2.1.1 The Hybrid Nature of Cyber Crimes
Cyber crimes are fundamentally different from traditional crimes. They exist at the intersection of technology and human intent, making them inherently hybrid. Understanding this duality is the first step to mastering cyber criminal law.
"A cyber crime is never just about the computer. It's always about what the human intended to achieve through the computer." Fundamental Principle of Cyber Criminal Law
Why Are Cyber Crimes Hybrid?
Every cyber crime has two essential components that must coexist:
🖥️ Technology Component
- Use of computer, network, or digital device
- Electronic records as subject or medium
- Technical method (hacking, phishing, malware)
- Digital trace and electronic evidence
🧠 Intent Component (Mens Rea)
- Dishonest intention to cause wrongful gain/loss
- Fraudulent misrepresentation
- Knowledge of unauthorized access
- Criminal negligence or recklessness
Implications for Legal Practice
Because cyber crimes are hybrid, they can rarely be charged under just one statute. Most cyber crimes require sections from both the IT Act (for the technology component) and BNS (for the intent/conduct component).
Accused creates a fake investment app, collects money from victims, and disappears. What sections apply?
Dual Analysis:
- Technology: Fake app = computer resource used for impersonation → S.66D IT Act
- Intent: Inducing delivery of money through deception → S.318 BNS (Cheating)
- Additional: If identity stolen → S.66C IT Act
2.1.2 IT Act vs BNS: The Relationship
The IT Act, 2000 is a special law dealing specifically with technology-related crimes. The Bharatiya Nyaya Sanhita (BNS), 2023 is the general penal law covering all crimes. Understanding their relationship is crucial for correct charging.
🎯 IT Act, 2000 (Special Law)
- Scope: Technology-specific crimes only
- Focus: Crimes against or using computers
- Examples: Hacking, identity theft, cyber terrorism
- When Required: Technology is essential element
- Priority: Prevails over BNS for cyber-specific conduct
📚 BNS, 2023 (General Law)
- Scope: All criminal conduct
- Focus: Human conduct and intent
- Examples: Cheating, extortion, forgery
- When Required: Traditional crime elements present
- Supplements: IT Act for underlying criminal conduct
The Doctrine: Special Law vs General Law
Generalia Specialibus Non Derogant — General law does not derogate from special law. Where the IT Act specifically covers a cyber offence, it prevails over BNS for that specific conduct. This was affirmed in Sharat Babu Digumarti v. NCT of Delhi (2017).
Three Possible Charging Scenarios
| Scenario | Statute(s) Apply | Example |
|---|---|---|
| IT Act Only | Offence is purely technological; no traditional crime element | Simple unauthorized access to computer (S.66) without further crime |
| BNS Only | Traditional crime committed; technology merely incidental | Sending threatening message (S.351 BNS) — IT Act has no specific section |
| Both IT Act + BNS | Cyber-specific + traditional crime elements both present | Phishing fraud: S.66D (personation) + S.318 BNS (cheating) |
When Both Apply Simultaneously
In most practical cases, both statutes apply. The key is understanding what each contributes:
┌─────────────────────────────────────────────────────────────────┐
│ CYBER CRIME OCCURS │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Q1: Is there a SPECIFIC IT Act provision for this conduct? │
└─────────────────────────────────────────────────────────────────┘
│ │
YES NO
│ │
▼ ▼
┌──────────────────┐ ┌──────────────────┐
│ Apply IT Act │ │ Apply BNS only │
│ section │ │ (e.g., S.351 │
│ (e.g., S.66D) │ │ intimidation) │
└──────────────────┘ └──────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Q2: Is there ALSO underlying traditional criminal conduct? │
│ (cheating, extortion, forgery, etc.) │
└─────────────────────────────────────────────────────────────────┘
│ │
YES NO
│ │
▼ ▼
┌──────────────────┐ ┌──────────────────┐
│ ADD BNS section │ │ IT Act section │
│ (e.g., S.318 │ │ alone sufficient │
│ cheating) │ │ │
└──────────────────┘ └──────────────────┘
│
▼
┌──────────────────────────────────────┐
│ FINAL CHARGE: IT Act + BNS │
│ Example: S.66D + S.318 BNS │
└──────────────────────────────────────┘
2.1.3 Common Charging Mistakes
Even experienced practitioners make charging mistakes in cyber cases. These errors can lead to acquittals, quashing, or ineffective prosecution. Learn to identify and avoid them.
Mistake #1: Using Only BNS When IT Act is Mandatory
❌ Wrong Approach
FIR charges only S.318 BNS (cheating) for a phishing attack where accused impersonated a bank official via fake website.
Problem: Misses the technology-specific offence. S.66D IT Act (cheating by personation using computer resource) is mandatory when impersonation occurs through digital means.
✅ Correct Approach
Charge S.66D IT Act (primary — technology-specific) + S.318 BNS (supplementary — underlying cheating) + S.66C IT Act if identity credentials were stolen.
Mistake #2: Using Struck-Down Section 66A
❌ Critical Error
FIR includes S.66A IT Act for sending offensive messages online.
Problem: Section 66A was declared unconstitutional in Shreya Singhal v. Union of India (2015). Any charge under S.66A is void ab initio and invites immediate quashing.
✅ Correct Approach
Use S.351 BNS (criminal intimidation), S.356 BNS (defamation), or S.67 IT Act (obscenity) depending on the nature of the content. Never cite S.66A.
Mistake #3: Charging IT Act for Non-Cyber Conduct
❌ Over-Criminalisation
FIR charges S.66 for a threat sent via WhatsApp message.
Problem: S.66 requires unauthorized access/damage to computer systems. Sending a message through a legitimately accessed app is not "hacking." IT Act doesn't have a provision for threatening messages (S.66A is struck down).
✅ Correct Approach
Charge S.351 BNS (criminal intimidation) only. If threatening with bodily harm, use S.351(3) BNS. IT Act sections not applicable for mere messaging.
Mistake #4: Missing Supplementary Sections
❌ Incomplete Charging
Ransomware attack on hospital: FIR charges only S.66 (hacking).
Problem: Misses critical aggravating sections. Ransomware demanding money is also extortion. Attacking critical infrastructure may constitute cyber terrorism.
✅ Comprehensive Charging
S.66 (hacking) + S.66F (cyber terrorism — critical infrastructure, lives at risk) + S.308 BNS (extortion) + S.43 (civil damages) + S.61 BNS (conspiracy if multiple accused).
Why Police Prefer BNS: Police officers are more familiar with traditional sections. They may charge only BNS provisions even when IT Act is mandatory. As a lawyer (prosecution or defence), always verify if IT Act sections should be added or if wrongly included sections should be challenged.
2.1.4 Practitioner's Charging Strategy
A systematic approach to identifying applicable sections will save you from costly mistakes and strengthen your case, whether you're prosecuting or defending.
The 5-Step Section Identification Framework
- Step 1: Identify the Technical Act
What technological method was used? Hacking, phishing, malware, unauthorized access, data theft? - Step 2: Check IT Act Specific Provisions
Does IT Act have a specific section for this technical act? (S.65, 66, 66C, 66D, 66E, 66F, 67, 67A, 67B) - Step 3: Identify the Criminal Objective
What was the accused trying to achieve? Money (cheating/extortion), harm (intimidation), reputation damage (defamation)? - Step 4: Add Applicable BNS Sections
Which BNS provisions capture the criminal objective? (S.303, 308, 318, 336, 351, 356, 77, 78) - Step 5: Check Aggravating Factors
Conspiracy (S.61 BNS), organized crime, minors involved (POCSO), national security (S.66F)?
Quick Reference: Common Cyber Crime → Section Mapping
| Crime Type | IT Act Section | BNS Section | Notes |
|---|---|---|---|
| Hacking / Unauthorized Access | S.66 | — | IT Act sufficient unless further crime |
| Phishing / Online Fraud | S.66D | S.318 | Both mandatory |
| Identity Theft | S.66C | S.319 | Add S.319 if personation for further fraud |
| Ransomware | S.66 + S.66F | S.308 | S.66F if critical infrastructure |
| Online Extortion / Sextortion | S.66E | S.308 | Add S.67/67A if obscene content involved |
| Cyber Stalking | — | S.78 | IT Act has no stalking provision |
| Online Defamation | — | S.356 | IT Act has no defamation provision |
| CSAM | S.67B | + POCSO | POCSO mandatory for minors |
For Defence Counsel: Always check if prosecution has over-charged or mis-charged. Common grounds for quashing include: (1) S.66A cited (struck down), (2) IT Act section used where no technology-specific conduct exists, (3) Wrong section applied (e.g., S.66 for mere messaging), (4) Missing mandatory IT Act section suggests investigation failure.
🎯 Key Takeaways
- Cyber crimes are hybrid: Technology + Intent — both must be addressed
- IT Act is special law: Prevails over BNS for technology-specific offences (Sharat Babu)
- Most cases need both: IT Act for tech element + BNS for criminal objective
- Never use S.66A: Struck down in Shreya Singhal — void ab initio
- 5-Step Framework: Tech Act → IT Act check → Criminal objective → BNS → Aggravating factors
- Defence opportunity: Mis-charging is grounds for quashing
📝 Part 2.1 Quiz
Test your understanding of the cyber crime statutory architecture.
Cyber crimes are hybrid because they exist at the intersection of technology (computer/network) and human criminal intent (mens rea). Both components must be present.
The doctrine means special law prevails. For cyber crimes, IT Act (special) prevails over BNS (general) for technology-specific offences. Affirmed in Sharat Babu Digumarti.
Phishing requires both: S.66D (cheating by personation using computer) for the tech element, and S.318 BNS for the underlying cheating. S.66A is struck down.
Shreya Singhal v. Union of India (2015) struck down S.66A as unconstitutional for being vague and violating Article 19(1)(a). Any FIR citing S.66A is void.
IT Act has no provision for criminal intimidation (S.66A struck down). S.351 BNS (criminal intimidation) applies. S.66 requires unauthorized access, not mere messaging.
Ransomware on hospital: S.66 (hacking), S.66F (cyber terrorism — critical infrastructure, lives at risk), S.308 BNS (extortion for ransom demand).
Sharat Babu Digumarti v. NCT of Delhi (2017) established that IT Act as special law prevails over general penal law for technology-specific offences.
Police officers are more familiar with traditional BNS/IPC sections from training and experience. IT Act sections require understanding of technology — leading to under-charging.
IT Act has no stalking provision. S.78 BNS (stalking) applies to cyber stalking. S.66E is for privacy violation (capturing images), not stalking.
Any FIR citing struck-down S.66A is void. Immediately file quashing petition under S.528 BNSS. The charge itself is unconstitutional per Shreya Singhal.