SYNOPSIS This is a public interest writ petition under Article 32 read with Articles 14, 19(1)(a) and 21 of the

Constitution of India seeking directions against the Respondents to frame an

appropriate regulatory framework of Rules, regulations and guidelines for effective investigation of cyber crimes, keeping in mind the fundamental rights of citizens. The Petitioner has also sought directions against the Respondents to carry out proper and widespread awareness campaigns particularly for investigating agencies, intermediaries such as internet service providers and the judiciary, regarding the various forms of cyber crime sought to be criminalized by the IT Act or any other penal law used to tackle cyber crime. The Petitioner has also prayed that this Hon'ble Court be pleased to frame guidelines to be followed by the investigating agencies and the judiciary in handling cyber crime cases so as to protect the fundamental rights of citizens during the intervening period before the Respondents frame the appropriate regulatory framework. There is a near total lack of procedural safeguards in the prevalent system of cyber crime investigation. Police harassment of citizens, whether out of intention or ignorance, is rampant. There are several instances where the police and private entities cooperating with the police during cyber crime investigations have

displayed great negligence and apathy towards innocent citizens. Conventional investigative methods unsuited to dealing with complex cyber crime are nevertheless being followed, leading to police harassment of citizens. Even in a tech-savvy city like Pune, which is touted as an IT hub, the police do not follow a proper and coordinated investigative procedure, as is evidenced by the case of the Petitioner himself. The Information Technology Act has provided that any police officer of the rank of sub-inspector can investigate cyber offences, but there are no criteria for training or knowledge for such officers in order to properly equip them to handle cyber crime, leading to harassment of citizens. The country has progressed in leaps and bounds in terms of information technology, to the point where mobile phones, computers and internet usage are not only common but are also necessities. The Indian Government is digitizing governance, social networking is being used from camaraderie to campaigning, and people are connected to each other in unprecedented ways. The negative side to all this is increasing cyber crime that no doubt needs to be tackled. However, in the absence of proper procedures for investigation and safeguards, citizens are even more vulnerable to police harassment. There is also no uniformity in cyber security control and enforcement practices.

Cyber crime by its very nature can be perpetrated in practically any location in the world. A cyber criminal can sit in one place and commit a crime the effect of which are felt elsewhere, or can malign the name or identity of another person located elsewhere, or even create the false impression that someone else has committed the crime. In such circumstances, it is very necessary that the investigating machinery should take care while investigating, particularly in light of the highly stringent provisions of the IT Act, which prescribe bailable but cognizable offences. The investigations are also dependent on intermediaries such as internet service providers. There are no proper provisions to ensure accountability of intermediaries for their functions in aiding police investigations. The Petitioner has placed his own case before this Hon'ble Court as an illustration of the negligence and lack of knowledge on the part of the police as well as the lower judiciary, and the complete apathy of an intermediary in face of such negligence. The Petitioner has been accused of a cyber crime under Section 66C of the IT Act, for allegedly creating a false profile of a lady on the social networking website Facebook. The said lady lodged separate complaints before the Cyber Crime cell, Pune as well as in the Wanavdi police station, Pune. Each complaint was investigated by officers from the aforesaid branches of the police. The cyber crime cell sent emails to Facebook seeking first login details of the

false profile, and received a reply from Facebook containing the date, time and Internet Protocol (IP) address from which the profile was created. The said date was stated in a format used in the United States of America, which is different from the commonly used format in India, and was accordingly misinterpreted by the police leading to the criminal case against and the arrest of the Petitioner. During investigation, the officer of the Cyber crime cell, Pune sought information of the user of the IP address given by Facebook from an internet service provider, giving a date that was different from the date given by Facebook. Moreover, the investigating officer of the Wanavdi police station, while

investigating into the near-identical complaint of the lady, in fact sent three different letters to the same internet service provider for three different dates, all of which were different from the one indicated by Facebook to the Cyber crime cell, Pune. The internet service provider finally provided login details for the IP address for an entirely different date altogether, on which date the Petitioners name was shown as having used the said IP address. Later, Facebook even clarified its date format and informed the police the correct date of creation of the false profile, but the police never requested the internet service provider to provide login details for the correct date. Instead the police chose to pursue the case against the Petitioner, even though the record of documents filed

by the police themselves before the Ld. Magistrate in Pune shows that the internet service provider gave login details for a wrong date. Such cases of gross negligence and ignorance and police excesses are not unheard of. This Hon'ble Court is currently seized of another public interest litigation over the arrest of two girls in Thane for publishing a post on Facebook criticizing a bandh called in Mumbai following the death of a prominent political figure in Maharashtra. In 2010, a software engineer in Bengaluru was arrested and kept in custody for over 50 days on account of a wrong IP address given by an internet service provider during the investigation of certain offending content on another social networking website. The Petitioner has placed other examples of such lapses before this Hon'ble Court in the Petition. In light of the urgent need for clarity in investigative methods and procedures and the requirement of a proper regulatory framework for investigating cyber crime, the Petitioner has filed the present Petition under Article 32 and has raised substantial questions of law herein.

LIST OF DATES The Petitioner has stated his own case of police harassment faced by him before this Hon'ble Court to place the need of intervention of this Hon'ble Court. The Petitioner has collected information from the criminal case and chargesheet filed against him. 31.08.2010 A complaint is filed by a lady through a letter to the Cyber crime cell, Pune alleging that her husband who was seeking a divorce from her had made a false Facebook profile in her name and had uploaded her photograph on to the said profile and was posting defamatory things about her on Facebook. The complaint is numbered as

Application No. 194 of 2010. 15.09.2010 The officer in the Cyber crime cell, while

investigating the Application No. 194 of 2010 filed by the Complainant, sent a Letter to the Chief Technical Officer of Facebook under Section 91 Cr.P.C. requesting certain details in respect of two Facebook profiles, including that made in the name of the complainant lady. 25.09.2010 The officer in the Cyber Crime Cell, Pune sent an email to Facebook containing an identical request

for information on the given Facebook profiles. 17.10.2010 Facebook replied and provided the first login dates for the two Facebook profiles for which the Cyber Crime Cell had asked for details. The date indicated by Facebook for both the logins was 08/10/10. Facebook also gave the IP address 123.252.208.209 from which the two profiles had been created. 21.10.2010 The officer in the Cyber Crime Cell, Pune sent a Letter to the internet service provider (ISP) asking for certain login details such as physical address of the user of the IP address 123.252.208.209, name of the subscriber, type of internet connectivity, etc. The date of login for which the Cyber Crime Cell asked the details was given as August 10, 2010. Thus, the officer in the Cyber Crime Cell had assumed that the date of first login provided by Facebook, viz. 08/10/10 was in the month-dayyear format and referred to August 10, 2010. 22.10.2010 The Cyber Crime Cell officer sought a clarification via email from Facebook on the format of the date given by Facebook in its email dated October 17, 2010, i.e. whether the date was given in daymonth-year format or month-day-year format, and

accordingly was the date indicated by Facebook October 8, 2010 or August 10, 2010. 01.12.2010 The female complainant lodged another complaint at the Wanavdi Police Station which was numbered as Cr. No. 3265 of 2010 under Section 66C of the IT Act, Pune over the same false Facebook profile. 18.12.2010 The Investigating Officer of the Wanavdi Police station sent a Letter by email to Facebook asking for login details of the creator of the alleged false profile, giving nothing more than the name of the Complainant. 20.12.2010 Facebook replied that it could not provide the required details based only the name of the Complainant, and that the Investigating Officer, Wanavdi Police station needed to give additional identification information, such as user ID number and email address. 24.12.2010 The Investigating Officer, Wanavdi Police station sent a Letter to the ISP asking for details of the user of the IP address 123.252.208.209 for the date 10/10/2010. 30.12.2010 The Investigating Officer, Wanavdi Police station sent another letter to the ISP asking for details of the user of the same IP address, i.e.

123.252.208.209, this time for the date of use being 10/09/2010. The date of the Letter stated at the top of the Letter is indicative of the fact that the Investigating Officer was stating the date in the day-month-time format and, therefore, it appears that the Investigating Officer requested the login details of the user of the said IP address for the date September 10, 2010. 15.02.2011 Facebook replied to the email dated October 22, 2010 of the Cyber Crime Cell, Pune informing the latter that the information provided by it in respect of date of first login of the false profiles was in a year-month-day format. Therefore, the date of first login of the false profiles created by the user of the IP address 123.252.208.209, indicated by Facebook to be 08/10/10 was in fact October 10, 2008. 18.02.2011 The Investigating Officer of the Wanavdi police station sent another Letter to the ISP asking for login details once again of the user of the same IP address, i.e. 123.252.208.209. This time, the Investigating Officer gave the date of login as August 10, 2010. 09.03.2011 The ISP gave details of the user of IP address

123.252.208.209.

However,

for

reasons

best

known to the ISP, the date for which the information was given was October 9, 2010, i.e. a completely different date from what was

requested. From the information provided by the ISP, it is clear that on October 9, 2010, between the hours 07:57:07 (i.e. 07:57 a.m.) and 18:20:06 (i.e. 06:20 p.m.) the IP address 123.252.208.209 was used by the internet dialer owned by the Petitioner. 11.03.2011 The Investigating Officer of the Wanavdi police station sent a Notice to the Petitioner informing him that Cr. No. 3265 of 2011 was registered against him under Section 66-C of the Information Technology Act, 2000 and that he was to remain present in the Wanavdi Police station on March 14, 2011 at 11:00 a.m. 19.04.2011 The Petitioner was arrested and was taken to JMFC, Cantonment, Pune. 27.04.2011 The police filed the chargesheet in the court of the Ld. JMFC, Cantonment, Pune. The Ld. JMFC Cantonment issued process against the Petitioner on the same date. The Petitioner has come across a rising number of

cases where the police have harassed citizens in the name of cyber crime. Hence, the present Petition filed by the Petitioner before this Hon'ble Court.

IN THE SUPREME COURT OF INDIA ORIGINAL JURISDICTION WRIT PETITION (CRL.) NO. (PUBLIC INTEREST LITIGATION) IN THE MATTER OF: Mr. Dilipkumar Tulsidas Shah, age: about 64 years, Occu.: Industrialist, residing at C-5, Lakshadweep Society, PCNTDA, Bhosari, Pune VERSUS PETITIONER OF 2013

1. Union of India Through the Secretary of (IT),

Department Technology,

Information Ministry of

Communications & Information Technology, Government of

India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi 110003. 2. The State of Maharashtra Through the Home Department, Mantralaya, Mumbai RESPONDENTS

WRIT

PETITION

UNDER

ARTICLE

32

OF

THE

CONSTITUTION OF INDIA IN THE NATURE OF PUBLIC INTEREST LITIGATION FOR ISSUANCE OF A WRIT IN THE NATURE OF MANDAMUS OR ANY OTHER WRIT ORDERS OR DIRECTIONS TO FRAME INTER-ALIA AN TO THE RESPONDENTS APPROPRIATE

REGULATORY FRAMEWORK OF RULES, REGULATIONS AND GUIDELINES FOR EFFECTIVE INVESTIGATION OF CYBER CRIMES, KEEPING IN MIND THE FUNDAMENTAL RIGHTS OF CITIZENS. To, The Hon'ble Chief Justice of India and His Companion Justices of the Hon'ble Supreme Court of India. The Humble petition of the appellant above named: MOST RESPECTFULLY SHOWETH
1.

That the petitioner is a citizen of India and seeks your lordships leave to prefer a Writ Petition in this Hon'ble Court under Article 32 of the Constitution of India as the fundamental rights of the Petitioner as well as other citizens enshrined in Articles 14, 19(1) (a) and 21 of the Constitution of India are infringed by inaction on the part of the Respondents. The Petitioner has not approached any authority for the reliefs similar to the subject matter of the writ petition as similar Writ Petition (Crl.) no.167/2012 titled as Shreya Singhal vs. UOI & ors. is pending before Honble Supreme Court.

2.

That the present Petitioner has not filed any other petition in any High Court or the Hon'ble Supreme Court of India on the subject matter of the present petition seeking identical reliefs.

3.

That the brief facts giving rise to the instant Writ Petition are as follows:
A.

That the petitioner is 63 years old and currently resides at the address in the cause title. The Petitioner runs a Private Limited Company by name Decon Equipment & Systems Pvt. Ltd. having its office at Plot No. 304, Sector No. 10, PCNTDA, Bhosari, Pune. The Petitioner is the Managing Director of the said Company. The said Company is engaged into

manufacturing of machinery. That the Respondent No. 1 is the Union of India through the Secretary (IT), Department of Information Technology, Ministry of Communications & Information Technology. The said Department is generally responsible for implementation of the Information Technology Act, 2000. The Respondent No. 2 is the Home department of the State of Maharashtra which has general control and supervision over the police machinery in the State of Maharashtra.
C.

B.

That the Petitioner has filed the present Petition to place before this Hon'ble Court the near total lack of procedures and existing safeguards currently prevailing in the system of investigation of cyber crime, leading to police harassment of citizens and violation of fundamental rights, and the urgent

need for the intervention of this Hon'ble Court to direct the appropriate authorities to frame rules and regulations for the same. Therefore, the Petitioner states that the above Respondents are necessary parties in the Petition. That there are several instances even in the past where the police as well as private entities purportedly cooperating with the police during investigation of cyber offences have displayed blatant negligence and total apathy towards innocent citizens and have harassed citizens by following conventional methods of investigation that are unsuited to the specialized needs of cyber forensic investigation. As and by way of illustrations, the Petitioner wishes to place on record newspaper reports of certain cases where the IT Act has been abused by investigating agencies to the detriment of citizens and the same are annexed hereto and marked as Annexure 'P-1' Colly(Pages to ) are newspaper reports

D.

of recent cases of police harassment. The Petitioner is himself a victim of the gross ignorance, negligence and callous attitude of the police who have acted against him in total disregard of statutory or constitutional safeguards. E. That the city of Pune, for example, is considered as one of the IT hubs of the world. There are thousands of IT companies having operations in the city. However, the Pune

police lack the basic infrastructure or even the knowledge to deal with cyber crime as can be seen from the facts laid down in the present Petition hereunder. That the Petitioner, on account of lack of knowledge of the police and cyber crime cell in Pune, touted to be an I.T. hub, faced mental tension, agony and was made to suffer the indignity and stress of being arrested for an alleged cyber crime immediately after he had undergone a coronary bypass surgery. The Petitioner, on receipt of the chargesheet, came to know that the entire case against him was on account consistent and repeated mistakes and negligence on the part of two separate branches of police, i.e. the cyber crime branch of the Pune police and the Investigating Officer, Wanavdi Police Station, Pune, in reading the date of commission of the alleged offence. The offence was of creation of a fake profile on the social networking website Facebook, and the said website had informed the cyber crime cell of the date of creation of the profile. The said date was stated in a format used in the United States of America, which is different from the commonly used format in India, and was accordingly misinterpreted by the police leading to the criminal case against the Petitioner.

F.

G.

The Petitioner, on coming to know of the police cases against him, had initially approached the Hon'ble Sessions Court, Pune as and by way of Cri. M.A. 1262 of 2011, seeking anticipatory bail apprehending arrest. However, the Hon'ble Sessions Court was not inclined to interfere and the bail application was withdrawn considering that the offences that the Petitioner was charged with under the I.T. Act were bailable. However, when the Petitioner was later produced before the Ld. Magistrate, Cantonment, Pune, the police sought the custody of the Petitioner by citing provisions under the Indian Penal Code. The Petitioner was released on bail thankfully due to adequate knowledge of the law by the Ld. Magistrate. All of these events occurred within a period of 30 days from the coronary bypass surgery of the Petitioner. Therefore, the Petitioner has filed the present Petition under Article 32 of the Constitution of India, especially after seeing more examples of the blatant violation of fundamental rights that have come up recently. That the Petitioner has raised the following Questions of Law in the present Petition: a. When technology is so advanced and misuse of the

H.

advancement of technology is possible even by minors, and where such misuse can directly affect the fundamental rights of victims of misuse, whether the Union and State

Governments are duty bound to provide safeguards to protect the fundamental rights of citizens? When investigating agencies such as the police are

b.

duty bound to prevent unnecessary harassment of citizens during the course of investigation or even otherwise, can the Judiciary remain a silent spectator when citizens are being harassed on account of misuse of technology and ignorance of everybody involved in the investigating mechanism and the administration of justice? Whether in the current state of lack of clarity in the law

c.

and in investigative procedures, and lack of safeguards against abuse of investigative procedures not suited to tackle modern-day cyber crime, whether the Judiciary is in a position to deal with offences of misuse of Information technology and to protect the fundamental rights of citizens? d. Whether the Judiciary can remain a silent spectator

when fundamental rights of the freedom of speech and expression, the right to life and personal liberty, equality before the law and equal protection of the law are being encroached upon regularly by the investigative machinery either on account of ignorance or mala fide intentions?

e.

When Information technology is a part of everyday life

in society, and where inadvertent or intentional misuse of such technology can lead to the harassment of citizens for no fault of theirs, whether the intervention of this Hon'ble Court has become necessary in the public interest and whether appropriate directions should be issued by the Hon'ble Court in exercise of its extraordinary powers under Article 32 of the Constitution of India? When it is the duty of this Hon'ble Court, as well as all

f.

other courts in India to protect and safeguard the fundamental rights of citizens, and where the same are being violated by the police through arbitrary and / or ignorant exercise of power under the IT Act, or through the misuse of its provisions by persons, whether the intervention of this Hon'ble Court has become necessary? That India has over the years emerged as a global hub for information technology. Computers and the internet are no longer largely an urban phenomenon, and with the advent of mobile internet using cellular phones and internet dialers, the numbers of people using computers and internet resources in India have grown at a staggering rate. However, the Petitioner states that though technology continues to advance at a continually accelerating pace, the legal

I.

framework within which the users of technology are to operate is failing to catch up or keep up. This has resulted in a complete lack of uniformity in cyber security control and enforcement practices. That the legislature has sought to make ambitious strides in the field of information technology regulation by augmenting the IT Act with amendments and rules. The Act itself has given a kind of global jurisdiction to the courts in India to try cyber offences that take place even outside India. Section 75 of the IT Act makes the Act applicable to offences committed outside India, if such offences involve computers, computer systems or computer network located in India. The nature of cyber crime and the ability of perpetrating cyber crimes from and in remote or far off locations may have called for such an approach of jurisdiction without boundaries. However, even this aspect opens the field for rampant misuse allowing miscreants or trouble makers to harass people. The Petitioner states and submits that when courts can try cyber offences in such a flexible manner, there is an urgent need to provide statutory or regulatory safeguards to prevent abuse of the process of law by miscreants or troublemakers seeking to exploit the possibility of such jurisdictional ubiquity.

J.

K.

That, on account of the wide penetration and reach of the internet, there can be instances where a person based in say, Jammu is accused of a cyber crime in say Kanyakumari, though he may not have committed or even be aware of any such offence. However, on account of the jurisdictional flexibility of the IT Act, a criminal offence can be registered and tried against him in Kanyakumari, and he will have to face the utter humiliation of arrest, a criminal trial and the cost and inconvenience of travelling to and fro from his home or place of residence to another place to attend court dates. That the internet has facilitated communication and

L.

exchange of information and services in an unprecedented and incredibly widespread manner, such that people from every part of the world can easily connect and communicate with each other. However, the easy availability and relative anonymity of cyberspace have also led to a vast and ever increasing cesspool of new offences loosely termed as cyber offences. Moreover, the proliferation and popularisation of user friendly services such as electronic mail, social networking websites, internet banking, e-commerce, egovernance, etc. have made it not only possible, but also very easy for practically anybody to commit a cyber offence, though that is not the intention of such services. Often people are even unaware that they may be committing an

offence through their activities, and on occasion certain activities are categorised as offences only after they come to light. That, on the other hand, that there are countless examples of misuse of information technology, and the possibility of mala fide misuse has become increasingly simpler with newer technologies. It is possible today for a person sitting in any part of the country to create trouble for others in any other part of the country or indeed the world. The following activities, for example, can be done easily by almost anybody with some minimal knowledge of computers and relevant software:
a. Hacking into someones computer system and using

M.

his personal data, email ids, etc.; b. Misusing email or other IDs in working

organisations; c. Sending emails / messages from someone elses IT system or cell phone; d. Creating false profiles of persons on social

networking websites and putting up pornographic images or spurious or scandalous messages in the name of such persons; e. Publicly defaming people over the internet

It is not only ordinary citizens that are victims of such misuse. The Government and private enterprises also face cyber attacks. The Petitioner submits that even the website of the Tata Consultancy Services, a premier IT services solutions company and Indias largest software exporter, was hacked into in early 2010 and a message stating This domain name is for sale was displayed on the website. It took three days before the message could be removed from the website, if media reports are to be believed. Another major example as reported in newspapers is that on December 9, 2011, hackers broke into the official website of the Indian National Congress and put a pornographic message in the profile page of Mrs. Sonia Gandhi. That in such circumstances, it is not merely logical but also imperative that specialized law and investigating procedures are required to be made to effectively deal with cyber offences. Such law and procedures must also be able to distinguish any inadvertent lapses from mala fide offences without harassing innocent citizens. The Petitioner submits that to meet this requirement, the Government of India enacted the Information Technology Act, 2000. Thereafter, the ever changing landscape of information technology and the increasing array of cyber offences prompted the Central

N.

Government

to

pass

the

Information

Technology

(Amendment) Act in 2008, wherein many new penal provisions were introduced and an effort was made to empower the police by allowing policemen of at least subinspector rank to investigate cyber offences. However, no investigation procedures were prescribed to tackle complex cyber offences. That while the threat of cyber crime is only increasing, the threat to civil liberty in the name of cyber crime is also becoming increasingly apparent, though this is not an aspect that has been focused upon in the prevalent law and investigative mechanism. According to statistics recently released by the National Crimes Record Bureau and the Indian Computer Emergency Response Team (CERT-In), over 14,000 websites have been hacked in India till October in the year 2012 alone. 294 websites belonging to various ministries and government departments were hacked

O.

between January and October 2012. In terms of cases registered, in 2009, 2010 and 2011, 696, 1322 and 2213 cases were respectively registered under the IT Act and IPC provisions used to tackle cyber crime. The Petitioner submits that, in 2011, a total of 1,184 persons were arrested for alleged cyber crimes under the I.T. Act, and 446 persons were arrested under IPC sections being used to tackle cyber

crime. Thus, in 2011 alone, 1630 persons were arrested on allegations of cyber crime. Out of these, 496 cases were registered for alleged obscene publication / transmission in electronic form, and 443 persons were arrested. Hereto annexed and marked as Annexure 'P-2' (Pages to )is a

copy of a newspaper article with the aforesaid statistics published on the website of the Indian Express newspaper at the link http://www.indianexpress.com/news/over-14000as last

websites-hacked-in-this-year-till-oct-govt/1046050 visited on 18.01.2013 at around 08:26 a.m. P.

That the official statistics that are placed in the previous para only cover the reported cases of cyber crime. However, most cases of cyber crime are never reported to the police, and only a fraction of the reported cases are lodged as FIRs. That for the specific purpose of the present Petition, the Petitioner would like to place before this Hon'ble Court the concept of Internet Protocol or IP addresses. Accordingly, the Petitioner states as under: a. The Petitioner states that an IP address is a code made

Q.

up of numbers separated by three dots that identifies a particular computer on the internet. Every computer requires an IP address to connect to the internet.

b.

Internet service providers typically provide dynamic IP

addresses, i.e. IP addresses which change every time a user logs on to the internet. As of today, the system of IP addresses commonly

c.

used is known as Internet Protocol Version 4 or IPv4, and this system is also used by internet service providers in India for the internet services provided by them. The Petitioner states that as per the IPv4 system, theoretically the possible number of unique IP address combinations is 4,294,967,296 (Four Hundred Twenty Nine Crores Forty Nine Lakhs Sixty Seven Thousand Two Hundred Ninety Six), but in practice the number of IP addresses actually used are far less. Every internet service provider is provided with a limited number of IP addresses which it can then allot to its customer pool. d. Since the IP addresses are limited in number and the

number of users of the internet is ever increasing, the internet service providers provide dynamic IP addresses so that the same IP address is allotted to multiple users, and each user gets a different IP address every time he logs onto the internet. Any user who desires a fixed or static IP address has to apply for the same from the internet service provider and has to pay separate charges for the same.

e.

Since every computer that connects to the internet

must have an IP address that can be traced, therefore, the IP address of a user is such data which can identify or purports to identify a person who is using the said IP address at a given point of time. That keeping the above technical information in mind, the Petitioner humbly wishes to place his own case before this Hon'ble Court as an illustration of how the police and cyber crime investigative forces and even internet service providers are following haphazard methods of investigation with total disregard to the fundamental and legal rights of an unsuspecting public. The Petitioner is placing his case before this Hon'ble Court to display the urgent and imminent need for this Court to intervene and give directions to the appropriate authorities to frame proper rules of investigation and to safeguard the rights of citizens from being abused by investigative authorities, particularly in light of the stringent provisions of the IT Act and their wide ambits. That the Petitioner is a Managing Director of a small scale company by name Decon Equipment & Systems Pvt. Ltd. The Petitioner purchased for official purpose a data card / dialer issued by Tata Teleservices (Mah) Ltd., which is an Internet Service Provider (for short the ISP).

R.

S.

T.

That the Petitioner had undergone a coronary artery bypass grafting surgery in March 1, 2011 to clear 4 blockages in his heart. He was discharged from his hospital in Pune on March 10, 2011. However, prior to his discharge, he was approached by the police and was told that an offence is registered under Section 66C of the IT Act for creating a false profile of a lady (hereinafter the Complainant) on the social networking website called Facebook. The Petitioner has not disclosed the name of the Complainant in the Memo of the Petition in order to protect her identity. The police informed the Petitioner, to the latters great shock and surprise, that the USB internet dialer / data card purchased by the Petitioner from the ISP was used to create a false account of the Complainant on Facebook. That the Petitioner deployed an officer from his company to get details of the criminal case. The Petitioner states that from the information gathered by him he came to know that the Complainant is the original complainant in CR. No. 3265 of 2010 lodged in the Wanavdi police station, Pune. The Complainant had also lodged a separate complaint before the Cyber Crime Cell of the Crime Branch in Pune by Letter dated August 31, 2010 alleging that her husband who was seeking a divorce from her had made a false Facebook profile in her

U.

name and had uploaded her photograph on to the said profile and was posting defamatory things about her on Facebook. It was also further alleged in the complaint that her husband was calling her on her landline telephone and was abusing her with foul language. The said written complaint was registered as Application No. 194 of 2010 by the Cyber Crime Cell, Crime Branch, Pune. The Petitioner is in possession of the said Application No, 194 of 2010 and the same can be tendered. However, the Petitioner has not annexed the same at this time to protect the identity of the Complainant. The Petitioner craves leave of this Hon'ble Court to produce the said document if required. That from the case records gathered by the Petitioner, it appears that on September 15, 2010, the Cyber Crime Cell, while investigating the Application No. 194 of 2010 filed by the Complainant, sent a Letter to the Chief Technical Officer of Facebook under Section 91 Cr.P.C. requesting certain details in respect of two Facebook profiles, one allegedly created in the name of one Mr. Karun Malhotra and the other allegedly created in the name of the Complainant.

V.

Thereafter, on September 25, 2010, the Cyber Crime Cell sent an email to Facebook containing an identical request for information on the given Facebook profiles. Hereto annexed and marked as Annexure P-3 colly. (Page to )are

copies of the Letter dated September 15, 2010 and the email dated September 25, 2010 of the Cyber Crime Cell. That by an email dated October 17, 2010, Facebook replied and provided the first login dates for the two Facebook profiles for which the Cyber Crime Cell had asked for details. The date indicated by Facebook for both the logins was 08/10/10. Facebook also gave the IP addresses from which the two profiles had been created. From the information provided, it seemed that the two profiles were created from the same IP address, i.e. 123.252.208.209, on the same day. However, Facebook stated that on account of technical limitations, it could not attest to the completeness of any IP logs provided. Hereto annexed and marked as Annexure 'P4' (Page to )is a copy of the email dated October 17,

W.

2010 of Facebook. That based on information received from Facebook, the Cyber Crime Cell sent Letter dated October 21, 2010 to the ISP, asking for certain login details such as physical address of the user of the IP address 123.252.208.209, name of the subscriber, type of internet connectivity, etc. The date of login for which the Cyber Crime Cell asked the details was given as August 10, 2010. The Petitioner states that for the purpose of the letter dated October 21, 2010 to the ISP, the

X.

Cyber Crime Cell had assumed that the date of first login provided by Facebook, viz. 08/10/10 was in the month-dayyear format and referred to August 10, 2010. Hereto annexed and marked as Annexure 'P-5' (Page no. to ) is

a copy of letter dated October 21, 2010 of the Cyber Crime Cell. That on October 22, 2010 the Cyber Crime Cell sought a clarification via email from Facebook on the format of the date given by Facebook in its email dated October 17, 2010, i.e. whether the date was given in day-month-year format or month-day-year format, and accordingly was the date indicated by Facebook October 8, 2010 or August 10, 2010. The Cyber Crime Cell also sought a clarification on the time format. Hereto annexed and marked as Annexure 'P-6' (Pages no. to )is a copy of email dated October 22, 2010

Y.

of the Cyber Crime Cell. The Petitioner submits that the Cyber Crime Cell sought the aforesaid clarification from Facebook only after sending a request for details to the ISP as mentioned in the preceding sub-para, thereby displaying negligence at this stage of the investigation itself.
Z.

That thereafter, on December 1, 2010, the Complainant lodged a complaint at the Wanavdi Police Station which was numbered as Cr. No. 3265 of 2010 under Section 66C of the IT Act, Pune. In the said complaint, the Complainant alleged

that an unknown person had created a false Facebook account profile in her name, had uploaded her photograph onto the said profile and had posted defamatory material in her name online. The Petitioner states that in the said complaint, the Complainant mentioned the marital problems with her husband, but did not accuse him of creating the false Facebook profile, although she had made this

accusation in her Application No. 194 of 2010 filed with the Cyber Crime Cell, Pune. She also failed to disclose the existence of the Application No. 194 of 2010 in the said complaint. The Petitioner is in possession of the said FIR and the same can be tendered. However, the Petitioner has not annexed the same at this time to protect the identity of the Complainant. The Petitioner craves leave of this Hon'ble Court to produce the said document if required. AA. The Petitioner states that the offence for which the said Cr. No. 3265 of 2010 was registered was Section 66C of the IT Act. The said Section 66C reads as under: Section 66C. Punishment for identity theft. (Inserted Vide ITA 2008): Whoever, fraudulently or dishonestly make use of the

electronic

signature,

password

or

any

other

unique

identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

The Petitioner states that from the Section quoted above, it is clear that for the offence to have been committed there must be fraudulent or dishonest use of an electronic signature, password, or any other unique identification feature of a person. That the Investigating Officer of the Wanavdi Police station sent a Letter dated December 18, 2010 to Facebook asking for login details of the creator of the alleged false profile, giving nothing more than the name of the Complainant. By an email dated December 20, 2010, Facebook replied that it could not provide the required details based only the name of the Complainant, and that the Investigating Officer needed to give additional identification information, such as user ID number and email address. From the records obtained by the Petitioner, it appears that the Investigating Officer did not correspond with Facebook after this. The Petitioner is in possession of the aforesaid correspondence between the Investigating Officer of the Wanavdi police station and Facebook and the same can be tendered. However, since the same mention the name of the Complainant, the Petitioner has not annexed the same at this time to protect the identity of the Complainant. The Petitioner craves leave of this Hon'ble Court to produce the said document if required

BB.

CC.

That the aforesaid correspondence between the Investigating Officer of the Wanavdi police station and Facebook itself shows the level of ignorance and the insufficiency of technical knowledge prevailing in the police ranks, even in an IT hub like Pune, and the need for urgent intervention of this Hon'ble Court to regularize proper and appropriate

procedures for investigating cyber offences, and to direct the appropriate ministries, departments and services to spread awareness among investigating agencies. That thereafter, the Investigating Officer sent a Letter dated December 24, 2010 to the ISP asking for details of the user of the IP address 123.252.208.209 for the date

DD.

10/10/2010. The Petitioner states that the Cyber Crime Cell had through its Letter dated October 21, 2010 (Annexure P5 herein) had requested the ISP to provide details for the same IP address, albeit for a different date. The Petitioner states that the Investigating Officer of the Wanavdi police station obtained the said IP address or the login and logout times indicated by him in his letter dated December 24, 2010 from the Cyber Crime Cell which had been investigating the alleged offence under the Application No. 194 of 2010. Hereto annexed and marked as Annexure 'P-7'(Page no. to ) is a copy of the letter dated December 24, 2010 of the

Investigating Officer of the Wanavdi police station.

EE.

That the said Investigating Officer sent another letter dated December 30, 2010 to the ISP asking for details of the user of the same IP address, i.e. 123.252.208.209. However, in this letter the Investigating Officer indicated the date of use of the said IP address as 10/09/2010. The Petitioner states that the date of the Letter stated at the top of the Letter is indicative of the fact that the Investigating Officer was stating the date in the day-month-time format and, therefore, it appears that the Investigating Officer requested the login details of the user of the said IP address for the date September 10, 2010. The Petitioner states that states that there is nothing on record to indicate the basis for this date. Hereto annexed and marked as Annexure 'P-8' (Pages no. to )is a copy of letter dated December 30, 2010 of the

Investigating Officer. That thereafter on February 15, 2011, Facebook replied to the email dated October 22, 2010 of the Cyber Crime Cell, informing the latter that the information provided by it in respect of date of first login of the false profiles was in a year-month-day format. The Petitioner states that, therefore, it is clear from the emails dated October 17, 2010 (Annexure P-4 herein) and February 15, 2011 that the date of first login of the false profiles created by the user of the IP

FF.

address 123.252.208.209, indicated by Facebook to be 08/10/10 was in fact October 10, 2008. Hereto annexed and marked as Annexure 'P-9'(Pages no. to ) is a copy

of the email dated February 15, 2011 of Facebook. That the Cyber Crime Cell & the Investigating Officer of the Wanavdi police station had been working together in the investigation of the Cr. No. 3265 of 2010. However, despite the clarification received from Facebook in the email dated February 15, 2011 regarding the date of first login of the false profiles, the said investigating agencies failed to investigate the date given by Facebook, viz. October 10, 2008. Instead the Investigating Officer of the Wanavdi police station sent another Letter dated February 18, 2011 to the ISP asking for login details once again of the user of the same IP address, i.e. 123.252.208.209. This time, the Investigating Officer gave the date of login as August 10, 2010. Hereto annexed and marked as Annexure 'P-10' (Pages to )is a copy of the letter dated February 18, 2011

GG.

of the Investigating Officer of the Wanavdi police station. That by an email dated March 9, 2011, the ISP gave details of the user of IP address 123.252.208.209. From the copy of the email dated March 9, 2011 of the ISP that the Petitioner has obtained from the record of the case, it is clear that the

HH.

same was in reply to the email of the Investigating Officer of the Wanavdi police station containing the letter dated February 18, 2011 (Annexure P-10 herein). However, although in the letter dated February 18, 2011 the Investigating Officer had specifically requested for details of the user of the said IP address for the date August 10, 2010, yet for reasons best known to the ISP, the date for which the information was given was October 9, 2010, i.e. a completely different date from what was requested. From the

information provided by the ISP, it is clear that on October 9, 2010, between the hours 07:57:07 (i.e. 07:57 a.m.) and 18:20:06 (i.e. 06:20 p.m.) the IP address 123.252.208.209 was used by the internet dialer owned by the Petitioner. Hereto annexed and marked as Annexure 'P-11'(Pages no.___ to ____) is a copy of email dated March 9, 2011 of the ISP in reply to the email / letter dated February 18, 2011 of the Investigating Officer of the Wanavdi police station. That from the above sub-paras it is clear that the police had on numerous occasions requested the ISP which is an intermediary under the IT Act to provide information in respect of usage details of the IP address 123.252.208.209. The investigating agencies consistently provided wrong information to the ISP in the form of incorrect dates of the alleged creation of a fake profile of the Complainant. The

II.

ISP, in turn, provided IP login details for a completely different date that was never even requested by the investigating agencies. The report of the ISP does not appear to have been looked at with even a minimal degree of care, as the Petitioner was arrested merely because his name appeared on the said report, despite it giving login details for the wrong date. The Petitioner, therefore, states and submits that the entire investigation is vitiated by the negligence and complete disregard shown by the investigating agencies and the ISP for the fundamental and legal rights of the Petitioner. That upon obtaining the information of the Petitioner from the ISP, and without even checking if the information pertains to the date for which the information was asked, the Investigating Officer of the Wanavdi police station sent a Notice to the Petitioner dated March 11, 2011 informing him that Cr. No. 3265 of 2011 was registered against him under Section 66-C of the Information Technology Act, 2000 and that he was to remain present in the Wanavdi Police station on March 14, 2011 at 11:00 a.m. That the Petitioner does not know the Complainant nor has he ever seen her or does he have any relation with her. The Petitioner did an internal check in his Company and discovered that none of his employees knew her either. The

JJ.

KK.

Petitioner further states that he has never been on Facebook and does not have an account on Facebook or on any other social networking website. He is not even aware of how to use Facebook. The Petitioner, therefore, states that it is inconceivable that he could have created a false profile of a person he has never met, on a social networking website that he does not know how to use, in the space of 10 minutes, i.e. between 09:52 a.m. to 10:02 a.m. August 10, 2010 as informed by the ISP. That the Petitioner has even tried to get information from the ISP in order to prove his innocence and non-involvement in any cyber crime. However, the ISP has refused to provide information to the Petitioner of the IP addresses for the Petitioners own account despite repeated requests of the Petitioner, and even after the Petitioner had specifically placed before the ISP that the information had been provided by the ISP to the police and the police were harassing the Petitioner on account of the same. The unequal treatment given by the ISP to the Petitioner is evident from the correspondence between the Petitioner and the ISP, which is annexed herewith at Annexure P-12.
MM. That the Petitioner was being constantly harassed by the

LL.

police after the Investigating Officer was given his name by

the ISP. He was refused anticipatory bail on account of the fact that the offence registered against him under the IT Act is bailable. That the Petitioner was arrested on April 19, 2011 and was taken to JMFC, Cantonment, Pune. The Petitioner filed an Application for bail, yet for reasons best known to the Investigating Officer, custody of the Petitioner was sought for recovery of the USB dialer / data card, laptop computer of the Petitioner and other details as the police required. However the Ld. Magistrate was pleased to grant bail to the Petitioner. Thereafter the police filed the chargesheet on April 27, 2011 in the court of the Ld. JMFC, Cantonment, Pune. The Petitioner is in possession of the said chargesheet and the same can be tendered. However, the Petitioner has not annexed the same at this time to protect the identity of the Complainant. The Petitioner craves leave of this Hon'ble Court to produce the said document if required. That the Ld. JMFC issued process against the Petitioner on the same date, i.e. April 27, 2011, without examining the documents on record which clearly revealed that the Petitioner had been named as an accused only on account of the negligence of the investigating agencies and the ISP. The Petitioner, therefore, states that the order of issue of process

NN.

was passed without application of mind, without proper appreciation of the materials on record.
OO.

That from the facts stated in the paras above and the official record of Cr. No. 3265 of 2010 on the file of the Ld. JMFC, Cantonment, Pune, the Petitioner submits that the lapses and negligence of the investigating agencies, the ISP and even the Ld. JMFC are crystal clear. The Petitioner has had to suffer the humiliation and severe mental distress and pressure, together the physical stress immediately following his major cardiac surgery, of a full-scale criminal

investigation for no fault of his own. That it is clear from the facts stated above that investigations were carried out for the same alleged offence by two investigating agencies, i.e. the Cyber Crime Cell, Pune and the Investigating Officer, Wanavdi police station. Both the aforesaid agencies sought information in the form of login details of the user of the IP address 123.252.208.209, but they sought the details for different dates, none of which were the actual date as communicated by Facebook on which the false profiles were allegedly created. It is clear that the two authorities were working together on the case since an officer in the Cyber Crime Cell is named as a witness sought to be examined in the chargesheet filed by the Investigating Officer of the Wanavdi police station. Further, the ISP, which

PP.

is an intermediary as defined under the IT Act, and which is statutorily bound to observe due diligence while discharging its duties under Section 79(2)(c) of the IT Act, gave the login details of the user of the said IP address for the wrong date, which is the reason the Petitioners name came into the picture in the first place. On account of the negligence and disorganized investigations carried out by the authorities and the further negligence of the intermediary, as well as the faulty chargesheet filed before the Ld. JMFC, Cantonment, Pune, the Ld. JMFC, without applying his mind to the materials on record, passed the order of issue of process against the Petitioner. Consequently, the Petitioner continues to suffer the stress and indignity of a full scale investigation and criminal proceeding against him, which is having an adverse impact on his fragile health. That in light of the repeated lapses on the part of the police investigators and the terror and torment that such lapses pose to the ordinary persons who become victims of the same, it is absolutely essential that the State Government and the Central Government issue appropriate guidelines and safeguards for investigating cyber crimes and ensure that the same are being strictly adhered to so as to reign in the investigation agencies and protect the rights of innocent civilians. For this purpose, the Petitioner has approached this

QQ.

Hon'ble Court seeking orders directing the appropriate Government to issue the said guidelines and safeguards for investigating cyber crimes. Therefore, the Petitioner has filed the present Petition under Article 32 of the Constitution of India. That internet service providers are nothing but intermediaries as defined in Section 2(w) of the IT Act. Section 79 of the IT Act provides that an intermediary, inter alia, is not liable under the IT Act under the circumstances prescribed under the said Section. However, there is no specific provision in the Act for punishing the intermediaries for negligence or for giving wrong information to State investigating agencies, despite the fact that such negligence or wrong information can directly lead to infringement of the fundamental and statutory rights of citizens, as has happened in the case of the Petitioner. Therefore, the Petitioner has approached this Hon'ble Court seeking orders directing the appropriate Government to issue rules of accountability of intermediaries such as internet service providers and expressly provide for punishing the intermediaries for negligence in the discharge of their duties. That the Petitioner has been keeping himself abreast of some of the latest examples of abuse of the IT Act by investigative

RR.

SS.

agencies and the consequent injustice that has been perpetrated on citizens. If media reports are to be believed, the Central Government has given a kind of directive to the police that arrests under Section 66A of the IT Act should not be made without the approval of senior police officers. However, there is no such directive published by the Government, and in any case it is very narrow and does not consider the possibility of abuse of the other provisions of the IT Act. Being aggrieved by the failure of the Central and State Government to provide regulatory measures to give adequate safeguards to citizens from harassment by

investigating agencies, and to check the lack of accountability of intermediaries, the Petitioner has filed the present Petition before this Hon'ble Supreme Court on the following among other grounds, each of which is distinct and without prejudice to any other: GROUNDS
I. Because there is urgent need for the Central Government

and State Governments to provide regulatory safeguards to prevent abuse of the IT Act and the provisions of the IPC used to tackle cyber offences in order to protect innocent citizens such as the Petitioner from facing needless prosecution and violation of fundamental rights;

II. Because the majority of the police force is not trained or

even aware of how to deal with cyber offences, which results in their adopting conventional means of

investigation that are totally unsuited to dealing with such offences, and also leads to arbitrary and excessive exercise of state power and accordingly, violate

fundamental rights of citizens;

III. Because the Central and State Governments have not

provided any safeguards to protect the fundamental rights and freedoms of citizens which are threatened by rampant misuse, abuse and misplaced application of penal

provisions of the IT Act and the IPC used to tackle cyber offences;
IV. Because as evidenced by the gross negligence of the

investigating agencies and the ISP in the case of the Petitioner, even specialized units of the police set up to tackle cyber crime are operating without following any proper procedure with inherent checks and balances and are initiating criminal proceedings based on faulty or no proper evidence, which is leading to gross abuse of fundamental rights of citizens such as the Petitioner;
V. Because the lack of any concrete regulatory provisions to

ensure accountability of intermediaries such as Internet

Service Providers in case of providing incorrect information to the police of cyber offences is itself an instance of violation of the fundamental rights of citizens, since such incorrect information can and has led to the wrongful deprivation of personal liberty of persons, with no statutory repercussion on the intermediaries, as can be seen from the case of Airtel providing the wrong IP address leading to the arrest and incarceration of a software engineer in Bangalore, as well as the case of Tata Teleservices Pvt. Ltd. giving the name of the Petitioner to the police for use of an IP address but for the wrong date of use;
VI. Because the police department and intermediaries such as

internet service providers need to be provided with concrete regulatory frameworks designed to allow them the flexibility necessary to effectively investigate cyber crime and to also restrict and take them to task if they do not adhere to properly established procedures that are not violative of fundamental and legal rights of citizens; Because despite the most recent controversies and arrests of citizens for seemingly innocuous statements on social networking websites, or even the attempts by the Government as well as politicians to remove content from

VII.

social networking websites or the internet by deeming the same objectionable, the executive will to spread education and awareness of cyber laws is badly lacking, leading to abuse of the law and violation of fundamental rights since the citizens are uninformed and the police are untrained; Because the Department of Electronics and Information Technology, Ministry of Communications and Information Technology, Government of India has published various rules and guidelines on its website located at the web address http://deity.gov.in. However, the Petitioner

VIII.

apprehends, based on his own experience and information gathered by him, that the Government is not

implementing the rules framed by the Department and there is little or no awareness of such rules among the law enforcement agencies, the intermediaries or even the judiciary;
IX. Because while internet content regulation is important to

protect

intellectual

property,

online

commercial

transactions, to prevent trafficking, defamation, sale of illegal drugs or items, etc., such regulation cannot be done, at the cost of fundamental and legal rights and privacy of citizens, through draconian and / or ignorant application of provisions of law;

X. Because

the judiciary, particularly the lower judiciary

handling cyber offences at the first instance, must be made aware of the specialized provisions of law relating to cyber crimes, and there is an urgent need for guidelines even for the judiciary in tackling cases relating to cyber crime so that no citizen is made to be a victim of criminal prosecution initiated on the basis of vague or inadequate evidence, grossly shoddy police work, personal and political vendettas, moral policing or vested interests;
XI. Because

the Respondents have not been proactive in

safeguarding the rights of citizens who are being victimized by the draconian application of penal laws relating to information technology and the intervention of this Hon'ble Supreme Court in the form of guidelines to protect innocent citizens from undue harassment is urgently needed; TT. That the present Petitioner has not filed any other petition in any High Court or the Supreme Court of India on the subject matter of the present Petition. PRAYER In the above facts and circumstances, the Petitioner most respectfully prays that this Honble Court may be pleased to:

a)

Issue a writ of mandamus, or a writ in the nature of a writ of mandamus, or any appropriate writ, order or direction to the Respondents to frame an appropriate regulatory framework of Rules, regulations and guidelines for effective investigation of cyber crimes, keeping in mind the fundamental rights of citizens; Issue a writ of mandamus, or a writ in the nature of a writ of mandamus, or any appropriate writ, order or direction to the Respondents to carry out proper and widespread awareness campaigns intermediaries particularly for investigating agencies,

b)

such as internet service providers and the

judiciary, regarding the various forms of cyber crime sought to be criminalized by the IT Act or any other penal law used to tackle cyber crime; Pending disposal of this Petition issue guidelines to be followed by the investigating agencies and the judiciary in handling cyber crime cases, so that the fundamental rights of citizens can be protected from needless abuse by

c)

investigating agencies and intermediaries; d) pass any other or further orders as may be deemed fit and proper in the circumstances of the case.

FOR WHICH ACT OF KINDNESS, THE PETITIONER SHALL, AS IN DUTY BOUND, EVER PRAY. Drawn by:- Mr. Abhya Nevagi, Advocate FILED BY

( KRISHAN KUMAR) ADVOCATE FOR THE PETITIONER New Delhi Drafted on : 21.12.2012 Filed on : 24.12.2012