Digital Evidence and Cybercrime: Admissibility and Challenges under Indian Law

Introduction

Cyber-enabled crime has grown in quantity and complexity, and rules governing criminal procedure and evidence have been forced to evolve in response. Indian reaction has taken two courses (1) clarification of doctrine on admissibility and proving of electronic records; and (2) procedural and ecosystem approaches to collection, preservation and cross-border access. This paper charts that evolution and identifies the other fault-lines such as chain-of-custody, privacy and self-incrimination, platform encryption and traceability, and international cooperation. It ends with an advocate-focused checklist on making digital evidence trial-worthy.

The Doctrinal Arc: From Navjot Sandhu to Arjun Panditrao

Early approach under the Indian Evidence Act, 1872

Computer-output evidence through the contemporaneous certificate was the template established in Section 65B of the Indian Evidence Act (IEA). At the very outset, the Supreme Court in State (NCT of Delhi) v. Navjot Sandhu[1] permitted evidence of electronic records to be given by oral evidence and in other forms, which seems to have relaxed the certificate requirement.

In 2014, a three-judge bench in Anvar P.V. v. P.K. Basheer held that the Section 65B certificate was a prerequisite to admissibility of secondary electronic evidence; where the primary evidence is produced (original electronic media), no Section 65B is required.[2]

Shafhi Mohammad v. State of Himachal Pradesh declared that courts were free to relax Section 65B where a party is not in a position to reasonably obtain a certificate of secondary evidence.[3]

Settling the Law

In 2020, a coordinate three judge judicial panel declared in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal[4] that Shafhi Mohammad be per incuriam and clarified: (i) a 65B certificate is required to give as secondary electronic evidence; (ii) original electronic media itself can be led as primary evidence; (iii) courts may summon the certificate under procedural powers if justice so demands.

The New Framework: Bharatiya Sakshya Adhiniyam, 2023

The IEA has been superseded by the Bhartiya Sakshya Adhiniyam (hereinafter referred to as BSA), which came into force on 1 July 2024 and codifies a more technologically advanced evidence code. Section 61 provides that nothing in the Adhiniyam shall invalidate admissibility of electronic or digital records[5] and has identified their legal impact, validity and enforceability as traditional documents. Section 63 of BSA essentially repeats the 65B logic of computer output of a communication device. Simply, when you do not actually create the original media, you demonstrate a derivative computer output by relying on a certificate that satisfies statutory requirements including control, regular use, integrity, etc. [6]

The BSA incorporates electronic and digital records into the meaning of document and gives current presumptions about electronic signatures and electronic records. Such assumptions ease burden of proof when the conditions are established. Section 90 to 93 of the BSA, 2023 will streamline the establishment of electronic records since the court will assume that they are authentic. Section 90 deals with electronic records that are older than five years[7], Section 91 with electronic agreements[8], Section 92 with secure electronic records and digital signatures[9] and Section 93 with secure electronic messages[10]. These assumptions allow such records to be readily accepted into evidence unless the validity is actively being challenged.

Proving the Bits: Admissibility in Practice

Primary vs. secondary electronic evidence

Primary evidence refers to that evidence which is Produced as the original device or media and is used to establish integrity through hashing on seizure, unbroken chain, read-only imaging. No certificate is required to prove authenticity of primary electronic evidence.

Secondary evidence is that when you rely on a printout, exported file, or cloned copy, which requires a certificate of authenticity from the person presenting it as evidence, unless the original is itself produced.

The certificate: content and provenance

The certificate should: (i) identify the device(s) and the process used; (ii) state that the output was produced during regular operations; (iii) affirm integrity; (iv) be signed by a responsible official (ISP/cloud custodian/IT admin/forensic officer). Courts have accepted certificates by platform personnel or company officers who can speak to system use and integrity.[11]

If the adversary holds the system and refuses to cooperate, one can move the court to: (i) issue summons for a § 63 certificate; (ii) direct production under the Code; or (iii) take the original server logs as primary evidence under judicial custody.

If the prosecution withholds a working clone of a seized device or storage media, the defence may move the court for directions, seeking supply of a cloned copy under appropriate protective conditions. The court may permit supervised access in a certified forensic laboratory, ensure verification through hash values to maintain integrity, and impose safeguards to prevent tampering. This balances the accused’s right to a fair trial with the need to preserve the evidentiary value of the original device.[12]

Golden rules on seizure and imaging

At the time of seizure, a cryptographic hash value such as SHA-256 must be computed and recorded in the panchnama, and the same hash must be verified at every stage of transfer to ensure data integrity. Forensic imaging should be performed using write-blockers, creating a complete bit-for-bit clone of the storage media, and all examination should be conducted only on this clone while the original media remains sealed and preserved. Proper metadata discipline must be maintained by logging every instance of access, preserving system time and timezone settings, and documenting the tools and their versions used during the process.[13][14]

Privacy, Illegality, and Self-Incrimination

Illegally obtained digital evidence-admissible?

Indian law generally admits relevant evidence even if obtained unlawfully; the remedy lies in sanctioning the illegal act, not excluding the evidence per se.[15] The post-Puttaswamy privacy era injects proportionality scrutiny into state intrusions[16], but Pooran Mal’s rule has not been overruled.

Article 20(3)[17] and unlocking devices

Compulsion to provide fingerprints or voice samples is generally considered non-testimonial and permissible, as reaffirmed by the Supreme Court in Ritesh Sinha v. State of U.P.[18], which authorizes the taking of voice samples under judicial order. In contrast, techniques such as narco-analysis, polygraph tests, and Brain Electrical Activation Profile (BEAP) tests have been held to violate Article 20(3) when administered involuntarily, with the Court in Selvi v. State of Karnataka[19] emphasizing that such techniques infringe upon the right against self-incrimination and raise concerns about the admissibility of both the results and derivative evidence.

Platforms, Encryption, and Traceability

Rule 4(2) of the 2021 Intermediary Guidelines requires significant messaging platforms to enable “first originator” identification for specified offences.[20] WhatsApp has challenged this in the Delhi High Court, arguing it breaks end-to-end encryption. The matter remains sub judice; courts have not compelled de-encryption but do expect lawful cooperation on metadata and account-level records when warrants/requests meet statutory thresholds.[21]

Courts have accepted WhatsApp chat transcripts accompanied by system-level certificates from platform officers, provided integrity is shown.[22] Advocates should obtain both the chat export and a § 63 certificate referencing platform systems, export method, and hash values.

Conclusion

The Indian evidence law has now gone digital. The BSA is the solution to the gap between e-records and traditional records. The open questions are not conceptual. They straddled the boundary between privacy, encryption, and investigative requirements: forced decryption, scope-bound searches of devices, and traceability of encrypted messengers. The courts are expected to maintain the calibration on a case-by-case basis by utilizing the proportionality of Puttaswamy, but retaining the Pooran Mal rule of admissibility of illegally obtained evidence that is nonetheless probative. To advocates, the rule is simple: plan your collection and proof plan during the investigation phase, not the night before trial, and treat all the bytes as though they will be contested, because they will.

References

Statutes and Rules

1. Bharatiya Sakshya Adhiniyam, 2023, No. 47, 2023 (India).
2. Indian Computer Emergency Response Team (CERT-In), Directions Relating to Information Security Practices, Procedure, Prevention, Response and Reporting of Cyber Incidents (Apr. 28, 2022).
3. Intermediary Guidelines, 2021, (India).

Cases

1. State (N.C.T. of Delhi) vs. Navjot Sandhu and Ors. (04.08.2005 – SC) : MANU/SC/0465/2005.
2. Anvar P.V. vs. P.K. Basheer (18.09.2014 – SC) : MANU/SC/0834/2014.
3. Shafhi Mohammad vs. The State of Himachal Pradesh (30.01.2018 – SC) : MANU/SC/0058/2018.
4. Arjun Panditrao Khotkar vs. Kailash Kushanrao Gorantyal and Ors. (14.07.2020 – SC) : MANU/SC/0521/2020.
5. Dell International Services India Private Limited vs. Adeel Feroze and Ors. (02.07.2024 – DELHC) : MANU/DE/4392/2024.
6. Gopalkrishnan vs. State of Kerala and Ors. (29.11.2019 – SC) : MANU/SC/1652/2019.
7. The Director of Inspection of Income Tax (Investigation), New Delhi and Ors. vs. Pooran Mal and Sons and Ors. (20.09.1974 – SC) : MANU/SC/0255/1974.
8. Justice K.S. Puttaswamy and Ors. vs. Union of India (UOI) and Ors. (15.12.2017 – SC) : MANU/SC/1604/2017.
9. Ritesh Sinha vs. The State of Uttar Pradesh and Ors. (07.12.2012 – SC) : MANU/SC/1072/2012.
10. Selvi and Ors.  State of Karnataka  (05.05.2010 – SC) : MANU/SC/0325/2010.
11. Anvar P.V. vs. P.K. Basheer (18.09.2014 – SC) : MANU/SC/0834/2014.

Reports and News

1. Ministry of Home Affairs, Cases of cyber frauds Press Release: Press Information Bureau (2024), https://www.pib.gov.in/PressReleaseIframePage.aspx?PRID=2003158 (last visited Sep 5, 2025).
2. Sarita  Chaganti Singh, Nikunj Ohri & Jaspreet Kalra, India plans curbs on suspect bank accounts to fight cyber fraud, sources say Reuters (2024), https://www.reuters.com/business/finance/india-plans-curbs-suspect-bank-accounts-fight-cyber-fraud-sources-say-2024-04-25/ (last visited Sep 5, 2025).

[1] State (N.C.T. of Delhi) vs. Navjot Sandhu and Ors. (04.08.2005 – SC) : MANU/SC/0465/2005.

[2] Anvar P.V. vs. P.K. Basheer (18.09.2014 – SC) : MANU/SC/0834/2014.

[3] Shafhi Mohammad vs. The State of Himachal Pradesh (30.01.2018 – SC) : MANU/SC/0058/2018.

[4] Arjun Panditrao Khotkar vs. Kailash Kushanrao Gorantyal and Ors. (14.07.2020 – SC) : MANU/SC/0521/2020.

[5] Bharatiya Sakshya Adhiniyam, 2023, § 61, No. 47, 2023 (India).

[6] Bharatiya Sakshya Adhiniyam, 2023, § 63, No. 47, 2023 (India).

[7] Bharatiya Sakshya Adhiniyam, 2023, § 90, No. 47, 2023 (India).

[8] Bharatiya Sakshya Adhiniyam, 2023, § 91, No. 47, 2023 (India).

[9] Bharatiya Sakshya Adhiniyam, 2023, § 92, No. 47, 2023 (India).

[10] Bharatiya Sakshya Adhiniyam, 2023, § 93, No. 47, 2023 (India).

[11] Dell International Services India Private Limited vs. Adeel Feroze and Ors. (02.07.2024 – DELHC) : MANU/DE/4392/2024.

[12] P. Gopalkrishnan vs. State of Kerala and Ors. (29.11.2019 – SC) : MANU/SC/1652/2019.

[13] Indian Computer Emergency Response Team (CERT-In), Directions Relating to Information Security Practices, Procedure, Prevention, Response and Reporting of Cyber Incidents ¶ 6 (Apr. 28, 2022).

[14] Scientific Working Group on Digital Evidence (SWGDE), Best Practices for Computer Forensics 3–5 (2020).

[15] The Director of Inspection of Income Tax (Investigation), New Delhi and Ors. vs. Pooran Mal and Sons and Ors. (20.09.1974 – SC) : MANU/SC/0255/1974.

[16] Justice K.S. Puttaswamy and Ors. vs. Union of India (UOI) and Ors. (15.12.2017 – SC) : MANU/SC/1604/2017.

[17] INDIA CONST. art. 20, cl.2.

[18] Ritesh Sinha vs. The State of Uttar Pradesh and Ors. (07.12.2012 – SC) : MANU/SC/1072/2012.

[19] Selvi and Ors.  vs. State of Karnataka  (05.05.2010 – SC) : MANU/SC/0325/2010.

[20] Intermediary Guidelines, 2021, R.4, cl.2, 2021 (India).

[21] Anvar P.V. vs. P.K. Basheer (18.09.2014 – SC) : MANU/SC/0834/2014.

[22] Dell International Services India Private Limited vs. Adeel Feroze and Ors. (02.07.2024 – DELHC) : MANU/DE/4392/2024.