Introduction
“Unauthorized user” in the cyber context denotes a person who transacts, accesses, or uses another person’s digital identity, credentials, accounts or personal data without permission. In India’s increasingly digital economy—where banking, commerce, communication and government services depend on online authentication—this concept is foundational to both criminal and civil remedies. For practitioners, the term is not merely descriptive: establishing that an actor was an “unauthorized user” triggers specific offences under the Information Technology Act, 2000 (IT Act), engages intermediary duties, shapes electronic-evidence practice under the Evidence Act, and opens civil relief for restitution and injunctive relief.
Core Legal Framework
Key statutory provisions and rules that govern and define the legal consequences of an unauthorized user in India:
- Information Technology Act, 2000 (IT Act)
  - Section 43 — Civil liability for unauthorized access, download, introduction of viruses and damage to computer systems; compensation for loss or damage caused by a person who without permission does acts referred to therein.
  - Section 66 — Penalty for computer-related offences (criminalizes acts under Section 43 when done dishonestly or fraudulently).
  - Section 66C — Identity theft: “Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification of any other person…shall be punished with imprisonment…or fine…” (punishment may extend to three years and fine up to Rs.1 lakh).
  - Section 66D — Cheating by personation using a computer resource: penalizes cheating by personation effected via communication device/computer resource.
  - Section 72A — Penalty for disclosure of information in breach of lawful contract: deals with wrongful disclosure of personal information.
  - Section 79 — Safe harbour for intermediaries subject to due diligence; interacts with intermediary obligations when an unauthorized user acts through platforms.
  - Section 69 & 69B — Governmental powers of interception and preservation of information in the interests of sovereignty/security/public order (used sparingly and by state agencies).
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — Duties on intermediaries to preserve information and respond to court orders and law-enforcement requests; grievance redressal requirements.
- Indian Evidence Act, 1872
  - Section 65A & 65B — Conditions for admissibility of electronic records. Section 65B(4) requires a certificate identifying the electronic record and describing the manner of its production for admissibility, unless the court permits otherwise in light of the Anvar P.V. judgment (see below).
- Digital Personal Data Protection Act, 2023 (DPDP Act)
  - Regulates processing of personal data; imposes obligations on data fiduciaries; authorises penalties and compensation mechanisms for misuse of digital personal data—relevant where unauthorized use is a data processing breach.
- Other applicable laws
  - Banking Regulations and RBI instructions (for financial frauds and chargebacks).
  - Consumer Protection Act/Commercial remedies for loss of money or services.
  - Prevention of Money Laundering Act, 2002 (PMLA) in cases where proceeds are laundered.
Practical Application and Nuances
How the concept of “unauthorized user” matters in everyday practice and how it is proved, mitigated and litigated.
- Typical fact-patterns and legal lenses
  - Account takeover (e-banking or e-wallet): unauthorized user obtains password/OTP/SIM and transacts. Key issues: whether access was unauthorized (no consent), whether authentication credentials were misused (Section 66C), and whether the bank/intermediary was negligent (Section 43A/DPDP Act).
  - Identity theft to apply for loans/credit: fraudulent KYC and impersonation implicate 66C/66D and may trigger civil claims against institutions that relied on forged documents.
  - Fraud via intermediaries (marketplaces, social media): an attacker lists goods/services using someone else’s identity; intermediary obligations under Section 79 and IT Rules arise.
  - Data leakage and unauthorized processing: when a service-provider or an employee uses data without authorisation—72A and DPDP Act remedies.
- Evidence required to establish “unauthorized user”
  - Electronic logs: server logs, access logs, IP addresses, device IDs, timestamps and transactional metadata. These show that access originated from another device/location and at times outside the claimant’s use.
  - Authentication trail: OTP logs, SMS gateway records, SIM swap records, mobile provider call logs—these can indicate fraudulent SIM change or interception.
  - Bank and payment records: transaction origin, beneficiary accounts, and pattern analysis. Banking logs are often critical for tracing funds.
  - Forensic analysis: device imaging, hash values, metadata, deleted-file recovery. Use CERT-In empanelled labs or accredited forensic experts to prepare reports.
  - Intermediary/Service Provider records: production under court process (Section 91 Cr.P.C./order) or under Intermediary Rules—preservation requests and production are often decisive.
  - Chain of custody documentation and Section 65B certificate for electronic records: ensure admissibility of digital evidence.
  - Corroborative non-electronic evidence: CCTV footage, eyewitnesses, handwriting analysis (for forged documents) and KYC document discrepancies.
- Immediate practical steps for lawyers (checklist)
  - Advise client to preserve evidence: do not change passwords/force logins that may alter logs; note times and sequences.
  - Lodge FIR promptly with cyber cell specifying precise sections (e.g., 66C, 66D, 43, 72A, and IPC offences if applicable). Time is of the essence because logs are retained for limited duration.
  - Issue immediate legal notices to banks/intermediaries for temporary freezing of suspect accounts and preservation of records.
  - Seek ex-parte interim reliefs in civil court: injunctions against the suspect accounts/ports, orders directing intermediaries to preserve data, disclosure orders under Section 11/39 of CPC where appropriate.
  - Apply for judicial production/preservation under Section 91 Cr.P.C. (or to the appropriate civil court) and seek a certificate under Section 65B from the person producing the electronic record.
  - Commission forensic examination—obtain a formal chain-of-custody and certified forensic report.
  - Parallel civil remedies: compensation under Section 43A/DPDP Act, injunctions, declaratory reliefs and account of profits where relevant.
  - Banking/ombudsman route: for unauthorized banking transactions, file formal complaints with the bank and escalate to RBI Banking Ombudsman; request chargeback/reversal where policies permit.
- How courts treat the “unauthorized user” factual matrix
  - Courts look for: absence of consent; dishonest/fraudulent use; proximate causation of loss; and service-provider negligence where statutory duties are engaged.
  - Electronic records are decisive but must be tendered in compliance with Section 65B. Delay in obtaining logs or failings in chain of custody often lead to evidentiary difficulties.
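An added example, not part of the original article: a Python sketch of how the access logs, authentication trail and payment records listed under "Evidence required" can be merged into one timeline to show activity from a device the account holder never used, shortly after a SIM change. The record format, field names and the 24-hour window are assumptions, and the sample records are constructed.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample records, not real data. Assumed format:
# timestamp|source|account|device_id|ip|event
SAMPLE_LOG = """\
2024-03-01T09:12:05|access|ACC-1001|dev-A1|203.0.113.10|login_ok
2024-03-03T20:40:11|access|ACC-1001|dev-A1|203.0.113.10|login_ok
2024-03-05T01:55:00|telecom|ACC-1001|-|-|sim_change
2024-03-05T02:10:42|otp|ACC-1001|dev-Z9|198.51.100.77|otp_sent
2024-03-05T02:11:30|access|ACC-1001|dev-Z9|198.51.100.77|login_ok
2024-03-05T02:14:09|payment|ACC-1001|dev-Z9|198.51.100.77|transfer
2024-03-06T10:02:00|payment|ACC-1001|dev-A1|203.0.113.10|transfer
"""

FIELDS = ("ts", "source", "account", "device", "ip", "event")

def parse(raw):
    """Parse records and keep a SHA-256 of each raw line so a finding can be
    matched back to the preserved original record."""
    rows = []
    for line in raw.splitlines():
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue  # skip blank or malformed lines rather than guessing
        row = dict(zip(FIELDS, parts))
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["sha256"] = hashlib.sha256(line.encode("utf-8")).hexdigest()
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])

def flag_suspect_events(rows, window=timedelta(hours=24)):
    """Flag activity from a device with no prior history on the account that
    occurs within `window` after a SIM change on that account."""
    known, sim_changed, findings = {}, {}, []
    for r in rows:
        acct = r["account"]
        if r["event"] == "sim_change":
            sim_changed[acct] = r["ts"]
            continue
        devices = known.setdefault(acct, set())
        changed = sim_changed.get(acct)
        in_window = changed is not None and r["ts"] - changed <= window
        if in_window and r["device"] not in devices:
            findings.append(r)        # unfamiliar device right after SIM change
        else:
            devices.add(r["device"])  # builds the account's normal baseline
    return findings

if __name__ == "__main__":
    for f in flag_suspect_events(parse(SAMPLE_LOG)):
        print(f["ts"].isoformat(), f["event"], f["device"], f["ip"], f["sha256"][:16])
```

Run it on working copies of the exported logs, never on the originals, and treat the flagged rows as leads for the forensic examiner rather than as findings in themselves.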
Landmark Judgments
- Anvar P.V. v. P.K. Basheer & Ors., (2014) 10 SCC 473 (Supreme Court)
  Principle: The Supreme Court scrutinized the admissibility of electronic records. The Court held that electronic records must satisfy the requirements of Sections 65A and 65B of the Indian Evidence Act to be admissible, and emphasized the necessity of a Section 65B certificate to prove authenticity, subject to limited exceptions. Practical consequence: digital logs, emails, transactional records and forensic reports must be accompanied by proper certificates and chain-of-custody documentation—failure to do so can render crucial evidence inadmissible.
- Shreya Singhal v. Union of India, (2015) 5 SCC 1 (Supreme Court)
  Principle: While primarily dealing with free speech and Section 66A, the judgment affirmed careful interpretation of IT Act provisions and held that intermediaries are not per se liable if they follow due diligence and statutory safe harbours. Practical consequence: when an unauthorized user acts through a platform, the platform’s observance of due diligence and procedural compliance (as required by Section 79 and the Intermediary Rules) becomes central to litigation strategy and relief against intermediaries.
- Avnish Bajaj v. State (NCT of Delhi), 2005 DLT 277 (Delhi High Court)
  Principle: The High Court emphasized intermediary liability and the need to examine due diligence by platform operators; the case demonstrates the need to frame claims carefully when the wrongdoer used an online marketplace or social-media intermediary.
Strategic Considerations for Practitioners
- Framing offences and parallel remedies
  - Draft FIRs with precision: specify the digital acts (accessed without permission, used password/OTP, SIM-swap etc.) and cite IT Act sections (66C, 66D, 43, 72A) and IPC provisions if theft/cheating/forgery are additionally involved.
  - Run criminal and civil remedies in parallel: criminal prosecution may punish the wrongdoer; civil proceedings provide faster recovery/compensation and injunctive relief.
- Preservation and speed: your first win
  - Time is the adversary. Logs, cache and metadata are ephemeral. Immediate preservation letters and court orders to intermediaries make or break the case.
  - Use Section 91 Cr.P.C./court production orders and operational intermediary grievance mechanisms; send preservation notices to intermediaries and banks (and follow up with court orders).
- Electronic evidence practice
  - Always obtain Section 65B certificates from the person producing the electronic records (e.g., server-owner or custodian). If production is from an intermediary, insist on production through the custodian who can certify the record.
  - Maintain forensic hygiene: employ accredited labs, document chain of custody, take imaging/hashing of drives and preserve originals.
- Intermediaries and injunctive relief
  - When an unauthorized user exploits a platform, seek interim injunctions against the intermediary to take down offending material and to disclose the identity of the user (disclosure orders must reconcile with privacy laws and the Intermediary Rules).
  - Know the intermediary’s defenses: if they can show due diligence and compliance with rules, they may claim safe harbour.
- Banking and recovery strategy
  - Concurrently press the bank/payment gateway for immediate suspension/reversal and file an ombudsman complaint. Banks are required by RBI guidelines to investigate unauthorized transactions; persistent delay weakens remedy prospects.
  - Track funds quickly—if funds are routed to third-party accounts, apply for freezing orders and trace under PMLA processes if laundering is suspected.
- Pitfalls to avoid
  - Relying solely on screenshots or unauthenticated printouts—without 65B certificates and forensic corroboration, such evidence is weak.
  - Delay in lodging FIR or applying for preservation—logs may be overwritten.
  - Failing to issue preliminary notices to banks/intermediaries or to ask for immediate hold/freeze on suspect accounts.
  - Neglecting data-protection remedies under DPDP Act where misuse of personal data is central—these can yield distinct compensation and regulatory penalties.
Conclusion
“Unauthorized user” is a fact-driven concept with clear statutory hooks in the IT Act, supported by the Evidence Act and emerging data-protection law. Success for a practitioner turns on early action: preserving digital evidence, framing precise statutory violations (66C/66D/43/72A and civil remedies under 43A/DPDP), securing competent forensic analysis and ensuring electronic records are produced in compliance with Section 65B. Strategically pursue both criminal and civil avenues, press banks and intermediaries to act fast, and build admissible, corroborated evidentiary chains. In practice, winning these disputes is less about rhetoric and more about rapid evidence-preservation, correct statutory framing, and meticulous digital-forensic proof of lack of consent and dishonest intent.