DEEPFAKES: THE LEGAL GAP IN ADDRESSING AI-GENERATED FAKE VIDEOS

This article is written by PRITESH BAHADUR, GRAPHIC ERA HILL UNIVERSITY, DEHRADUN, BALLB (HONS.), FIFTH YEAR during his internship at Ledroit India.

SCOPE OF ARTICLE

This article examines the emerging challenges of deepfake technology and the inadequacy of current legal frameworks in India to address AI-generated fake media, of which fake videos are the most prevalent. The discussion analyses the current legislative provisions under the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021. The article explores the definitional ambiguity around deepfakes, evaluates the enforcement challenges that regulatory authorities face, and assesses the remedial mechanisms that the competent authorities have established in favour of victims. By way of comparative analysis and with reference to relevant case law, this article proposes targeted legislative reforms to bridge the existing legal gaps.

KEYWORDS

Deepfakes, artificial intelligence, Information Technology Act, digital personal data protection, misinformation, synthetic media

ABSTRACT

The proliferation of deepfake technology presents unprecedented challenges for legal minds worldwide, and especially in India, which has recently been implicated in the wrongdoings of establishments like scam call centres that might just grab a dollar from you ‘legally’ if they already have the capacity to blackmail you through a ‘deepfake’. Deepfakes, which utilize artificial intelligence to create hyper-realistic but entirely fabricated videos, have emerged as a potent tool for misinformation, defamation, and privacy violations. Despite the existence of legislative frameworks such as the Information Technology Act 2000, the Digital Personal Data Protection Act 2023, and various intermediary guidelines, Indian law lacks specific provisions addressing the unique characteristics of AI-generated synthetic media.

This article aims to critically examine the ‘inherent’ legal landscape, identify major gaps in enforcement and remediation, and propose comprehensive reforms that legal minds can happily apply to at least initiate a meaningful process or precedent. These include specific criminal provisions for the use of deepfakes with malicious intent, enhanced intermediary obligation(s), and victim-centric remedial mechanisms.

The analysis aims to demonstrate that, while current laws provide a fragmented or unaddressed response to deepfake-related harms, an all-encompassing or ‘cohesive’ legislative approach incorporating technological literacy and international best practices remains essential for effective regulation.

THE INADEQUACY OF EXISTING LEGISLATIVE FRAMEWORKS

Legal fictions are dangerous things, especially when applied to rapidly evolving technology. At the core of India’s current software piracy problem lies a massive, fundamental disconnect: the law historically treats computer code like a novel, but pirates treat it like a bank vault to be cracked. Under the Copyright Act of 1957, software is technically classified and protected as a “literary work.”

This classification is pivotal because it confers upon software developers the same bundle of exclusive rights granted to authors of books or plays; specifically, the exclusive right to reproduce their work, issue copies to the public, and make adaptations under Section 14 of the Act. 

But let’s be honest about the practical application here. Calling a complex operating system or an enterprise database a “literary work” does not fully capture the functional and technical reality of modern infringement. 

Real-world piracy is rarely about someone simply engaging in plagiarism. It is far more sophisticated. In practice, piracy covers unlicensed installation and use, the distribution of cracked binaries, keygens that generate fake serial numbers, and other unauthorized copying or public communication of software that infringes exclusive rights. Section 51 of the Copyright Act attempts to catch this conduct. It provides the legal basis for civil injunctions, damages claims, and criminal liability. However, while Section 51 addresses the result of the infringement, the unauthorized copy, it often struggles to address the technical method of the theft.

This is precisely why the Information Technology Act, 2000, becomes an essential, albeit imperfect, companion to copyright law. The IT Act shifts the legal focus entirely. It stops looking at “copying” and starts looking at “access” and “integrity”. Section 43 targets the individuals who engage in unauthorized access, downloading, copying, or the introduction of viruses and contaminants. But for a software developer, Section 65 is the real weapon in the arsenal. This section creates a specific offense for tampering with “computer source documents”. In the context of a piracy raid, Section 65 is often the only provision that accurately describes the act of modifying a program’s source code to disable license verification protocols or erase audit logs. Furthermore, when such acts are committed dishonestly or fraudulently, Section 66 escalates the conduct to a serious criminal offense punishable by imprisonment.

The challenge for practitioners is not just identifying the theft. It is the strategic choice. Do you pursue the violator for the infringement of rights under the Copyright Act, or do you target the hacking of the system’s integrity under the IT Act? Or, as we shall see, is the only viable path to try and do both without getting tangled in procedural red tape?

THE REMEDIAL TOOLKIT: CIVIL, CRIMINAL, AND ADMINISTRATIVE TRACKS

Most enforcement strategies fail because they pick the wrong lane. A robust enforcement strategy requires a fluid understanding of the three distinct tracks available under Indian law, which differ wildly in terms of speed, the burden of proof, and the ultimate pain inflicted on the defendant.

First, consider the Civil Track. This is the standard, default move for most corporate plaintiffs. Rights holders file civil suits to obtain interim and permanent injunctions, which are critical for immediately halting the distribution or use of pirated software. Beyond simple stoppages, the civil courts can award damages to compensate for lost licensing revenue or order an “account of profits” to reclaim the illicit gains made by the pirate. The primary advantage here is the speed with which the infringing activity can be halted; courts are often willing to grant ad-interim injunctions quickly to prevent irreparable harm. However, the reality of the civil track is that while the injunction may be quick, the full trial to determine final damages can be a lengthy, exhausting process where the standard of proof is the preponderance of probabilities.

On the other hand, there is the Administrative Track, a unique and often underutilized feature of the IT Act. Under Section 43, unauthorized access and copying that results in a quantifiable loss can be addressed through a complaint to an Adjudicating Officer (AO) rather than a regular judge. The AO has the pecuniary jurisdiction to award compensation up to ₹5 crores.

This creates a specialized forum for resolving disputes where the claim value is quantifiable and within this cap. It is particularly valuable for “end-user piracy” cases—such as a corporation found using 50 unlicensed versions of Microsoft Office—where the loss is a specific calculation of unpaid license fees. If the claim exceeds the ₹5 crore limit, the jurisdiction shifts back to the competent civil courts, but for many SMEs and mid-sized disputes, the AO remains a faster, more focused venue.

Finally, the Criminal Track remains the “nuclear option.” Under the Copyright Act, “knowing” infringement is a criminal offense. The Supreme Court of India has elevated the stakes significantly by recognizing copyright offenses as cognizable and non-bailable. This means the police can arrest without a warrant, and the pirate does not get automatic bail—a massive deterrent. Similarly, the IT Act provides for imprisonment of up to three years for dishonest acts under Section 66 or source code tampering under Section 65. However, the standard of proof here is “beyond reasonable doubt,” which is a high bar requiring concrete evidence of knowledge or dishonest intent, unlike the civil standard.

THE EVIDENTIARY HURDLE: FORENSICS AND “KNOWING” INFRINGEMENT

Here is the hard truth: the law does not matter if you cannot prove the install actually happened. In the digital realm, evidence is volatile. It disappears. Logs can be wiped, cracked software can be deleted with a single keystroke, and entire servers can be reformatted in minutes.

To surmount this volatility, the “Practitioner Playbook” for India relies heavily on the appointment of Local Commissioners in civil suits. A Local Commissioner is an officer of the court appointed to visit the defendant’s premises, often without prior notice (a procedure akin to an Anton Piller order), to search for and seize infringing evidence. This “search and seizure” capability is vital. It locks down the evidence and restrains ongoing use before the defendant has a chance to destroy the incriminating data.

The evidence kit required for a successful action is extensive and unforgiving. It must include proof of rights, such as EULAs, registration information, and license proofs. But legal papers are not enough. You also need the technical proof: installation counts, version and build identifiers, and audit reports. In cases involving the IT Act, the requirement is even more technical. You need system and access logs, endpoint and network forensics, and hash-verified images to prove unauthorized access or tampering. Furthermore, under the Indian Evidence Act, specifically Section 65B, electronic records must be accompanied by a certificate to be admissible in court. Without this certificate, your logs are essentially inadmissible.

We can see the importance of this rigorous approach in the landmark case of Microsoft Corporation v. Waidande. In this instance, the Delhi High Court granted a permanent injunction against the unlicensed use of Microsoft Windows and Office and awarded ₹20 lakh in damages. The court’s decision was not arbitrary; it was heavily influenced by the robust record provided by the plaintiff. This record included investigator inputs, specific installation counts, and evidence secured by the court-appointed commissioner. The case underscores a workable evidence kit: audit/licensing records combined with on-site inspection and forensic imaging are the only way to establish unauthorized installations and quantify relief.

THE INTERMEDIARY CONUNDRUM

In the modern ecosystem, software piracy is frequently facilitated not by direct peer-to-peer exchange but through third-party intermediaries—cloud storage providers, social media platforms, and file-sharing sites. Enforcement here faces the “Safe Harbor” defense, which protects intermediaries from liability for third-party content, provided they act with due diligence.

The scope of this protection has been a subject of intense judicial and legislative scrutiny. The Division Bench of the Delhi High Court, in the case of MySpace Inc. v. Super Cassettes Industries Ltd., clarified the boundaries of intermediary liability. The court held that “actual knowledge” of infringement is required to trigger an intermediary’s liability. Crucially, the court ruled that intermediaries are not required to pre-screen all uploads on a generalized basis or engage in roving monitoring. That would be an impossible burden. Instead, the onus is on the rights holder to provide specific, URL-level notices identifying the infringing material.

This judicial standard is now tightly coupled with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. These rules impose strict timelines on the platforms. Upon receiving “actual knowledge” via an appropriate order or specific notice, an intermediary must remove or disable access to the infringing material within 36 hours. This creates a high-pressure dynamic for enforcement. Rights holders must have the infrastructure to detect infringement and issue precise, URL-specific notices rapidly. For their part, intermediaries must operationalize a 36-hour response workflow to maintain their safe harbor protection, alongside maintaining grievance officers and repeat-infringement policies.

STRATEGIC CONCURRENCY AND CONCLUSION

Given these complexities, relying on a single statute is often a recipe for failure. Effective enforcement requires a strategy of “concurrency”: running the Civil and IT Act tracks simultaneously.

The process typically begins with filing a civil suit to secure an immediate ad-interim injunction. This is the fastest way to stop the bleeding. Concurrently with the injunction, the plaintiff should seek the appointment of a Local Commissioner to conduct a forensic search and seizure, imaging hard drives and counting installs. This secures the evidence.

Once the evidence is locked down, the strategy forks. If the forensic audit reveals a quantifiable loss of license fees (e.g., 50 unlicensed computers) and the amount is under ₹5 crore, a complaint under Section 43 of the IT Act can be filed before the Adjudicating Officer for compensation. This utilizes the civil evidence bundle in the AO proceedings. However, if the evidence reveals distinct dishonesty (such as the fraudulent cracking of codes) or tampering (such as deleting source logs), the matter can be escalated to a criminal complaint under Sections 65 and 66 of the IT Act. This allows the plaintiff to preserve appeal rights while maximizing pressure.

Ultimately, the goal of this legal framework is proportionality. By combining the “literary work” protection of the Copyright Act with the “digital integrity” provisions of the IT Act, India aims to create an environment where deterrence is credible and remedies are accessible. Success depends on “calibrated dual-track enforcement”. It requires rights holders to be precise—generating specific notices for intermediaries, conducting rigorous self-audits, and pleading their cases across both civil and criminal forums. 

As the Microsoft and MySpace judgments demonstrate, the tools for effective enforcement exist; the challenge lies in their strategic and concurrent application. Stronger digital evidence SOPs and clearer concurrency rules would further reduce friction, but the current playbook, if executed with discipline, provides a formidable defense against piracy.
