Police needs warrant to ask PASSWORD from accused

Police need a warrant to ask password from the accused: Case Law

Case Law Details: Virendra Khanna Vs State of Karnataka 

Petition No. 11759 of 2020 (GM-RES)

A search warrant is necessary for the examination of a smartphone, laptop, or email account of an accused. Held by Karnataka High Court.

An accused cannot be constrained to disclose the password/passcode of his gadgets or accounts through a mere order of a trial court to cooperate with. Section 100 of CrPC provides general procedures that need to be necessarily followed at the time of the search. I say that if the Investigation officer leaks the data A case can be filed under section 72 of The IT Act,2000.

A search warrant is a written order which is issued by a Judge/ Magistrate or a Court to a police officer or any other person authorizing them to conduct a search of a person, location, or vehicle for evidence of a crime and confiscate illegal evidence of a crime. The court in Kalinga Tubes Ltd. v. D. Suri and in many other cases has cautioned the police officer to use search warrant with a little precaution and care and do not abuse their power.

Police officer under a warrant which is issued under any of the provisions of Sections 93, 94, 95, and 97. A search by any other police officer or any other person would be illegal and the sentry into such place will also be unlawful, Private cybercrime investigators beware.  In all situations of search and seizure, the investigating police should follow the procedures laid down under Sections 100 and 165 CrPC

Is asking for a password considers self-incrimination?

The protection against self-incrimination has been provided as a special fundamental right, under Part III [Under Article 20(3)] of the Constitution of India. It provides that no person who is accused of an offense can be compelled to be a witness against himself.

In several cases, the constitutional validity of a search warrant has been questioned. For instance, in the case of V. S. Kuttan Pillai v. Ramakrishnan, wherein it was opined by the court that a search of the premises occupied by the accused does not amount to compulsion on him to give evidence against himself and hence was not violative of Article 20(3) of the Constitution of India.

The High Court laid down the procedure for examining smartphones or email accounts (2021) :

It would be required for the prosecution to approach the Court to seek a search warrant to search the smartphone and or e-mail account. Once a search warrant is issued, it is up to the accused to provide the password, passcode etc. 

The investigating agency could also serve a notice on the accused indicating that in the event of the accused not furnishing the said password, passcode biometrics etc., an adverse inference would be drawn against the accused as regards the aspects notified in the said notice. The accused can then, in order to avoid the adverse inference being drawn, furnish the password, passcode, or biometrics to the authorities.

In the event of the accused or any other person not providing the password, passcode or biometrics, on an application made by the prosecution, the court could direct the service provider, manufacturer of smartphone and/or e-mail service provider, to open or unlock the smartphone and/or email account to enable access to the said smartphone and/or email account.

In the event of the manufacturer and the service provider not facilitating the opening of the smartphone, email account or computer equipment, then the Court on an application being filed in that regard permit the Investigating Officer to hack smartphone and/or email account.

The Investigating agency would be empowered to engage the services of such persons as may be required to hack into the smartphone and or e-mail account and make use of the data available therein, which would be akin to breaking open a lock or door of the premises when the accused were to refuse to co-operate with the Investigating officer and open the door of locked premises.

In the event of the investigating agency is unsuccessful in hacking into the smartphone and or the e-mail account and during the course of such a procedure, if the data on the smartphone and or the e-mail account being destroyed then, the Investigating agency/prosecution would be free to rely upon the notice by which the accused was warned of adverse Inference being drawn.

In this Karnataka case, the High Court set aside the trial court’s order which asked the accused to furnish the password while directing him to cooperate with the investigation. The Court said that the investigating officer will have to seek a search warrant as per the above procedure to examine the smartphones /email accounts. There are two methods in which police can affect search and seizure. 

Password seizure: One under a warrant which is issued under any of the provisions of Sections 93, 94, 95, and 97 and the other is without a warrant under any of the provisions of Sections 103, 165 and 166 of CrPC.the basic provisions as to search and seizure are laid down in Section 100 of CrPC. The procedure set out in the section is generally followed in offenses committed under the Indian Penal Code as well as in special and local laws with a little variance. Thus, in all situations of search and seizure, the investigating police should follow the procedures laid down under Sections 100 and 165 CrPC. Section 102 provides the power of police officers to seize certain property i.e PASSWORD

EMP Warfare as a part of Cyber Warfare : China's war on India

EMP Warfare as a part of Cyber Warfare

EMPs, or electromagnetic pulses, are intense bursts of electromagnetic energy that can be utilized to damage electronics. Man-made nuclear EMPS are impressive weapons of war that are sparingly used due to their highly destructive nature.China’s has ability to conduct an Electromagnetic Pulse attack on the India. China now has super-EMP weapons, knows how to protect itself against an EMP attack, and has developed protocols to conduct a first-strike attack, even as they deny they would ever do so.

China has the most active ballistic missile development program in the world, so this is doubly troubling. Allegedly China used stolen U.S. technology to develop at least three types of high-tech weapons to attack the electric grid and key technologies that could cause a surprise “Pearl Harbor” attack that could produce a deadly blackout to the entire India.

EMPs are one of those things that many people think is fake, or over-blown, or a conspiracy theorist’s dream. But they are real. EMPs can be either natural, from things like extreme solar geomagnetic disturbances, or man-made like a large thermonuclear detonation or a cyberattack. If they are coordinated with physical attacks then things can get real dicey real fast.

As the U.S. Commission to Assess the Threat to the United States from EMP Attack points out, “the physical and social fabric of the United States is sustained by a system of systems – a complex and dynamic network of interlocking and interdependent infrastructures whose harmonious functioning enables the myriad actions, transactions, and information flow that undergird the orderly conduct of civil society.”

According to the Commission, EMP effects represent arguably the largest-scale common-cause failure events that could affect our electric power grid and undermine our society, leaving it vulnerable on many fronts. About the only safe systems are nuclear reactors, both new and old.

High-voltage control cables and large transformers that control the grid are particularly vulnerable. Transformers weigh 400 tons, take two years to build, and cost around Rs. Five Crore million per piece. We are already way behind in having backup transformers ready, so if many go out at once, we have a big problem just powering our country.

The phenomenon of a large electromagnetic pulse is not new. The first human-caused EMP occurred in 1962 when the 1.4 megaton Starfish Prime thermonuclear weapon detonated 400 km above the Pacific Ocean.

One hundred times bigger than what USA dropped on Hiroshima, Starfish Prime resulted in an EMP which caused electrical damage nearly 900 miles away in Hawaii. It knocked out about 300 streetlights, set off numerous burglar alarms, and damaged a telephone company microwave link that shut down telephone calls from Kauai to the other Hawaiian islands.

And that was from many miles away.

On the natural side, in 1989, an unexpected geomagnetic storm triggered an event on the Hydro-Québec power system that resulted in its complete collapse within 92 seconds, leaving six million customers without power.  The storm resulted from the Sun ejecting a trillion-cubic-mile plume of superheated plasma, or ionized gas.

Such storms occur every 60 years or so, and in 1989, we weren’t anywhere near as electrified and electronically interconnected as we are today, or as we will be in 30 years.

Solar events were considered the most likely EMP to occur. Until now.

Even more troubling, China is eager to shoot first with “high-altitude electromagnetic pulse,” or HEMP, weapons launched from satellites, ships, and land.

China’s can be of using HEMP attack to win on the battlefield, defeat U.S. aircraft carriers, and achieve against the U.S. homeland a surprise ‘Pearl Harbor’ writ large 

Needless to say, we are not prepared for this.

A report done while Dr. Pry was a key member of a US congressional EMP commission found that an EMP attack on the US East Coast electric grid could lead to a huge number of deaths, Imagine India

You might think that EMP is too far-fetched to worry about. But you would be wrong. We have been learning in the information age that if it can be done, someone will do it. The speed with which our information age is changing is paralleled by the speed with which our national digital organism can test and block the ever-changing gaps and vulnerabilities in our electronic shield.

Like a host adapting to new parasites, this is just a normal incident for an evolving society in a rapidly-changing digital environment that selects for a digital organism that viscerally understands the whole system and can use it to its advantage.

Societies with older systems will be at a dangerous disadvantage. The Universe does this all the time. Sociologically, China seems to be moving into a more aggressive position globally, evidenced by their recent conflict with us and their aggression in the South China Sea with their east Pacific neighbours.

This may have been aggravated by China’s 1-child policy. Although the policy did rein in population growth (fertility rates dropped below two by 1990 and the present population is 1.3 billion), it gave rise to another problem – too few women.

Almost all cultures prefer a male as the first child and in China, the eldest male is expected to take care of his elderly parents. Therefore, the magnitude of female infanticide in China became astonishing in the decades between 1990 and 2010, when well over ten million female infants were killed. Only a relatively few found adopted homes in other countries.

China then changed to a 2-child policy, but the damage to an entire generation will not be so easily erased. The result was a skewed sex ratio in the generation born since 1980. Today, there are about 50 million more males than females. Just think of the states of Texas, New York and Ohio filled with just men.

The consequences of having too many uncoupled males in a society are worse than just making it difficult to find a mate. Soon there will be a substantial deficit of younger workers to provide support to an aging population. By 2030, China will have over 400 million people over the age of 60. Maintaining sufficient economic growth under these conditions will be difficult.

Some research indicates that excess males to this degree tends to make a society more aggressive and nationalistic, both of which have risen dramatically in China.

Not coincidentally, China has rolled out a number of other new military capabilities, designed to protect their new expansionist future. Included in their burgeoning array is a new generation of nuclear submarines, a carrier-killing missile named DF-21D, intended specifically to destroy aircraft carriers, and new rocket launch vehicles, like the Long March 6 rocket capable of carrying 20 warheads, that just went into space last month to deploy 20 satellites in orbit.

While everyone points out that the United States spends more on its military than the next ten countries combined, it turns out that China is far and away number 2, spending a third of what we spend in dollars, but almost the same percentage of its GDP as USA.

Methods for tracing WhatsApp messages - IT Rules 2021

Methods for traceability of WhatsApp messages - IT Rules 2021

WhatsApp traceability can be achieved in two methods — 

1. Use of digital signatures 

2. The metadata approach. 

However, it is still open to question whether either can discharge its legal objective of establishing criminal liability.

The digital signature approach may not be foolproof because it is susceptible to impersonation. Further, the approach would require the intermediary to keep the private key of the encrypted digital signature and decrypt when ordered by the court or the government. But the key will then become vulnerable to hacking by bad actors and once successful will create havoc, targeting innocent users. This approach with other precautions can be used successfully.

The metadata contains data pertaining to source, time, date, location and other attributes minus the content. But for traceability, a humongous amount of data would be commandeered for which the security agencies neither have the time, energy or capacity to disaggregate for any meaningful result. Second, in some case it may violates the data minimisation principle, envisaged in GDPR, PDPA and other privacy laws of the world. It figures prominently in Justice Puttaswamy judgment on privacy and the PDP Bill, 2019. But in big cases large charge sheets and huge data is the norm which LEA is used to it, its just the security of the meta data and the SOP for the same needs to be evolved.

If the above two techniques are fraught with risks, is it possible to comply with IT rules with a straight-forward method of intermediary keeping the decryption key of the messages? No. Because any modification of the system to give backdoors, weakens the security architecture, rendering it vulnerable to all bad actors.

The other alternative is the client sight scanning, where hashes used in communications are matched against a database of content before sending the message to the intended recipient. But the threat again is real, once the platform gets totally exposed by hackers getting hold of the database.

What is practicability ? 

It is for the intermediaries like WhatsApp to implement and comply with the traceability rule of The IT Rules,2021 and figure out whether it is possible without breaking the encryption.

The government has said time and again that it does not seek content and that originator tracing can be done without breaking encryption. Some national and international experts who maintain that traceability is not possible without breaking encryption but these experts could be wrong as the technology develops day by day.

Government needs to release illustrative guidelines for intermediaries to implement traceability. The end-to-end encryption is the bedrock of securing private messaging and online infrastructure, for ensuring safety and security of its users. Tinkering around with it will lead to a severe crisis of confidence and credibility. Innocent users of various social-media platforms have a cherished right to their privacy. Their personal information and chats cannot be used either commercially or surveilled by the state. A democratic state owes it to its free citizens.

IIT professor V Kamakoti’s in response to the Madras High Court suggested two methods to trace one was adding an originator information with every message and the other where a permission-based system which allows users to classify a message as forward-able or not forward-able.

This reputation of confidentiality that the WhatsApp enjoyed had already come under a cloud in India. Serious concerns were being raised about WhatsApp’s ability to protect a person’s privacy apart from preventing content from being transmitted and stored on its service from unauthorised access and misuse. These IT rules 2021 though not impeaching on privacy legally leaves room to do so, i think checks and audits by MEITY on WhatsApp and other social media websites and messenger service is the need of the hour.

x

What is Virginia Consumer Data Protection Act (CDPA) ?

The Virginia Consumer Data Protection Act (CDPA) law goes into effect on January 1, 2023. The law applies only to businesses with large amounts of consumer data and does not apply to employee or business-to-business (B2B) data. The CDPA also provides broad exemptions, including for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA). Broad in scope, the CDPA incorporates aspects of the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the EU General Data Protection Regulation (GDPR).

Below are outlined some key aspects of the CDPA and have compared it to these other comprehensive privacy laws.

Who Must Comply with the CDPA?

Businesses are subject to the CDPA if both of the following criteria are met:

• They either conduct business in Virginia or produce products or services that are targeted to Virginia residents, and
• During a calendar year (i) control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.

The Virginia law does not have a revenue threshold, and thus many large businesses that do not hold a substantial amount of consumer data will not be subject to the law. As noted below, the law explicitly excludes B2B and employee data from the definition of consumer, noting that “consumer” does not include individuals “acting in a commercial or employment context.”

Which Entities—and What Data—Is Exempt?

The CDPA does not apply to certain government agencies, financial institutions subject to the GBLA, covered entities or business associates governed by HIPAA, nonprofit organizations and institutions of higher education. The CDPA also exempts certain data, including data protected by federal laws like HIPAA, the GLBA, the Fair Credit Reporting Act, the Driver’s License Protection Act and the Family Educational Rights and Privacy Act. The CDPA further exempts data processed or maintained: (i) in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role; (ii) as emergency contact information for an individual; or (iii) that is necessary to retain to administer benefits for another individual. Additionally, controllers and processors that comply with verifiable parent consent requirements under the Children’s Online Privacy Protection Act shall be deemed compliant with any parental consent obligations under the CDPA.

What is “Personal Data” Under the CDPA?

As with other comprehensive privacy laws, the CDPA defines “personal data” broadly as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Notably, the CDPA does not aim to capture Virginia residents in the employment and B2B context as the CCPA does. Instead, under the CDPA a “consumer” is defined as a natural person who is a resident of the Commonwealth “acting only in an individual or household context” and “does not include a natural person acting in a commercial or employment context.”

Similar to the GDPR and the CPRA, the CDPA regulates “sensitive data.” Sensitive data is defined as a category of personal data that includes: (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizenship or immigration status; (ii) genetic or biometric data for the purpose of uniquely identifying a natural person; (iii) personal data collected from a known child; or (iv) precise geolocation data. The protections for sensitive data are discussed further below.

How Does The CDPA Apply Differently to Controllers and Processors?

Like the GDPR, the CDPA differentiates between controllers (companies that are responsible for determining the purpose and means of processing personal data) and processors (companies that process personal data on controllers’ behalf). Under the CDPA, businesses who constitute “controllers” have more stringent obligations. In contrast, processors’ obligations are generally connected to their contracts with controllers. For instance, processors are required to follow controllers’ instructions; implement appropriate technical and organizational measures to help the controller respond to consumer rights; and provide the necessary information for controllers to comply with their data protection assessment obligations. Similar to the GDPR, the relationship between the controller and processor must be governed by a contract that includes certain specified requirements and obligations for the processor.

Obligations for Controllers

The CDPA places several responsibilities on controllers including:

• Limits on Collection and Use of Data. The CDPA requires that controllers limit the collection of personal data to what is adequate, relevant and reasonably necessary for the purpose for which the data is processed. Controllers may not process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purpose for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer consent.
• Reasonable Security. Controllers must also establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such protections should be appropriate to the volume and nature of the personal data at issue.
• Consent for Processing Sensitive Data. Controllers are required to obtain the consumer’s consent before processing any sensitive data. Consent is defined similarly to the GDPR and the CPRA as a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to process personal data relating to the consumer and may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
• Data Processing Agreements (DPAs). As noted above, the CDPA requires that controllers enter into DPAs with their data processors. These agreements must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.” The CDPA provides specific terms that must be included in any DPA.
• Privacy Notice. Controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes: (i) the categories of personal data processed by the controller; (ii) the purpose for processing personal data; (iii) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (iv) the categories of personal data that the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal data. This is similar to requirements for privacy policies under the CCPA and, to a more limited extent, under the GDPR.
• Notice of Sale. Controllers that sell personal data to third parties or process personal data for targeted advertising must clearly and conspicuously disclose such processing in its privacy notice and provide a manner in which a consumer may exercise his or her opt out right. Unlike the CCPA, the CDPA does not appear to specify the specific manner in which the controller must prove the opt out right (i.e., there is no requirement for a specific link or button).
• Consumer Request Process. Controllers must establish one or more secure means for consumers to submit requests to exercise their rights. Unlike the CCPA and CPRA, the CDPA is not prescriptive in how consumers must submit such requests, but provides that such means must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request.
• Data Protection Assessment. Controllers must conduct and document a data protection assessment for certain processing activities, including the sale of personal data, the processing of personal data for purposes of targeted advertising or profiling, the processing of sensitive data and any processing activities involving personal data that present a heightened risk of harm to consumers. These data protection assessments must identify and weigh the benefits to the business of processing consumers’ data against potential risks to consumers associated with such processing. In balancing those competing concerns, businesses should consider whether certain safeguards, such as using de-identified data, would mitigate risks to consumers, as well as consumers’ reasonable expectations and the relationship between the business and the consumer.

What Rights Do Individuals Have Under the CDPA?

Similar to the CPRA and the GDPR, consumers have the following rights under the CDPA:

• Right to access. Consumers have the right to confirm whether a controller is processing the consumer’s personal data and obtain access to such data.
• Right to correct. Consumers have the right to correct inaccuracies in the consumer’s personal data.
• Right to delete. Consumers have the right to delete personal data provided by or obtained about the consumer.
• Right to data portability. Consumers have the right to obtain a copy of the consumer’s personal data in a portable and readily usable format.
• Right to opt out of certain data processing. Consumers will have the right to opt out of the processing of personal data for purposes of: (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in further of decisions that produce legal or similarly significant effects concerning the consumer. A “sale” under the CDPA is defined more narrowly than under the CCPA or CPRA to mean the exchange of personal data for monetary consideration by the controller to a third party.

The CDPA does not provide for any hardship exemptions to these rights. Businesses must respond to requests within 45 days of receipt of the request and may extend where reasonably necessary for an additional 45 days if the consumer is notified within the first 45-day window. Businesses must establish procedures for consumers to appeal a failure to act on a rights request within a reasonable time period and inform consumers of how they can submit a complaint to the attorney general if the appeal is denied.

Who Enforces the CDPA?

The Virginia Attorney General has exclusive authority to enforce the CDPA and to impose a civil penalty of up to $7,500 per violation. Businesses may avoid an enforcement action, however, by properly remedying the violation. The CDPA’s right to cure allows businesses to correct any violation of the CDPA within 30 days of receiving notice thereof from the Virginia Attorney General. Unlike the CCPA, the CDPA does not provide a private right of action to consumers.

The CDPA also requires businesses to establish procedures for consumers to appeal any denial of their rights under the CDPA. This appeal right, coupled with the provision for enforcement by the attorney general and the possibility of hefty civil fines, may compensate for the lack of a private right of action in the CDPA.

Key Takeaways

Businesses subject to the CDPA will need to perform a comprehensive data inventory and update their external policies and internal procedures to come into compliance. The CDPA requires businesses to conduct data protection assessments for specified processing activities and to establish procedures by which consumers may appeal any denial of their CDPA rights. Businesses must also update their public-facing privacy policies to, among other changes, make a public commitment to not re-identify de-identified personal data and provide details on its data processing activities. The CDPA extends its protections to businesses’ contracts with service providers by requiring businesses to limit the service provider’s use and further distribution of personal data. Notably, the CDPA does not displace or change businesses’ existing obligations to report data breaches.

Whats more to come ?

The CDPA’s quick pace toward enactment may foreshadow its role as a blueprint for other states looking to enact comprehensive data privacy reform. The CDPA was designed to provide key protections for consumers and clearly define the obligations for businesses to ensure a smooth path toward compliance, without imposing overly burdensome requirements in a complicated statutory structure. As State Sen. David Marsden, who introduced the legislation, described, “This is a huge step forward. By creating this omnibus bill, we take the lead in data privacy in the United States. This omnibus bill is clear, concise, and holds companies accountable for protecting consumer data in providing protections for consumers.”

On the federal level, Lets wait for a US Federal Privacy LAW