Safe harbour or safe haven for crime? A wake-up call on cybercrime-as-a-service

In the age of Artificial Intelligence, crime has become industrialized, globalized and technologically sophisticated, increasingly offering a safe haven for organized, tech-savvy criminals. Cybercrime is no longer an episodic or peripheral threat; it now poses a serious risk to national security, economic stability and social trust.
Agentic criminals are ready to offer Cybercrime-as-a-Service (CaaS) for conceiving, executing and monetizing crime. CaaS is borderless, scalable, automated and increasingly intelligent with minimal risk of detection or legal consequence. The internet has magnified both the reach and complexity of cybercrime, while emerging technologies have further escalated the challenges.
Cybercrime-as-a-Service represents the outsourcing and commercialization of cyber-criminal capabilities, often with implications extending to national security. The CaaS ecosystem enables criminals by providing technical infrastructure, tools, and expertise on a paid or rental basis, lowering the skill barrier for committing crime.
Typically, the CaaS model operates at three levels: building the platform, selling or renting criminal services, and executing offences. Cryptocurrency, the dark web, encryption, and network anonymity collectively mask criminal activities, making detection increasingly difficult. Malware-as-a-Service, Botnet-as-a-Service and Deepfake-as-a-Service are now recognized manifestations of this model.
Scope and Diversity of CaaS
CaaS enables even non-professional offenders to commit sophisticated crime at scale and to realize the proceeds of crime rapidly. A single toolkit can potentially enable thousands of offences across jurisdictions, causing immense financial, psychological, reputational and social harm.
Anyone can be a target, from individuals, especially children and women, to organizations and even nations. CaaS can sabotage critical infrastructure, facilitate espionage, and manipulate democratic processes. The Facebook-Cambridge Analytica episode (2016), involving mass data harvesting to influence the 2016 US Presidential Election and the Brexit referendum, remains a stark reminder of how digital platforms can be misused at scale.
In the era of CaaS, the real battlefield is no longer a crime scene, but the digital ecosystem that enables crime at scale.
Policing Constraints and Policy Challenges
Law enforcement and courts face inherent territorial and jurisdictional limitations in tackling cross-border cybercrime. Crime-as-a-Platform further complicates detection, attribution, investigation and prosecution. Indian police are traditionally trained to deal with conventional crimes, but the detection and investigation of ever-changing cybercrime is highly complex and needs technical aids.
CaaS is by design platform-based, transnational, anonymized and often jurisdiction-agnostic. Hence, cybercrime prevention and detection no longer rest on police action alone. Prevention must precede prosecution; public awareness and robust design safety are essential.
This reality elevates the importance of technological design and platform governance. Law enforcement expectations increasingly extend to security-by-design and privacy-by-design at the architectural level of digital ecosystems. Yet global legal frameworks governing platform responsibility remain uneven.
While the safe harbour doctrine provides immunity to intermediaries against third-party misuse, courts, especially in India, are increasingly signaling that immunity without responsibility is an unsustainable and dangerous proposition.
Safe Harbour: Innovation Shield to Accountability Debate
The doctrine of safe harbour originates from a judicial conundrum over whether online platforms should be treated as a publisher (like a newspaper) or merely a carrier (like a telephone company). Early decisions in the Federal US Supreme Court were contradictory.
In Cubby v. CompuServe (1991), the platform was not held liable because it did not moderate content. Conversely, in Stratton Oakmont v. Prodigy (1995), the platform was held liable precisely because it exercised moderation. The prevailing message became clear: do not moderate content, or else risk liability.
This paradox led to the enactment of Section 230 of the Communications Decency Act, 1996, declaring that platforms shall not be treated as a publisher of third-party content. This near-absolute immunity in the US became the bedrock of Big Tech, enabling rapid innovation and unprecedented scale. Europe responded with conditional immunity under the E-Commerce Directive (2000), later advancing risk-based accountability through the Digital Services Act, 2022.
The United Kingdom, Singapore and Australia have shifted further, embracing duty-of-care frameworks that prioritize user safety over platform neutrality. India adopted a middle path under Section 79 of the Information Technology Act, 2000, where safe harbour is a privilege earned by responsibility, not a blanket right.
Indian Judicial Response
Indian courts have consistently emphasized that platforms cannot be passive spectators to harm, particularly when their architecture perpetuates or amplifies illegality. In the Baazee.com case (2005), an obscene MMS involving a minor was auctioned through an online platform. The Delhi High Court initially fixed vicarious liability on the CEO of the platform. Although the Supreme Court later refined the statutory mechanics of vicarious liability, the case exposed how platform design failures can cause grave social harm.
Subsequently, courts have directed intermediaries to proactively block illegal advertisements, enforce zero tolerance for publishing child sexual abuse material (CSAM), and deploy automated filtering and takedown mechanisms. Indian jurisprudence has thus steadily narrowed the gap between safe harbour and social accountability, distinguishing it from the US model of near-absolute immunity.
Data Protection Legal Framework
Data breaches are the raw material and precursor of cybercrime. Stolen personal data fuels financial fraud, phishing, identity theft, deepfake abuse, extortion, and targeted exploitation. Article 25 of the EU’s General Data Protection Regulation, 2018 mandates privacy-by-design and security-by-design, requiring safeguards at the design stage itself.
Negligence in data protection becomes a gateway to criminal misuse, inviting regulatory penalties, civil liabilities and even criminal consequences. Digital arrest, synthetic identity fraud, online extortion and e-murder are new-age crimes replacing traditional crime typologies. Crime has migrated online, and platforms are now the terrain on which crime unfolds.
Concluding Remarks
Ignorance of the law is no longer bliss. Crime today is technology-driven, and expecting police alone to counter it is unrealistic. The first responder must now be the technocrat, responsible for embedding legality, security, and ethics into digital design. Technological competence must be complemented by constitutional values, legal awareness, and social responsibility. Equally, cybercrime investigation demands legally trained technocrats integrated with policing systems.
The future of cyber safety will not be determined solely in police stations and courtrooms, but in code repositories, server rooms, and platform architectures. When crime becomes a service, prevention must become a design principle. Safe harbour without responsibility amounts to digital impunity, undermining trust, safety, and the rule of law in cyberspace.












