Regulation of Internet Service Providers and Intermediaries

(This file should be read after the earlier file which discusses jurisdiction related issues)

Who are intermediaries? Conceptually, intermediaries are those entities because of whom users of the internet are able to access content on the internet or communicate or transact with other users (a formal definition is provided later in this discussion). The existence of intermediaries is extremely important for maintaining access to the internet. Having an understanding of how intermediaries are regulated is important for a business for two reasons:

  • If the business has an online presence (say, through a website), an intermediary will have the ability to legitimately restrict access to its website on the internet;
  • Although businesses may not immediately realize it, many of them may themselves qualify as intermediaries and be subject to the same duties and risks which apply to intermediaries. For example, any website which allows user-generated content to be shared with the public (such as Blogger or YouTube), or an e-commerce website which allows third parties to sell products (such as eBay or OLX), will qualify as an intermediary.

Example - How can you identify the intermediaries involved when you take a particular action on the internet?

Let us take the example of content posted by a user by way of a blog (on Blogger), or a video uploaded on YouTube, or a status update on a social media network such as Twitter or Facebook. Let’s assume that X, an Indian user, uploads a video on YouTube.

The content is hosted on YouTube’s servers, or a cloud hosting service (if YouTube avails services of a cloud at the backend). These servers could be located anywhere in the world. Accessing the services of a website may involve accessing content stored over multiple locations (which often happens in case information is stored on a cloud). Additionally, mirror servers may be located in a different country than the main server which hosts the information.

A visitor to YouTube accesses this information through his internet service provider.

In this scheme of things, a number of ‘intermediaries’ are involved when a visitor accesses content on YouTube. These intermediaries are essentially the middlemen in the chain who make available the communication link between a user and a website and facilitate data transfer. These would be internet service providers, hosting providers, domain name registries and other service providers.
In the above case it would be the user’s ISP, YouTube itself, its domain name registrar (which is Markmonitor Inc., as a simple ‘Whois’ search on the internet will indicate), the various servers hosting the video, etc.

Risks of operating as an intermediary

Under law, if a person’s legal rights are violated by another person (Wrongdoer), any persons who have incited, abetted, or aided the Wrongdoer in committing the violation may also be held responsible (even if it is to a lesser degree). If commission of a particular act is punishable under Indian law, it is likely that facilitating or providing the means to encourage such action may also be punishable. Usually the punishment under criminal law is a fine and imprisonment for the directors or the persons in control of the entity’s affairs. Hence, intermediaries can potentially be held liable under various Indian laws for illegal actions that have been committed using the resources made available by them, even without their knowledge or active participation in the commission of the illegal acts. The general principles of liability for encouraging offences are mentioned under the Indian Penal Code.


If X violates Y’s legal rights through an action on the internet, intermediaries involved in the process could potentially run the risk of legal proceedings against them for ‘enabling’ the commission of the act. Most intermediaries are structured as corporate entities – legal proceedings can be initiated against their directors and key officers (who may face risk of imprisonment), and can even adversely affect company valuations and acquisitions by investors.

This is a very serious business risk for an intermediary, and could even discourage intermediaries from providing vital services and platforms on the internet, unless intermediaries are provided some protection by the law.


Bazee.com - India’s first high profile case on intermediary liability

In 2004, an internet website Bazee.com (the predecessor of eBay India) carried a listing, offering a CD clip of two school children engaged in a sexually explicit act, which was uploaded for sale on Bazee.com by a student of IIT Kharagpur. The video was uploaded under a fake name and address, and under the category of “e-books”, so that it would not be detected by Bazee’s internal filters. Bazee.com merely brought buyers and sellers together (and took a commission on sale), and had no other role in specifically permitting the sale of this particular product. However, when the video was discovered on Bazee.com, Avnish Bajaj, the Managing Director (MD) of the company, was arrested for allowing obscene material to be available for sale (which is an offence under both the Indian Penal Code and Information Technology Act). His passport was impounded and he was not permitted to leave India without the permission of the court.

He was only temporarily released from custody (but he was not acquitted) after furnishing a bond that he would assist in investigation whenever necessary with a security amount of INR 2 lakhs. The case went on for about 8 years from the occurrence of the incident. Fortunately, the Supreme Court acquitted Avnish Bajaj (on procedural grounds) in 2012.


Note: The Supreme Court’s order is available here.

He was also fortunate that Bazee’s acquisition by eBay (which was underway at the time of the incident) was not appreciably affected.


Formal definition of intermediary

The IT Act has a relatively formal definition of intermediaries which is provided here. Under the IT Act, an intermediary (Intermediary) is defined to include “any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.”

In the example where a visitor accessed user-generated content on YouTube, each of the entities providing access to the content would qualify as intermediaries.

What would happen if the user-generated video contained copyrighted information, say, a movie that is copyrighted by Warner Brothers? What if the video contained material which was defamatory to a respectable businessman in the US?

In such a situation, Warner Brothers or the businessman would have a right to sue the user who uploaded the video. In addition, each of the intermediaries pointed out above could also be potentially liable for aiding, abetting or encouraging the legal violation.

Intermediary liability under IT Act

In order to protect intermediaries from the risk of liability from illegal or unlawful activities on the internet where the intermediaries have not been actively involved, the IT Act was amended in 2008. As per the IT Act in its current form, an intermediary must not knowingly publish, host or initiate transmission of unlawful information.

The intermediary will be liable if:

(i) it has knowingly aided or induced the commission of an unlawful act, or

(ii) after receiving actual knowledge, or being notified by a Government or its agency, that information hosted on a computer resource regulated by the intermediary is being used to commit an unlawful act, it does not remove the information expeditiously.

What should an intermediary’s role be limited to so that it is not held liable for illegal activities? What obligations must intermediaries comply with so that they are not held liable?

When the intermediary has not knowingly participated in the commission of unlawful activity, it is granted protection from liability, as discussed below. As per the IT Act, an intermediary will not be liable in respect of third party information or data hosted by it under the following circumstances:


1. The function of the intermediary is restricted to providing access to a system where third party information is transmitted, stored or temporarily hosted, or

2. When the intermediary does not a) initiate the transmission of the information, b) select the receiver of the information, and c) select or modify the information contained in the transmission, i.e. when the intermediary is merely a ‘blind’ carrier of information sent by a person to another person.

3. The intermediary observes ‘due diligence’ – this is an interesting condition (discussed later). The rules for due diligence are prescribed in the Information Technology (Intermediaries Guidelines) Rules, 2011 (Intermediaries Rules) (discussed below).

4. Due diligence as per the Intermediaries Rules

Under the Intermediaries Rules, due diligence requires the intermediary to take the following steps:

1)  Appointment of Grievance Officers:

As per the Intermediaries Rules, websites must appoint grievance officers (to address complaints made by users and victims who suffer as a result of access or usage of computer resource) whose appointment must be made known to users.


2)  Publication of policies

Intermediaries must also publish a) a set of rules and regulations, b) a privacy policy and c) a user agreement for access or usage of their resources (collectively referred to as the Intermediary Policies). These Intermediary Policies must notify users not to host, display, upload, modify, publish, transmit, update or share certain prohibited categories of information (Prohibited Information) listed below:

  • Information which belongs to another person and to which the user does not have any right
  • Information which is obscene, disrespects privacy or encourages money laundering or gambling etc., or is otherwise unlawful in any manner
  • Information which may harm minors in any way;
  • Information which infringes any patent, trademark, copyright or other proprietary rights;
  • Information which deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
  • Information which impersonates another person;
  • Information which contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
  • Information which threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation

3) Intimation of consequences of non-compliance by users:

The intermediary is also required to inform the users that it has the right to terminate access or usage rights to its computer resources if the user does not comply with its rules, user agreement and privacy policy, and to remove any information which is not in compliance with the Intermediary Policies.

5. Other responsibilities of intermediaries

i) Duty to remove offending content in case of takedown notices from private entities

As per the Intermediaries Rules, any person who is ‘affected’ by Prohibited Information has the right to apply to the intermediary to remove access to the content (called a ‘takedown notice’). The intermediary must remove such information within 36 hours of receiving the request. It should preserve records pertaining to the notice for 90 days.

ii) Duty to assist government agencies with information

As per the Intermediaries Rules, a government may issue an order to an intermediary to provide requisite information or assistance to agencies which are authorized to undertake investigative, protective, cyber security activity. Such information or assistance must be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law (see below for a discussion of the circumstances when information can be intercepted by the government).

Grounds for interception of information by government (or its agencies)

The IT Act empowers the government (or its agencies) to intercept, monitor or decrypt (or to block access to) any information transmitted, received or stored in any computer resource on certain national interest and security grounds (see Section 69, IT Act), as listed below:

  • sovereignty or integrity of India,
  • defence of India,
  • security of the state,
  • friendly relations with foreign states,
  • public order,
  • preventing incitement to the commission of any cognizable offence (i.e. an offence for which the police can arrest without a warrant), or
  • investigation of any offence.

iii) Compliance with John Doe Orders

As explained in the chapter on copyright, courts may issue John Doe orders against copyright infringers. An intermediary may have to take-down or block access to content on the basis of a John Doe order that is presented by the copyright owner. John Doe orders have been issued against intermediaries for taking down online content which is violative of copyright.

(For understanding the concept of John Doe orders, refer to the module on Copyright)

iv) Duty to comply with regulatory orders to block access to websites

The IT Act has created a body called the Computer Emergency Response Team (“CERT”), which is empowered to issue instructions for blocking of websites. Intermediaries are under an obligation to block access to websites on the instructions of the CERT as per a notification issued by the Central Government (DoT Notification) pursuant to the IT Act (IT Act Notification 181). The CERT is empowered to act on the directions of the following persons or entities (they can be broadly classified as governmental agencies or a court) (Authorized Complainants):

  • Secretary, National Security Council Secretariat (NSCS).
  • Secretary, Ministry of Home Affairs, Government of India.
  • Foreign Secretary in the Department of External Affairs or a representative not below the rank of Joint Secretary.
  • Secretaries, Departments of Home Affairs of each of the States and of the Union Territories.
  • Central Bureau of Investigation (CBI), Intelligence Bureau (IB), Director General of Police of all the States and such other enforcement agencies.
  • Secretaries of Heads of all the Information Technology Departments of all the States and Union Territories not below the rank of Joint Secretary of Central Government.
  • Chairman of the National Human Rights Commission or Minorities Commission or Scheduled Castes or Scheduled Tribes Commission or National Women Commission.
  • The directives of a court.
  • Any others as may be specified by the Government.

Procedure for blocking access - Once the CERT has (i) verified the authenticity of the complaint and (ii) is of the opinion that blocking the website is absolutely essential, it is empowered to issue instructions to the Department of Telecommunications (DoT), which will in turn instruct internet service providers (ISPs) (as ISPs are within the jurisdiction of DoT) to block the website.

Note: The DoT Notification does not specify grounds for blocking of websites. Therefore, a complaint by an Authorized Complainant on the grounds of violation of general provisions of law or violation of Intermediaries Rules may be a sufficient reason for CERT to issue instructions to block a website. Although the CERT must decide whether it is ‘essential’ to block a website before issuing instructions for blocking it, it is doubtful whether CERT could actually refuse action upon a court order or a government direction instructing it to block a website in a real-life situation.

Past instances of blocking access to websites

In 2012, internet service providers (ISPs) operating in India were ordered to block access to torrent download sites such as Pirate Bay and other video download sites such as DailyMotion and Vimeo. Although only specific videos uploaded on these sites were claimed to be in violation of copyright, the order to block access was issued in respect of the entire website. Later on, in October 2012, the Madras High Court restricted take down or blocking orders issued by it to only the specific URL/link which contained the infringing content, and not the entire site.

(A list of websites that were blocked by various internet service providers (as of May 2012) is provided on the link here)


Blocking orders were issued at the request of the owners of copyright in the videos, usually film production companies. For example, Viacom18, which was the company that produced Gangs of Wasseypur, had obtained a blocking order from the Bombay High Court in respect of the movie.

Intermediaries’ degree of care while blocking websites

Intermediaries need to observe a certain level of diligence when they block a website. Wrongful blocking of a website by an intermediary may cause it to be liable to its customers (not copyright owners, but those who utilize the services of the intermediary) for deficiency of service under Indian consumer protection law. For example, if an ISP has misinterpreted a court order while blocking a website, it could be liable under consumer protection law of India. Airtel had to pay INR 20,000 to a customer for blocking access to entire torrent sites (instead of specific URLs, as contemplated by the Madras HC order). (See story on The Hindu here)

Consequences of breach of the provisions of the IT Act by intermediaries

1) Wrongful disclosure of confidential information: Disclosure of confidential information by intermediaries without consent of the concerned person, and with the knowledge that it may cause wrongful loss, is punishable with imprisonment of three years and a fine of up to INR 500,000.

2) Non-compliance with an order to intercept information: Failure to comply with orders to share information with government agencies issued pursuant to the IT Act is punishable with imprisonment of up to 7 years and a fine (the amount of the fine is not specified in the IT Act).
