Forced decryption of digital devices and accounts: A glimpse at Indian and American perspectives

A recent Supreme Court direction shows its inclination towards permissibility of forced decryption in line with earlier precedents.
Right to Privacy, forced decryption
Right to Privacy, forced decryption

Recently, the Supreme Court of India in Ajay Bhardawaj v. Union of India (GainBitcoin scam case) asked the accused to provide the username and password of his cryptowallet and make full disclosures to the investigating agency.

A few days back, the High Court of Kerala in P Gopalakrishnan alias Dileep v. State of Kerala (Actress assault case) had directed the accused persons to deposit their mobile phones with the Registry so that the prosecution could conduct a forensic examination.

Indian courts are increasingly coming across cases involving evidence in the shape of content found on digital devices which the accused persons are forced to decrypt/unlock at the behest of investigating agencies or under the directions of the courts.

This article seeks to assess the courts’ views on interaction of forced decryption with the right against self-incrimination and the right to privacy guaranteed by the Indian Constitution. As the issue is relatively nascent, apart from weighing the Indian perspective, I shall also look at the judicial attitude taken by the United States of America.

Almost everyone today uses a cell phone which is encrypted using technologies like passwords, pin codes, fingerprints, facial recognition or iris scans. Forcing an individual to decrypt a device requires forcing him to part with a parameter known only to him. Once decrypted, the device is not only a storehouse of incriminatory evidence, but also serves as an inroad into the most private aspects of an individual’s identity. Article 20(3) of the Constitution of India and the Fifth Amendment to the Constitution of USA, both in almost similar terms, provide constitutional protection against self-incrimination. "No person accused of any offence shall be compelled to be a witness against himself," is the exact phraseology in the Indian Constitution and adequately represents the thrust of its American counterpart.

The right to privacy, which has been read into Article 21 of the Constitution of India (apart from acknowledging its existence across other fundamental rights), has its counterpart in Fourth Amendment to the US Constitution, though with certain differences.

Talking about the right against self-incrimination, in both the jurisdictions, the term ‘witness against himself’ is taken to be a protection only against self-incriminating ‘testimonial evidence’ and not against ‘non-testimonial evidence’. In plain terms, testimonial evidence is one where the witness is made to reveal the contents of her mind in the form of substantial oral or written statements. At the other end of the spectrum, non-testimonial evidence is considered to be one where the witness only lays a foregone conclusion in the sense that there is no statement made but things like blood samples, voice samples, signature specimens, fingerprints, body measurements, etc are obtained. The distinguishing factor is that these non-testimonial pieces of evidence have no independent incriminatory nature, but simply aid the investigating agencies in investigating and connecting the dots.

The central issue therefore is whether forcing an accused to provide a parameter (like password, pin code, fingerprint, facial scan, iris scan, etc.) for decrypting his digital device is hit by the protection against self-incrimination for being testimonial evidence or saved from its fetters for being non-testimonial evidence?

The American perspective

The courts in the US have had many occasions to adjudicate on the testimonial/non-testimonial nature of forced decryption and have rendered confliction decisions. Here are a few notable cases:

1. United States v. Doe (In re Grand Jury Subpoena Duces Tecum)

In a case involving child pornography, the accused was subpoenaed by the Court to appear before a grand jury and produce the unencrypted contents of his electronic devices. The accused invoked his Fifth Amendment privilege against self-incrimination and refused to decrypt the same, and was thus held in civil contempt. The Court of Appeal reversed the finding of contempt and held his refusal to decrypt to be justified on the following reasoning:

“the decryption and production of the hard drives would require the use of the contents of Doe's mind and could not be fairly characterized as a physical act that would be nontestimonial in nature. We conclude that the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.”

2. State v. Diamond

Principally in conflict with the Doe judgment, a district court in a robbery case compelled the accused to provide fingerprints required to access the contents of his Samsung smartphone and ultimately convicted him on ground of the evidence found therein. The Court of Appeal, and ultimately the Supreme Court of Minnesota, affirmed the finding of conviction and held that unlike in case of passwords, the giving of fingerprints did not require the accused to reveal the ‘contents of his mind’ and was thus non-testimonial. The Supreme Court held:

“Because the compelled act merely demonstrated Diamond's physical characteristics and did not communicate assertions of fact from Diamond's mind, we hold that Diamond's act of providing a fingerprint to the police to unlock a cellphone was not a testimonial communication protected by the Fifth Amendment.”

3. Re Search of a Residence in Oakland

Opposing the Diamond judgement, the United States District Court for the Northern District of California in a case concerning extortion by the accused using Facebook messenger, again made a U-turn. The prosecution therein had moved a search warrant application seeking permission to search and seize various items of suspected individuals and the permission to compel any individual at the place of search to provide fingerprints or biometric features for unlocking the digital devices. Disallowing the application, the Court held:

“finger or thumb scan used to unlock a device indicates that the device belongs to a particular individual. In other words, the act concedes that the phone was in the possession and control of the suspect, and authenticates ownership or access to the phone and all of its digital contents…. Thus, the undersigned finds that a biometric feature is analogous to the nonverbal, physiological responses elicited during a polygraph test, which are used to determine guilt or innocence, and are considered testimonial.”

With these conflicting decisions of American courts, the issue of nature and constitutionality of forced decryption remains undecided. It will remain so until the issue reaches the United States Supreme Court and it conclusively lays down the rules for forced decryption.

The Indian perspective

Amongst the Indian courts, the High Courts of Karnataka and Kerala are the only ones to have dealt with the issue of forced decryption at some length. The judicial precedents are as follows:

1. Virendra Khanna v. State of Karnataka & Ors.

The High Court of Karnataka, while dealing with a matter under the Narcotic Drugs and Psychotropic Substances Act, 1985, was required to decide the validity of a trial court order directing the accused to provide the passwords of his smart phone and e-mail account to the investigating agency. The High Court held that compelling an accused to provide his password/fingerprint does not violate the right against self-incrimination or the right to privacy for the following reasons:

a. That a password/fingerprint is a ‘document’ and S. 139 of the Indian Evidence Act, 1872 allows summoning of an accused to produce a ‘document’, be it his password/fingerprint.

b. That a password/fingerprint is nothing but an ‘identification mark’ and S. 54-A, CrPC sanctions disclosure of such identification mark by the accused.

c. That disclosure of password is in the nature of giving specimen signatures or handwriting and therefore such disclosure can be ordered under S. 311-A, CrPC.

d. That mere providing of access to a smartphone/e-mail account would not amount to testimonial compulsion as the information which is accessed therein would still be required to be proved and established in a court of law by following the applicable rules of evidence.

Realising that access to a smartphone/e-mail account implies access to personal content which has no relevance to the investigation and can interfere with the right to privacy, the Court cast a duty upon the investigating officers not disclose to a third party, make public or use in court proceedings the personal details/data found on such a device/e-mail without written permission of the Court.

In dealing with Justice KS Puttaswamy (Retd) and Ors v. UOI & Ors, the Court held that disclosure of password etc in a criminal investigation is covered under the "legitimate interests of the State" exception carved therein as prevention and investigation of crime is a legitimate State interest.

I respectfully disagree with the High Court’s judgment to the extent that it held that mere providing of access to a smartphone/e-mail account would not amount to testimonial compulsion. It has placed reliance on the eleven-judge Bench judgment of the Supreme Court in State of Bombay v. Kathi Kalu Oghad & Ors, which was passed in a totally different context. There, it was held that impressions of thumb, fingers, palm or foot or specimens in writing or exposing a part of the body ‘for the purpose of identification’ would not amount to testimonial compulsion. It is submitted that the Court in Virendra Khanna (supra) lost sight of the fact that disclosure of password here is not merely for the purpose of identification, but a direct gateway to data which may be incriminating.

I also respectfully disagree with the Court’s excessive reliance on the fact that the data accessed after forced decryption would still be required to be proved and established by following the applicable rules of evidence. True, it would still be required to be proved and established. But after the conclusive judgment of the Supreme Court in Arjun Panditrao Khotkar v. Kailash Khushanrao Gorantyal & Ors, the manner of proving electronic evidence has become dangerously easy. A simple certificate under Section 65-B of the Indian Evidence Act, 1872, to the ‘best of the knowledge and belief of the person stating it,’ is not only the proof of the existence of contents, but also proof of the contents themselves. In fact, the judgment says that a certificate under Section 65-B is the only manner in which electronic evidence can be proved.

2. P Gopalakrishnan alias Dileep & Ors v. State of Kerala & Ors

The High Court of Kerala in a sexual assault and criminal conspiracy case directed the accused persons to hand over their mobile phones to the Registry so that the prosecution could get them forensically examined. The High Court relied on Kathi Kalu Oghad (supra) and Virendra Khanna (supra) in the same manner as the former had been relied upon in the latter.

3. Ajay Bhardwaj v. Union of India

The Supreme Court recently in the GainBitcoin scam case directed the accused to share the username and password of his cryptowallet with the Enforcement Directorate for the purpose of carrying out proper investigation. While giving such direction, no talk of the constitutional guarantees in terms of the right against self-incrimination and right of privacy seem to have been made. However, the direction shows the Supreme Court’s inclination towards permissibility of forced decryption in line with the earlier precedents in Virendra Khanna (supra) and P. Gopalakrishnan (supra).

Conclusion

It must be kept in mind that though the law intends to protect an accused person from the hazards of self-incrimination, it cannot put obstacles in the way of efficient and effective investigation into crime and in bringing criminals to justice. It is equally correct that allowing forced decryption by its very nature is an inquisitorial act and as such does not deserve any place in an adversarial justice system like ours. One way to strike a harmonious chord is for the Supreme Court to judicially lay down rules for forced decryption, and that too as a last resort. Keeping a close tab on the developing international jurisprudence will help.

Vasu Bhushan is a New-Delhi based lawyer with penchant for tech and policy.

Bar and Bench - Indian Legal news
www.barandbench.com