Virendra Khanna vs. State of Karnataka: Passwords and Privacy
“If you have got nothing to hide, then you should have nothing to fear”. This is an argument we often get when asked to disclose our mobile password. Our mobile phone password is a key to our treasure of personal information which most of us would not like to reveal. However, what if the police ask for it? Revealing passwords can be extremely problematic (Remember Sushant Singh case?). Soon enough, your WhatsApp chats could be on TV. So, this begs the question- What is the law on the issue? Can the police force an accused person to reveal his password? The Karnataka High court recently answered the question in a Virendra Khanna vs. the State of Karnataka. Further, it issued guidelines for the investigating agency for search and seizure of electronic equipment, and the protection/ safeguards that investigating agency has to adopt in respect of smartphones and the like.
Facts of the Case
The police filed a case against the petitioner under Section 21(c) of Narcotic Drugs and Psychotropic Substances, 1985 and Section 14 of the Foreigners Act, 1946. During the investigation, the police asked the petitioner to furnish the password for unlocking his mobile phone & two e-mail accounts. When he did not accede to this demand, the trial court passed an order directing the petitioner to co-operate with the investigation. Further, the same court passed another order to subject the petitioner to the Polygraph test to disclose such passwords.
The application to permit the polygraph test was neither served on the petitioner nor the petitioner’s counsel. The petitioner was not given an opportunity to defend himself against the application before the Trial court. Therefore, the petitioner’s counsel applied for recall of the order of the Polygraph test. But, the court rejected the recall application and ordered in favor of the respondent. Hence, the petitioner filed the writ petition before the Karnataka High Court to quash these orders.
Arguments Laid Down By The Petitioner’s Counsel
Learned Senior Counsel Shri Hashmat Pasha submitted that the order permitting the police to subject the petitioner to the Polygraph test violates Article 20(3) of the Constitution and the judgment of the Hon’ble Supreme Court in the case of Selvi vs. State of Karnataka. The compulsory administration of the Polygraph test leads to physiological responses involuntarily from the personal knowledge of the test subject. The test subject cannot choose to remain silent and compelled to give answers which may incriminate him against several offences. Therefore, polygraph test leads to testimonial compulsion and violates the right against self-incrimination guaranteed under Article 20(3) of the Constitution. Further, such an order restraining his personal liberty must have a basis in law. There is no specific law that enables subjecting the accused to a Polygraph test for disclosure of passwords thereby violating Article 21 of the Constitution.
He further argued that insisting the petitioner to unlock the mobile phone containing his personal information violates the right to privacy as held under Justice K.S. Puttaswamy (Retd.) vs. Union of India. Article 21 of the Constitution guarantees the right to privacy and there must be a reasonable law enacted by the Parliament to restrict personal liberty. Till today, the Parliament has not enacted any law which empowers the Court to give direction to furnish passwords of mobile phone and e-mail accounts.
Arguments Laid Down By The Respondent’s Counsel
Learned Special Public Prosecutor Shri Veerana Tigadi appeared for the respondents. He submitted that direction to submit password does not violate Article 20(3) of the Constitution. He relied upon State of Bombay vs. Kathi Kalu Oghad to substantiate his claim that “To be a witness” is not equivalent to “furnishing evidence”. Just like fingerprints, signatures, footprints, and handwriting specimens are taken for identification of the accused, similarly, the password is taken to identify the accused. This doesn’t amount to “to be a witness” as the accused does not convey any personal knowledge in the form of oral or written testimony to the court. Therefore, furnishing a password is not violating the right against self-incrimination.
He further submitted that in Justice K.S. Puttaswamy’s case, the Supreme Court held that the right to privacy is not absolute and can be curtailed if 3 requirements are satisfied. These requirements are Legality, Legitimate Interest, and Proportionate action. Simply meaning, there must be a rational nexus between the object and the means to achieve them.”
The order to furnish a password satisfies all three requirements. Several laws empower the trial court to direct the disclosure of passwords: Section 139 of Indian Evidence Act [Cross-examination of person called to produce a document], Section 54A of Cr. P.C [Identification of the person arrested], Section 311A of Cr. P.C [Power of Magistrate to order a person to give specimen signature or handwriting]. As per the Puttaswamy case, “prevention and investigation of crime” are legitimate interests of the State. The action is proportionate because the order is merely seeking disclosure of passwords in aid of investigation.
After hearing the arguments, the court framed the following questions as issues and answered them.
Can the investigating officer issue a direction to an accused to furnish the password/biometrics to pen the smartphone/e-mail account?
Yes. The investigating officer can direct the accused to furnish a password to unlock the smartphone/electronic equipment. However, it is up to the accused to accede to these demands.
In the event of the IO issuing direction but the accused does not furnish password then what is the recourse available to the IO?
The Investigating officer can approach the court for issuance of a search warrant to search a smartphone or any other electronic equipment.
Can a court issue a suo moto order to the accused to furnish password/biometrics?
The court cannot per se issue any directions to the accused to furnish a password. The gathering of information and methodology of investigation is an ex-facie domain of the investigating officer. The Court can only act on the application filed by either of the parties.
What is the consideration for the issuance of a search warrant in order to search a smartphone or computer system?
Chapter VII of Cr. P.C (Processes to compel production of things) is also applicable on search and seizure of mobile phones, laptops, computer equipment, and other electronic devices. Section 100 of Cr. P.C provides that a person in charge of a closed “place” is required to permit and facilitate search. Similarly, the accused/ person in charge of the electronic equipment has to provide password/ biometrics to open the smartphone, email account, and the like.
Further, a search can be conducted without a warrant in emergent circumstances like the danger of equipment/data being destroyed, the possibility of equipment not being available and so on [Section 102, 165 Cr. P.C]. In the ordinary course of circumstances, the Investigating Officer needs a search warrant to search and seize the electronic equipment.
Additionally, Section 69(1) of the IT Act, 2000 also empowers specific officers to pass orders compelling decryption of information.
Would providing password/biometrics and personal data of mobile phone amount to self-incrimination and prove the guilt of the accused?
Disclosure of passwords provides access to the personal information/ data of the accused. It is construed as a document/ an object like a murder weapon. As such, it does not prove the guilt of the accused. The burden remains on the investigating officer to prove the data gathered with cogent material evidence. Merely providing access to a smartphone does not amount to testimonial compulsion and doesn’t violate the right against self-incrimination.
Would providing password/biometrics violate the right to privacy of a person providing such a password?
The court held that the use of data during the investigation would not amount to a violation of the right to privacy- which comes within the exceptions carved out in the Puttaswamy case. The responsibility of safeguarding the data lies on the investigating officer. If he furnishes the data to any third party without the written permission of the court, then the court can prosecute the investigating officer against dereliction of duty.
Also read: Investigation Information Leaks- Is there a remedy?
What if the accused or any other person connected with the matter does not furnish the password/biometrics despite a search warrant or direction to furnish the password?
The investigative agency can serve a notice on the accused stating that the court can draw an adverse inference against the accused if he does not provide the password/biometric [Section 114- Evidence Act]. The accused will have only one chance to provide the password/biometrics. The investigative agency would be at liberty to change the password of the mobile phone & block access to undesignated officers.
Also read: Investigating Agency cannot retain social media login credentials during investigation.
On an application made by the Prosecution, the court can direct the manufacturer/service provider to unlock a smartphone or enable access to e-mail accounts. If the manufacturer does not facilitate unlocking a smartphone/ e-mail accounts, then on an application by the investigating agency, the court can allow the IO to engage specialized persons to hack into the mobile phone or e-mail accounts.
If the investigating agency is unsuccessful in unlocking the phone and the data gets destroyed, the prosecution would be free to draw an adverse inference against the accused.
What are the protection and safeguard that the IO has to take after collecting smartphone/ electronic equipment?
While searching a piece of electronic equipment, a qualified Forensic examiner shall accompany the search team. The team shall take photographs of the place where the computer is placed, including the front & back of the computer.
If the computer is in a power-off state, then the team should not power it on. If the computer is on, the forensic examiner should download data available in RAM, identify and store the MAC address. The team should seize network devices like routers, modems, wireless access points, identify and secure the unsecured network devices.
Further, they must prevent the mobile phone from connecting with a mobile data/wireless connection. They should remove the sim card of the mobile phone keep it in a separate Faraday bag. If the mobile phone is in a power-off state, then the team should remove the battery and keep it in a separate Faraday bag. If the device is powered on then it should be put on airplane mode.
Lastly, the team should document the entire procedure in writing. The documentation should begin from the time of entry of the search team and continue until they exit.
Do subscribe to our Telegram group for more resources and discussions on tech-law. To receive weekly updates, don’t forget to subscribe to our Newsletter.