaping evidentiary standards. Some landmark judgments to be studied include:

• Shreya Singhal v. Union of India, (2015) 5 SCC 1 – The Supreme Court indeed struck down Section 66A of the IT Act for violating the fundamental right to freedom of speech and expression guaranteed under Article 19(1)(a) of the Indian Constitution, highlighting the delicate balance between liberty and regulation.
• Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473 – Reiterated the mandatory requirement of Section 65B certificates for admissibility of electronic evidence in courts, thus ensuring the authenticity and reliability of digital records.
• Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, (2020) 7 SCC 1 – Clarified the evidentiary value of electronic records, upholding the mandatory nature of the section 65B certificate electronic evidence, and providing mechanisms for obtaining it, especially when the producing party is not in control of the device.
• Suhas Katti v. State of Tamil Nadu (2004) – One of India’s first convictions for cyber harassment via obscene postings on a Yahoo group, demonstrating the early application of cyber laws to online offence
• State of Karnataka v. M.R. Hiremath, (2019) 7 SCC 515 – Addressed procedural lapses in cybercrime investigation and reaffirmed the importance of proper adherence to legal procedures, including those related to the admissibility and handling of electronic evidence.

Judicial activism has ensured protection of fundamental rights, but it has also revealed how legislative gaps leave enforcement agencies ill-equipped.

IV. Key Enforcement Challenges

Based on recent studies and government reports, several recurrent obstacles hinder effective enforcement:
1. Lack of Technical and Forensic Capacity
Cyber police cells in many states do not have sufficient staff trained in digital forensics, malware analysis, traceability of digital footprints. For example, a recent IJLLR article reports that many enforcement agencies still struggle with preserving logs and securing devices properly.

• Institutional and Capacity Issues
• Shortage of trained cyber forensic experts.
• Lack of standardized investigation protocols across states.
• Delays in setting up dedicated cyber courts.

2. Jurisdictional and Cross-Border Issues

Cybercriminals often operate from foreign servers; data stored abroad complicates access. Mutual Legal Assistance Treaties (MLATs) are slow and bureaucratic. Enforcement within India is also complex when data centers or servers are managed by intermediaries with little presence in particular states.

3. Ambiguous or Outdated Legal Provisions
Some offences are vaguely defined. For example, “intermediary liability” is governed by rules that leave interpretive gaps. The IT Act dates to 2000 and was not designed for modern challenges such as ransomware, AI-driven attacks, or deepfakes. Enforcement often becomes reactive rather than proactive.

4. Delay in Evidence Collection and Preservation
Digital evidence is fragile—logs are overwritten, devices are lost or corrupted. Delays in lodging FIRs, in seizing devices, or in preserving network logs can destroy critical proof. The insistence on Section 65B certification has led to numerous acquittals, as investigating agencies often fail to obtain valid certificates. The digital chain of custody remains fragile due to poor forensic infrastructure.

5. Balancing Privacy and Security
Government surveillance powers under Sections 69 and 69B of the IT Act have been criticized as excessive. The Supreme Court in Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 recognized privacy as a fundamental right, demanding greater judicial oversight of surveillance.

6. Low Reporting and Awareness
Cultural, educational, and practical obstacles: many victims (especially in rural or marginalized groups) don’t report cyber offences due to lack of awareness or fear of reputational harm. Also, law enforcement sometimes lacks public outreach, awareness, or simplified complaint mechanisms.

V. Real-Life Cybercrime Examples

• UPI Fraud Cases: Over 50,000 cases between 2021–2023.
• Ransomware Attacks: Hospitals and infrastructure impacted by ransomware.
• Deepfake Scams: Increasing impersonation and financial fraud.
• Cyber Harassment: Thousands of cases annually, mostly affecting women.

VI. Empirical Data: Recent Trends

A study by IJLLR (2025) shows that cybercrime cases have spiked in India, but arrests and convictions lag behind. States report large numbers of FIRs but fewer successful prosecutions.
Local police data in cities shows explosion of online fraud complaints versus the number of convictions.
Studies show that many police stations still rely on outdated software/hardware for investigations, lack standard operating procedures for digital evidence handling.

VII. Comparative Global Perspectives

• United Kingdom: The Computer Misuse Act and rules on intermediary responsibilities are more frequently updated. The UK has established cybercrime courts, specialised units, and public-private partnerships with technology firms to trace, block, and remove content more rapidly.
• United States: The Computer Fraud and Abuse Act (1986) provides clear penalties for unauthorized access. The U.S. also enforces strong collaboration with tech companies.
• European Union: GDPR has provisions for preserving data, breach notification, and cooperation among member states. Cross-border investigations are facilitated via networks like Eurojust and procedural instruments that reduce friction.

These comparative lessons suggest India can benefit from more specialised courts, faster mutual cooperation frameworks, and clearer intermediary responsibilities.

VIII. Proposals for Reform

Drawing from the identified gaps, here are reform suggestions that could strengthen enforcement without undermining fundamental rights:

• Specialised Cybercrime Courts
  Courts dedicated to cybercrime with trained judges and staff can reduce delays, improve quality of judgments, and build jurisprudence quickly.
• Capacity Building & Forensic Labs
  Expand access to certified digital forensics laboratories; build training programmes for police, prosecutors, and judiciary; invest in tools for preserving digital evidence (hashing, write-blocking etc.).
• Statutory Clarification & Legal Reform
  Amend the IT Act (or with BSA, newer statutes) to define newer offences (deepfakes, ransomware), clarify intermediary liability, set clear standards for digital evidence preservation, privacy protection.
• Stronger Data Preservation Mandates
  Make retention of server logs, CDRs mandatory for longer durations; faster procedures to seek preservation orders; penalties for intermediaries who don’t comply.
• International Cooperation & Streamlined MLATs
  India should negotiate more modern treaties, explore bilateral agreements with major cloud/hosting jurisdictions, set up fast track legal assistance, engage with global tech companies for cross-border data access.
• Public Awareness & Reporting Mechanisms
  Create awareness campaigns, simpler reporting tools, ensure privacy protections for victims to encourage more reporting; use I4C and similar bodies to coordinate at national level.

IX. Safeguarding Fundamental Rights

Any reform efforts must balance enforcement with rights such as freedom of expression, privacy, and procedural fairness:

• Interception powers (Section 69) must satisfy principle of proportionality and legal safeguards.
• Intermediary rules and takedown procedures should allow for notice and counter-notice to avoid overreach.
• Data accessed for investigations must be secure, and subject to oversight.
• Courts should ensure accused have ability to challenge digital forensic methods and chain of custody.

Conclusion

India stands at a critical juncture where digital growth and cyber threats are simultaneously accelerating. While legislative frameworks like the IT Act, IPC, BNS, and the Bharatiya Sakshya Adhiniyam provide the foundation, enforcement remains inconsistent across jurisdictions due to technological complexity and limited expertise. Judicial pronouncements have clarified crucial aspects of digital evidence and privacy rights, yet emerging challenges such as AI-enabled fraud, deepfakes, ransomware, and cross-border cybercrime require adaptive legal measures.
To ensure a secure digital ecosystem, India must adopt a multi-pronged strategy: updating laws to cover new technologies, enhancing institutional capacities, strengthening international collaboration, and educating citizens on cyber hygiene. Balancing privacy and security remains paramount. With comprehensive reforms and proactive enforcement, India can mitigate cybercrime risks while sustaining its digital growth trajectory, ultimately fostering public trust in digital platforms and ensuring justice in the online space.

References

• Aditya Bhattacharya, All About Digital Evidence, iPleaders (Apr. 2023), https://blog.ipleaders.in/all-about-digital-evidence/.
• Bhartiya Sakshya Adhiniyam, No. 47 of 2023 (India).
• Digital Evidence Emerging as Decisive Tool in Trials: Ex-Judge, Times of India (Aug. 2025), https://timesofindia.indiatimes.com/city/lucknow/digital-evidence-emerging-as-decisive-tool-in-trials-ex-judge/articleshow/123395039.cms.
• Information Technology Act, No. 21 of 2000 (India).
• Law Commission of India, Report No. 185: Review of the Indian Evidence Act, 1872 (2003).
• Pavan Duggal, Electronic Evidence in India: A Cyber Lawyer’s Perspective on Case Law Evolution, CISO Platform (Apr. 2025), https://www.cisoplatform.com/profiles/blogs/electronic-evidence-in-india-a-cyber-lawyer-s-perspective-on-case.