CYBER LAW Liability of Cyber Cafe Operators

Various risks are inherent in the role of a Cyber Cafe operator. However, considering their importance in this cyber age, it is imperative that their business must go on. There have been various cases in India where cyber cafe owners have been put behind bars for the misuse of their computer systems by their customers, when we kept wondering why the innocent [1] cyber cafe owner was being made liable for the offence committed by his customers. Cyber cafes have always acted as an easy medium for the commission of illegal activities in cyberspace and Cyber Cafe operators have many times been implicated for the acts of their customers. [2] 

In the first week of January, 2009, several mails were sent to some of the IT companies of Bangalore, from a Cyber Cafe, threatening terrorist attacks. [3] There have been many such instances in the past where Cyber Cafes have been used, as a medium, for either real or false terrorist communication. [4] Several Cyber Crimes such as stealing of online banking passwords and consequent fraudulent withdrawal of money have also occurred through Cyber Cafes. Cyber Cafes have often been used for sending of obscene mails to harass people. Keeping in view these instances, Cyber Cafes have been regarded as one of the key intermediaries which need to be regulated. [5] Therefore, in order to regulate Cyber Cafes, several States had passed various regulations, some under the Information Technology Act, 2000 and some under the State Police Act.

The issue of liability of Cyber Cafe operators has gained importance with the increase in offences being committed using them as a medium. They are being held for abetting these offences by providing the necessary infrastructure for the commission of the offence. [6] 

Earlier, the liability of cyber cafe operators was not directly discussed under the Information Technology Act, 2000 but it was implied within the term “Network Service Providers" and they were required to observe due diligence which was stipulated under the erstwhile Section 79 of the Act, in order to evade the liability for the offences being committed by using their facilities. However, the amendments in the Act in the year 2008 made the liability direct.

If there is any allegation against the operator under the Act, rules or regulations, for any third party data made available by using his facilities, he shall not be liable if he is able to prove that the offence was committed without his knowledge or that he exercised all the due diligence to prevent the commission of that offence. However, in this case, the onus of proof lies on the operator to prove that he exercised due diligence. [7] 

In this paper, the author has endeavoured to discuss the legal framework that governs the liabilities of cyber cafe operators, the changes brought about by the Information Technology (Amendment) Act, 2008, and the similarities and dissimilarities in the law in India and in other major legal systems across the globe.


Cyber cafes have been defined differently by different authors in various parts of the world. Some definitions are exclusive while others are very inclusive in nature. The Oxford Dictionary defines ‘cyber cafe’ as “[a] cafe with computers on which customers can use the internet, send emails, etc.". [8] 

They are places that generally offer networked computers for hire by an hour. [9] They offer variety of internet applications to their customers, such as email, web-browsing, chat rooms, etc. Some of them also provide office applications such as word, power point, editing softwares, etc. [10] Furthermore, the Karnataka regulations for Cyber Cafes define a Cyber Cafe as "[a]ny premises where the Cyber Cafe Owner/Network Service Provider provides the computer services including internet access to the public". [11] 

It may also be defined as

“a place which facilitates the use of the internet to anyone on payment of fixed charges. Cyber Cafe owners are neither publishing nor transmitting, or causing any obscene material to be published." [12] 

The Expert Committee on the Review of the Information Technology Act, 2000, in its report suggested the insertion of Section 2(1) (nn) which defines a cyber cafe as “a place where access to electronic form is provided to the public". [13] However, this definition was not accepted, and a new definition was inserted as Section 2(1) (na) in the Information Technology Act by way of the amendment in 2008. This definition reads as

“any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public". [14] 

Consequently, the legal framework governing the liability of cyber cafe operators has been strengthened by the insertion of this definition, as this has removed all the ambiguities concerning the definition of a cyber cafe.


After the passage of the Information Technology (Amendment) Act, 2008 there has been a substantial change in the cyber cafe regulatory scenario. Earlier, the State Governments who took this initiative as a part of the e-Governance measures to handle the law and order situation in their respective jurisdictions and passed several regulations for cyber cafes either as notifications under Section 90 of the 2000 Act or under the Police Act of the respective states. [15] These laws primarily elaborated the ‘due- diligence’ measures that the Cyber Cafe owners had to take, such as maintenance of a visitor's register and checking a photo ID of the customers to ensure their identity. Some regulations also required registration of Cyber Cafes with the Police Stations of their locality and some required periodical statements by the cyber cafe operators to be filed with the Police.

When the Act was being framed, there were suggestions that cyber cafe owners be mandated to maintain log records. But this had to be done away with after it came under heavy criticism. [16] However, the scenario changed after the amendments in the Act in the year 2008. With the amendments of 2008, several responsibilities on Cyber Cafe regulations passed on to the Central Government. The term Cyber Cafe is now defined in the Information Technology Act. The Act also includes Cyber Cafe within the definition of “intermediary" [17] and imposes responsibilities for

Data retention for such duration as the Central Government may prescribe (Section 67C).

Implementing interception instructions from the Government if any (Section 69).

Implementing instructions for blocking of websites if any (Section 69A).

Retention of traffic data for specified period (Section 69 B).

Additionally, Cyber Cafes being considered as liable for "Assistance" or "Abetment" under various other sections when offences are committed under the Act cannot be ruled out. Though Section 79 provides for protection, it requires that Cyber Cafes need to follow "Due Diligence". [18] 

In the case, [19] a pornographic video was put to sale on this website. The person in- charge contended that it was without his knowledge and that it was not possible to supervise each and every article that was put on sale on the website. The video clip was taken off as soon as they received the information. [20] However, that person was arrested and kept behind the bars until he was granted a bail by the Delhi High Court.

Earlier, the liability of cyber cafe operators was not directly discussed under the Information Technology Act, 2000 but it was implied within the term “Network Service Providers" and they were required to observe due diligence which was stipulated under the erstwhile Section 79 of the Act, [21] in order to evade the liability for the offences being committed by using their facilities. [22] However, the amendments in the Act in the year 2008 made the liability direct, by including cyber cafes within the definition of “intermediaries". The protection given under the amended section to the intermediary is wider than the protection provided by the earlier section. The extent of liability is in line with the EU Directive. [23] 

Section 79 of the Act, that stipulates that intermediaries shall be exempted from liability in certain cases, has also been amended. [24] The term “intermediary" has been used in place of “network service provider". [25] Essential features of Section 79 are, [26] 

When an intermediary receives knowledge that some unlawful act is being committed with information under his control, he needs to “expeditiously" remove or “disable access", “without vitiating the evidence in any manner" [27] .

The intermediary shall observe “Due Diligence". [28] 

An intermediary cannot be made liable for the commission of an offence using his facilities, if he was unaware of the offence or if he has observed due diligence. [29] 

The genesis of the aforementioned provision lies in the acknowledgement by the society, and consequently by the Parliament, that it is irrational to hold them liable when they have very little control over the activities of the users of their facilities. Moreover, this would have a devastating effect on the growth of this industry as well. [30] 


The interpretation of the terms “due diligence" and “knowledge" is imperative for the proper understanding of Section 79 of the Act.

The term ‘knowledge’ should refer to actual as well as constructive knowledge. Therefore, a person would be deemed to have constructive knowledge with respect to the contents of a material, if that would put a reasonable man of average intelligence on notice as to the suspicious nature of that material. [31] Here knowledge means that the intermediary either knows or has any reason to believe that the material that is being transmitted is unlawful. [32] 

Furthermore, the term ‘due- diligence’ refers to reasonable steps that should be taken by a person so as to avoid commission of any offence or contravention. It means that reasonable steps have been adopted to ensure that the information content that is being transmitted is lawful. A due diligence exercise is a statutory duty on the part of the intermediary to have regulatory practices to prevent transmission or publication of any kind of unlawful content. [33] 


Section 79 of the Act provides that intermediaries, which includes cyber cafe owners as well, may not be liable for the acts committed by others if they observe “due diligence". However, the experience of the past few years suggests that the regulations have proved largely ineffective. Most of the Cyber Cafes are managed through the servants of the owners who have little technical knowledge or responsibility and this makes it very easy for the criminals to misuse the facilities for sending threatening e-mails or planting key loggers, spreading obscene information etc. [34] 

Section 79 appears to adopt the contributory liability standard for imposing liability upon intermediaries when knowledge of the illegal activity imposes liability on the intermediary. However, the section is silent as to whether “knowledge" is actual knowledge or constructive knowledge because of which the differing approaches can lead to varying results.

An illustration is the finding of the United States’ District Court in the Sony case [35] was that Sony had no direct involvement with video television recorder purchasers and so was not involved in a possible infringing use of the product. [36] Although its advertising material made no mention of copyright law, Sony's video television recorders' instruction manual warned purchasers that unauthorised copying of television programmes and content could be a breach of the copyright law. [37] The court assumed that Sony had constructive knowledge that its machines could be used to record copyright material but this fact alone was insufficient for it to be liable as a contributory infringement of copyright. [38] Consequently, it is imperative the standard of knowledge should be defined.

Another requirement for precluding liability of an intermediary is that “he had exercised all due diligence to prevent the commission of such offence or contravention". [39] Different standards for due diligence exists, which include

absolute due diligence

personal due diligence. [40] 

It is nowhere provided in the section, by way of an explanation, that what constitutes due diligence or what are the criteria by which the intermediary would be considered to observe due diligence. Thus at best the safe harbour provided to intermediaries under the ITA proves sketchy and inadequate. [41] 

Furthermore, by virtue of Section 79, a Cyber Cafe operator would be exempted from liability if he is able to prove that the offence was committed without his knowledge or that he had exercised all the due diligence required to prevent the commission of the offence. However, here the onus is on the operator to prove that he is not guilty. This makes it easy for anyone to pull the operator into litigation and then the operator would be burdened with the task of proving due diligence and absence of knowledge.

Consequently, it is difficult for a cyber cafe operator, who is not well acquainted with the technicalities, to observe due diligence and also to prevent misuse of its facilities.


As the internet and related technologies are spreading, the liabilities of the intermediaries are decreasing worldwide. The statutory emphasis has nowadays shifted to protect and strengthen the business model. [42] In United States, it was decided that interactive computer services should not be held liable for their failure to withhold, edit or restrict access to offensive material disseminated through their medium. [43] Title II of the Communications Act of 1934 was amended to include such provisions.

Thus, in United States, intermediaries enjoy unqualified immunity from liability for material created by third parties, using their facilities. [44] This section was enacted to remove disincentives of self- regulation fearing that the specter of liability would deter the intermediaries from blocking and screening offensive material. [45] The provision forbids the imposition of publisher’s liability on the service provider for the exercise of its editorial functions. [46] It creates federal immunity to any cause of action that would make service providers liable for information originating with a third party user of the service. [47] However, this immunity is lost if the intermediary provides this material knowingly. [48] 

In the United Kingdom, the U.K. Defamation Act, 1996 contains a defence for “innocent dissemination" which is available only if the defendant took “reasonable care" and “did not know, and had no reason to believe" that the statement he is publishing is defamatory. [49] The provision in Unites Kingdom is significantly different from the American provision. Here, the onus to prove his innocence lies on the intermediary. [50] 

However, if these conditions are not satisfied, the intermediary would be liable for the acts of the third parties. [51] Where a person failed to take reasonable steps to remove a defamatory material of which he also had the knowledge, he could not be exempted from the liability imposed on him by the UK Defamation Act, 1996. [52] 

Significantly, the provisions in U.K. are quite similar to the “due diligence" requirement in the Indian Information Technology Act.


In my view certain regulations can make the legal framework governing cyber cafes in India more effective. Examples of such regulations are

Registration of the cyber cafes should be made mandatory. Moreover, de-registration should be done as a means of punishing non- compliance of regulations.

There should be a compulsory training for the Cyber Cafe operators to ensure that they are well aware of the technological advancements.

A certificate should be provided to the persons who have successfully completed their training. Only those operators who are certified by the appropriate training authority should be allowed to open a cyber cafe.

It should be made mandatory for every Cyber Cafe operator to install a camera in the premises. This would help in keeping a record of the persons entering and leaving the Cyber Cafe. This would also act as deterrence for the wrongdoers.

The aforementioned suggestions, if accepted, would make the legal framework more efficient and effective.


The changes brought about by the amendment Act of 2008 are definitely a great step towards strengthening the legal framework governing the liability of the cyber cafe operators. However, there are still many problems in this regard such as lack of technical and legal knowledge on the part of cyber cafe operators, no proper guidance related to the term “due diligence", etc.

Cyber Cafes are, for a larger section of the society, the gateways of Cyberspace. Therefore, the importance of this industry cannot be neglected. The risks involved in this business are outweighed by its benefits for a common man. Therefore, it is imperative that we should maintain a balance between the security and privacy of the citizens and the proper functioning of this business.

The laws have to keep up with the pace of the changing technology. Law should be such that it should cover even those possible breaches which may occur in the future. Liberty should be given but at the same time absolute liberty may result in anarchy. Therefore, innocent Cyber Cafe operators should not be held liable for the acts of others, and it should be ensured that others may not take advantage of their lack of technical as well as legal knowledge.

Consequently, there is a need to strengthen the laws and to take measures for better implementation of the existing laws.