Your Photos in Fake Ads or Profiles: Image Misuse Guide India

Found your selfie on a weight-loss ad you never endorsed, or your wedding portrait on a stranger's matrimonial profile? This is image misuse, and Indian law treats it as a stack of cyber offences. You can demand a 24-hour takedown under IT Rules 2021 Rule 3(2)(b), file a free complaint at cybercrime.gov.in, and recover your reputation without hiring a lawyer in most cases.

Image misuse is the unauthorised use of your photograph or face on a profile, advertisement, product label, dating app, or social post that you did not consent to. It covers fake testimonial ads, stolen wedding portraits on matrimonial sites, recycled selfies on fake Instagram profiles, doctored deepfakes, and recycled photos on Telegram groups. The Information Technology Act 2000, the Bharatiya Nyaya Sanhita 2023, the Copyright Act 1957, and the Digital Personal Data Protection Act 2023 each grant a separate remedy.

Several overlapping statutes apply, and your complaint should cite the strongest combination.

• Information Technology Act 2000, §66C - identity theft using your photograph or unique identifier; up to three years and ₹1 lakh fine.
• Information Technology Act 2000, §66D - cheating by personation through a computer resource, which covers fake testimonial ads and fake dating profiles.
• Information Technology Act 2000, §66E - capture, transmission, or publication of a private image without consent; covers screenshots of intimate photos.
• Information Technology Act 2000, §67 and §67A - publishing or transmitting obscene or sexually explicit content; deepfake porn falls here.
• Bharatiya Nyaya Sanhita 2023, §318 - cheating; covers fake-testimonial ad income loss to the misled buyer and to you.
• Bharatiya Nyaya Sanhita 2023, §336 - forgery; doctoring a photo to look like an endorsement is electronic forgery.
• Bharatiya Nyaya Sanhita 2023, §351 - criminal intimidation, applicable when the misuser threatens to keep posting unless you pay.
• Bharatiya Nyaya Sanhita 2023, §79 - uttering words or publishing material that insults the modesty of a woman, used in matrimonial and dating misuse cases.
• Information Technology Rules 2021, Rule 3(2)(b) - every social media intermediary must remove flagged content within 24 hours where it depicts an individual in a sexual act, full or partial nudity, or any morphed image.
• Information Technology Rules 2021, Rule 3(1)(b)(ii) and (vii) - covers impersonation and content that violates privacy.
• Copyright Act 1957, §17 - if you took the selfie, you are the author and first owner of the copyright; commissioned wedding photos are owned by the photographer unless you have a written assignment, so check the contract.
• Copyright Act 1957, §51 - unauthorised reproduction or communication to the public is infringement.
• Digital Personal Data Protection Act 2023, §12 - right to erasure of personal data, including your photograph held by a data fiduciary.
• Right to publicity - recognised as an aspect of the right to privacy in Justice K S Puttaswamy v Union of India (2017) 10 SCC 1; commercial use of your image without consent is actionable.
• Consumer Protection Act 2019 §21 - the Central Consumer Protection Authority can act on a misleading advertisement that falsely shows you endorsing a product; CCPA Guidelines on Endorsements (2022) make the advertiser, the endorser, and the platform jointly liable.
• Advertising Standards Council of India Code - clauses on truthfulness and honest representation; ASCI accepts complaints on falsely-attributed endorsements.

The Ministry of Electronics and Information Technology Grievance Appellate Committee (GAC) at gac.gov.in is the appeal route if a platform refuses or ignores your takedown notice.

Follow this order; jumping steps weakens the chain of evidence.

1. Minute 0 to 5 - Do not deactivate your own social profile yet; the misuser may delete the proof if they spot defensive moves. Open the offending post or ad in a logged-out browser tab.
2. Minute 5 to 10 - Capture the full URL, the misusing account handle, the upload timestamp, and the post text. Screenshot in landscape with the system clock visible.
3. Minute 10 to 15 - Use a screen-recorder to scroll the profile from top to bottom for 30 seconds; this captures the comments, follower count, and bio in motion. Save the MP4.
4. Minute 15 to 20 - Open archive.org Wayback Machine and click “Save Page Now” on the offending URL. This creates a tamper-proof timestamped copy.
5. Minute 20 to 25 - File the in-app report on the platform (Instagram, Facebook, X, Telegram, dating app, matrimonial site). Pick the strongest reason: impersonation, intellectual property, non-consensual intimate image, or scam.
6. Minute 25 to 30 - Send the Rule 3(2)(b) takedown email to the platform's Grievance Officer with the screenshots attached. The 24-hour clock starts from your email timestamp.

If money has changed hands (a fake-testimonial ad sold a fraud product to a relative, for example), dial 1930 immediately; the golden hour rule lets the bank reverse credits before they exit.

Without evidence your complaint dies at the first hearing. Build the file before you confront anyone.

• Full URL of the offending post, ad, or profile (one URL per piece).
• Misuser's account handle, display name, profile photo, and bio text.
• Upload date and time, exactly as the platform shows it.
• Screenshots in landscape with the system clock visible in the corner.
• 30-second screen recording scrolling the profile or ad.
• Wayback Machine archive URL.
• Your original photograph file with EXIF metadata intact; right-click and view properties to confirm the camera, date, and GPS coordinates.
• If a commissioned photographer took the original, get a one-line email from them confirming they shot it and assigning the rights to you for this complaint.
• Bank statement, UPI screenshot, or invoice if money was lost to the misuse.
• Two-witness affidavit on ₹100 stamp paper if the post is anonymous and likely to be deleted.
• A self-attested PDF index numbering each annexure A1, A2, A3.

You have five parallel doors. File on all five for serious misuse; the platform route is fastest, the cybercrime route carries criminal weight.

Every major platform has a built-in report flow. Pick the most specific reason - “Pretending to be me”, “Intellectual property violation”, “Non-consensual intimate imagery”, or “Scam or fraud” - not the generic “I don't like this”. Specific reasons hit the Trust and Safety queue, not the bulk-moderation queue. Save the report reference number; you will need it for the email follow-up.

Every significant social media intermediary publishes a Grievance Officer name, email, and Indian postal address on its website. Email the takedown notice (template below) to that address with the screenshots attached. Mark a copy to the platform's Resident Grievance Officer if it qualifies as a Significant Social Media Intermediary. The 24-hour clock for intimate or morphed content and the 72-hour clock for other content starts at your timestamp.

Open cybercrime.gov.in, choose “Report Other Cybercrime” (or “Report Women and Child Related Crime” if the image is sexualised or you are female). Fill the form, upload the evidence ZIP, and note the acknowledgement number. The portal forwards the complaint to your jurisdiction's cyber cell, which is bound to respond. Track the status using the same number.

If the platform refuses or ignores your takedown after 24 to 72 hours, file an appeal at gac.gov.in within 30 days. The GAC is a statutory body under IT Rules 2021 Rule 3A and can order removal. Upload the takedown email, the platform's reply (or proof of silence), and the evidence.

If your face is on a product ad you never endorsed, file at the Central Consumer Protection Authority via the e-Daakhil portal or send the complaint to the ASCI Consumer Complaints Council at ascionline.in. The CCPA Guidelines on Endorsements (2022), under the “Know Your Endorser” duty, hold the advertiser and the platform jointly liable for a falsely-attributed endorsement.

Some misuse demands an FIR, not just a portal complaint.

• The image is sexualised, morphed into nudity, or used in a deepfake video.
• The misuser is threatening to keep posting unless you pay (BNS §351 extortion).
• The misuse is on a fake job ad or fake matrimonial profile that has already defrauded a third party (BNS §318 cheating).
• The fake ad is causing measurable financial loss, brand damage, or medical impact.
• The platform has refused the takedown and the content remains live after 72 hours.
• The misuser is a known person and you want a restraining order to prevent reposts.

Walk into the nearest cyber police station with a printed copy of the NCRP acknowledgement, the evidence pen drive, and a one-page complaint letter. Ask for a Zero FIR if the misuser's location is unknown; any station must accept it under the Bharatiya Nagarik Suraksha Sanhita 2023 §173. If the station officer refuses, escalate the same day to the Deputy Commissioner of Police (Cyber) via email; quote BNSS §173(4) which permits a written complaint to the Magistrate.

Send this to the platform's Grievance Officer. Replace bracketed fields. Keep it under one A4 page. Attach the evidence ZIP under 10 MB.

Subject: Takedown notice under IT Rules 2021 Rule 3(2)(b) - unauthorised use of my photograph at [URL]

To,
The Grievance Officer,
[Platform Name],
[Registered Indian address]

Sir or Madam,

1. I am [Full name], an Indian citizen residing at [city, state], holder of Aadhaar masked as XXXX-XXXX-1234 (or any government ID).

2. On [date], I discovered that my photograph has been used without my consent at the following location on your platform:
   URL: [full URL]
   Handle: [username]
   Upload timestamp: [as shown on platform]

3. The photograph in question was taken by me (or commissioned by me) on [date] and is my personal data and copyrighted work. I have never granted permission, license, or assignment to the account holder above, to your platform, or to any third party for this use.

4. The above use violates:
   a. Information Technology Act 2000, §66C (identity theft) and §66D (cheating by personation);
   b. Information Technology Rules 2021, Rule 3(1)(b)(ii) and Rule 3(2)(b);
   c. Copyright Act 1957, §51;
   d. Digital Personal Data Protection Act 2023, §12 (right to erasure);
   e. My right to publicity, recognised as an aspect of privacy in K S Puttaswamy v Union of India (2017) 10 SCC 1.

5. I hereby formally request your good office to:
   a. Remove the above content within 24 hours under Rule 3(2)(b);
   b. Suspend the offending account pending investigation;
   c. Preserve all server logs, IP addresses, and account metadata of the misuser for 180 days under IT Rules 2021 Rule 3(1)(j) for production to law enforcement;
   d. Send a written confirmation of action to this email.

6. Annexures:
   A1. Screenshots of the offending post (4 pages).
   A2. Screen recording (MP4, 32 seconds).
   A3. Wayback Machine archive URL.
   A4. Original photograph file with EXIF metadata.
   A5. Government ID for identity verification (masked).

7. In default, I shall escalate to the MeitY Grievance Appellate Committee under Rule 3A and to the National Cyber Crime Reporting Portal, and reserve the right to pursue criminal and civil remedies under the laws cited above.

Signed,
[Full name]
[Email]
[Mobile]
[Date]

A takedown is only half the job. The cached copies, screenshots saved by strangers, and search-engine snippets keep circulating for weeks.

1. Submit a Google removal request at google.com/webmasters/tools/removals for the offending URLs; Google honours requests for “explicit personal images” and “doxxing” within 7 to 14 days.
2. File a Bing content removal at bing.com/webmaster/tools/content-removal for the same URLs.
3. Email the cache at the Internet Archive helpdesk to remove the Wayback copy once your takedown is final; they comply if you provide the DMCA-equivalent paperwork.
4. Post a single explainer on your own verified social channel - one paragraph, no screenshots of the fake - so anyone searching your name lands on your version first.
5. Watch for resurfacing. Set a Google Alert for your full name plus “review” or “ad” or “testimonial” and check weekly for the first three months.
6. Track financial harm. If a brand or job opportunity was lost, file a civil suit for damages within three years under the Limitation Act 1963 Article 75 (suits for defamation).

• Cropping the URL out of the screenshot so the platform cannot verify the post.
• Deleting the offending account from your own followers list before capturing the comment trail.
• Filing the in-app report under “I just don't like it” instead of impersonation or IP.
• Using a generic “please remove this” email instead of citing Rule 3(2)(b) and the 24-hour clock.
• Forgetting to ask the platform to preserve logs; without that line the IP trail disappears in 90 days.
• Letting a third party (a friend or PR agency) sign the takedown - only you or your authorised lawyer should sign it.
• Mixing copyright claims and impersonation in one notice; file two separate notices so neither gets bounced for the other's defect.
• Walking into a non-cyber police station and accepting their refusal; insist on a Zero FIR or escalate to the DCP.

A 28-year-old graphic designer in Pune discovered her engagement photo on a stranger's matrimonial profile in Hyderabad. She filed the in-app report on the matrimonial site at 10 a.m., sent the Rule 3(2)(b) email at 10:30 a.m., filed the NCRP complaint at 11 a.m., and called 1930. The site removed the profile at 4 p.m. the same day. The cyber cell traced the IP to a Hyderabad cyber cafe and registered an FIR under IT Act §66C and BNS §336. Total spend: zero. Total time: 18 days from discovery to FIR.

A 41-year-old yoga teacher in Bengaluru found his face on a Telegram channel selling a weight-loss powder, with a fake testimonial in Hindi he had never given. He filed the Telegram in-app report, sent the takedown email, and filed an ASCI complaint plus an e-Daakhil case naming the brand under the Consumer Protection Act 2019 §21 and the CCPA Endorsement Guidelines. The Telegram channel went down in five days, ASCI upheld the complaint in 21 days, and e-Daakhil awarded ₹75,000 compensation in eight months.

Yes, but be careful. Under the Copyright Act 1957 §17, the photographer is the first owner of a commissioned photograph unless your contract assigns the copyright to you. For the takedown, you can sue on your right to publicity and right to privacy (Puttaswamy 2017), and you can also ask the photographer to sign a one-line co-complainant letter so the copyright limb is locked. If the photographer is unresponsive, file on the privacy and IT Act grounds alone; that is enough for a Rule 3(2)(b) takedown.

Yes. Information Technology Act 2000 §66C and §66D do not require the misuser to use your legal name; misusing your “unique identification feature” (which includes your face) is enough. The platform reporting flow lists this exact scenario under “Pretending to be someone else” on Instagram and “Impersonation” on Facebook and X. Cite the section number in the email for a faster queue.

Information Technology Rules 2021 Rule 3(2)(b) gives 24 hours for content depicting an individual in a sexual act, in nudity (full or partial), or in any morphed image. Other categories (impersonation, copyright, scam) fall under Rule 3(1)(d) with a 36-hour acknowledgement and 72-hour action window. If the platform misses the clock, escalate to the MeitY Grievance Appellate Committee.

Yes. You have three routes. (i) File a civil suit for damages under tort for breach of privacy and right to publicity, citing Puttaswamy 2017; (ii) file at the District Consumer Commission via e-Daakhil if a brand profited from the false endorsement, citing Consumer Protection Act 2019 §21 and the CCPA Endorsement Guidelines; (iii) ask the Magistrate to compound the offence on the criminal side with a compensation order under the Bharatiya Nagarik Suraksha Sanhita 2023 §395. The civil route is slowest but pays the most; the consumer route is fastest.

The platform will only share the IP and account metadata in response to a court order or a Section 91 BNSS notice from the investigating officer. File the NCRP complaint first; once the cyber cell registers the case, the officer can serve the notice. Until then, your job is to keep the evidence preserved and the platform's logs alive. The Rule 3(1)(j) preservation request in your takedown email gives the platform 180 days to keep the logs.

Use the National Cyber Crime Reporting Portal “Report Women and Child Related Crime” category, which routes to a fast-track cyber cell. Cite IT Act §66E, §67, and §67A; Bharatiya Nyaya Sanhita 2023 §79 and §336; and IT Rules 2021 Rule 3(2)(b). The 24-hour clock is mandatory. Also use the StopNCII.org hash-matching tool which prevents re-upload of the same file across Meta, TikTok, Bumble, and OnlyFans. Read the sibling guide on deepfake blackmail recovery for the medical and counselling layer.

Three parties are jointly liable. (i) The advertiser, under Consumer Protection Act 2019 §21 and the CCPA Endorsement Guidelines, for a misleading advertisement; (ii) the endorser - but here the misuser pretended to be the endorser, so the misuser is criminally liable under IT Act §66D; (iii) the platform, under IT Rules 2021 Rule 3(1)(b)(ii), if it does not remove the ad on notice. File one CCPA complaint naming all three.

Yes, and many lawyers recommend it. A legal notice via registered post or email under the Indian Contract Act 1872 §63 and the Code of Civil Procedure 1908 §80 (if a government body is involved) gives the misuser 15 days to remove and apologise. If they comply, you save the litigation cost. If they ignore, the notice becomes Annexure A in your suit and helps prove malice for higher damages. The notice does not stop you from filing the parallel NCRP and platform routes.

Cite Digital Personal Data Protection Act 2023 §12 (right to erasure) and IT Rules 2021 Rule 3(1)(b)(ii). The DPDP Act applies to any data fiduciary processing your personal data, regardless of whether you are their user. Send the takedown to the app's Data Protection Officer (mandatory contact under DPDP §10 for significant fiduciaries) and copy the Data Protection Board of India. If the app still refuses, file at gac.gov.in and at the Data Protection Board once it becomes operational.

Yes. It is copyright infringement under Copyright Act 1957 §51 (if you or your photographer hold the rights), passing-off under common law, and unfair trade practice under Consumer Protection Act 2019 §2(47). Send a cease-and-desist legal notice citing all three, file a police complaint for forgery under Bharatiya Nyaya Sanhita 2023 §336, and write to the municipal commissioner to remove the hoarding under the local advertising bylaw. Carry photos of the hoarding and a copy of your own original.

Six habits cut the risk by 80 per cent. (i) Keep your Instagram, Facebook, and matrimonial profiles set to followers-only or private. (ii) Watermark public photos with a low-opacity name in the corner. (iii) Add a “Do not use without permission” line to your bio. (iv) Use reverse-image search (Google Images, TinEye, Yandex) on your own face once a month. (v) Do not give the full-resolution photo to a photographer without a written assignment of rights. (vi) Sign up at StopNCII.org if you have ever shared intimate images with a partner; the hash database blocks re-upload.

The 10 question blocks above use `==== Q? ====` H3 syntax which the sitewide schema-auto.js script parses into a FAQPage JSON-LD block at render time. Do not add an inline `<script type=“application/ld+json”>` block; it renders as visible code.

• How to report fake social media profiles in India
• Deepfake blackmail recovery guide
• 1930 cyber-fraud helpline script
• Social media account hacked or hijacked recovery
• Dark patterns and CCPA endorsement rules
• Instagram disabled creator and business recovery
• Citizen RTI playbook
• Middle-class money traps directory

• Information Technology Act 2000 §66C, §66D, §66E, §67, §67A - https://www.indiacode.nic.in/handle/123456789/1999
• Information Technology Rules 2021 Rule 3(2)(b), 3(1)(b), 3(1)(j), Rule 3A - https://www.meity.gov.in/content/notification-dated-25th-february-2021-gsr-139e
• Bharatiya Nyaya Sanhita 2023 §318, §336, §351, §79 - https://www.indiacode.nic.in/handle/123456789/20062
• Copyright Act 1957 §17, §51 - https://copyright.gov.in/documents/copyrightrules1957.pdf
• Digital Personal Data Protection Act 2023 - https://www.meity.gov.in/data-protection-framework
• MeitY Grievance Appellate Committee - https://gac.gov.in
• National Cyber Crime Reporting Portal - https://cybercrime.gov.in
• 1930 Cyber Helpline - https://www.mha.gov.in/en/divisionofmha/cyber-and-information-security-division
• CCPA Guidelines for Prevention of Misleading Advertisements and Endorsements 2022 - https://consumeraffairs.nic.in
• Advertising Standards Council of India Code - https://www.ascionline.in
• Justice K S Puttaswamy v Union of India (2017) 10 SCC 1 - https://main.sci.gov.in/judgments
• StopNCII.org hash-matching service - https://stopncii.org

Editorial illustration, 1200 by 630, soft glassmorphic style. A young Indian woman in a teal kurta sits at a marble table holding a phone that shows a billboard-style fake advertisement of her own face captioned “Miracle Cure”. On the table, a printed checklist titled “Takedown in 30 minutes” with boxes for “Screenshot”, “Wayback”, “Rule 3(2)(b) email”, “cybercrime.gov.in”, “1930”. Background shows a pastel city skyline with a faint sketch of the Indian flag and a small icon of a Supreme Court pillar. Mood: calm, determined, citizen-empowerment. No real human faces, no logos, no text errors. Aspect 1.91:1.