Friday, July 13, 2012

Encryption and Self-Incrimination

Encryption of data is a means to secure and sensitive private data and prevent third parties from obtaining that information. It is a part of our everyday life, and we come across encryption each time we conduct an online transaction through our credit/debit cards, or install a new software on our computer by inserting the product key. The easy availability of such software however makes it easy to be used for a number of nefarious purposes, with "criminals including drug traffickers, pedophiles and terrorists [turning] to encryption to conceal their activities". To drive home the point of the security issue, you can see a slightly old but very compelling list of incidents involving encryption here. 
This reality has prompted States to enact key disclosure laws so that law enforcement is not crippled when faced with encrypted data, thus providing for compelling individuals to produce encryption keys. These laws pose searching questions for legal regimes which provide a right against self-incrimination, as witnessed in the U.K. and U.S.A. India also provides for compelled disclosure through s. 69 of the IT Act, 2000, but it has somehow remained under the radar for more than a decade in spite of the Constitution providing a fundamental right against self-incrimination through Article 20(3). Through this comment I seek to explore this aspect of s.69, reminding us of the challenges that the right against self-incrimination creates and faces in an era of intense security and surveillance.

Supreme Court on Self-Incrimination

It is essential to provide a background sketch of the law on self-incrimination in India today, as that will shape any interpretation which the Court adopts. The Supreme Court in the early years of independence gave many significant rulings on interpretations of Part III Articles, and one such ruling was M.P. Sharma v. Satish Chandra where the scope and extent of Art 20(3) was clarified. Speaking for a unanimous bench, Jagannadhadas, J. famously held that, “[t]o be a witness is nothing more than to furnish evidence … indeed, every positive volitional act which furnishes evidence is testimony”, making it clear that oral and documentary evidence could come within the confines of Art 20(3).

This catch-all phrase did not hold the field for long though and less than a decade later, eleven judges in of that Court in State of Bombay v. Kathi Kalu Oghad reconsidered the matter. By an 8-3 majority, the concept of “personal knowledge” as the key constituent of evidence for Art 20(3) was introduced and continues to be the test today. The scope of 20(3) was significantly restricted, and evidence such as fingerprints and handwriting exemplars were excluded from its ambit since they did not have a communicative, personal aspect, and were independent of the will of the person as such. An equal if not more important development ignored by textbooks, is the shift in the approach of the Court; from focusing on the positive volitional acts of testimony, the focus was now the testimony itself. It has remained so since.

There exist few areas of self-incrimination law where Kathi Kalu Oghad has not penetrated, and one such area is specifically relevant to this discussion. Would the power to compel production of documents or other issue a summons under s. 91 of the Code of Criminal Procedure (“Cr.P.C”) (s. 94, Cr.P.C. 1878) apply to an accused person, given the protections of Art 20(3)? A Constitution Bench answered this question in Shyamlal Mohanlal v. State of Gujarat and held that this power could not be exercised vis-a-vis accused persons, as it would violate Art 20(3). Reservations were expressed subsequently, but the decision remains good law on the specific issue outlined therein.

Why do I refer to Shyamlal as a decision of particular importance? Both s. 69 of the IT Act and s. 91 of the Cr.P.C. depend on compelling the individual to produce the necessary information. Taking the decision in Shyamlal to its logical conclusion, one would find it difficult to argue that compelling an accused to produce encryption keys or assist in decryption would not offend Art 20(3). If the Court would have been more receptive of the testimonial-physical distinction brought in by Kathi Kalu Oghad, then such an outright restriction would certainly not be the outcome.

Evidentiary Nature of Encryption Keys

Shyamlal does present a stumbling block, but not an insurmountable one. Given the almost universal acceptance of the Kathi Kalu Oghad approach and dictum, combined with a growing tendency to ease the burden on the  the prosecution in establishing its case, a reconsideration of Shyamlal today I believe would almost certainly result in a different outcome. Rather than a blanket exclusion, the matter would possibly turn on the nature and characterisation of evidence involved - only production of evidence independent of the accused's will could be compelled under s. 91. The same thus becomes crucial in context of encryption keys. English and American Courts have grappled with this specific issue already and provide valuable insight.

The English Experience

State access to keys was provided in s. 49 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) which like the IT Act only allows for decryption directions when necessary. Arguments were made that the section offends Art 6 of the ECHR, but were not given much credence at the time. These claims formed the principal arguments in R v. S and the reasoning adopted by the Court of Appeal is of particular interest. Briefly, the Police issued notices to both defendants compelling them to provide the encryption keys to the hard drives without which the data was rendered inaccessible. The defendants toed the Art 6 line. Noting the observations of the European Court in Saunders, the question became whether the key itself would be evidence dependent of the will of the accused – or testimonial evidence in Indian parlance. The Court held it did not, employing the oft-used analogy of the locked drawer: just as the key to that locked drawer exists independent of the will of the accused, so does the encryption key. The act of giving the key itself was not incriminating, but comparable to giving blood or urine samples.

The American Experience

The American judiciary first gave the notable judgment on this issue with the District Court of Vermont deciding In Re Boucher, subsequently appealed by the State. The Police when navigating through Boucher's laptop with his consent found files containing child pornography, but could not access this material later as the relevant files were protected by encryption. This required a password which only Boucher knew and for which he was subpoenaed. While the District Court held for Boucher, the Appellate Court reversed the decision allowing the subpoena. Importantly, both courts understood encryption keys analogous to a combination for a safe rather than a key to a drawer, holding it therefore to be evidence revealing the contents of Boucher’s mind and thus not independent of his will. The 11th Circuit Court of Appeals in February 2012 decided John Doe, which was very similar on facts. The Government argued the locked drawer analogy, which was rejected again. For the Court, producing the encryption key would be testimony of the accused’s “knowledge of the existence and location of potentially incriminating files; of his possession, control and access to the encrypted portions of the drives; and his ability to decrypt the files.”

Which Road to Take?

I believe, assuming the Court agrees Art 20(3) is engaged, that the American approach is theoretically and pragmatically more sound as against the English one. Analogising encryption keys to locked drawer situations would take away the fundamental nature of their intangibility, something for which the English Court has been criticised. Such evidence relies on the contents of the accused's mind and compulsion to produce it would amount to giving “personal knowledge” of the facts. Furthermore, in fact situations such as John Doe and R v. S (as per the record) the act of producing the key would not be “neutral”, and have communicative aspects as highlighted by the American courts.

Recognition of the engagement of the right against self-incrimination is followed by the next important step of balancing the claims involved. Here again American jurisprudence proves handy. In both Boucher and John Doe, the case actually turned on what is called the "foregone conclusion” doctrine. Simply put, compelling an accused to produce evidence would not engage self-incrimination rights if the existence and location of that evidence is a “foregone conclusion” by virtue of it being known to the investigating agency through other independent sources. Thus such testimony “adds little or nothing to the sum total of the Government’s information.” Indian jurisprudence has primarily focused on reliability of evidence as a rationale behind Art 20(3), which is supplemented by the concept of fairness underlying criminal trials. It is argued that the doctrine fits neatly in this framework. Not only does it augment reliability of evidence for which the sole source was otherwise the accused himself, but it also makes compulsion on the accused seem less abhorrent since he is not providing evidence to which the authorities otherwise had no access at all. It would be a mistake to criticise this position merely for it takes assistance of the accused: a high burden of proof in criminal law is not an exclusive burden upon the State forbidding assistance from the accused and mustn't be confused as such.

Thus I believe this approach offers a fitter alternative to the current position espoused by Shyamlal. It does indeed involve judicial appreciation that can turn controversial, but provides a helpful starting point nonetheless. 

Post by Abhinav Sekhri, who studies law at the National Law School of India University, Bangalore.

1 comment:

thenumber10 said...

Unfortunately the links provided don't seem to be functioning, so I'm giving some important links here for reference

1. s. 69 of the IT Act: http://www.vakilno1.com/bareacts/informationtechnologyact/s69.htm

2. MP Sharma v. Satish Chandra:
http://indiankanoon.org/doc/1306519/

3. State of Bombay v. Kathi Kalu Oghad:
http://indiankanoon.org/doc/1626264/

4. s. 91 of the CrPC:
http://www.vakilno1.com/bareacts/CrPc/s91.htm

5. Shyamlal Mohanlal v. State of Gujarat:
http://indiankanoon.org/doc/1861858/

6. R v. S (Court of Appeal UK):
http://www.bailii.org/cgi-bin/markup.cgi?doc=/ew/cases/EWCA/Crim/2008/2177.html&query=decryption&method=boolean

7. In Re Boucher (Dist. Court):
http://www.volokh.com/files/Boucher.pdf

8. In Re Boucher (Court of Appeal):
http://federalevidence.com/pdf/2009/03-March/InreBoucherII.pdf

9. USA v. John Doe:
http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf

Abhinav Sekhri