Committed a crime? Now, face(scan) the consequences! The law against self-incrimination and locked smartphones.

crop ethnic hacker with smartphone typing on laptop in dark room

By Bharat Chugh. [1]

First published one SCC Online Blog here.

On the legality of compelling an accused to disclose his smartphone/laptop password, or open his phone through face-scan, or fingerprint and the constitutional protection against self-incrimination.  

Our smartphones are an extension of our minds and souls. Our deepest desires. Our darkest secrets. Our smartphones know it all. You remember that smartphone ad where the manufacturer said something on the lines of, ‘Your phone knows all about you, but not us’? They weren’t lying. Your smartphone indeed knows everything about you. Knows way too much – in fact. 

It, therefore, comes as no surprise that smartphones can offer up a wealth of evidence as far as criminal investigations are concerned. An accused’s phone reveals not only where the accused was, at a given time, but also – who did she text or speak with. It tells us, what did she google and what did she buy online. It also demonstrates the trends and history of her financial dealings. When coupled with a smart watch, a smart car, or even a smart refrigerator, it offers even deeper insights both into the criminal, as well as the crime. It offers much more evidence than a house/office search ever has or will.  

Smartphones are, therefore, a great aid in crime detection and investigation and their importance can hardly be emphasized enough. 

Our notoriously arcane procedural laws, however, were not designed with the smartphone in mind. Therefore, there is little guidance in our laws, on whether an accused can be compelled to deliver-up/produce his smartphone/laptop/email password, in the course of a criminal investigation. 

Let us assume that, in a given case, a smartphone/laptop (being ‘property’ or ‘thing’ within the meaning of CrPC), is seized by the police. However, that – by itself – is not the end of the matter. After that arises the issue of retrieving evidence from that electronic equipment or mailbox. This is what brings us to the elephant in the room: 

Legal issue: 

If the seized smartphone/laptop is locked (as they are likely to be – in almost every case), how do the investigators access the contents of the smartphone/laptop/mailbox and retrieve evidence? 

Can the accused be compelled to provide his password, or give his face-scan/fingerprint? 

Would that violate the constitutional protection against ‘being compelled to be a witness against oneself’? (Article 20(3) of the Constitution of India). 

And, secondly, is there a provision in our procedural law that permits the investigators to seek disclosure of passwords, face-scans, etc? 

The Court’s ruling in Virendra Khanna

These were precisely the questions that arose for consideration in the recent case of Virendra Khanna v. State of Karnataka (2021 SCC Online Kar 5032). 

The facts of the case were fairly straightforward. The accused was charged for an offence under the NDPS Act. The investigators claimed that the accused’s smartphone and email account contained crucial incriminating evidence, and since the same were locked, the IO sought Court’s intervention in this regard.

To further its case, the Prosecution argued:  

  1. Disclosure of phone or computer password is not in the nature of personal testimony. (Reliance in this regard was placed on State of Bombay v. Kathi Kalu Oghad, AIR 1961 SC 1808) 
  2. Such an order does not violate the fundamental Right to Privacy as the Right to privacy is not an absolute right and can be curtailed in case: 
    1. It is sanctioned by law; 
    1. It serves a legitimate state interest/compelling state interest;  (prevention and investigation of crime, in this case); 
    1. It is proportionate; in the sense that there is a rational nexus between the object (the discovery of truth in a criminal investigation) and the means adopted to achieve the said object. (The ‘means’, therefore, should not be excessive and the object sought to be achieved should be so important and time-sensitive – so as to justify the making of in-roads into someone’s privacy.) 
    1. In order to satisfy the requirement of ‘sanction of law’, the prosecution argued that Section 139 of the Evidence Act, Section 54-A and 311-A of the CrPC empower the Court to direct the Accused to disclose his password/faces-can, etc. 
    1. Analogy was drawn to permissibility of ‘identification’ of the Accused, and taking of DNA samples, specimen signatures/handwriting samples, and voice samples.   

The accused, of course, resisted this on the ground of this amounting to ‘compulsion to testify against himself’, and a violation of his right to privacy. Further, this, it was argued, amounted to a denial of his right to silence and rights under Articles 20 & 21 of the Constitution. 

In this background, the Court framed and decided the following issues:  

Issue No.IssueCourt’s decision & reasoning
1.Can a direction be issued to an accused to furnish the password, passcode, or Biometrics in order to open the smartphone and/or email account? Yes. The Investigating Officer (“IO”) can always issue directions for “furnishing of information, material objects or the like”
2. Can a Court issue a suo moto order to the accused to furnish a password, passcode or Biometrics? No. Investigation is the domain/prerogative of the IO. Court is not supposed to be investigating itself, and can act only on an application filed by either of the parties. 
3.In the event of a direction being issued and the accused not furnishing the password, passcode, or Biometrics, what is the recourse available to an investigating officer? IO can approach the Court seeking directions to the accused to provide the same and/or “carry out search of the smartphone or electronic equipment”
4.What is the consideration for the issuance of a search warrant in order to search a smartphone or computer system?It is open to Courts/IOs to issue a notice under Section 91 of the CrPC to the accused to produce a “document” or “thing” which would include a smartphone, a laptop, etc.  Section 92 CrPC may permit the IO and/or the Court to seek documents from a “telegraph authority”. Section 93 permits the Court to issue search warrants w.r.t a “place”.   These provisions empower the search and seizure of things from a “place” and  smartphones, computers, servers, etc. may construed as “places” for the purposes of this section.   Further, Section 100 of the CrPC requires a person in-charge of a closed place (analogy to a phone, laptop or a mailbox) to permit and facilitate a search ordered by the Court.   In emergent circumstances, powers under Section 102 of the CrPC may also be exercised by the IO to seize electronic equipment, and under Section 165 a search/seizure can be carried out even without a warrant.  Further, Section 69(1) of the IT Actalso empowers specified officers to pass orders compelling decryption of any information generated, transmitted, received or stored in a computer resource. 
5.Would the data gathered from a smartphone and/or email account ipso facto prove the guilt of the accused? Depends. Data gathered from the accused’s phone/laptop, etc would be like any other property/evidence gathered during investigation. What would be the weight attached to such evidence is a fact-intensive exercise and a matter of appreciation of evidence, in the light of specific facts and circumstances of each case.  
6.Would providing a password, passcode or Biometrics amount to self-incrimination or testimonial compulsion?No. Given the law laid down in Kathi Kalu Oghad’s case (supra), such information does not amount to accused being compelled to be “a witness against oneself”. Merely providing one’s password, passcode, biometrics, does not amount to making an “oral statement” or a “written statement”. Therefore, it cannot be said to be a “testimonial compulsion”. Article 20 and S.161 of the CrPC is, therefore, not violated. 
7.Would providing of password, passcode or Biometrics violate the right to privacy of a person providing the said password, passcode or Biometrics?No. The case comes within the exceptions carved out in Justice Puttaswamy’s case (2017 SCC OnLine 1462). The IO, however, should not disclose this information to third parties without the permission of the Court and deal with it in a manner conducive to the Accused’s Right to privacy. 
8.What steps could be taken if the accused or any other person connected with the investigation were to refuse to furnish a password, passcode or Biometrics despite issuance of a search warrant and or a direction to provide a password, passcode or Biometrics of that person?In default of Accused providing his password, the Court can draw an adverse inference against the Accused u/s 114 of the Evidence Act, if password is not provided or a wrong password is provided.  In such a case of non-coperation of the accused, the IO may reach out to the manufacturer to access such information and in case of manufacturer not facilitating such access, the IO can, with the permission of the Court, “hack into the smartphone and/or email account” with, of course, the necessary expert assistance. 
9.What are the protection and safeguard that the Investigating Officer would have to take in respect of the smartphone and/or electronic equipment?No proper rules formulated in this regard. Pending such formulation, Court laid down some broad guidelines, such as inclusion of qualified forensic examiners in such endeavors and preparation of proper chain of custody documents, etc. 

Comment:

The judgment must be lauded for addressing a gaping hole in our procedural law and introducing some semblance of a method to the process. 

Having said that, the judgment falls short on a few counts. For instance, it fails to engage with the issue of right to privacy in sufficient detail, in general and – specifically, the requirement of proportionality. 

While the court permitted search/seizures of electronic equipment and it added a caveat that when the court is issuing search warrants it should tailor the order narrowly and with precision so as to “preserve the privacy of the concerned” (Para 12.22) but, unfortunately, it did not elaborate on this further. More specific directions in this regard would have been apt for the guidance of the Courts and the investigators, and would have prevented misuse. 

Further, the requirement of any transgression into right to privacy being ‘sanctioned by law’ wasn’t sufficiently examined. Though the judgment must be credited for interpreting ‘place’ (used in CrPC) as applicable to a device/electronic equipment/mailbox, (which is a fairly modern and technocratic interpretation!), it fails to engage adequately with the other sections relied upon by the prosecution – including Sections 54-A, 311-A CrPC, for instance. 

Further, the judgment, when it sources the power of seeking passwords to Section 91 CrPC (as tantamount to seeking “documents”), commits another fallacy. It ignores a line of decisions where Section 91 of the CrPC has been held to be inapplicable in case of an Accused. (See, for instance,  Shyamlal Mohanlal Choksi (1965 AIR SC 1251) and Kalanithi Maran (2003 SCC Online Mad 936). These cases categorically hold that a notice u/s 91 of the CrPC cannot be issued to an accused as the same amounts to compelling the accused to be a witness against himself. The effect of these decisions has not been considered while sourcing the power to Section 91 of the CrPC. 

Another aspect that hasn’t been considered is the fact that, in some jurisdictions, the courts have made a search warrant mandatory in such cases, with a view to ensure some judicial scrutiny. The desirability of having such a safety valve hasn’t been considered adequately.  

Another aspect of practical importance is the issue of rights of the accused upon seizure. For instance, greater clarity is needed on whether the accused would be able to seek a cloned copy of the smartphone/laptop seized, with a view to be able to use it, and to find out and rely upon exculpatory evidence, if any. 

We hope a future decision would go into these aspects. Given how vexed the issue is, this is certainly (and hopefully!) not the last that we read on this issue. 

All said and done, the decision is a crucial one. Indeed, there are privacy related concerns when it comes to a smartphones/laptops etc, but a narrowly tailored right with the investigators to seek such information is the need of the hour. The judgment would hopefully lead to a more nuanced discourse on balancing of the competing imperatives of a proper investigation, on one hand, and the accused’s right to privacy on the other.  


[1] Authored by Bharat Chugh, Lawyer, Supreme Court of India. The Author can be reached at contact@bharatchugh.in.  The Author wants to thank Siddharth, Shreyash, Roopali, Rashi, Yachika, Hamna, and Tejbir for their excellent suggestions and research.