Electronic Evidence Statutes and Cyber Offences
Information-technology law defines which acts involving computers and networks are criminal, and how digital records are authenticated and tendered as evidence. This topic covers the offence framework across key jurisdictions, the legal duties governing seizure and examination of devices, and the procedural requirements for presenting a digital examiner's findings in court.
Electronic evidence statutes are the body of law that defines which acts involving computers, networks, and digital data are criminal, and prescribes how electronic records must be handled, authenticated, and presented to a court. Every jurisdiction that prosecutes cyber offences has enacted some combination of a dedicated information-technology statute, amendments to its general criminal code, and procedural rules governing the seizure, imaging, and examination of digital devices. The digital forensic examiner operates at the intersection of these layers: their technical findings must satisfy legal authentication requirements before the evidence has any weight in proceedings.
The same questions recur across jurisdictions. What acts are criminal when conducted via a computer or network? What powers do investigators have to seize and search devices? What procedural conditions must a digital record satisfy before a court will receive it? Who may give opinion evidence about what a forensic examination found, and on what basis? The answers differ in detail, but the structure of the problem is uniform. India's Information Technology Act 2000, the United States Computer Fraud and Abuse Act, England's Computer Misuse Act 1990, and the European Union's Directive on Attacks Against Information Systems all address the same categories of conduct.
The legal framework around digital evidence has developed unevenly. Early statutes were enacted before smartphones, cloud storage, and encryption were common, and they show the strain. India's Bharatiya Sakshya Adhiniyam 2023 replaced the Indian Evidence Act 1872 and updated the certificate requirements for electronic records. The Bharatiya Nagarik Suraksha Sanhita 2023 replaced the Code of Criminal Procedure and carries revised provisions for electronic search and seizure. US courts have wrestled with whether the third-party doctrine applies to data held by cloud providers, culminating in the Clarifying Lawful Overseas Use of Data Act 2018. The UK's Investigatory Powers Act 2016 consolidated surveillance powers previously scattered across multiple instruments. The pace of legislative revision reflects the difficulty of applying older procedural frameworks to digital evidence.
By the end of this topic you will be able to:
- Identify the main cyber offence statutes in India, the United States, England and Wales, and the European Union, and match the category of conduct to the applicable provision.
- Explain the legal conditions that must be satisfied before a court will admit a digital record, including the certificate requirement under Indian law and the authentication rules under the US Federal Rules of Evidence.
- Describe the powers authorising seizure of digital devices in each jurisdiction and the procedural safeguards that govern how seized devices must be handled.
- State what chain of custody means for digital exhibits, how a hash value supports authentication, and what a break in chain of custody allows the defence to argue.
- Explain how a digital examiner's findings are tendered in court, distinguishing the technical report from expert opinion evidence and identifying the admissibility gatekeeping standard that applies.
- Computer Fraud and Abuse Act (CFAA): The primary US federal statute criminalising unauthorised access to computers and computer fraud. Enacted in 1986, amended multiple times. Applies to any computer used in interstate or foreign commerce. Violations range from misdemeanours to felonies depending on the conduct and harm.
- Section 65B certificate (now BSA 2023 certificate): A statutory certificate required under Indian law to authenticate electronic records tendered in evidence. Under the Bharatiya Sakshya Adhiniyam 2023, the certificate must be signed by a responsible official and must attest that the computer was functioning correctly, the record was produced in the ordinary course of activities, and the information is accurate.
- Computer Misuse Act 1990 (CMA): The primary UK statute creating offences of unauthorised access to computer material, unauthorised access with intent to commit further offences, and unauthorised modification of computer material. Amended by the Police and Justice Act 2006 and the Serious Crime Act 2015 to add denial-of-service and article-for-use offences.
- Hash value: A fixed-length digest produced by a cryptographic algorithm (typically SHA-256 or MD5) applied to a dataset. In digital forensics, matching hash values between an original device image and the working copy confirms that no bit has changed. A changed hash signals data alteration.
- Chain of custody: A continuous, documented record of every person who handled an exhibit from seizure through court presentation. For digital exhibits this includes who seized the device, who created the forensic image, who examined the image, and how the exhibit was stored. A gap in chain of custody can be used by the defence to challenge authenticity.
- Budapest Convention: The Council of Europe Convention on Cybercrime (2001), the first binding international treaty on cyber offences. Requires signatory states to criminalise illegal access, illegal interception, data and system interference, and computer-related fraud. Also establishes mutual legal assistance obligations for cross-border digital evidence requests.
Cyber offence frameworks: India
India's primary cyber offence statute is the Information Technology Act 2000 (IT Act), amended significantly in 2008. Chapter XI of the IT Act defines offences: Section 66 covers computer-related offences including dishonest or fraudulent access, data theft, and transmitting viruses. Section 66A was struck down by the Supreme Court in Shreya Singhal v Union of India (2015) as an unconstitutional restriction on free speech. Sections 66B through 66F address receiving stolen computer resources, identity theft, cheating by impersonation, violation of privacy, and cyber terrorism respectively.
The 2023 legislative updates added two dimensions. First, the Bharatiya Nyaya Sanhita 2023 (BNS) incorporates electronic communication into a range of general offences, including criminal intimidation, cheating, and forgery, so prosecutors can now charge those offences on the basis of digital acts without relying solely on the IT Act. Second, the Digital Personal Data Protection Act 2023 (DPDPA) imposes data-handling obligations that intersect with forensic practice: an examiner processing personal data during an investigation may need to consider whether the DPDPA's exemptions for law enforcement activities cover the specific activity.
The IT Act also governs intermediary liability through Section 79, which provides safe harbour for intermediaries who comply with government directions to remove content. Amendments in 2021 introduced the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, requiring social media platforms to appoint grievance officers and to trace originators of messages on request. These rules have forensic implications because they create retention and disclosure obligations that affect where digital evidence can be found and how it can be obtained.
Cyber offence frameworks: United States, United Kingdom, and the European Union
In the United States, the Computer Fraud and Abuse Act 1986 (CFAA) is the primary federal statute. It creates offences based on obtaining information from protected computers without authorisation, damaging protected computers, and trafficking in access credentials. The definition of 'without authorisation' has been contested in courts for decades. In Van Buren v United States (2021), the Supreme Court held that a person who has permission to access a computer does not violate the CFAA by using that access for an improper purpose. State computer crime statutes add further coverage. The Electronic Communications Privacy Act 1986 (ECPA) governs law enforcement access to stored electronic communications and wiretapping, and has been updated by the Clarifying Lawful Overseas Use of Data Act 2018 (CLOUD Act) for cross-border data requests.
In England and Wales, the Computer Misuse Act 1990 defines three core offences: unauthorised access to computer material (Section 1), unauthorised access with intent to commit or facilitate further offences (Section 2), and unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer (Section 3). The Serious Crime Act 2015 added Section 3ZA (unauthorised acts causing or risking serious damage) and Section 3A (making, supplying, or obtaining articles for use in computer misuse offences, addressing exploit tools). The Investigatory Powers Act 2016 governs surveillance, bulk collection, and equipment interference powers, and sets the warrant framework for accessing encrypted or cloud-held data.
| Jurisdiction | Primary statute | Core offence | Notable feature |
|---|---|---|---|
| India | IT Act 2000 (as amended 2008) | Unauthorised access, data theft (S.66) | Section 66A struck down 2015; DPDPA 2023 adds data obligations |
| United States | CFAA 1986 | Unauthorised access to protected computers | Van Buren (2021) narrows 'without authorisation'; CLOUD Act for cross-border |
| England and Wales | Computer Misuse Act 1990 | Unauthorised access; unauthorised modification | Serious Crime Act 2015 adds exploit-tool offence |
| European Union | NIS2 Directive 2022; Directive 2013/40/EU | Illegal access; system interference | Budapest Convention provides cross-border framework for all signatories |
The Budapest Convention on Cybercrime (2001) is the binding international layer. It requires all signatories to criminalise the same core categories of conduct and to cooperate on cross-border evidence requests. As of 2024, more than 60 states have ratified it. A second Additional Protocol (2022) strengthens the mutual legal assistance mechanisms, including provisions for direct cooperation with cloud service providers across borders. India is not a signatory to the Budapest Convention, which creates friction in cases where Indian investigators seek digital evidence held by servers in signatory states, and vice versa.
Seizure of digital devices: powers and procedural safeguards
The legal power to seize a digital device is one thing; the procedural obligation to handle it correctly to preserve evidential integrity is another. Investigators who have lawful power to seize can still render evidence inadmissible by failing to comply with the handling requirements. Understanding both is essential for anyone who participates in a digital investigation.
In India, the Bharatiya Nagarik Suraksha Sanhita 2023 (BNSS) carries the procedural framework for search and seizure, replacing the CrPC. Sections 94 and 185 of the BNSS authorise production and search orders for electronic records. The IT Act additionally provides specific powers for the Controller of Certifying Authorities and for police officers above the rank of Deputy Superintendent to search premises and seize equipment under Section 80. Search and seizure under Section 100 of the BNSS (formerly Section 165 CrPC) requires a search warrant, specifies that two independent witnesses must be present, and mandates a seizure list signed by the witnesses.
In the United States, the Fourth Amendment prohibition on unreasonable searches governs device seizure. Law enforcement must generally obtain a search warrant supported by probable cause. The warrant must specify the devices to be seized and the information to be searched for. United States v Comprehensive Drug Testing (9th Circuit, 2010) established important guidance on over-seizure risk when searching computers: investigators should not use access to a device to acquire data beyond the scope of the warrant. The Supreme Court held in Riley v California (2014) that warrantless search of a smartphone incident to arrest is unconstitutional; a warrant is required except in narrowly defined exigent circumstances.
In England and Wales, the Police and Criminal Evidence Act 1984 (PACE) and PACE Code B govern search and seizure. Section 19 of PACE allows seizure of any item found during a lawful search if the constable has reasonable grounds to believe it is evidence of an offence or has been obtained through the commission of an offence. For devices containing large volumes of third-party data, PACE Code B requires special attention to material that may be legally privileged or that belongs to persons not under investigation. The College of Policing's Digital Forensics Guidance and the ACPO (now National Police Chiefs' Council) Good Practice Guide for Digital Evidence set out the four principles of digital evidence handling that govern how seized devices must be imaged and examined.
Authentication of electronic records: certificates, hash values, and chain of custody
Authentication is the threshold requirement: a court must be satisfied that the document or record is what the proponent claims it to be before admitting it. For paper documents, authentication is typically achieved by a witness who recognises the document or by comparison with a known specimen. For electronic records, authentication must address the additional possibility that the record was altered after it was created, that its metadata has been changed, or that it originated from a different source than claimed.
Under the Bharatiya Sakshya Adhiniyam 2023, Section 63 defines electronic records and Section 57 provides the conditions for admissibility. The certificate required for admission must be provided by the person occupying a responsible official position in relation to the operation of the relevant device or management of the relevant activities. The certificate must identify the electronic record and must attest: (a) that the computer or device was in working order during the relevant period, (b) that the information was produced in the ordinary course of activities, (c) that any copying was done accurately, and (d) that the information supplied corresponds to the content of the record. The Supreme Court of India in Arjun Panditrao Khotkar v Kailash Kushanrao Gorantyal (2020) confirmed that the certificate is mandatory for secondary electronic evidence and that its absence is a fatal defect.
Under the US Federal Rules of Evidence, Rule 901(b)(9) allows authentication of a process or system by evidence describing how it works and showing that it produces accurate results. Rule 902(13) and (14) allow self-authentication of electronic records through certificates from custodians and certification of forensic hash values, removing the need for live testimony from the custodian in many cases. In practice, a digital exhibit is typically authenticated by the forensic examiner who testifies that they imaged the device, computed the hash of the original image, examined a copy, and verified that the copy's hash matches the original. This chain of technical steps is the US functional equivalent of the statutory certificate requirement.
The hash value is the technical foundation of authentication. A cryptographic hash function produces a fixed-length digest from the input data: SHA-256 produces a 256-bit digest, and MD5 produces a 128-bit digest. Any change to even a single bit of the input data produces a completely different digest. When a forensic examiner images a seized device, they compute the hash of the image. Before examining the image, they verify the hash has not changed. At court, the examiner can demonstrate that the examination copy is bit-for-bit identical to the image taken at seizure, and that no alteration has occurred. This is chain of custody expressed in cryptographic form.
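The verification routine described above, as an added example that is not part of the original page: the image is hashed at acquisition, re-hashed at each later handling step, and every result is logged against the handler. The exhibit reference, handler names, file name, and the 4 KiB stand-in image are constructed for illustration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte images never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class CustodyEntry:
    handler: str
    action: str
    sha256: str
    matches_acquisition: bool
    utc_time: str


@dataclass
class CustodyLog:
    exhibit_ref: str
    entries: list = field(default_factory=list)

    def record(self, handler, action, image_path):
        """Hash the image now; log who handled it and whether it still matches."""
        current = sha256_file(image_path)
        # The first entry is the acquisition hash that all later steps compare to.
        baseline = self.entries[0].sha256 if self.entries else current
        entry = CustodyEntry(handler, action, current, current == baseline,
                             datetime.now(timezone.utc).isoformat(timespec="seconds"))
        self.entries.append(entry)
        return entry

    def first_mismatch(self):
        """Return the first entry whose hash differs from acquisition, or None."""
        return next((e for e in self.entries if not e.matches_acquisition), None)


def demo():
    """Constructed scenario: a stand-in image and hypothetical handler names."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "exhibit-001.dd")
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 16)

        log = CustodyLog("EXHIBIT-001")
        log.record("Seizing officer A", "forensic image acquired", image)
        log.record("Examiner B", "verified before examination", image)

        # Simulate an alteration between handlers: flip a single bit.
        with open(image, "r+b") as fh:
            fh.seek(2048)
            byte = fh.read(1)[0]
            fh.seek(2048)
            fh.write(bytes([byte ^ 0x01]))

        log.record("Examiner C", "verified before court", image)
        return log


if __name__ == "__main__":
    log = demo()
    for e in log.entries:
        status = "OK" if e.matches_acquisition else "MISMATCH"
        print(f"{e.utc_time}  {e.handler:<18} {e.action:<28} {e.sha256[:16]}...  {status}")
```

The log localises an alteration to the interval between the last matching entry and the first mismatching one, which is the interval the custody record then has to account for.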
Tendering digital forensic findings in court
The digital forensic examiner occupies two related but distinct roles in proceedings. First, as a factual witness, the examiner can testify to what they did and what they observed. Second, as an expert witness, the examiner can offer opinions and interpretations that go beyond the direct observation. Both roles carry obligations, but the expert role is the one subject to gatekeeping standards that vary across jurisdictions.
In India, expert evidence is governed by Section 39 of the Bharatiya Sakshya Adhiniyam 2023, which provides that the opinion of a person specially skilled in digital evidence, computer science, or electronic data extraction is relevant. The standard for admission is competence and relevant expertise; there is no equivalent of the Daubert methodology test. However, the Khotkar decision reinforces that the technical evidence, including examination reports, must be supported by the statutory certificate and by a witness competent to speak to the methodology used.
In US federal courts, the Daubert standard (Daubert v Merrell Dow Pharmaceuticals Inc, 1993) requires the trial judge to assess whether the expert's methodology is scientifically valid. The four non-exhaustive Daubert factors are: whether the theory can be and has been tested, whether it has been subjected to peer review and publication, the known or potential error rate and the existence of standards, and whether the methodology is generally accepted in the relevant scientific community. Digital forensic tools and methods have been tested against these criteria. Courts have excluded digital forensic evidence where the examiner used untested or unsupported software, or could not explain the methodology. For the UK, the admissibility standards are discussed in the Admissibility Standards Around the World topic.
The expert report in a digital case follows the same structural requirements as any expert report in proceedings, with additional technical components. For a discussion of report structure and the expert's duties, see The Expert Report: Structure and Duties. In a digital case the report must also document the device details, imaging methodology, hash values, software tools used and their validated version numbers, and the steps taken during examination in sufficient detail for another competent examiner to repeat them.
Cross-border digital evidence: jurisdiction and mutual legal assistance
Digital evidence is routinely stored across jurisdictions. A device seized in one country may contain data held on servers in another; a cloud account may store data distributed across multiple countries. This creates a structural tension between the territorial scope of domestic seizure powers and the global location of the data. The traditional tool for resolving this is a Mutual Legal Assistance Treaty (MLAT) request, but MLAT processes are slow, typically taking months, and are often unsuitable for investigations where the data may be deleted or modified before the request is processed.
The US CLOUD Act 2018 allows US courts to issue warrants for data held by US-based service providers regardless of where the data is physically stored, subject to exceptions where complying would violate the law of the country where data is stored. It also provides a mechanism for foreign governments to enter executive agreements with the US that allow their law enforcement agencies to request data directly from US providers. The UK entered such an agreement in 2019. The EU's e-Evidence Regulation, adopted in 2023, creates a cross-border order mechanism allowing national judicial authorities in EU member states to require service providers established in other member states to produce or preserve electronic evidence directly.
For the digital forensic examiner, cross-border issues arise in practice when an investigation involves cloud-stored data, when the device contains foreign-server artefacts such as browser history from services hosted abroad, or when evidence must be collected in a way that will be admissible in a jurisdiction other than where the examination is conducted. In multi-jurisdictional cases, the examiner should document which legal authority governed each step of the collection and examination, because a receiving court may need to assess whether the evidence was gathered lawfully under both the source jurisdiction's law and its own.
Under the Bharatiya Sakshya Adhiniyam 2023, what is the consequence of tendering electronic evidence without the required certificate?
Key Takeaways
- Every jurisdiction with a cyber offence framework addresses the same core categories: unauthorised access, data interference, and system interference. India's IT Act 2000, the US CFAA, England's Computer Misuse Act 1990, and the Budapest Convention all converge on these categories while differing in scope and penalties.
- In India, the certificate under the Bharatiya Sakshya Adhiniyam 2023 is a mandatory condition for admissibility of secondary electronic evidence. Its absence is fatal; courts have excluded electronic records that were otherwise relevant because the certificate was missing, incorrect, or signed by the wrong person.
- Seizure powers require procedural compliance to preserve evidential integrity: the device must be handled to prevent alteration (write blockers, Faraday bags), the chain of custody must be documented from the moment of seizure, and the forensic image's hash values must be recorded and verified at each stage.
- Cross-border evidence requests are structured through MLATs and, for signatories to the Budapest Convention, through the mutual assistance mechanisms in that treaty. The US CLOUD Act and the EU e-Evidence Regulation create more direct pathways that bypass the traditional MLAT queue for qualifying requests.
- The digital examiner's court role combines factual testimony about what was done and found with expert opinion about what the findings mean. In US federal courts, the Daubert standard requires the examiner to demonstrate that the methods used are valid, tested, and accepted; in India, competence and expertise are the threshold, but the statutory certificate obligation imposes a separate authentication gatekeeping step.
What is the legal basis for prosecuting cyber offences in India?
How is electronic evidence authenticated under Indian law?
What standard governs the admissibility of digital forensic evidence in US federal courts?
What powers allow police to seize digital devices in the United Kingdom?
What is the role of chain of custody in digital evidence cases?