Digital Forensics in the Privacy Dominated world

Digital Forensics is the art and science of discovering information. We often use this term for a situation where we need to find information which is not clearly visible in the ordinary course of a transaction. The key aspect of “Forensics” is that the information discovered through the process has to be acceptable to an independent third party leading the investigation or judicial process. Hence the information discovered through a forensic process needs to be capable of being “Evidence” in a judicial process.

A Discovery that does not lead to an “Acceptable Evidence” is of limited use. In an investigation of a crime, Police often extract statements from the accused which are used for further investigation but are not admissible as evidence at the time of trial. However, a statement made before a magistrate may be acceptable as “Admissible Evidence” at the time of trial. Similarly, a technical extraction of information could be loosely called “Forensic Discovery” but for it to be respected as “Forensic Discovery”, it needs to be acceptable as “Evidence”.

How a piece of information becomes acceptable as “Evidence” is a matter determined by the “Law of the Land”. What is accepted as evidence in Courts in the USA may not be acceptable as Evidence in a Court in India. Similarly, what is accepted in a Civil Court may not be accepted in a Criminal Court. What is accepted in a departmental enquiry, a Family Court or an Arbitration may not be acceptable in another forum.

Thus, a Forensic investigator needs to always keep in mind the objective of his forensic activity and ensure that the end result of his effort becomes useful as a “Forensic Evidence”.

Sometimes an investigator may acquire information through means which are not straightforward or may involve deception or even illegal methodology. In such cases, the Courts may hold different views about the admissibility of the evidence in the first place and about the liability of the investigator who has used unethical or illegal methods of acquiring the evidence.

In the case of Digital Forensics in India there are two specific laws that the Forensic investigator needs to take note of, to ensure that his work is admissible as evidence in a Court without dispute and does not create a reverse charge of illegality against him.

First is the more familiar requirement of a Certificate under Section 65B of the Indian Evidence Act 1872 as amended by the Information Technology Act 2000, effective from 17th October 2000. According to this 20-year-old law, the forensic investigator presenting a report about information in electronic form has to provide an appropriate description of the process through which the evidence was obtained and the tools or devices used for observation, along with his signature and certain warranties that the presented material (say, a printout) is a faithful copy of what he observed, that the computer used was working in a proper condition, etc. As regards the legality of the forensic investigation, the investigator is required to hold an authorization from the person who is the owner of the device in which the observation was made. In this context it is immaterial who owns the data residing inside the computer resource, as long as the permission is obtained from the person in charge of the device.

In case the owner of the data is different from the owner of the device and suffers damage on account of the activity of the forensic investigator, he may make a claim for compensation from the investigator, but the investigator may be indemnified from the liability if he holds a proper authorization. The vicarious liability for the damage, if any, falls on the device owner unless the investigator has exceeded the authority given to him by the device owner as regards what data he can observe and whether any collateral damage is properly indemnified.

In the coming days, another important law of the country is likely to have a significant impact on the activities of a forensic investigator and is expected to add further complications to the above situation. This is the “Data Protection Act of India”, which is presently in the form of a Bill (DPB 2021) before the Parliament and is expected to be passed in February of 2022.

The DPB 2021 is a law designed to protect the Right to Privacy of an individual, which is recognized as a fundamental right of the citizens of India under Article 21 of the Constitution, subject to reasonable exceptions as enumerated in Article 19(2). A decision to this effect was delivered by a Nine Member bench of the Supreme Court of India in its verdict of 24th August 2017 in the now well known case referred to as Justice K S Puttaswamy Vs Union of India.

This act is applicable for “Personal Information” in most of its scope but has one provision regarding the need to disclose a data breach of even “Non-Personal Information”.

The organization which has control over the personal data of an individual and determines the purpose and means of its usage is called the “Data Fiduciary” under the Act and is expected to take care of the right of privacy of the individual to whom the personal information relates. The Act also recognizes that a Data Fiduciary may engage the services of a “Data Processor” under a contractual arrangement, to whom the personal data may be entrusted for further processing. Such a data processor is bound to follow the contractual obligations and, to some extent, also the provisions of the law during the processing.

The Act has provisions to impose hefty fines of up to 4% of the total worldwide turnover of an organization in case of any failure of the data fiduciary to comply with any of the provisions of the law. Some of the provisions also apply to the Data Processor, who may likewise be liable for penalties. If an organization projects itself as a “Forensic Company”, the expectation is that the company has its own tools and methods of investigation (considered as “Processing” under the DPB 2021) and the contract with the data fiduciary cannot specify the complete details of how the processing is to be undertaken. In such circumstances the forensic company may take on the role of a “Joint Data Fiduciary” and cannot rely entirely on the contractual document with the Data Fiduciary, even where it contains a clause indemnifying the investigator from any consequential liabilities.

In the case of an individual forensic investigator, if he is using his own tools and methods of investigation, which is often the case, he would also be considered a “Joint Data Fiduciary”.

In view of the above, Forensic professionals need to be fully aware of the liabilities that may arise in the course of their professional activity, prepare themselves for compliance like a “Data Fiduciary”, and ensure that the contract with the company appointing them as forensic investigators is comprehensive and sufficient to protect the interests of the investigating company as well as its investigators.

It may be noted that the essence of “Privacy” is keeping information “Confidential” and not disclosing it except as “Permitted by law” or as “Consented” to by the data principal to whom the personal information belongs. On the other hand, the essence of “Forensic investigation” is to “dig for truth”. Often the investigator does not know what will come out of his investigation. Most of the time a successful forensic investigator will dig up not only information which unravels the truth behind the transaction he has been appointed to investigate, but also information which is not related to the designated investigation and, many times, information belonging to other persons. Some of this may reveal what could be considered misdemeanours or even cognizable offences.

In such a situation, the investigator comes under ethical and legal scrutiny as to whether he is obligated to keep the information confidential to himself, reveal it to his employers, or reveal it to the company whose information is being investigated. Even if he wants to keep the information confidential, he needs to decide how to archive the information and keep it secure so that it does not leak out from his custody unintentionally.

The Information Technology Act 2000 already prescribes both civil and criminal penalties for acts that contravene the Act. Though Courts do accept evidence as a revelation of truth even when it is obtained illegally, the person who provides the evidence may not automatically be protected from the legal liabilities arising out of the illegal collection of that evidence.

Journalists often engage in “Sting” operations which may not be legal and may even involve “Unauthorised access to information amounting to hacking”; they normally try to claim immunity because they carry out the sting operation in the “Public Interest” and in the course of their journalistic activities. In the case of forensic investigators, there may or may not be “Public Interest” in the primary investigation, and whether there is public interest in the disclosure or non-disclosure of information unearthed during the investigation is left to the wisdom of the investigator. The investigator may have to exercise mature judgement on whether the information has to be disclosed and, if so, to whom. If the disclosure is inappropriate, it could damage the reputation of innocent persons and cause harm that could lead to penalties under the DPB 2021 in addition to ITA 2000.

The harm recognized under DPB 2021 is more complex than under ITA 2000 and without a proper understanding of the law, an investigator would be endangering his profession if he does not ensure that both the “Contract” and the “Conduct” are well within the legal boundaries.

DPB 2021 does provide certain exemptions whereby an organization may undertake fraud investigations or information security related activities involving the processing of personal data without the specific consent of the data principal. Similarly, law enforcement and the Judiciary may enjoy some exemptions. Further, public interest and medical emergencies may also be exempt from the consent requirement.

Where the activity of processing of personal information is not covered under exemptions, the investigator needs to be ready to face the liabilities either directly or under the shield of an effective indemnity built into the contract.

Since this subject is new and “Consent” for “information that a data principal or the data fiduciary does not know it exists” is not clearly addressed in law, the professional forensic investigator needs to arm himself with sufficient knowledge of data protection law and develop a proper methodology to address the compliance requirements.

The Foundation of Data Protection Professionals in India (FDPPI), an organisation that leads data protection related activities in India and is led by the author, has developed a standard called the “Data Protection Compliance Standard of India” (DPCSI) in which an attempt is made to suggest some methodologies for compliance by forensic investigating organizations. This is a pioneering effort on a global scale and also includes the evaluation of an organization for its maturity in implementing data protection measures in the form of a “Data Trust Score”. Forensic investigators need to equip themselves with the DPCSI framework, which is applicable not only to the Data Fiduciaries being investigated but also to the investigator himself in setting up his own systems and practices.

Thus the advent of the new legislation in the form of DPB 2021 will make a significant change to the activities and operations of a forensic investigator and a professional forensic investigating agency. To preserve and promote a career in Digital Forensics, professionals must make the effort to become proficient in the emerging legal changes in the country as well.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.
This entry was posted in Cyber Law.