No Suo Moto Order To Compel Disclosure Of Passwords: Karnataka High Court
A lock screen from a cyber attack warns that data files have been encrypted on a laptop computer in this arranged photo in London, U.K. (Photographer: Simon Dawson/Bloomberg)

No Suo Moto Order To Compel Disclosure Of Passwords: Karnataka High Court

The Karnataka High Court has said a trial court cannot make a suo moto order asking an accused to furnish his password or biometrics. But this can be done if an application to that effect is filed by the police department, the court has observed.

Citing the lack of a comprehensive law, it has also laid down guidelines for search, seizure and handling of private data obtained by the police during investigation. Authorities must obtain a warrant for this purpose unless there are exceptional circumstances, the high court said in its judgment.

While doing so, it set aside the trial court’s suo moto order asking an accused to share his password, biometrics and allowing the police to conduct a polygraph test without consent. The case alleged offenses under the Narcotic Drugs Act.

Ashish K Singh, partner at the law firm Capstone Legal, told BloombergQuint this is the first time when a constitutional court in India has closely analysed the principles of search and seizure of electronic documents on a wider scale. Apart from police authorities, the judgment will also apply to specialised agencies and regulators who have powers to conduct search and seizure, he said.

Archaic Laws - New Age Issues

India’s criminal law spans different enactments, some of which are from the pre-independence era. Important among them are the Indian Evidence Act, 1872, and the Code of Criminal Procedure, 1973.

As the use of smartphones and electronic devices has increased exponentially, the law confers search and seizure powers on authorities to ensure that electronic evidence can be obtained and used during a trial. But the legal framework lacks specific rules dealing with digital/electronic evidence or for safeguarding privacy of such data.

There are some intrinsic safeguards for protecting an accused as well. Most important is Article 20(3) of the Indian Constitution, which protects a person from self incrimination—an act of compelling a person to be a witness against himself.

Self incrimination happens when an accused is forced to give an oral testimony in a court or produce evidence against himself. Courts have struck down request for conducting polygraph or narco-analysis test in many instances on this ground.

The appellant’s counsel, citing Art. 20(3) and the Puttaswamy case challenged the trial court’s order arguing that:

  • The order violates his constitutional rights which provide a safeguard against self incrimination.

  • The criminal procedure code doesn’t confer powers on a magistrate to make an order directing disclosure of biometrics or password for an email ID or smartphone.

  • As privacy is now a fundamental right, the direction to unlock mobile violates it.

  • And lastly, the accused has a right to remain silent.

The government counsel challenged this arguing that disclosure of password is not a personal testimony and hence no self incrimination will take place. Further, the Puttaswamy judgment itself says that right to privacy can be curtailed for legitimate state interest. And lastly, the law of evidence allows an authority to summon a person for production of electronic records.

High Court Paves A Middle Path

Reading into the past judgments of the apex court and the Indian law of crimes, the high court ruled in favour of accused but disagreed on some key points. It said that:

  • An adverse inference may be drawn against a person if he refuses to share his password after a request from police authorities.

  • Data gathered from a mobile device cannot by itself establish the guilt or innocence of a person. It must be proved by the prosecution during trial.

  • An order to provide password or biometrics is only in nature of a direction to provide a document. It is similar to taking a fingerprint or handwriting sample. And so, it’s not self incrimination.

  • Investigating officer may be held responsible if private information is leaked to a third party.

Guidelines Helpful But Gaps Remain, Experts Say

Experts agreed with the finding of the high court but pointed out the missing elements.

Zulfiquar Memon, managing partner at the law firm MZM Legal, agreed with the court’s observation and the problems that an accused faces in absence of a substantive law.

The most fundamental and inalienable right with an accused is his right to demand a trial as per the due process, without which a person cannot be deprived of right to life and personal liberty, Memon said.

While the term due process has extremely wide connotations, its enforceability depends on existence of laws which can ensure due process has been followed while trying an accused, he said.

But substantive law on digital evidence simply do not exist. Hence, no accused can point to any law and stop agencies from either violating due process or invading privacy or any other safeguards. This tremendously prejudices a person’s ability to enforce his rights and present a credible defense.
Zulfiquar Memon, managing partner, MZM Legal

Findings On Self Incrimination

The high court’s findings on self incrimination is in line with international precedents. But procedural safeguards are equally important, experts said.

Courts in the U.S. have held that compelling the disclosure of a password does not amount to a violation of fifth amendment to the Constitution of United States, Memon said. “U.K. courts have also opined that compulsory disclosure of encryption keys doesn’t violate the protection against self incrimination.”

There are laws which compel the surrender of keys to an encrypted material, if and when required. Section 69 of the Information Technology Act is a good example and such laws have been enacted in almost all major eastern and western countries 
Zulfiquar Memon, managing partner, MZM Legal

Guidelines On Search And Seizure

The high court has also laid down technical guidelines to prevent leakage of data to a third party and protect its integrity. But their success will depend on actual implementation.

It is typical for many magistrates to mechanically direct an accused to share details of passwords and ask him to cooperate with the investigation, Vikrant Singh Negi, partner at DSK Legal, said. The judgment has now extended the protective scope provided in Article 20(3) to the investigation stage and has also expressly laid out that decryption of data can be refused under the code of criminal procedure in certain instances, he said.

As storage of electronic data by investigative agencies is far from satisfactory, the framework by the court for collation, storage of electronic data and its use during trial is in the right direction, but will be fraught with administrative challenges, he added.

Impact On Powers Of Investigative Agencies

Does the judgment curtail or substantially affect the power of the investigative agencies? According to Negi, it must be seen as a balancing act.

The court has tried to balance that the right of an agency to conduct a unfettered investigation and the rights of a citizen under Article 21, he said.

Typically the prosecution case weakens during trial for any excesses or oversight which breach constitutional protections. This judgment is in line with the same thought process. While an accused cannot be compelled to provide passwords, the judgment also holds that an officer can even hack a gadget after taking requisite permission in order to gain access and obtain evidence
Vikrant Singh Negi, partner, DSK Legal

Capstone Legal’s Ashish Singh explained that most regulators adopt principles of the Code of Criminal Procedure and Indian Evidence Act for search and seizure powers. The judgment will have a direct or indirect impact on various pending investigations all over the country, he said.

BQ Install

Bloomberg Quint

Add BloombergQuint App to Home screen.