The Legal Shadow Of Digital Arrests: Analysing Procedural Loopholes In The BNS And IT Act

As cyber fraud continues to dominate national headlines, one peculiar specimen stands out as its sophisticated evolution. 'Digital arrests' creatively merge psychological coercion and technical spoofing, relying on a chain of hijacked telecom nodes, mule bank accounts, and senior citizens as favoured targets. In a typical digital arrest scam, the scammers call victims and pose as a government or law enforcement authority, or a 'virtual court'. They're clad in official uniforms, armed with fabricated warrants of arrest, and assisted by AI deepfake technology that helps convince the victim that they are the real deal. They threaten the victims that serious criminal charges- income-tax evasion, smuggling of contraband, cybercrime (the irony!), money laundering, etc. - will be pressed against them unless they keep their camera on 24x7, and prove their innocence. The scam can last for several hours, days, or even months, and the victim is pressured into revealing sensitive financial information or transferring large amounts of money as a 'security deposit' or some other proof of cooperation.

If high-volume OTP/phone cloning scams are 'cash cows' for cybercriminals, digital arrest is the high- value 'star'. An average digital arrest dupes the victim into parting with savings ranging from lakhs to crores of rupees. Recently, a senior citizen reportedly lost close to INR 23 crores in what is potentially the single largest individual amount in the scam's recorded history. The victim has moved the Supreme Court of India seeking guidelines and a framework for prevention of digital arrests, and the apex court has issued notice to government and banking agencies for the same.

Given the widespread and persistent threat posed by the digital arrest scam, the procedural and legal deficits enabling it must be analysed. At its core, it remains a fundamental crisis of authentication and procedural due process in an era where the state has digitized its services but has not yet authenticated its presence.

The essence of the scam is the false pretence of a criminal investigation. Current law—specifically the Bharatiya Nyaya Sanhita, 2023 (BNS), and the Information Technology Act, 2000 (IT Act),—treats this phenomenon as a series of isolated acts of cheating (Section 318 of BNS), extortion (Section 308 of BNS), impersonating a public servant (Section 204 of BNS), or cheating by personation (Section 66D of the IT Act). However, this misses the structural vulnerability: the asymmetry of information regarding state procedure. The scam operates by exploiting the 'legal shadow' of the Code of Criminal Procedure. Under Sections 160 and 161 of the old CrPC (now mirrored in the BNS), police can summon individuals for interrogation. Scammers leverage the conceptual existence of these powers to justify a 'video interrogation'. Courts in India have accepted electronic service (WhatsApp/email) as valid, particularly in urgent cases, provided there is proof of delivery/reading. However, since there is no statutory mandate for how a digital summons must be authenticated, the citizen is left to judge the legitimacy of the caller based on visual cues—caller details, police uniforms, backgrounds, and 'official' stamps—all of which are easily synthesized.

The Verification Vulnerability

The Indian legal system lacks a statutory root of trust for digital interaction. In the physical world, an officer's authority is verified through a badge, a physical presence, and a written warrant that can be cross-verified at a local station. In the digital world, this chain of custody is broken.

The arrest being done 'digitally' is a procedural exploit that bypasses the rules of evidence. By forcing a victim into a continuous video call, the scammer creates an unrecorded, unmonitored 'black site' interrogation. This is a direct violation of the principles of transparency that govern Indian criminal law, yet it persists because of the absence of a standardized 'verification protocol' for state-citizen communication.

Lack of Legal Literacy & Digital Hygiene

The average Indian cell phone user lacks basic digital hygiene, and is gullible to installing unknown apps, answering calls from spoofed numbers and believing the legitimacy of deepfake video calls. The problem is compounded with a lack of legal literacy surrounding criminal procedure. Legally, an arrest requires a physical deprivation of liberty under the authority of a warrant or specific statutory conditions. Digital arrest is a conceptual impossibility that exploits a lack of public legal literacy.

Focussed Protection for the Elderly

While mass public awareness campaigns have somewhat succeeded in informing the more tech-savvy millennials and gen-zies about phishing scams, the primary target of digital arrests is disproportionately senior citizens and the elderly, who do not possess the same of level of awareness.

The Way Forward

Since almost 80% of losses come from high-value scams targeting senior citizens, the focus must be to strengthen awareness and procedural safeguards on this demographic. Campaigns must lead with the fact that digital arrest has no legal basis in India to immediately break the psychological spell. Official circulars must formally declare that no Indian agency will ever conduct a custodial interrogation or demand 'verification funds' via video call. This is important so that the state can dissolve the scam's primary weapon: the perceived legitimacy of its own authority. Consideration can be given to effectuating 'cooling periods' for large bank transfers if they are made from the accounts of elderly citizens, especially for newly added beneficiaries. Telecom industry can work with Department of Telecommunications to identify calls originating from verified government servers on the user's handset, further authenticating call origins.

The absence of a standardized, secure process across India relating to authentication of digital summons creates vulnerabilities to phishing, unauthorized impersonation, and disputes over service. Thus, the core problem is the erosion of trust in state identifiers; the scam narrative is merely the context. A more long-term but robust solution can be to consider a specific legislation governing digital due process. Such a law can mandate that all digital summons must be digitally signed by authorized officials via an e-Sign process in accordance with the IT Act, and include a QR code linked to a centralized, government-hosted authentication ledger that citizens can use to verify the authenticity of the summons. Instead of sending unsecured PDFs or images, the system can generate verifiable, tamper-evident documents with embedded cryptographic keys, ensuring non-repudiation and integrity. This will help replace the current vulnerability-by-default with a framework of authentication-by-design. To ensure the integrity of the Indian digital state, we must move beyond awareness campaigns and enact definitive legislation that mandates authentication-by-design, turning the 'digital arrest' from a sophisticated legal exploit into a technical and procedural impossibility.

Author is a Cybersecurity and Privacy Expert. Views are personal