Seizing Power

Why the IT Act is dangerously open to procedural misuse

Gaps in the IT Act, which is governed by the CrPC, allow unchecked discretion to authorities investigating potential offences.
01 January, 2013

IN THE WAKE OF THE SHIV SENA CHIEF Bal Thackeray’s death on 19 November, Mumbai almost completely shut down. Offices closed, shops shuttered, and residents holed up indoors, as the party’s supporters forced a bandh on the city to honour their leader’s life. Shaheen Dhada, a 21-year-old medical student, was hardly alone in her annoyance; her reaction, in keeping with the zeitgeist, was to post a message on Facebook, lamenting that “everyone just goes bonkers” because “one politician died a natural death”. Her friend Renu Srinivasan, upon reading the post, hit the “Like” button, ostensibly expressing her support for Dhada’s sentiment. Within hours of the post, police officers arrested both Dhada and Srinivasan under Section 66A of the Information Technology Act of 2000 (The IT Act), a sweeping provision of law that treats as a criminal offence online speech that so much as offends another person or causes “annoyance” or “inconvenience” (among other things). Offences under Section 66A are also cognizable, meaning police have the power to register a first information report, investigate, and arrest the accused—all without a warrant from a court of law.

In the aftermath of the young women’s arrests—they have since been released—there has been a popular uproar over Section 66A, which many consider a patently unconstitutional provision. There have been widespread calls for the repeal of the law, and two public interest litigations have been filed questioning the provision’s validity, one in the Madras High Court and another in the Supreme Court. Demands for an amendment to the section have also been debated in the Rajya Sabha.

But in the clamour over the illegality of the substantive contents of Section 66A, procedural gaps in the law, which have an equally pernicious impact on our civil rights, have been completely overlooked. In fact, the IT Act in its entirety is susceptible to wanton executive abuse.

The act, which was amended in 2008, is meant to function as an absolute law governing all rights and obligations in the cyber world. But, as is the case with most laws that create criminal offences, it depends on the Code of Criminal Procedure of 1973 (the CrPC) for many of its procedural requirements. When an offence occurs under the IT Act, the diktats of the CrPC govern how that offence is investigated, how evidence is collected, how an accused is arrested, and all other such procedural questions. Without specific rules on how cyber crimes ought to be investigated (whether under 66A or another law), reliance on the CrPC puts in serious jeopardy any remaining right to privacy that we enjoy in the digital world—and ends up placing largely unbridled discretion in the hands of the police. As history has shown us, this only serves to affront our constitutionally guaranteed fundamental rights.

A recent public interest litigation filed by a Delhi student, Shreya Singhal, highlights some of the failings caused by the reliance on the CrPC. For instance, Section 156(1) of the criminal code empowers the police to investigate cognizable offences, such as those under Section 66A of the IT Act, without an express order from a magistrate. All that the officer needs to do in such a case is to record his reasons in writing. (The objective behind requiring investigating officers to take this minimal precaution was to prevent the police from entering into someone’s home and taking away his or her private property without cause.) Section 41 of the CrPC allows the police to arrest, without a warrant, any person who has committed such an offence.

If it weren’t for the substantive wordings of 66A, under which a mere statement causing annoyance can be considered a crime, the discretion bestowed through the joint workings of the IT Act and the CrPC may not by itself have been of particular concern. Police have a more perturbing form of discretion, however, which has hitherto largely been ignored. This arises from a lack of search-and-seizure guidelines for digital information, a gap in the law that is either a product of gross legislatorial oversight or an act of intelligent repression.

With most criminal statutes, relying on the CrPC is not a cause for alarm; the CrPC contains substantial insights on how crimes in general ought to be investigated. But the search-and-seizure jurisprudence ingrained in the code is predicated on the concept of physical property—think police rummaging through piles of papers and boxes. Typically, if the police, while investigating a crime, want to rifle through documents in your office, search your house for contraband, or even seize your computer’s hard-disk, they will likely approach a magistrate. The magistrate then issues appropriate orders—either a summons or, if that fails, a search warrant—and the wheels of the investigation are set in motion. Section 165 of the CrPC allows officers investigating cognizable offences to search for documents without a court’s warrant if they believe there is a likelihood of undue delay.

But what about cases where the authorities want to go through your Gmail inbox, or a comment that you made on a private Facebook group? Trickier still, what if they want access to information that exists in an online cloud—information that is neither here nor there, information that presents all kinds of jurisdictional headaches? The idea of documents existing on a cloud was unfathomable at the time of the CrPC’s drafting and the code justifiably pays little attention to the unique concerns of searching for and seizing such information. Now, under the guise of investigating an offence, law enforcement officials can access all kinds of private data with no authority enforcing limits on the scope of their searches.

Technically, the language in our relevant laws—sections 91 to 93 of the CrPC—is wide enough to allow virtual places to be subjected to a search warrant. But the procedure for such a search is decidedly vague, and effectively grants a free hand to the police. In the US, for example, newer and more advanced technologies, such as GPS, cell-site data, and domestic surveillance drones, have posed substantial challenges to previously established protections of law; there is much that law enforcement agents there can do without their activities being categorised as a search and therefore being subject to relevant regulations. Likewise, in India, search and seizure have generally been interpreted on an idea of physical property, and as technology expands, the infractions on our inherent right to privacy, which enjoys but a chequered history in the country, will only mount.

The right to privacy finds no mention in the Constitution, and it is only through the Supreme Court’s activism that it has been read into Article 21 of the Constitution, meaning it can now only be denied by a just, fair and reasonable procedure established by law. In PUCL vs. Union of India, a 1997 case that ensued from arbitrary wiretapping of politicians’ telephone lines by the Central Bureau of Investigation (CBI), the Supreme Court, faced with a lack of legislatorial safeguards concerning interception of telecommunications, established a set of guidelines by recognizing the grave threat to our right to privacy posed by activities such as the CBI’s. “Right to privacy would certainly include telephone-conversation in the privacy of one’s home or office,” Justice Kuldip Singh wrote. “Telephone-tapping would, thus, infract Article 21 of the Constitution of India unless it is permitted under the procedure established by law.”

Based on the guidelines issued by the Supreme Court in the PUCL case, the government in 2009 (a good nine years after the IT Act was drafted) issued rules regarding general surveillance on the Internet, including the interception, monitoring and decryption of information. These rules present their own set of threats to civil liberties—Google’s latest Transparency Report, for instance, shows that India made more requests for user data than any country bar the US; the company complied with 64 percent of India’s requests, revealing information from 3,467 accounts. While this goes to show the importance of the safeguards under the 2009 rules from the point of view of broad surveillance, the more run-of-the-mill investigations of cyber crimes are still devoid of any specific guidelines.

In response to this statutory void, the legislature may point toward Sections 91 to 93 of the CrPC and say that an investigating officer, when he is unable to access an email or a post on Facebook, is well within his rights to approach a magistrate and request a summons or a search warrant. These measures are academic in the case of cognizable offences such as 66A; but even when a search warrant is issued, how exactly is the information to be obtained? Is the investigating officer supposed to contact the service provider (such as Google or Facebook), or should the user be forced to reveal the information? The latter would be a clear violation of Article 20(3) of the Constitution, which establishes a fundamental right against self-incrimination: “No person accused of any offence shall be compelled to be a witness against himself.” Therefore, the only logical option available would be to contact the service provider. But is this to be done in accordance with the 2009 rules, which deal with general surveillance as opposed to investigation of offences—or can the police approach the issue in any manner they find befitting? This lack of clarity merely serves to encourage executive excess.

It is therefore important not merely to question the contents of 66A, but also to probe into how the alleged offences that led to the recent spate of arrests were investigated. A few days after the revelations of Dhada’s and Srinivasan’s arrests, news broke of the arrest of a pair of Air India employees, who spent 12 days in jail over comments made against the Congress party in a private Facebook group—a group accessible only to a select number of members. The police, apart from arresting the individuals, also reportedly seized their Air India identity cards, passports, laptops and mobile phones.

According to a report in The Hindu on 24 November, a first information report in the Air India employees’ case was lodged in March and was followed by arrests only in May. The investigation apparently took well over a year, but neither employee was summoned even once. Presumably, then, the arrests were made either without a perusal of the employees’ comments, or the private comments were accessed without summons. Worryingly, under the present laws, the latter course of action might have been perfectly legal.

Such whimsical, unjust police acts are one thing; but the matter is compounded by the fact that even illegally obtained evidence may still be admissible in court. As a result, it may not matter much whether the police have the right to search your emails or Facebook groups without warrant.

The lack of guidelines and the inadequacy of the CrPC mean that the procedures for investigating cyber crimes are even more dangerous and threatening to our civil liberties than previously believed. In the long run, online surveillance is only bound to mount.

In order to protect privacy and maintain even a modicum of human dignity in the online world, it is necessary that the IT Act be amended so that the procedures for investigations are laid out with greater care. To not have basic legal safeguards in place would only cause an injustice as grave as the one that the wordings of Section 66A have inflicted.