EMP Warfare as a part of Cyber Warfare : China's war on India

EMP Warfare as a part of Cyber Warfare

EMPs, or electromagnetic pulses, are intense bursts of electromagnetic energy that can be utilized to damage electronics. Man-made nuclear EMPS are impressive weapons of war that are sparingly used due to their highly destructive nature.China’s has ability to conduct an Electromagnetic Pulse attack on the India. China now has super-EMP weapons, knows how to protect itself against an EMP attack, and has developed protocols to conduct a first-strike attack, even as they deny they would ever do so.

China has the most active ballistic missile development program in the world, so this is doubly troubling. Allegedly China used stolen U.S. technology to develop at least three types of high-tech weapons to attack the electric grid and key technologies that could cause a surprise “Pearl Harbor” attack that could produce a deadly blackout to the entire India.

EMPs are one of those things that many people think is fake, or over-blown, or a conspiracy theorist’s dream. But they are real. EMPs can be either natural, from things like extreme solar geomagnetic disturbances, or man-made like a large thermonuclear detonation or a cyberattack. If they are coordinated with physical attacks then things can get real dicey real fast.

As the U.S. Commission to Assess the Threat to the United States from EMP Attack points out, “the physical and social fabric of the United States is sustained by a system of systems – a complex and dynamic network of interlocking and interdependent infrastructures whose harmonious functioning enables the myriad actions, transactions, and information flow that undergird the orderly conduct of civil society.”

According to the Commission, EMP effects represent arguably the largest-scale common-cause failure events that could affect our electric power grid and undermine our society, leaving it vulnerable on many fronts. About the only safe systems are nuclear reactors, both new and old.

High-voltage control cables and large transformers that control the grid are particularly vulnerable. Transformers weigh 400 tons, take two years to build, and cost around Rs. Five Crore million per piece. We are already way behind in having backup transformers ready, so if many go out at once, we have a big problem just powering our country.

The phenomenon of a large electromagnetic pulse is not new. The first human-caused EMP occurred in 1962 when the 1.4 megaton Starfish Prime thermonuclear weapon detonated 400 km above the Pacific Ocean.

One hundred times bigger than what USA dropped on Hiroshima, Starfish Prime resulted in an EMP which caused electrical damage nearly 900 miles away in Hawaii. It knocked out about 300 streetlights, set off numerous burglar alarms, and damaged a telephone company microwave link that shut down telephone calls from Kauai to the other Hawaiian islands.

And that was from many miles away.

On the natural side, in 1989, an unexpected geomagnetic storm triggered an event on the Hydro-Québec power system that resulted in its complete collapse within 92 seconds, leaving six million customers without power.  The storm resulted from the Sun ejecting a trillion-cubic-mile plume of superheated plasma, or ionized gas.

Such storms occur every 60 years or so, and in 1989, we weren’t anywhere near as electrified and electronically interconnected as we are today, or as we will be in 30 years.

Solar events were considered the most likely EMP to occur. Until now.

Even more troubling, China is eager to shoot first with “high-altitude electromagnetic pulse,” or HEMP, weapons launched from satellites, ships, and land.

China’s can be of using HEMP attack to win on the battlefield, defeat U.S. aircraft carriers, and achieve against the U.S. homeland a surprise ‘Pearl Harbor’ writ large 

Needless to say, we are not prepared for this.

A report done while Dr. Pry was a key member of a US congressional EMP commission found that an EMP attack on the US East Coast electric grid could lead to a huge number of deaths, Imagine India

You might think that EMP is too far-fetched to worry about. But you would be wrong. We have been learning in the information age that if it can be done, someone will do it. The speed with which our information age is changing is paralleled by the speed with which our national digital organism can test and block the ever-changing gaps and vulnerabilities in our electronic shield.

Like a host adapting to new parasites, this is just a normal incident for an evolving society in a rapidly-changing digital environment that selects for a digital organism that viscerally understands the whole system and can use it to its advantage.

Societies with older systems will be at a dangerous disadvantage. The Universe does this all the time. Sociologically, China seems to be moving into a more aggressive position globally, evidenced by their recent conflict with us and their aggression in the South China Sea with their east Pacific neighbours.

This may have been aggravated by China’s 1-child policy. Although the policy did rein in population growth (fertility rates dropped below two by 1990 and the present population is 1.3 billion), it gave rise to another problem – too few women.

Almost all cultures prefer a male as the first child and in China, the eldest male is expected to take care of his elderly parents. Therefore, the magnitude of female infanticide in China became astonishing in the decades between 1990 and 2010, when well over ten million female infants were killed. Only a relatively few found adopted homes in other countries.

China then changed to a 2-child policy, but the damage to an entire generation will not be so easily erased. The result was a skewed sex ratio in the generation born since 1980. Today, there are about 50 million more males than females. Just think of the states of Texas, New York and Ohio filled with just men.

The consequences of having too many uncoupled males in a society are worse than just making it difficult to find a mate. Soon there will be a substantial deficit of younger workers to provide support to an aging population. By 2030, China will have over 400 million people over the age of 60. Maintaining sufficient economic growth under these conditions will be difficult.

Some research indicates that excess males to this degree tends to make a society more aggressive and nationalistic, both of which have risen dramatically in China.

Not coincidentally, China has rolled out a number of other new military capabilities, designed to protect their new expansionist future. Included in their burgeoning array is a new generation of nuclear submarines, a carrier-killing missile named DF-21D, intended specifically to destroy aircraft carriers, and new rocket launch vehicles, like the Long March 6 rocket capable of carrying 20 warheads, that just went into space last month to deploy 20 satellites in orbit.

While everyone points out that the United States spends more on its military than the next ten countries combined, it turns out that China is far and away number 2, spending a third of what we spend in dollars, but almost the same percentage of its GDP as USA.

Methods for tracing WhatsApp messages - IT Rules 2021

Methods for traceability of WhatsApp messages - IT Rules 2021

WhatsApp traceability can be achieved in two methods — 

1. Use of digital signatures 

2. The metadata approach. 

However, it is still open to question whether either can discharge its legal objective of establishing criminal liability.

The digital signature approach may not be foolproof because it is susceptible to impersonation. Further, the approach would require the intermediary to keep the private key of the encrypted digital signature and decrypt when ordered by the court or the government. But the key will then become vulnerable to hacking by bad actors and once successful will create havoc, targeting innocent users. This approach with other precautions can be used successfully.

The metadata contains data pertaining to source, time, date, location and other attributes minus the content. But for traceability, a humongous amount of data would be commandeered for which the security agencies neither have the time, energy or capacity to disaggregate for any meaningful result. Second, in some case it may violates the data minimisation principle, envisaged in GDPR, PDPA and other privacy laws of the world. It figures prominently in Justice Puttaswamy judgment on privacy and the PDP Bill, 2019. But in big cases large charge sheets and huge data is the norm which LEA is used to it, its just the security of the meta data and the SOP for the same needs to be evolved.

If the above two techniques are fraught with risks, is it possible to comply with IT rules with a straight-forward method of intermediary keeping the decryption key of the messages? No. Because any modification of the system to give backdoors, weakens the security architecture, rendering it vulnerable to all bad actors.

The other alternative is the client sight scanning, where hashes used in communications are matched against a database of content before sending the message to the intended recipient. But the threat again is real, once the platform gets totally exposed by hackers getting hold of the database.

What is practicability ? 

It is for the intermediaries like WhatsApp to implement and comply with the traceability rule of The IT Rules,2021 and figure out whether it is possible without breaking the encryption.

The government has said time and again that it does not seek content and that originator tracing can be done without breaking encryption. Some national and international experts who maintain that traceability is not possible without breaking encryption but these experts could be wrong as the technology develops day by day.

Government needs to release illustrative guidelines for intermediaries to implement traceability. The end-to-end encryption is the bedrock of securing private messaging and online infrastructure, for ensuring safety and security of its users. Tinkering around with it will lead to a severe crisis of confidence and credibility. Innocent users of various social-media platforms have a cherished right to their privacy. Their personal information and chats cannot be used either commercially or surveilled by the state. A democratic state owes it to its free citizens.

IIT professor V Kamakoti’s in response to the Madras High Court suggested two methods to trace one was adding an originator information with every message and the other where a permission-based system which allows users to classify a message as forward-able or not forward-able.

This reputation of confidentiality that the WhatsApp enjoyed had already come under a cloud in India. Serious concerns were being raised about WhatsApp’s ability to protect a person’s privacy apart from preventing content from being transmitted and stored on its service from unauthorised access and misuse. These IT rules 2021 though not impeaching on privacy legally leaves room to do so, i think checks and audits by MEITY on WhatsApp and other social media websites and messenger service is the need of the hour.

x

What is Virginia Consumer Data Protection Act (CDPA) ?

The Virginia Consumer Data Protection Act (CDPA) law goes into effect on January 1, 2023. The law applies only to businesses with large amounts of consumer data and does not apply to employee or business-to-business (B2B) data. The CDPA also provides broad exemptions, including for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA). Broad in scope, the CDPA incorporates aspects of the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the EU General Data Protection Regulation (GDPR).

Below are outlined some key aspects of the CDPA and have compared it to these other comprehensive privacy laws.

Who Must Comply with the CDPA?

Businesses are subject to the CDPA if both of the following criteria are met:

• They either conduct business in Virginia or produce products or services that are targeted to Virginia residents, and
• During a calendar year (i) control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.

The Virginia law does not have a revenue threshold, and thus many large businesses that do not hold a substantial amount of consumer data will not be subject to the law. As noted below, the law explicitly excludes B2B and employee data from the definition of consumer, noting that “consumer” does not include individuals “acting in a commercial or employment context.”

Which Entities—and What Data—Is Exempt?

The CDPA does not apply to certain government agencies, financial institutions subject to the GBLA, covered entities or business associates governed by HIPAA, nonprofit organizations and institutions of higher education. The CDPA also exempts certain data, including data protected by federal laws like HIPAA, the GLBA, the Fair Credit Reporting Act, the Driver’s License Protection Act and the Family Educational Rights and Privacy Act. The CDPA further exempts data processed or maintained: (i) in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role; (ii) as emergency contact information for an individual; or (iii) that is necessary to retain to administer benefits for another individual. Additionally, controllers and processors that comply with verifiable parent consent requirements under the Children’s Online Privacy Protection Act shall be deemed compliant with any parental consent obligations under the CDPA.

What is “Personal Data” Under the CDPA?

As with other comprehensive privacy laws, the CDPA defines “personal data” broadly as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Notably, the CDPA does not aim to capture Virginia residents in the employment and B2B context as the CCPA does. Instead, under the CDPA a “consumer” is defined as a natural person who is a resident of the Commonwealth “acting only in an individual or household context” and “does not include a natural person acting in a commercial or employment context.”

Similar to the GDPR and the CPRA, the CDPA regulates “sensitive data.” Sensitive data is defined as a category of personal data that includes: (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizenship or immigration status; (ii) genetic or biometric data for the purpose of uniquely identifying a natural person; (iii) personal data collected from a known child; or (iv) precise geolocation data. The protections for sensitive data are discussed further below.

How Does The CDPA Apply Differently to Controllers and Processors?

Like the GDPR, the CDPA differentiates between controllers (companies that are responsible for determining the purpose and means of processing personal data) and processors (companies that process personal data on controllers’ behalf). Under the CDPA, businesses who constitute “controllers” have more stringent obligations. In contrast, processors’ obligations are generally connected to their contracts with controllers. For instance, processors are required to follow controllers’ instructions; implement appropriate technical and organizational measures to help the controller respond to consumer rights; and provide the necessary information for controllers to comply with their data protection assessment obligations. Similar to the GDPR, the relationship between the controller and processor must be governed by a contract that includes certain specified requirements and obligations for the processor.

Obligations for Controllers

The CDPA places several responsibilities on controllers including:

• Limits on Collection and Use of Data. The CDPA requires that controllers limit the collection of personal data to what is adequate, relevant and reasonably necessary for the purpose for which the data is processed. Controllers may not process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purpose for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer consent.
• Reasonable Security. Controllers must also establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such protections should be appropriate to the volume and nature of the personal data at issue.
• Consent for Processing Sensitive Data. Controllers are required to obtain the consumer’s consent before processing any sensitive data. Consent is defined similarly to the GDPR and the CPRA as a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to process personal data relating to the consumer and may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
• Data Processing Agreements (DPAs). As noted above, the CDPA requires that controllers enter into DPAs with their data processors. These agreements must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.” The CDPA provides specific terms that must be included in any DPA.
• Privacy Notice. Controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes: (i) the categories of personal data processed by the controller; (ii) the purpose for processing personal data; (iii) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (iv) the categories of personal data that the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal data. This is similar to requirements for privacy policies under the CCPA and, to a more limited extent, under the GDPR.
• Notice of Sale. Controllers that sell personal data to third parties or process personal data for targeted advertising must clearly and conspicuously disclose such processing in its privacy notice and provide a manner in which a consumer may exercise his or her opt out right. Unlike the CCPA, the CDPA does not appear to specify the specific manner in which the controller must prove the opt out right (i.e., there is no requirement for a specific link or button).
• Consumer Request Process. Controllers must establish one or more secure means for consumers to submit requests to exercise their rights. Unlike the CCPA and CPRA, the CDPA is not prescriptive in how consumers must submit such requests, but provides that such means must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request.
• Data Protection Assessment. Controllers must conduct and document a data protection assessment for certain processing activities, including the sale of personal data, the processing of personal data for purposes of targeted advertising or profiling, the processing of sensitive data and any processing activities involving personal data that present a heightened risk of harm to consumers. These data protection assessments must identify and weigh the benefits to the business of processing consumers’ data against potential risks to consumers associated with such processing. In balancing those competing concerns, businesses should consider whether certain safeguards, such as using de-identified data, would mitigate risks to consumers, as well as consumers’ reasonable expectations and the relationship between the business and the consumer.

What Rights Do Individuals Have Under the CDPA?

Similar to the CPRA and the GDPR, consumers have the following rights under the CDPA:

• Right to access. Consumers have the right to confirm whether a controller is processing the consumer’s personal data and obtain access to such data.
• Right to correct. Consumers have the right to correct inaccuracies in the consumer’s personal data.
• Right to delete. Consumers have the right to delete personal data provided by or obtained about the consumer.
• Right to data portability. Consumers have the right to obtain a copy of the consumer’s personal data in a portable and readily usable format.
• Right to opt out of certain data processing. Consumers will have the right to opt out of the processing of personal data for purposes of: (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in further of decisions that produce legal or similarly significant effects concerning the consumer. A “sale” under the CDPA is defined more narrowly than under the CCPA or CPRA to mean the exchange of personal data for monetary consideration by the controller to a third party.

The CDPA does not provide for any hardship exemptions to these rights. Businesses must respond to requests within 45 days of receipt of the request and may extend where reasonably necessary for an additional 45 days if the consumer is notified within the first 45-day window. Businesses must establish procedures for consumers to appeal a failure to act on a rights request within a reasonable time period and inform consumers of how they can submit a complaint to the attorney general if the appeal is denied.

Who Enforces the CDPA?

The Virginia Attorney General has exclusive authority to enforce the CDPA and to impose a civil penalty of up to $7,500 per violation. Businesses may avoid an enforcement action, however, by properly remedying the violation. The CDPA’s right to cure allows businesses to correct any violation of the CDPA within 30 days of receiving notice thereof from the Virginia Attorney General. Unlike the CCPA, the CDPA does not provide a private right of action to consumers.

The CDPA also requires businesses to establish procedures for consumers to appeal any denial of their rights under the CDPA. This appeal right, coupled with the provision for enforcement by the attorney general and the possibility of hefty civil fines, may compensate for the lack of a private right of action in the CDPA.

Key Takeaways

Businesses subject to the CDPA will need to perform a comprehensive data inventory and update their external policies and internal procedures to come into compliance. The CDPA requires businesses to conduct data protection assessments for specified processing activities and to establish procedures by which consumers may appeal any denial of their CDPA rights. Businesses must also update their public-facing privacy policies to, among other changes, make a public commitment to not re-identify de-identified personal data and provide details on its data processing activities. The CDPA extends its protections to businesses’ contracts with service providers by requiring businesses to limit the service provider’s use and further distribution of personal data. Notably, the CDPA does not displace or change businesses’ existing obligations to report data breaches.

Whats more to come ?

The CDPA’s quick pace toward enactment may foreshadow its role as a blueprint for other states looking to enact comprehensive data privacy reform. The CDPA was designed to provide key protections for consumers and clearly define the obligations for businesses to ensure a smooth path toward compliance, without imposing overly burdensome requirements in a complicated statutory structure. As State Sen. David Marsden, who introduced the legislation, described, “This is a huge step forward. By creating this omnibus bill, we take the lead in data privacy in the United States. This omnibus bill is clear, concise, and holds companies accountable for protecting consumer data in providing protections for consumers.”

On the federal level, Lets wait for a US Federal Privacy LAW

IT Rules 2021 - Social Media & OTT Rules

Social media, OTT Platforms, online news websites regulation in india (Information Technology Rules, 2021 )

This are the Rules framed pursuant to the powers conferred by Section 79(2)(c) and Section 69A(2) of the Information Technology Act, 2000 provides for classification of films and other entertainment programmes, including web series, bring digital news platforms within the ambit of regulations covering print and electronic media and attempts to rein in social media intermediaries. 

Guidelines for intermediary and social media intermediary 

The Rules define 'significant social media intermediary' as social media with users above the threshold notified by the Central government. 

The Rules mandate that social media intermediary should 'enable the identification of the first originator of the information on its computer, as "may be required by a judicial or or an order passed by the Competent authority" and such an order shall only be passed for the purposes of prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order.

If has also been provided that the significant social media intermediary "shall have a physical contact address in India published on its website or mobile based Internet application or both, as the case may be, for the purposes of receiving the communication addressed to it."

The rules and regulations, privacy policy or user agreement of the intermediary should inform the user of computer resource not to host, display, upload, modify, publish, transmit, store, update or share any information that is inter alia, obscene, pornographic, paedophilic, threatens the unity, integrity, defence, security or Sovereignty of India, friendly relations with foreign States, or public order, or causes incitement to the commission of any cognizable offence or prevents investigation of any offence or is insulting any foreign States. 

No such information should be published which is patently false and untrue, and is written or published in any form, with the intent to mislead or harass a person, entity or agency for financial gain or to cause any injury to any person.

Self-Regulatory Body

It has been notified that would be one or more self-regulatory bodies of publishers. Such a body shall be headed by a retired judge of the Supreme Court, a High Court or independent eminent person and have not more than six members. The concerned Regulatory body will have to register with the Ministry of Information and Broadcasting. This body will oversee the adherence by the publisher to the Code of Ethics and address grievances that have not be been resolved by the publisher within 15 days.

Disposing a grievance

It has been laid down that a self-regulating body while disposing a grievance or an appeal will issue guidance or advisories to the applicable publisher/entities: 

(a) warning, censuring, admonishing or reprimanding such entity; 

(b) requiring an apology by such entity; or 

(c) requiring such entity to include a warning card or a disclaimer; or 

(d) in case of online curated content, direct such entity to (i) reclassify ratings of relevant content; (ii)make appropriate modification in the content descriptor, age classification and access control measures; (iii) edit synopsis of relevant content; 

Code of Ethics and Procedure/safeguards for Digital/Online media

Part III of the Rules state that digital and online media will be governed by Code of Ethics. The Code of Ethics which in turn is given in the appendix make the Programme Code under under section 5 of the Cable Television Networks regulation) Act, 1995 and norms of Journalistic Conduct of the Press Council of India under the Press Council Act, 1978 applicable to digital media. 

The Code of Ethics is applicable to those entities who are operating within the territory of India and such entity conducts the systematic business activity of making its content available in India, which is targeted at Indian users. The code of ethics will cover the following entities:

• 1. Publishers of news and current affairs content; 

• intermediaries which primarily enable the transmission of news and current affairs content; 

• 2. Publishers of online curated content.

• intermediaries which primarily enable the transmission of online curated content.

Monthly compliance report

The rules require the concerned body/entity to publish a monthly compliance reportmentioning the details of complaints received and action taken on the complaints as well as details of contents removed proactively by the significant social media intermediary.

Such entities should not publish content which affects the sovereignty and integrity of India, jeopardises security of State or which is detrimental to India’s friendly relations with foreign countries. Further, online content should be classified based on the nature of the content 'U', 'UA', 'A' etc

They should also take into consideration India’s multi-racial and multi-religious context and exercise due caution and discretion when featuring the activities, beliefs, practices, or views of any racial or religious group.

A three tier structure has been notified to address the grievances made by various users. 

(a) Level I - Self-regulation by the applicable entity; 

(b) Level II — Self-regulation by the self-regulating bodies of the applicable entities 

(c) Level III - Oversight mechanism by the Central Government.

Establishment of "Grievance Portal"

It has been laid down that the concerned Ministry shall establish an online Grievance Portal, as the central repository for receiving and processing all grievances from the public in respect of the Code of Ethics, within three months of the commencement of the rules.

• If a person is having a grievance against any 'content published by an applicable entity'then the same may register its grievance on the Grievance Portal.

• The Portal shall generate and issue an acknowledgement of the grievance a the benefit of the complainant within 24 hours of its registration, and electronically direct the grievance to the applicable entity for addressing the grievance, and also refer such grievance to the Ministry and the self-regulating body for information and record.

Mandatory Notification by the Significant publishers and 'content' creators 

It has been stated that it shall be mandatory for 'significant publisher' of news and current affairs content to notify the Broadcast Seva that - it is operating in the territory of India, by furnishing the information that may be required on the Broadcast Seva by the Ministry, for the purpose of enabling communication and coordination with such publisher. 

The explanation reads that - for the purposes of this rule, a publisher of news and current affairs content shall be a significant publisher of news and current affairs content if it: 

(a) publishes news and current affairs content as a systematic business activity. 

(b) operates in the territory of India.

(c) has not less than five lakh subscribers, or fifty lakh followers on the services of any significant social media intermediary, as the case may be.

"Publisher/entities shall take into consideration India’s multi-racial and multi-religious context and exercise due caution and discretion when featuring the activities, beliefs, practices, or views of any racial or religious group.” reads out the general principles of the code of conduct 

Self-Classification of Content

The rules state that the OTT platforms, which have been regulating their content through various, would be self-classifying the content into five age based categories- U (Universal), U/A 7+, U/A 13+, U/A 16+, and A (Adult). The concerned online platforms would be required to implement parental locks for content classified as U/A 13+ or higher, and reliable age verification mechanisms for content classified as “A”.

My Views :

Government has played a carrot and stick, while adamant social media gets the stick as it gets in other countries too, OTT platforms and Online news gets the carrot of self regulation. Now, within 3 months, WhatsApp has too ready their software to pinpoint originator of message so fake news peddler’s will be behind the bars quickly . Now US IT behemoths like Google and Facebook need to appoint compliance officers responsible towards Indian law and enforcement and these officers can face jail like the impending Amazon Prime lady with any Anticipatory bail for tandav Web-series. I think next now we can wait for media bargaining code like the one in EU, UK and Australia . Indian cyberspace is now governed cyberspace moving an inch towards Internet Balkanisation, which remains inevitable .

Admission & Confession in Cyber Crime Cases

Admission & Confession in Cyber Crime (IT Act,2000) Cases

Digital evidence: reliability When one examines the issue of reliability of digital evidence there arises a number of questions. Should forensic software (digital evidence) be entitled to a judicial presumption of reliability? When, if ever, should courts compel non-party forensic software vendors to reveal proprietary source code to party experts in order to assure a fairer trial? And what does reliability mean in the context of digital evidence anyway? 

The term ‘Admission’ means stating something or admitting something other than guilt. So now the question is does confession also meant the same. The answer is no, as there is a very thin life difference between confession and admission. The word ‘confession’ means acknowledgement of guilt made by a person after an offence has been committed.

ADMISSION (Sec. 17-23, 31)

According to sec. 17 of the Indian Evidence Act,

“An admission is a statement, oral or documentary or contained in electronic form, which suggests any inference as to any fact in issue or relevant fact, and which is made by any of the persons, and under the circumstances, as described under Indian Evidence Act.”

Admission is a substantive piece of evidence but not conclusive proof also it waives or dispenses the production of evidence by concealing that the fact asserted by the opponent is true. 

In the case, Raja Pratap Bahadur Singh v. Raja Rajgan Maharaj Jagatjit Singh [1936 Lucknow] it was held that admissions are a very weak kind of evidence and the court may reject the same if it is satisfied from other circumstances that they are untrue. Hence it shifts the onus to the maker on the principle that what a party himself admits to being true may be reasonably presumed to be true so that until the presumption is rebutted the fact admitted must be taken to be true.

In English Law, the term ‘admission’ is used only in civil cases but in Indian laws, it is used in both civil as well as criminal cases. The statement is a genus; admission is the species and confession is the sub-species. Admission will lose its effect if not made voluntarily.

WHO CAN MAKE ADMISSION

Sec. 18 of the Indian Evidence Act allocates classes of person who all can make an admission-

• Party to the proceeding

• Agent authorized by such party [but the statement of agent will be binding only during the term of agency and before proving admission by the agent he has to prove his agency]

• Party suing or sued in a representative character making admission while holding such character [it will include trustees, executors, administrators, managers, etc.]

• Person who have a proprietary or pecuniary interest in the subject matter of the proceeding

• Person from whom parties have derived the interests in the subject matter of the suit

Admission of a fact made by a pleader in the conduct of the suit on his client’s behalf is binding on the client. But a party is not bound by a pleader’s admission in an argument on what is a pure question of law.

An exception to Sec. 18 of IEA

Sec 19 – Admissions by persons whose position must be proved as against party to suit

Sec. 19 states that any third party gives such a statement that proves the liability and right against any party to the suit will be admissible. The object of this section is not to lay down that certain statements are relevant or admissible but merely to add the category of a person by whom a statement made before considered to be an admission within the terms of the act.

Sec. 20- Admissions by persons expressly referred to by party to suit

When the party expressly refers to the third person for some information in reference to the subject matter which is in dispute then the statement made by the third person will be admissible.

Sec. 19 and Sec 20 are exceptions to the rule that statements made by strangers to a proceeding are not admissible within the terms of the act.

It is a general rule that admission cannot be proved on or on behalf of a person who makes it but sec. 21 is an exception to this general rule. Sec. 21 has three clauses which state that-

• Person making the admission was dead and hence his admission made earlier during his lifetime will be admissible (Sec. 32)

• When the statement is about the existence of any state of mind, body, or about the time when such state of mind or body existed and accompanied by the conduct then that statement will be held admissible (sec. 14)

• When the fact is not otherwise relevant to become relevant (Sec11)

ORAL ADMISSION-

Admission can be made either orally, documentary or in electronic form as mentioned in Sec.17. But sec. 22 and Sec. 22 A deals with when oral admission as to contents of document or electronic form will become relevant.

Oral admissions as to the contents of a document are not relevant, unless and until the party proposing to prove them shows that he is entitled to give secondary evidence of the contents of such document under the rules hereinafter contained, or unless the genuineness of a document produced is in question.

For Example- Sunil executed a deed of the mortgage against Sheela. Later Sheela files a suit for possession of the property but during the trial, Sunil denied the existence of any such deed. So, in this case, Sheela Can’t prove by oral evidence that she has before some men admitted that Sunil mortgaged a deed. She has to produce the original deed in a court of law.

ADMISSION IN CIVIL CASES- Sec. 23

In civil cases if it appears to the court that parties to the suit have mutually agreed together that evidence should not be given or made upon an express condition the evidence not to be given then any admission made related to it will be irrelevant. But this section will not discharge any barrister, advocate, attorney, pleader from giving evidence which he is compelled to give u/s 126 of Evidence Act.

This section gives effect to the maxim ‘interest reipublicae ut sit finis litium’ which means it is for the interest of the state that there should be an end to litigation.

ADMISSION ACT AS AN ESTOPPEL

Sec. 31 of the Indian Evidence Act states that Admissions are not conclusive proof but they act as estoppel.

Estoppel has been defined in Sec. 115 of the evidence act. The bare reading of section 115 of the said act is-

“When one person has, by his declaration, act or omission, intentionally caused or permitted another person to believe a thing to be true and to act upon such belief, neither he nor his representative shall be allowed, in any suit or proceeding between himself and such person or his representative, to deny the truth of that thing”

CONFESSION

Confession has not been defined anywhere in the Act. A ‘confession’ is an admission made at any time by a person charged with a crime, stating or suggesting the inference that he committed the crime. It is also said that every confession is an admission but every admission is not a confession. 

The substantive law of confession is contained in Sec. – 24 to 30 of the evidence act and the procedural laws in Sec. 164, 281, 463 of the Criminal Procedure Code. It is presumed that a person will not make an untrue statement against his own interest. 

It has been held in Palvinder Kaur v. State of Punjab[ AIR 1952] that confession must either be accepted or rejected as a whole and the court is not competent to accept only the inculpatory part while rejecting the exculpatory part as incredible. Moving towards the further procedures of confession, let’s see what are the laws related to it.

WHEN CONFESSION WILL BECOME IRRELEVANT (Sec. 24-26)

Sec. 24- Confession caused by inducement, threat or promise, when irrelevant in a criminal proceeding.

Sec. 24 of the Indian Evidence Act states that—A confession made by an accused person will become irrelevant in a criminal proceeding, if it appears to the Court that the confession has been caused by any inducement, threat or promise, having reference to the charge against the accused person and such inducement, threat, promise has proceeded from a person who is in authority and is sufficient, in the opinion of the Court, to give the accused person grounds, which would appear to him reasonable, for supposing that by making it he would gain any advantage or avoid any evil of a temporal nature in reference to the proceedings against him.

Here authority is not merely a police officer or a judicial magistrate but every such person who reasonably holds sway over investigation or trial.

Sec. 28 make this section relevant only if the threat, promise, or inducement is fully removed before recording the confession.

Sec. 25 – Confession to a police officer

A confession made to a police officer shall not be proved against an accused who made it and this confession will be held as inadmissible. The reason behind this is police officers are often regarded as untrustworthy.

But in the case Sita Ram v. State of UP [AIR 1966 SC], a confession was written to a letter and signed by the accused and addressed to a police officer was held to be admissible as the letter was not written in the presence of police officer.

Sec. 162 of CrPC also enacts that no statement made by any person to the police officer in the course of an investigation shall if taken down in writing, be signed by the person making it, then such writing will not be used as evidence.

Sec. 26 – Confession in police custody

A confession made by any person in the custody of police will be held inadmissible unless it shall be recorded in the immediate presence of the Magistrate.

The object of Sec. 25 and 26 is to prevent the practice of torture by the police for the purpose of extracting a confession from the accused person. A confession made by any person in the custody of police is held inadmissible in law because it is against the rule of natural law. The presence of the Magistrate secures the free and voluntary nature of confession.

HOW MUCH OF INFORMATION RECEIVED AGAINST ACCUSED MAY BE PROVED

Sec. 27 of the act states that if the confession of the accused is supported by the discovery of a fact then it may be presumed to be true and not to have been extracted and it comes into operation only if-

• When certain facts are deposed to as discovered in consequence of information received from an accused person in police custody.

• If the information relates distinctly to the fact discovered.

This section is an exception to Sec. 25 and 26. The object of this section is to admit the evidence which is relevant to the matter under inquiry namely the guilt of the accused and not to admit the evidence which is not relevant to that matter. The very first condition to bring sec. 27 into operation is the discovery of a fact in pursuance of information received from the accused. Where the accused made the disclosure statement leading to the discovery of offence then the statement of the accused will be admissible.

CONFESSION OTHERWISE RELEVANT NOT TO BECOME IRRELEVANT

Sec. 29 of the Indian Evidence Act states that, if the confession is made under a promise of secrecy or in consequence of deception which has been practised on the accused, or when he was drunk, or when it was made as an answer for a question which the person making it is not supposed to answer or if he was not warned that he was bound against his confession, for the purpose of obtaining it then such confession will not become irrelevant.

Sec. 164 of CrPC provides the formalities to be undergone by a Magistrate in recording confession. The magistrate has a duty to explain the pros and cons. Of confession to a person making it. But the abovementioned section does not make a confession irrelevant because the accused was not warned that he was not bound to make it.

Sec. 30 of the act states that when more than one person is jointly accused of the same offence and if one of the co-accused makes a confession regarding himself and some other such persons, the court will take that confession into account against the accused and his co-accused. In Kashmira Singh v State of MP (AIR 1952 SC159), the court held that the confession of an accused person against a co-accused will not run evidence as it does not come within the meaning of evidence contained in sec.3 of the evidence act.

CONCLUSION

After all the terms “confession and admission” were coined for evidentiary use, courts have endeavored to draw clear distinctions between them. Conclusively, it can be said that the admission has a vast scope than confession, as the hindmost comes under the ambit of the former. Hence, every confession is an admission, but the reverse is not true.

The major difference between these two is that in the case of confession, the conviction is based on the statement itself, however, in the case of admission, additional evidence is required, to support the conviction.

The distinction between a confession and an admission is not based upon a practical clarification but is based upon the substantive differences of the character of the evidence extrapolated from each. This is to say, a confession is a direct acknowledgment of guilt, on the part of the accused, and by the very definition of it, ostracized an admission which of itself is a statement, oral or documentary, that enables the court to recollect a conclusion as to any relevant fact or fact in issue. It will be meticulously to say that every confession, is an admission but every admission doesn’t necessarily amount to a confession. In other words, a confession is an admission provided that a person charged with a crime, standing or suggesting the inference that he committed the crime, makes it at any time.

WhatsApp Chats as evidence in courts: Case Laws in India

Whatsapp is an instant text messaging application, as of October 2020 it is used by more than 2 billion users in more than 180 countries. Its use has become so prevalent that it has become a primary mode of communication for many individuals. Many parties now use Whatsapp even for business purposes, such as communicating with clients, sending documents or even negotiating contracts.

As a cyber lawyer, one of the questions I get asked frequently is whether Whatsapp messages can be adduced as evidence in court.  Some clients think that because of its “informal” nature, Whatsapp messages would not be admissible as evidence. However, this assumption is inaccurate since there have been many instances where the Indian Courts have allowed Whatsapp messages to be adduced as evidence. 

In January 2021, the Punjab and Haryana High Court had observed that WhatsApp messages will have no evidentiary value unless they are certified as per Section 65B of the Indian Evidence Act (Rakesh Kumar Singla vs Union Of India) .

In State of Haryana Versus Hardik Sikri & Ors, On May 24, 2017 the haryana state trial court recognized WhatsApp chat as evidence and sentenced the three former law students of OP Jindal Global University in Sonepat – 20 years imprisonment to main accused Hardik Sikri and his friend Karan Chhabra for gangraping and blackmailing a junior management student for two years, and seven-year jail term to third accused Vikas Garg. 

“The WhatsApp chats running into pages is so abusive and vulgar that the extracts of the same cannot be explained and put into the judgment and what only can be concluded through the WhatsApp chat is that the prosecutrix (victim) was totally under control and dominance of the accused, Hardik,” additional sessions judge (ASJ) Sunita Grover

In Ambalal Sarabhai Enterprise Ltd v KS Infraspace LLP Limited and Another, the Supreme Court, while hearing a petition challenging an injunction order made a reference to the Whatsapp chats produced as evidence in the case. "The WhatsApp messages which are virtual verbal communications are matters of evidence with regard to their meaning and its contents to be proved during the trial by evidence - in - chief and cross-examination. The emails and WhatsApp messages will have to be read and understood cumulatively to decipher whether there was a concluded contract or not".

There is a recent order of the Gujarat High Court as well, which referred to Whatsapp conversations to form a prima facie opinion regarding grant of bail (Chirag Dipakbhai Sulekha vs State Of Gujarat)

The Delhi High Court in a case has held that a Whatsapp forward message, without an unknown source, cannot be treated as evidence (National Lawyers Campaign for Judicial Transparency and Reforms v Union of India). The Court held that such a forwarded message, without its original, cannot be regarded as a 'document' under the Evidence Act.

In Nivrutti Gaikwad Versus State of Mah. & Pooja Gaikwad (2020(2) Criminal Court Cases 735 (Bombay)

 It was held that Exchange of messages on personal account of two persons, Not public place - However, if messages are posted in Whatsapp Group then it is public place as all members of the group have access to those messages.

SBI Cards & Payments Services Pvt Ltd. Versus Rohidas Jadhav Hon. Justice Patel of Bombay High Court was of opinion that "The Respondent to the Execution Application has been evading service of this Notice under Order XXI Rule 22 of the Code of Civil Procedure 1908. He was served by an authorized officer of the Claimant, Ms Fatema Kalyanwala by sending a PDF and message to his mobile number as a WhatsApp message. For the purposes of service of Notice under Order XXI Rule 22, I will accept this. I do so because the icon indicators clearly show that not only was the message and its attachment delivered to the Respondent’s number but that both were opened." A Bluetick was considered as acknowledgment. 

The NCLAT in the matter of Bhandari Hosiery Exports Ltd. & Ors vs. In-Time Garments Pvt. Ltd., Company Appeal (AT) (Insolvency) No. 143 of 2019, decided on 1 March 2019,  took on record a text message sent over WhatsApp messenger by a corporate debtor to an operational creditor complaining about the quality of goods supplied. On basis of this WhatsApp message, the Court held that there was a ‘pre-existing dispute’ under Section 9 of the Code and accordingly Insolvency Application could not be admitted on account of a pre-existence dispute.

Moreover, Hon. Supreme Court of India, vide Order dated 10.07.2020 in Suo Moto Writ Petition (C) No. 3/2020 in 'Re: Cognizance For Extension of Limitation' had allowed the service of summons via electronic mode including WhatsApp. 

Liability of Group Admin

WhatsApp group admin can’t be held liable for member’s post unless common intention shown held by Bombay High Court :Alleged Crime was under Section 67 of the IT Act, 2000 (related to obscenity)

Kishor v State of Maharashtra [2021] GCtR 787 (Nagpur, Bombay HC) 01/03/2021 in Criminal Application (APL) 573/2016 .

MADRAS High Court Another Judgement 

If the petitioner had played the role of a group administrator alone and nothing else, then while filing final report, the petitioner's name shall be deleted. If some other material is also gathered by the first respondent so as to implicate the petitioner, then of course the petitioner will have to challenge the case only on merits."

R. Rajendran v. The Inspector of Police & Kathirvel

Case No: Crl.O.P.(MD)No.8010 of 2021 & CRL.M.P.(MD)No.4123 of 2021

Forse v Secarma Ltd , Wells and Solari v PNC Global Logistics, Darren Case v Tai Tarian are some of the foreign case laws 

Conclusion :

The general principle is that Whatsapp messages in the form of print outs  or the mobile device showing chats can be admissible as evidence.  This is especially where there is no dispute as to the authenticity of the Whatsapp message, and no dispute as to the identity of the parties to the Whatsapp conversation.  Bearing in mind the findings of the cases above, parties who intend to adduce Whatsapp messages as evidence in their court cases should still ensure that:

• the snapshots of their discussions contain the necessary information to identify the sender/recipient of the messages.
• The owner of the phone or laptop or computer from where the WhatsApp chats are extracted/printed should produce a signed IEA section 65B certificate.
• they don’t wholly rely on Whatsapp messages to build their case, especially when there are other documents available that would be able to conclusively prove the facts in issue.
• If the print out of chat is produced with IEA section 65B certificate it will be considered as secondary evidence, if the phone or laptop or computer is produced it will be considered as primary evidence

Advocate (Dr.) Prashant Mali is a practicing Cyber Lawyer and is considered Authority in Electronic Evidence matters.