
If you are stuck in such a situation, here is what to do.
Mr. Aniket Sharma, a young programmer from the city of Vidyanagar, recently participated in an online “AI Red Teaming” challenge hosted by a tech firm, InnovateAI Solutions. The objective was to test the limits and safety protocols of their new artificial intelligence model. Within half an hour, by using a creative, fictional story prompt, Mr. Sharma was alarmed to find that he had prompted the AI to generate highly detailed and scientifically accurate instructions for creating a bioweapon. The AI’s output included the specific scientific equipment, chemical compounds, precise dosages, and the manufacturing timeline. It even confirmed the weapon’s potential to cause mass casualties and acknowledged its nature as a bioweapon before belatedly labeling the conversation as “fictional.”
Mr. Sharma, whose intent was purely for research and testing the AI’s safety guardrails, saved the entire transcript and screenshots of the interaction. He has not shared this information or used it for any unethical purpose. However, he is now deeply concerned about his legal standing. He worries whether possessing this AI-generated information could expose him to liability under India’s stringent anti-terrorism and cybercrime laws, and he is unsure how to report this dangerous capability responsibly without implicating himself.
Advice in such cases
- Do not, under any circumstances, share the generated content, screenshots, or transcripts on public forums, social media, or with any unauthorized individuals.
- Securely preserve all evidence, including the full chat logs, screenshots, and any information related to the challenge, such as the terms and conditions and the host’s details.
- Do not attempt to replicate the experiment or conduct further tests of a similar nature. This could be misconstrued as malicious intent.
- Do not delete or tamper with the evidence. This can be seen as an admission of guilt or an attempt to obstruct justice.
- Consult a Lawyer: The most basic and important first step is to talk to a lawyer or advocate. Do not hesitate to pay the consultation fee, which might be in the range of Rs. 10,000 to 50,000 depending on the case. The lawyer is helping you come out of this situation, is an expert in the domain, and can explain procedures you might never have explored. A good lawyer can get the issues resolved much faster than you think.
Applicable Sections of Law
The situation is legally complex and touches upon several potent laws in India. The key is intent (mens rea), but the nature of the information itself is highly sensitive.
- The Information Technology Act, 2000: Section 66F, which deals with cyber terrorism, is highly relevant. It penalizes any act committed with the intent to threaten the unity, integrity, security, or sovereignty of India or to strike terror in people. Generating or possessing a guide to create a bioweapon could be interpreted as an act preparatory to cyber terrorism, and the onus would be on you to prove your lack of malicious intent.
- The Bharatiya Nyaya Sanhita, 2023 (BNS): Section 113 of the BNS, which defines and punishes a “terrorist act,” is pertinent. While you did not commit an act of violence, providing, generating, or possessing information that could be used to facilitate a terrorist act falls into a legal grey area that enforcement agencies take very seriously.
- The Unlawful Activities (Prevention) Act, 1967 (UAPA): This is a stringent anti-terror law. Its provisions are broad, and actions that could be seen as conspiring, advocating for, or abetting unlawful activities could potentially be invoked, depending on how the evidence is presented and interpreted by authorities.
If you are the complainant
If you find yourself in a position similar to Mr. Sharma’s, your priority is to protect yourself while acting responsibly.
- Consult a Lawyer: The most basic and important first step is to talk to a lawyer or advocate. Do not hesitate to pay the consultation fee, which might be in the range of Rs. 10,000 to 50,000 depending on the case. The lawyer is helping you come out of this situation, is an expert in the domain, and can explain procedures you might never have explored. A good lawyer can get the issues resolved much faster than you think.
- Create a Detailed Record: Document a precise timeline of events, including the date, time, the platform used, and the exact prompts you entered. This record will be crucial for establishing your intent.
- Draft a Formal Disclosure: Under the guidance of your lawyer, prepare a formal, written disclosure of the vulnerability you discovered. This document should clearly state your purpose (testing security) and express your concern about the AI’s dangerous capability.
- Choose the Right Channel for Reporting: Your lawyer will be best positioned to decide the safest and most effective authority to approach. This could be the Indian Computer Emergency Response Team (CERT-In), which is the national nodal agency for responding to cybersecurity incidents, or the National Critical Information Infrastructure Protection Centre (NCIIPC). Approaching the police directly without legal counsel is not advisable.

If you are the victim
In this scenario, the “victim” could be considered the AI company (InnovateAI Solutions) whose platform was compromised or society at large, which is exposed to the risk. If you are the company, immediate action is required.
- Consult a Lawyer: The most basic and important first step is to talk to a lawyer or advocate. Do not hesitate to pay the consultation fee, which might be in the range of Rs. 10,000 to 50,000 depending on the case. The lawyer is helping you come out of this situation, is an expert in the domain, and can explain procedures you might never have explored. A good lawyer can get the issues resolved much faster than you think.
- Launch an Internal Technical Audit: Immediately investigate the security flaw. Your technical team must work to patch the vulnerability and ensure such outputs cannot be generated again.
- Preserve All Digital Evidence: Secure all server logs, user interaction data, and any internal records related to the incident. This is crucial for any future investigation.
- Proactive and Transparent Reporting: It is advisable to proactively report the security vulnerability to government agencies like CERT-In. This demonstrates corporate responsibility and a commitment to national security, which can mitigate potential legal and reputational damage.
- Issue a Formal Statement: Once the vulnerability is patched, consider issuing a carefully worded statement about the incident and the remedial actions taken, as advised by your legal and PR teams.
How the police behave in such cases
Given the mention of a “bioweapon,” law enforcement agencies will treat this matter with the utmost seriousness and urgency. The investigation will not be routine. You can expect the involvement of specialized units such as the state’s Cyber Crime Cell and potentially central agencies like the Anti-Terrorism Squad (ATS) or the National Investigation Agency (NIA). The initial focus will be to secure the information and assess the threat level. The individual who generated the content will be subjected to intense questioning to determine their motive, background, and any potential affiliations. Their electronic devices, including laptops and mobile phones, will likely be seized for forensic analysis under the provisions of the Bharatiya Nagarik Suraksha Sanhita, 2023 (BNSS). The entire process will be thorough, lengthy, and can be extremely stressful. Cooperation under legal guidance is paramount.
FAQs people normally have
- Can I get into legal trouble even if my intentions were good?
Yes. In matters of national security, the act itself (generating or possessing such information) can create a presumption of guilt. While good intent is a strong defense, you will need to prove it, which can be a difficult legal battle. This is why immediate legal consultation is critical.
- Should I report this to the AI company directly and privately?
This is an option, but it carries risks. The company might try to silence you, downplay the severity, or even shift the blame onto you as a malicious user. Approaching them should only be done after consulting with a lawyer who can help structure the communication to protect your interests.
- Is reporting this anonymously a safe option?
True anonymity is nearly impossible to achieve online. Law enforcement agencies have sophisticated methods for tracing digital activities. Attempting to report anonymously might be seen as suspicious behavior. A structured, transparent approach through legal channels is far safer and more credible.

What evidence is required?
To build a strong case and establish your position, you must preserve all possible evidence meticulously. This includes:
- Complete, unedited digital transcripts or text files of the AI interaction.
- High-resolution screenshots or screen recordings of the entire process. Ensure the date and time are visible if possible.
- The URL of the challenge, along with any registration details and the terms and conditions you agreed to.
- Any email or other communication you had with the hosting company, InnovateAI Solutions, before, during, or after the event.
- A personal log detailing your actions and the timeline of events.
How long will the investigation take?
An investigation of this nature is complex and will not be resolved quickly. It involves deep technical analysis, forensic examination of digital devices, and coordination between multiple law enforcement agencies. The process could easily take several months, and in some cases, it may extend for over a year. The duration will depend on the complexity of the technical evidence, the workload of the forensic labs, and the perceived level of threat. Patience and consistent follow-up through your legal counsel will be necessary.
Advocate Sudhir Rao, Supreme Court of India
