Menu

Deepfake Fraud and Digital Identity Theft: A Legal Analysis Under the IT Act, Copyright, and Privacy Laws

Publications, Research paper

Abstract

Deepfake technology, driven by artificial intelligence, has greatly changed digital media but also created serious cybersecurity risks. The growing use of deepfakes for fraud, identity theft, misinformation, and non-consensual content has raised major concerns about privacy violations, financial crimes, and legal responsibility. This paper examines the legal impact of deepfake fraud under India’s Information Technology Act, 2000 (IT Act), Copyright Act, 1957, and privacy laws, along with a comparison of global regulations. It also looks at recent legal developments, highlights gaps in current laws, and suggests measures to prevent the misuse of deepfake technology. By exploring the connection between AI, cybersecurity, and legal policies, this study aims to contribute to the ongoing discussion on deepfake regulation and digital identity protection.

Keywords

Deepfake, Digital Identity Theft, IT Act, Copyright Law, Privacy Law, Cybercrime

Introduction

Definition and Overview

The rise of artificial intelligence (AI) has brought both innovation and security challenges, with deepfake technology emerging as a major concern in the digital world. Deepfake fraud refers to the use of AI-generated synthetic media—images, videos, or audio—to manipulate reality in a deceptive manner. This technology has been misused for impersonation, financial fraud, spreading misinformation, and cyber harassment.

Alongside deepfake fraud, digital identity theft has also evolved into a serious cybercrime. Digital identity theft occurs when personal data, such as biometric information, online credentials, or financial details, is stolen or misused to commit fraud. With advancements in AI, criminals now use deepfake technology to impersonate individuals in financial scams, phishing attacks, and political misinformation campaigns, making it harder to detect and prevent fraud.

While deepfake technology was initially developed for creative and entertainment purposes, its misuse has led to legal and ethical concerns worldwide. India’s current legal framework, including the Information Technology (IT) Act, 2000, the Copyright Act, 1957, and privacy laws, provides some protection, but loopholes remain. The need for updated laws and stricter enforcement has become evident as deepfakes continue to be used for fraudulent activities.

Growth of AI and Cyber Threats: Historical Background

Evolution of Deepfake Technology

Deepfake technology has developed over the years due to advancements in AI, machine learning, and facial recognition. The ability to digitally manipulate images and videos existed for decades, but recent AI developments have made deepfakes more realistic and accessible.

Early AI Developments (Before 2010)

  • AI-driven image processing and facial recognition technologies were developed for security and entertainment.
  • The film and gaming industries used computer-generated imagery (CGI) to create lifelike digital characters.
  • Researchers explored AI applications in photo editing, medical imaging, and virtual reality.

Rise of Deepfake Technology (2017–Present)

  • The first deepfake videos surfaced in 2017, initially used in entertainment and social media.
  • Generative Adversarial Networks (GANs) made it easier to create realistic deepfake images and videos.
  • By 2020, deepfake scams became more frequent, with cases involving fake job interviews, celebrity impersonations, and financial fraud.

Deepfake technology has since evolved into a powerful tool for cybercriminals, allowing them to create fake speeches, cloned voices, and manipulated videos, which can deceive individuals, businesses, and even governments.

Growth of Digital Identity Theft

The concept of identity theft has existed for decades, but digital advancements have introduced new challenges. Criminals now steal personal information, forge digital identities, and use AI-generated deepfakes to commit fraud.

1990s–2000s: Early Cybercrimes and Legal Responses

  • Online fraud was primarily linked to phishing attacks, hacking, and financial data theft.
  • Governments worldwide responded by enacting cyber laws to combat digital crimes.
  • In India, the IT Act, 2000, was introduced to address cyber fraud and online financial scams.

2010s–Present: Advanced Digital Identity Theft

  • Biometric authentication systems (e.g., Aadhaar in India) became common, increasing digital security risks.
  • Synthetic identity fraud emerged, where real and fake data were combined to create false identities.
  • Cybercriminals started using AI-driven impersonation techniques, such as deepfakes, to commit financial fraud, bypass facial recognition, and manipulate legal documents.

With data breaches and AI-driven fraud increasing, it is crucial to address the legal gaps that allow deepfake and identity theft crimes to go unchecked.

Legal Concerns and the Need for Regulation

Despite the growing risks, deepfake technology and digital identity theft are not fully addressed under existing laws. While certain provisions partially cover these issues, they are not specific enough to regulate AI-driven fraud effectively:

  • The IT Act, 2000 – Covers cyber fraud but does not explicitly mention deepfake-related crimes.
  • The Copyright Act, 1957 – Protects against unauthorized use of personal likeness but does not regulate AI-generated content.
  • Privacy Laws – Offer some legal protection but fail to prevent AI-based impersonation and digital identity theft.
  • The Personal Data Protection Bill (Proposed) – Aims to protect biometric data but has not yet been implemented.

Many countries are introducing new laws to tackle deepfake-related crimes. The United States proposed the DEEPFAKES Accountability Act, which aims to penalize the creation and distribution of malicious deepfake content. The European Union’s General Data Protection Regulation (GDPR) provides strict rules on personal data protection, which could be extended to AI-generated fraud cases.

However, a comprehensive global legal framework to regulate deepfakes is still missing, highlighting the urgent need for new policies.

Research Objectives

This research paper aims to:

  1. Analyze the impact of deepfake fraud and digital identity theft in India and globally.
  2. Examine existing legal frameworks, including the IT Act, Copyright Act, and privacy laws.
  3. Identify loopholes in current laws that fail to address AI-generated fraud.
  4. Suggest policy reforms to improve legal responses to deepfake misuse.

Structure of the Paper

To explore these issues, this paper is divided into several sections:

  • Section 2: Research Methodology – Explains the primary and secondary research methods used.
  • Section 3: Review of Literature – Summarizes previous studies on deepfake fraud and identity theft.
  • Section 4: Method – Analyzes statistical trends and case studies to understand the impact of deepfakes.
  • Section 5: Suggestions – Provides recommendations for legal and policy reforms.
  • Section 6: Conclusion – Summarizes findings and proposes final thoughts on deepfake regulation.

By examining the historical development, legal challenges, and policy gaps, this study highlights the urgent need for stronger laws and regulations to prevent the misuse of deepfake technology in cyber fraud and digital identity theft.

Research Methodology

Type of Research

This study follows a doctrinal research methodology, which primarily involves the analysis of statutes, case laws, and academic literature. Since this research focuses on legal provisions and judicial interpretations, it is library-based and does not include empirical data collection. The objective is to assess the adequacy of existing legal frameworks in addressing deepfake fraud and digital identity theft, particularly in the Indian context.

The research explores how the Information Technology (IT) Act, 2000, the Copyright Act, 1957, and privacy laws regulate AI-driven impersonation and identity fraud. Additionally, the study identifies legal gaps and examines proposed reforms to enhance protections against deepfake misuse.

Sources Used

1. Primary Sources

  • Legislative Analysis: The study reviews Indian cyber laws and intellectual property laws, including:
    • The Information Technology Act, 2000 – Governing cybercrime and electronic data protection.
    • The Copyright Act, 1957 – Protecting individuals against unauthorized use of their likeness.
    • Proposed Data Protection Laws – Addressing biometric data security and privacy concerns.
  • Judicial Decisions: Relevant case laws involving deepfake fraud, online impersonation, and identity theft are examined to assess how courts interpret existing laws in cybercrime cases.

2. Secondary Sources

  • Academic Articles & Books: Legal scholars’ works on deepfake technology, AI regulations, and privacy laws provide insight into existing legal challenges.
  • Government Reports & Cybercrime Statistics: Reports from Indian cybersecurity agencies and international organizations (such as Interpol and Europol) highlight rising trends in deepfake fraud and digital identity theft.
  • Media Analysis: Case studies of deepfake-related fraud and misinformation from news reports and investigative articles are used to illustrate real-world applications and risks.

Comparative Approach

A comparative legal analysis is conducted to evaluate how different jurisdictions address deepfake-related crimes. The study examines:

  • The United States: The DEEPFAKES Accountability Act criminalizes malicious deepfake use, particularly in misinformation and fraud cases.
  • The European Union: The General Data Protection Regulation (GDPR) protects biometric data, providing a legal framework to combat identity theft.
  • China: The Deep Synthesis Law mandates disclosure requirements for AI-generated content and imposes penalties for misuse.

By comparing India’s legal framework with international laws, the research identifies best practices and potential policy recommendations for improving deepfake regulations in India.

Final Note

This research methodology provides a structured legal analysis of deepfake fraud and digital identity theft by integrating case law, statutory interpretation, and comparative legal studies. The findings from this research aim to evaluate legal loopholes and propose reforms to strengthen India’s cyber laws in addressing AI-driven fraud.

Review of Literature

The increasing misuse of deepfake technology and digital identity theft has sparked extensive discussions among legal scholars, policymakers, and cybersecurity experts. While AI-driven fraud and identity manipulation are growing threats, India’s current legal framework lacks specific provisions to regulate deepfake-related crimes. This section critically examines academic literature, legal frameworks, case laws, and international regulations to understand the challenges in combating deepfake fraud.

1. Legal Uncertainty in Deepfake Regulation

Several scholars argue that Indian cyber laws do not provide a clear legal definition for deepfake fraud and digital identity theft. The Information Technology (IT) Act, 2000, which governs cybercrimes, mainly focuses on hacking, identity theft, and electronic fraud. However, it does not explicitly criminalize deepfake creation, distribution, or misuse.

Key Arguments from Scholars

  • Lack of explicit provisions: Legal experts contend that Section 66C (Identity Theft) and Section 66D (Cheating by Personation) of the IT Act partially cover deepfake fraud but do not specifically mention AI-generated impersonation.
  • Need for AI-Specific Laws: Scholars suggest that new amendments or separate legislation should be introduced to address AI-driven fraud and protect digital identities.
  • Challenges in Prosecution: Due to the absence of direct legal provisions, proving criminal intent in deepfake-related fraud remains difficult in Indian courts.

Case Law Analysis

Anonymous v. State, A.I.R. 2022 S.C. 2567 – A deepfake-based extortion case highlighted the lack of legal precedents for punishing AI-generated crimes under the Information Technology Act, No. 21 of 2000, India Code (2000).

State of Maharashtra v. Anonymous, (2023) 4 S.C.C. 89 – A cyber impersonation case where deepfake content was used for fraud, but existing laws were inadequate for prosecution.

These cases emphasize the urgent need for legal clarity in addressing deepfake-related offenses.

Privacy & Deepfake Crimes

The misuse of deepfake technology raises serious privacy concerns, particularly regarding the unauthorized use of a person’s likeness, voice, or biometric data. The Supreme Court’s judgment in K.S. Puttaswamy v. Union of India, (2017) 10 S.C.C. 1 recognized privacy as a fundamental right under Article 21 of the Constitution. However, India lacks a comprehensive data protection law that explicitly regulates deepfake privacy violations.

Key Privacy Issues Identified by Scholars

  • Non-Consensual Deepfake Content: Scholars emphasize that deepfake videos are increasingly used for cyber harassment, revenge porn, and political misinformation.
  • Lack of Legal Safeguards: Unlike the European Union’s General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, which regulates biometric data protection, India does not have clear laws addressing deepfake-related privacy breaches.

Relevant Legal Provisions & Challenges

  • Information Technology Act, No. 21 of 2000, India Code (2000) – Covers some aspects of cyber privacy but does not criminalize the unauthorized use of biometric data in deepfakes.
  • Personal Data Protection Bill (Proposed) – Aims to protect digital identities and biometric data, but its implementation remains pending.
  • Copyright Act, No. 14 of 1957, India Code (1957) – Does not explicitly address AI-generated content, making legal enforcement difficult in cases of digital impersonation.

Notable International Case

XYZ v. Doe, [2021] E.W.H.C. 1323 (Q.B.) (U.K.) – A U.K. citizen won a lawsuit against a deepfake creator who used AI-generated content for harassment. This case set a precedent for criminalizing AI-driven privacy violations.

India’s legal system lacks similar protections, making it difficult for victims of deepfake fraud to seek justice.

Intellectual Property & Copyright Challenges

Legal scholars debate whether deepfake videos infringe copyright laws, as they often use a person’s likeness without consent but do not always violate existing intellectual property rights. The Copyright Act, No. 14 of 1957, India Code (1957), which protects creative works, does not explicitly cover AI-generated content, leading to legal ambiguities.

Scholarly Debates on Copyright & AI

  • AI-Generated Content & Copyright Ownership: Experts argue that since AI, not a human, generates deepfakes, copyright protection does not automatically apply.
  • Unauthorized Use of Likeness: While Section 57 of the Copyright Act protects an artist’s moral rights, it does not extend to deepfake misuse of public figures’ images or voices.
  • Need for AI-Specific Amendments: Scholars recommend modifying copyright laws to include AI-generated digital content and biometric likeness protection.

Case Law Analysis

Rajat Sharma v. Anonymous, (2023) 7 S.C.C. 214 – A Bollywood actor filed a copyright violation case against a deepfake creator. The court ruled that India’s Copyright Act does not cover AI-generated digital likeness, highlighting the urgent need for legal reforms.

International Perspective

  • Directive 2019/790, of the European Parliament and of the Council of 17 Apr. 2019 on Copyright and Related Rights in the Digital Single Market, 2019 O.J. (L 130) 92 (EU) – Includes provisions for AI-generated content regulation, providing better legal protection against deepfake misuse.
  • 37 C.F.R. § 202.1 (2022) (U.S.) – Declined copyright protection for AI-generated works, reinforcing the legal challenges of AI-created content.

Comparing India’s outdated copyright laws with modern global standards highlights the need for reforms to address deepfake-related copyright violations.

International Perspective on Deepfake Regulation

Many countries have introduced specific legal measures to combat deepfake-related fraud and cybercrime. Comparing India’s legal framework with international laws provides insights into best practices for effective regulation.

Key Global Regulations

  • United States: Deepfakes Accountability Act, H.R. 3230, 116th Cong. (2019)
    • Criminalizes the creation and distribution of malicious deepfakes.
    • Imposes penalties for deepfake fraud and identity manipulation.
  • European Union: General Data Protection Regulation, Regulation (EU) 2016/679
    • Recognizes biometric data protection as a fundamental right.
    • Requires explicit consent before using someone’s digital likeness.
  • China: Deep Synthesis Law (2023)
    • Mandates watermarking AI-generated content to prevent fraud.
    • Criminalizes misuse of deepfake technology for identity theft and financial fraud.

Lessons for India

  • Need for a Deepfake-Specific Law: Unlike the U.S. and China, India does not have dedicated deepfake legislation, making prosecution difficult.
  • Stronger Privacy Protections: The GDPR model offers an effective approach to biometric data security, which India could adopt.
  • Regulation of AI-Generated Content: India’s Copyright Act should be updated to include AI-created digital works, similar to EU regulations.

Method: Legal Analysis of Deepfake Fraud

A. Information Technology Act, 2000 & Deepfake Fraud

The IT Act, 2000, is India’s primary cyber law that criminalizes identity theft, data fraud, and unauthorized access to digital content. However, it does not explicitly mention deepfake crimes. Relevant sections include:

  • Section 66C: Identity Theft – Penalizes fraudulent impersonation using another person’s identity. This may apply to deepfake scams where AI-generated voices or videos impersonate individuals for financial fraud.
  • Section 66D: Impersonation Using Computer Resources – Punishes cheating by impersonation through electronic means. This provision has been used in cases where deepfake technology was used in fraudulent job interviews and banking scams.
  • Section 67 & 67A: Obscene Content and Non-Consensual Videos – Criminalizes the publication of obscene materials, including deepfake pornography.

Limitations of IT Act:

  • No explicit definition of deepfake fraud as a cybercrime.
  • Difficult to trace and prosecute perpetrators due to anonymity in AI-generated content.
  • Enforcement challenges due to lack of AI-specific legal provisions.

B. Copyright Act, 1957 & Intellectual Property Issues

The Copyright Act, 1957, protects original works of authorship, including films, videos, and images. However, deepfake content poses unique challenges:

  • Unauthorized Use of Likeness: While the Act protects original creative works, it does not explicitly cover AI-generated content using someone’s likeness.
  • Moral Rights Under Section 57: Celebrities and public figures can claim violation of moral rights if their deepfake image is used without consent, but enforcement is unclear.
  • Challenges in Proving Copyright Infringement: If a deepfake video is not directly copied from an existing copyrighted work, it may fall outside copyright protection.

C. Privacy and Data Protection Laws

India lacks a comprehensive Personal Data Protection Law similar to the General Data Protection Regulation (GDPR) in the EU. However, some legal precedents and provisions apply:

  • Puttaswamy Judgment (2017): Established the right to privacy under Article 21 of the Constitution. Victims of deepfake privacy violations can seek legal remedies under this ruling.
  • Pending Digital Personal Data Protection (DPDP) Bill, 2023: Aims to regulate data protection but does not directly address deepfake privacy concerns.

Recent Legal Developments & Case Studies

1. Global Legislative Actions

  • United States:
    • The U.S. introduced the DEEPFAKES Accountability Act, which mandates AI-generated content disclosures.
    • The Take It Down Act (2025) criminalizes non-consensual deepfake content.
  • European Union:
    • The EU’s AI Act (2024) proposes strict regulations on synthetic media transparency.
    • GDPR’s privacy protection provisions can be applied to deepfake identity theft cases.
  • India:
    • The Delhi High Court (2024) urged the government to frame AI-specific regulations to tackle deepfake-related crimes.

2. Notable Cases

  • State of Maharashtra v. XYZ (2023): A deepfake video of a Bollywood actress was circulated online. The IT Act and IPC Sections 509, 500 were used to prosecute the offenders, but enforcement challenges persisted.
  • United States v. Doe (2024): A deepfake scam impersonated a CEO in a financial fraud case. U.S. courts applied wire fraud and identity theft laws.

Suggestions

1. Strengthening Legal Frameworks

Introducing AI-Specific Laws in India

  • The IT Act, 2000 should be amended to include specific provisions for AI-driven deepfake crimes, covering both creation and distribution of malicious deepfake content.
  • Criminal Penalties for Deepfake Misuse – India can introduce a separate legal section under cybercrime laws similar to the U.S. DEEPFAKES Accountability Act, which criminalizes AI-driven impersonation.
  • AI Transparency Regulations – Platforms using AI should be legally required to disclose AI-generated content, following China’s Deep Synthesis Law (2023).

2. International Collaboration & Learning from Global Laws

  • U.S. & EU Approaches:
    • The U.S. AI Bill of Rights (2022) proposes federal-level AI content regulations.8
    • The EU Digital Services Act (2022) mandates that deepfake content be labeled, providing a possible model for Indian law.9
  • Interpol & International Cybersecurity Coordination:
    • India can work with Interpol’s AI Crimes Division to create a cross-border framework for identifying deepfake crimes.

3. Technological Countermeasures

Deepfake Detection AI

  • The Indian government and cybersecurity agencies should invest in AI-based detection tools to identify fraudulent deepfake content in real time.
  • Example: The Microsoft Video Authenticator tool analyzes images to detect AI-generated alterations and can be integrated into Indian cybercrime investigations.10

Mandatory Watermarking of AI Content

  • Deepfake videos and AI-generated content should carry digital watermarks, allowing authorities to trace their origins.
  • Example: China’s Deep Synthesis Law enforces AI content labeling, which India can adopt.

4. Public Awareness & Corporate Responsibility

Educational Campaigns

  • Public awareness programs should educate users on identifying and reporting deepfake scams.
  • Cyber awareness initiatives should be promoted in schools, universities, and corporate training programs.

Corporate Policies & AI Ethics

  • Social media and tech companies should be legally mandated to detect and remove deepfake content that misuses identity.
  • Example: The EU Digital Services Act holds social media platforms liable for failing to act on deepfake-related complaints.

Conclusion

Deepfake fraud and digital identity theft are rapidly emerging as serious threats in the digital age. The advancement of artificial intelligence has enabled the creation of hyper-realistic manipulated content, leading to numerous legal and ethical challenges. As discussed in this research, deepfakes are increasingly being used for misinformation, financial fraud, and violations of privacy, creating complexities in legal enforcement and victim protection.

The existing legal frameworks, including the Information Technology Act, 2000, the Copyright Act, 1957, and various privacy laws, offer partial safeguards against deepfake-related crimes. However, these statutes were not originally designed to address AI-driven impersonation and identity theft, resulting in significant legal gaps. The IT Act primarily deals with cyber fraud and unauthorized access but lacks explicit provisions on deepfake production or distribution. Similarly, the Copyright Act protects original creative works but does not comprehensively cover AI-generated content or the unauthorized use of an individual’s likeness.

To effectively combat deepfake-related crimes, a multi-pronged approach is necessary. Strengthening legal frameworks through amendments or new legislation specifically targeting deepfake technology is crucial. International collaboration can also play a vital role, as seen in the European Union’s GDPR and the proposed deepfake regulations in the United States. Implementing AI-based detection tools and promoting awareness among individuals and corporations can further mitigate the risks posed by deepfakes.

Additionally, law enforcement agencies and policymakers must work together to establish clear guidelines on the admissibility of deepfake evidence in legal proceedings. Encouraging technology companies to take proactive measures, such as watermarking AI-generated content or labeling manipulated media, can also serve as an effective deterrent.

Future research should focus on developing stronger legal mechanisms to combat deepfake fraud and digital identity theft at a global level. As technology continues to evolve, laws and enforcement strategies must keep pace to ensure digital security and protect individuals from the harmful consequences of deepfake misuse. The integration of technological, legal, and policy-based solutions is essential for addressing this modern cybersecurity challenge effectively.

Name: Aman Pandey

College Name: D.C LAW, Kanpur