Site icon CJP

Does revealing your device password to the police amount to self-incrimination?

On October 29, a Delhi CBI Court held that the CBI cannot force the accused to reveal the password of his computer as it would amount to self-incrimination. Since there is always an apprehension that the data accessed could be evidence that could eventually be used to prove the accused guilty in court. The court also considered a 2021 Karnataka High Court’s judgement which had held to the contrary, allowing the investigating agency to seek the password from the accused while stating that the High Court had not considered an important Supreme Court precedent.

Background

In this case, the CBI sought the password of the computer as well as some software used by the accused, which he opposed. Hence the CBI filed an application before the District Court. The investigating agency relied upon Karnataka High Court judgment in Virendra Khanna vs. State of Karnataka, (decided on 12.03.2021 in W.P. No. 11759 of 2020) where the court had held that investigating agency has a right to seek password and biometrics from an accused for accessing/opening his computer system and mobile phone which was/were seized during investigation and no constitutional right of the accused is violated.

The accused opposed the CBI’s application stating that he has the right to remain silent under Article 20(3) [No person accused of any offence shall be compelled to be a witness against himself] of the Constitution of India as well as Section 161 (2) Cr.P.C [Such person shall be bound to answer truly all questions, other than questions the answers to which would have a tendency to expose him to a criminal charge or to a penalty or forfeiture], also adding that the CBI demand interferes with his right to privacy. He also refuted the application of the Virendra Khanna judgement due to territorial limitation and also on grounds that it was a judgment per incuriam i.e. a judgement applied without due application; wherein a judgement of a court has been decided without reference to a statutory provision or an earlier judgement which may or would have been relevant.

Right against self-incrimination

The right against self-incrimination finds its origins in Latin maxim nemo tenetur seipsum prodere (i.e. no one is bound to accuse himself) and the evolution of the concept of “due process of law” enumerated in the Magna Carta.

In Selvi v. State of Karnataka, (2010) 7 SCC 263, the Supreme Court held thus, “the right against self-incrimination” is a vital safeguard against torture and other “third-degree methods” that could be used to elicit information. It serves as a check on police behaviour during the course of investigation. The exclusion of compelled testimony is important otherwise the investigators will be more inclined to extract information through such compulsion as a matter of course.

The major crux of this right lies in the principle that during the trial stage, the onus is on the prosecution to prove the charges levelled against the defendant and hence, this right is a vital protection to ensure that the prosecution discharges the said onus.

The US Constitution incorporates the “privilege against self-incrimination” in the text of its Fifth Amendment.

Article 14(3) (g) of the International Covenant on Civil and Political Rights (ICCPR) enumerates the minimum guarantees that are to be accorded during a trial and states that everyone has a right not to be compelled to testify against himself or to confess guilt.

The European Convention for the Protection of Human Rights and Fundamental Freedoms, 1950, Article 6(1) states that every person charged with an offence has a right to a fair trial and Article 6(2) provides that “everybody charged with a criminal offence shall be presumed innocent until proved guilty according to law”.

With the right against self-incrimination also comes the provision that a person’s right to remain silent cannot be adversely used against him to prove his guilt. Section 161(2) CrPC enables a person to choose silence in response to questioning by a police officer during the stage of investigation, and as per the scheme of Section 313(3) and proviso (b) to Section 315(1) of the Code, adverse inferences cannot be drawn on account of the accused person’s silence during the trial stage.

Jurisprudence

In Selvi, the Supreme Court held that although certain provisions of CrPC such as section 39 (places a duty on citizens to inform the nearest Magistrate or police officer if they are aware of the commission of, or of the intention of any other person to commit the crimes) are intended to ensure the citizens’ cooperation during the course of investigation, they cannot override the constitutional protections given to the accused persons.

The person being interrogated can resort to Section 161(2) CrPC which prescribes that when a person is being examined by a police officer, he is not bound to answer such questions, the answers of which would have a tendency to expose him to a criminal charge or a penalty or forfeiture.

In Nandini Satpathy case [(1978) 2 SCC 424 : 1978 SCC (Cri) 236], Justice VR Krishna Iyer held, “Article 20(3) is a human article, a guarantee of dignity and integrity and of inviolability of the person and refusal to convert an adversary system into an inquisitorial scheme in the antagonistic ante-chamber of a police station.”

 What does not count as self-incrimination?

There are other instances where issue of self-incrimination has been argued before courts and the courts have liberally allowed investigations holding certain investigations to be compatible with Article 20(3) which means that not all investigations or seeking of evidence from an accused can amount to self-incrimination. While interpreting Article 20(3), the Supreme Court in Selvi held that Constitution-makers could not have intended to put obstacles in the way of efficient and effective investigation into crime and of bringing criminals to justice.  The giving of finger impression or of specimen signature or of handwriting, does not amount to self-incriminating evidence.

“Self-incrimination must mean conveying information based upon the personal knowledge of the person giving the information and cannot include merely the mechanical process of producing documents in court which may throw a light on any of the points in controversy, but which do not contain any statement of the accused based on his personal knowledge,” the court held.

in Jamshed v. State of U.P. [1976 Cri LJ 1680 (All)], the Allahabad High Court held that the phrase “examination of a person” under Section 53 CrPC should be read liberally so as to include an examination of what is externally visible on a body as well as the examination of an organ inside the body and thus held that a blood sample can be compulsorily extracted during a “medical examination”.

In Mahipal Maderna v. State of Rajasthan [1971 Cri LJ 1405 (Raj)], the Rajasthan High Court held that an order requiring the production of a hair sample comes within the ordinary understanding of “investigation”

Revealing password is self-incriminating?

The court, relied upon the Selvi judgment where the apex court laid out a test to identify whether a particular fact/information/testimony/evidence comes within the category of “testimonial fact” as protected by Article 20(3) of the Constitution of India which an accused is not bound to give. The oral or written statement which convey the personal knowledge of a person in respect of relevant facts amount to “personal testimony” and may be based on oral or written statement of an accused but they can still be compelled for the purpose of identification or comparison with facts and materials which are already in the possession of the investigating agency.

The court held that Article 20(3) can be invoked when the statements are likely to lead to incrimination by themselves or “furnish a link in the chain of evidence” needed to do so but not for comparison/identification with other evidence.

“…a testimony in oral (like voice sample) or written form (like specimen hand writing or signature) though may be personal yet they can be taken under compulsion from an accused if it is to be used for the purpose of identification or comparison with already available voice recording or signature/handwriting which is/are obtained from other sources like seizure of document or chance print, finger prints of the scene of crime, etc,” the court said.

Since the CBI was seeking password of the computer from the accused for accessing his data and not for comparison or identification, the court held that narco-analysis of an accused cannot be done without his consent since such procedure involves personal knowledge of the accused. On the same principle, the court held that similar logic applies to a password as it involves the import of personal knowledge.

When statements are likely to lead to incrimination by themselves or “furnish a link in the chain of evidence”, then bar of Article 20(3) of the Constitution would apply.

Password vs Biometrics

Computer sources or mobile phones these days can also be unlocked by use of biometrics such as thumb print or face scan. In the Virender Khanna judgment, password and biometrics have been treated as one and the same thing. However, the district court in this order observed that as per the Criminal Procedure (Identification) Act, 2022 (w.e.f. 18.04.2022) a different approach is required to be taken.

The court observed that biometrics such as finger-impressions, palm-print impressions, foot-print impressions, photographs, iris and retina scan are included in the definition of “measurements” as are physical, biological samples and their analysis, behavioural attributes including signatures, handwriting. Thus, during investigation such “measurements” can be taken by the police and the Magistrate can also given directions to the accused to provide such measurements. However, the Act does not mention words like password or user id in the definition of “measurements”. “Therefore, it is clear that the aforesaid Act does not apply to the password/User ID of an electronic record (which may be contained in a computer system, mobile phone, hard-disk, memory card, email etc.) or any other documentary evidence (like a suit-case locked with some number code),” the court held.

The court has thus inferred that an accused can be asked or directed to give his biometrics (in the form of his finger impressions, face or iris recognition) for the purpose of opening of his electronic device.

At the same time, the Criminal Procedure (Identification) Act, 2022 under section 3 has an exception that “any person arrested for an offence committed under any law for the time being in force may not be obliged to allow taking of his biological samples under the provisions of this Section” unless the offence is against a woman or a child or when the offence is punishable for more than 7 years. Which means if a person is charged with minor offences he/she can refuse to provide such “measurements”.

“…said biometrics can be taken from an accused and used for opening of mobile phone/computer system/email/software applications, etc. by the police agency, wherever such need arises for a fair investigation,” the court opined.

Further, if password is required by police not for accessing data but for comparison of the said password (as a physical evidence) with the other available evidence, then the same is permissible.

Password is a testimonial fact

The court was of the opinion that when an accused is asked to disclose his password to the investigating agency, he is required to apply his mental faculty and/or memory to recall said password and it is purely based on his personal mental effort or knowledge, therefore, said information comes within the category of “testimonial fact” which the accused cannot be forced to give.

“…a password does not itself constitute a ‘self-incriminating testimony’ against an accused who gives such password, but from practical point of view, the said password alone is not the sole objective of the IO and in fact he wants to use it for the purpose of accessing the data which is contained in a computer system or a mobile phone which is/are seized from the accused and, therefore, the said password is to be taken as integral part of the said computer system/mobile phone which is/are not severable from it. While considering the status of such information being incriminating or not, this Court cannot consider password alone in isolation.”

Even if there is apprehension that the data revealed after entering the password may be incriminating, the accused has the right to not give such password to the investigating agency as per section 161(2) of CrPC which uses the words “tendency to expose him to a criminal charge or to a penalty or forfeiture.”

Evidence obtained by illegal means can still be used in the court in certain circumstances, hence if after being forced to reveal password, incriminating data is revealed, it will amount to self-incrimination by the accused.

Conclusion

The court thus held that the accused cannot be compelled to provide any password to his computer as he is protected by Article 20(3) of the Constitution of India as well as Section 161(2) of Cr.P.C. However, at the same time the Investigating agency is at liberty to access the data in the computer with the help of specialised agency or person at the risk of accused for loss of data, if any.

This being an order of a district court, it will not have an impact on jurisprudence, unless affirmed or upheld by at least, a High Court. However, the order has decided upon an important aspect of investigation since electronic devices are often seized by investigating agencies in the course of investigation when those accused are not aware of their right against self-incrimination. Even if this order cannot have the force of law to be applicable in all cases, it can become matter of contention to be decided by higher courts eventually to protect an accused person’s right against self-incrimination.

Relevance to The Wire raids

This order also came at a time when multi-city raids were conducted by Delhi Police at the homes of editors of The Wire, an independent online news portal based on a criminal defamation complaint filed by BJP’s IT cell chief, Amit  Malviya. The FIR was lodged on charges of cheating, forgery defamation and criminal conspiracy; none of which are serious offences where the accused can be forced to give any biometric information. Now as per the CBI court’s order, none cannot be forced to even reveal passwords to their devices.

The Delhi  Police Crime Branch, however, arbitrarily conducted search and seizure operations at the homes of The Wire’s founding editors, Siddharth Varadarajan, M K Venu and Sidharth Bhatia as well as the deputy editor, Jahnavi Sen and product-cum-business head, Mithun Kidambi, relying on notice under Section 91 of the Criminal Procedure Code, 1973.

According to media reports, a total of 16 devices were seized from the office of The Wire. Two phones, a tablet and a laptop from Varadarajan, a phone and a laptop each from Venu, Bhatia, Sen and Kidambi, and two hard disks from the accounts department’s computers were among the devices seized. A reporter’s phone and the computer he worked on at the Wire’s office were also taken away in Delhi. In addition to these devices, the Delhi police also asked the four editors and Kidambi to remove passcodes from their phones and laptops, and to provide passwords to their official and personal email accounts. Three staffers were asked for passwords to their official email accounts while another staff member was told to give passwords to both official and personal email accounts.

Siddharth Vardarajan told Sabrangindia that they had opposed the seizure of these devices without providing (the safeguard of) any hash value (ie numeric value that uniquely identifies data lodged in any device at a particular point of time. The Wire has given objections of this violation of procedure in writing to the Delhi Police contingent and Investigating Officer (IO). They were all however compelled to surrender all devices and divulge the passwords without the requisite safeguards of protecting the integrity of the data seized.

Independent analysis and investigation of a cloned hard disc of one of the accused in the famed Bhima Koregaon case has revealed how data implants on computers are indeed a possibility. Arsenal Consulting, a Massachusetts-based digital forensics firm has analysed an electronic copy of activist Rona Wilson’s laptop and arrived at the conclusion that an attacker used malware to infiltrate the laptop and place incriminating evidence on it, reported The Washington Post. To date this has not been examined by the courts in this case.

Meanwhile the PUCL statement condemning the raids in The Wire noted that the Crime Branch did not follow the requisite procedure as it took away devices from the news portal’s New Delhi office and from the homes of those raided without providing any hash value, i.e., the numeric value that uniquely identifies data lodged in an electronic device at any given point in time.  There are legitimate concerns that absence of a hash value leaves the door open to planting material on the digital devices.

The order may be read here.

 

 

 

Image courtesy: Zac Freeland/Vox

Related:

Raids on Wire editors & seizure of electronic devices did not follow law & procedure: PUCL

Raids on The Wire criminalising journalism: DIGIPUB India condemns Delhi police action