The Passcode on your phone, the right to privacy and protection against self incrimination

An interesting guest post by the very talented Shreyash Sharma (4th Year, National Law University Odisha) & Gultash Guron (Final Year, Campus Law Centre Delhi) where they examine a rather vexed question relating to the scope of the protection against self incrimination in the context of phone passcodes (face scans, finger prints) and the fundamental right to privacy.

Mobile phones, these days, have become an extension of the human mind. They are privy to our darkest secrets and our deepest desires. Our phones possibly know us better than our families and friends, and arguably, better than we know ourselves. With everything that we do on our cell phones, from liking cute cat videos and navigating to a location on GPS to shopping online, we leave digital footprints everywhere. Investigators love all of this. This means contemporaneous cogent forensic/objective evidence of what the accused does. Now in this context, picture this: a suspect in a criminal case is compelled to provide his fingerprint or a face scan or his password[1] to unlock his phone. Can he be so compelled? What about the constitutional protection of not being compelled to be a witness against herself? Or the fundamental right to privacy?

Article 20(3) of the Constitution of India[2] provides that “No person accused of an offence shall be compelled to be a witness against himself.”

Data encryption and decrypting digital/electronic content are some of the difficulties faced by the prosecution and investigating agencies and the fastest way around this hurdle is to unlock the encrypted devices. 

Broadly, evidence is classified into three categories, namely, oral, documentary and physical evidence. Article 20(3) read with Section 161(2) of Cr.P.C.[3] protects an accused against any oral testimony which has a tendency to expose her to a criminal charge. However, compulsory extraction of physical evidence lies outside the guarantee of Article 20(3) of the Constitution.

In M.P Sharma v. Satish Chandra,[4] the court noted that compelled production of incriminating documents by a person against whom an FIR has been made is testimonial compulsion within Art 20(3) of the Constitution. The court gave a wide import to Article 20(3) so as to cover not only oral testimony or statements in writing by an accused but also furnishing of evidence by production of a thing or of a document or in other modes.  

This interpretation was curtailed in State of Bombay vs Kathi Kalu Oghad,[5] where the court considered whether directing an accused to provide his handwriting specimen, signatures or thumb or finger impression violated Article 20(3) – the court answered in the negative.

The Court held that testimonial evidence means “to be a witness” and being a witness “may be equivalent to furnishing evidence in the sense of making oral or written statements, but not in the larger sense so as to include giving of thumb impressions or impression of palm or foot or fingers or specimen writing or exposing a part of the body by an accused person for the purpose of identification.” Thus, physical characteristics such as hair sample, blood sample, saliva and fingerprints are not testimonial in nature.

The reasoning applied in Kathi Kalu was also used in a recent case by the Apex Court to hold that compulsory production of voice samples was not in violation of Article 20(3).[6]

Suffice to say that the accused cannot refuse to unlock a phone protected only by a fingerprint or face or iris scan as neither of them are testimonial. Fingerprints and passwords by themselves do not have any evidentiary value and would not be protected under Article 20(3) of the Constitution. The Supreme Court clearly noted in Kathi Kalu that for a testimony to be self-incriminatory it must be of such a character that by itself it should have the tendency of incriminating the accused.

In fact, it cannot be denied that fingerprints and other physical characteristics such as hair and voice samples are the most powerful tools of personal identification which are available to the police and the courts. The biometric technologies have dramatically increased the successful identification of suspects and are indispensable parts of the police investigation today, facilitating more efficient investigation. 

However, there is no denying the fact that using a fingerprint, or a password for that matter, to access a smart phone can reveal or lead to possibly incriminating information.

In Selvi v. State of Karnataka,[7] while considering the question of what constitutes “incrimination” for the purpose of Article 20(3), the court reflected on derivative use, i.e. when information revealed during questioning led to the discovery of independent materials, thereby furnishing a link in the chain of evidence gathered by the investigators.

The court noted that, “The relevant consideration for extending the protection of Article 20(3) is whether the materials are likely to lead to incrimination by themselves or ‘furnish a link in the chain of evidence’ which could lead to the same result. Hence, reliance on the contents of compelled testimony comes within the prohibition of Article 20(3) but its use for the purpose of identification or corroboration with facts already known to the investigators is not barred.”

Can the argument that disclosing a password involves the use of mental faculties hold when the phone is being unlocked for the purpose of corroboration or identification of already available evidence? Can it then be considered to not be ‘testimonial’ and thus not be protected under Article 20(3)? Perhaps, the same possibilities were present in the mind of the judges in Selvi, when they observed that, “We must emphasize that a situation where a testimonial response is used for comparison with facts already known to investigators is inherently different from a situation where a testimonial response helps the investigators to subsequently discover fresh facts or materials that could be relevant to the ongoing investigation.”

Privacy and Smart Phones

In a post-Puttaswamy[8] world, privacy must always be put on the highest of pedestals. The draft Personal Data Protection Bill provides various safeguards for protection of privacy of individuals and, per Section 43 of the Data Protection Bill, 2018,[9] these safeguards can only be waived if so authorised by a law made by the Parliament and the State legislature. However, as has been recently held by the Hon’ble Supreme Court, the right to privacy must “bow down to compelling public interest”.[10] A harmonious construction of these two positions of law (supposing that the Bill is passed by the legislature and Section 43 remains unaltered) would entail that the right to protection of privacy, and by extension personal data, must not be interfered with or unduly taken advantage of unless so authorised by law, while at the same time being subject to reasonable restrictions.

This discourse surrounding privacy and smart phones poses an interesting question: Since no law requiring the accused to unlock their phones (either by production of fingerprints, face scans or passwords) exists at present, and keeping in mind that the right to privacy is subject to reasonable restrictions, can unlocking a phone be successfully argued before a court of law on the grounds of privacy alone? Considering how a phone is a treasure trove of personal information, will a court of law hold the private nature of smartphones above the duty of the investigating authorities?

At this stage, it is pertinent to understand how other jurisdictions have dealt with passwords and compelled testimony.

Comparison drawn with the US & UK position

An English court in R v S & Another[11] held that a password is similar to a locked drawer and has an independent existence to that of the will of the accused. Thus, as one can be compelled to produce a key to open a drawer, the court can also compel the accused to provide these passwords.

Per contra, the American approach can be understood from In Re Boucher.[12] The court considered passwords to be analogous to the combination of a safe, the revealing of which would invariably reveal personal knowledge of the accused. The case also relied on the “doctrine of foregone conclusion” which is used to determine if the Fifth Amendment rights will come into the picture or not.

In general, the American courts have held that refusing to disclose passwords is within the ambit of the Fifth Amendment, as an oral testimony and being the contents of the mind. In In re Grand Jury Subpoena Duces Tecum, for instance, the court held passwords to be testimonial in nature and thus covered by the Fifth Amendment and also rejected the doctrine of foregone conclusion as the State could not satisfactorily prove the existence of incriminating material on the encrypted hard disk drive.[13]

A contrary view appeared nearly three years ago in State of Florida v. Stahl where it was held that the password itself is the ‘foregone conclusion’ and not the material sought to be obtained by unlocking the device. This approach has subsequently been criticised in both Katelin Eunjoo Seo v. State of Indiana[14] and G.A.Q.L v. State of Florida[15] where the material sought was held to be the foregone conclusion and not the password to the electronic device as the principal objective of the investigating authority is to obtain access to the evidentiary material stored on the device and not simply unlocking it. 

The issue of privacy has been considered in In the Matter of the Search of a Residence in Oakland[16] where the court relied on the landmark judgment of Riley v California[17] to highlight the importance of mobile phones in this day and age and opined, “mobile phones are subject to different treatment than more traditional storage devices, such as safes, and should be afforded more protection”. The court herein pointed out that, where the fingerprint itself IS the password, the Fifth Amendment is implicated, despite these features otherwise being non-testimonial.

The judge put it succinctly, “utilizing a biometric feature to unlock an electronic device is not akin to submitting to fingerprinting or a DNA swab” as “in this context, biometric features serve the same purpose of a passcode.” “If a person cannot be compelled to provide a passcode … a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.” Thus, the act of unlocking a phone with a finger or thumb scan far exceeds the “physical evidence” created when a suspect submits to fingerprinting to merely compare his fingerprints to existing physical evidence (another fingerprint) found at a crime scene, because there is no comparison or witness corroboration required to confirm a positive match.

Way forward for India 

There are two important points which the Indian courts must consider. First, whether passwords are by themselves testimonial in nature and second, will unlocking a phone be subject to the accused’s right to privacy?

For the first question, the courts must either consider passwords to be similar to a physical key or akin to a combination of a safe. Referring to the pith and marrow of Kathi Kalu, a testimonial act was equated with providing ‘personal knowledge’ about relevant facts. Therefore, a password will be protected by Article 20(3) only if the courts hold it to be within the realms of ‘personal knowledge’ and not if it is equated to production of a physical key having an independent existence outside the mind of the accused.

For the second question, it is essential to keep in mind that the law continues to evolve as we reach finer levels of understanding. Once, men could refuse even lawful search of their houses as they were considered in control of their domicile and every man’s house was his castle. Clearly, this defence failed to stand the test of time. Yet, the underlying framework of a private sanctum sanctorum is still applicable to this day. Further, as smartphones more often than not contain intimate information and almost always embarrassing details about a person, does providing an unrestricted access to the device in order to safeguard the ideals of justice trump the accused’s right to privacy? Thus, the courts must consider whether or not privacy can be infringed in order to protect the interest of the public.

It will be interesting to see how the courts tackle all these issues when they arise, which they surely will. 

Today mobile phones can be considered to be an extension of our minds. The mind of any person is undeniably a protected space, and in light of the advancements in technology, the following observations by Justice L’Heureux-Dube of the Canadian Supreme Court need to be mentioned:

Although the search of an individual’s home is an invasion of privacy, and although the taking of fingerprints, breath samples or bodily fluids are even more private, there is no doubt that the mind is the individual’s most private sanctum. Although the state may legitimately invade many of these spheres for valid and justifiable investigatory purposes vis-a-vis the accused, it is fundamental to justice that the state not be able to invade the sanctum of the mind for the purpose of incriminating that individual. This fundamental tenet is preserved, in its entirety, by the principle against self-incrimination.[18]


[1] Throughout this article, the term ‘password’ is used as a catch-all phrase for various kinds of unlocking mechanisms which require the use of mental faculties such as a numeric pin, pattern based unlocking options, alphanumeric passphrases, encrypted data keys etc.

[2] Article 20(3), Constitution of India

[3] Section 161(2), Code of Criminal Procedure, 1973

[4] M. P. Sharma And Others vs Satish Chandra 1954 AIR 300

[5] State of Bombay vs Kathi Kalu Oghad AIR 1961 SC 1808

[6] Ritesh Sinha vs State Of U.P.& Anr 2019 SCC OnLine SC 956

[7] Selvi v. State of Karnataka AIR 2010 SC 1974

[8] Justice K.S.Puttaswamy(Retd) vs Union Of India (2018) 1 SCC 809

[9] Section 43, The Data Protection Bill, 2018

[10] Ritesh Sinha vs State Of Uttar Pradesh 2019 SCC OnLine SC 956

[11] R vs S & Anr. [2008] EWCA Crim 2177

[12] In Re Boucher 2007 WL 4246473

[13] In re Grand Jury Subpoena Duces Tecum 670 F.3d 1335; see also United States v. Kirschner, 823 F. Supp. 2d 669 and Commonwealth v. Baust, 89 Va. Cir. 267 (Va. Cir. Ct. 2014)

[14] Katelin Eunjoo Seo v. State of Indiana 29A05-1710-CR-2466

[15] G.A.Q.L v. State of Florida So. 3d at 1066 (Fla. 4th DCA 2018)

[16] In the Matter of the Search of a Residence in Oakland, 354 F. Supp. 3d 1010 (N.D. Cal. 2019)

[17] Riley v California, 189 L. Ed. 2d 430

[18] R.J.S. v. Her Majesty The Queen, [1995] 1 S.C.R. 451, 605

3 thoughts on “The Passcode on your phone, the right to privacy and protection against self incrimination”

  1. The argument under Article 20(3) is a strong one in favor of the accused. The relevant portions highlighted and analogy drawn from the Selvi Judgment is also very interesting and makes out a strong case on behalf of the accused.

    However, the entire argument about “Right to Privacy” and its application in the realm of a Criminal Investigation, in my opinion, is misplaced. The police officers will obviously have the right to investigate to reach the ends of justice provided they do not transgress Article 20(3). For instance, examining the computer database and “cookies” is commonly done by Cyber Cell officers in cyber crimes like hacking/pornography etc. All these acts will also violate the Privacy Law (if and when it comes). Similarly, many acts conducted by the IO during investigation will be violative of Privacy Law, but I believe after the lodging of the FIR, the privacy law shall either not apply (through a possible court verdict which may come in future) or apply in a diluted sense.


    1. Thank you for your views!

      As mentioned above, Section 43 of the Personal Data Protection Bill provides: “Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law shall not be permitted unless it is authorized by a law made by Parliament and State Legislature and is necessary for, and proportionate to, such interests being achieved.”

      Section 69 of the IT Act is one such law which, as you have rightly pointed out, enables the investigating agencies to intercept, monitor or decrypt any computer resource.

      However, the three tests laid down by Justice Chandrachud in the Puttaswamy case are most important:

      1. the existence of a “law”
      2. a “legitimate State interest” and
      3. the requirement of “proportionality”

      While Section 43 covers the first two, the intent behind including the right to privacy in this discussion is to ensure that the information being sought from a particular device is balanced with the privacy of the person so accused.

      In other words, at what point in the investigation process does it become acceptable to curtail the accused’s right to privacy?

      “I believe after the lodging of the FIR, the privacy law shall either not apply (through a possible court verdict which may come in future) or apply in a diluted sense.”

      Keeping in mind of course that the outcome of such a problem will largely be decided on a case to case basis, I, respectfully, disagree. Anybody can file an FIR against anybody else. Making an FIR as the threshold for infringing the privacy of an accused is in and of itself a very low bar. Further, such a threshold is not proportional in light of the Puttaswamy judgment because a mere allegation does not constitute sufficient grounds to infringe on a fundamental right.
      Unless the investigating agencies are able to prove the existence of particular information on somebody’s phone or able to convince the court of the need to parse through the contents of one’s phone, the right to privacy must be respected.

      This is not to state the right to privacy should interfere with the ability of the investigating officer to conduct an efficient investigation but rather, that this right should be an essential consideration during any such investigative measure.
