Naavi.org

The Karnataka High Court in the course of a judgement  has urged the Police to prepare a detailed guideline for seizure of electronic evidence and pending such development, has issued its own minimum guidelines to be implemented.

The judgement has also made some references to the Privacy aspects involved in Forensics and provide some clarity on Polygraph test as well as whether password to a computer device can be refused by the device owner under Privacy issues.

The judgement is likely to be a reference judgement to many Cyber Law practitioners and Forensic investigators.

The  single bench of Justice Suraj Govindaraj said “It would be in the interest of all the stakeholders that detailed guidelines on seizure of electronic evidence by the Police are prepared by the police”.

The copy of the judgement is available here

The Case involved the arrest of an IT professional, subjecting him to a polygraph test to which he has not consented, forcing him to part with the password for his mobile etc. The conduct of the Polygraph test without consent was rejected by the Court.

It did refer to the Puttaswamy Judgement and debated if forcing the password to be disclosed would be a violation of the Privacy.

The Court gave the following opinions on different questions that arose during the investigation.

1. The Investigating Officer, during the course of an investigation could always issue any direction and/or make a request to the accused or other persons connected with the matter to furnish information to provide material objects or the like. This includes  a request to furnish the password.
2. The Court cannot per-se/suo moto issue any directions to the accused to furnish the passwords and direction to cooperate would not amount to a direction to furnish password.
3. In the event the accused not providing the password, the IO can approach the Court seeking for necessary directions to the accused to provide the same. The investigating officer could approach the concerned court seeking for issuance of a search warrant to carry out a search of the electronic equipment.
4. In terms of section 102 of CrPC, if there are any emergency circumstances, including the “Suspicion of any commission of an offence” ,the Police officer could seize the equipment. In such scenario. there must be a recording in writing made by the IO specifying in writing the reasons etc. In normal course IO may issue a notice under section 91 of CrPC calling upon the accused to produce the particular document and if not produced, seek a search warrant from a Court. The data gathered during the course of investigation should not by itself be a proof of guilt which has to be separately established.
5. The Use of data during the course of investigation would not amount to a violation of the right to privacy and would come under the exceptions carved out in the Puttaswamy case. However, in no case could such details be provided by the IO to any third party without written permission of a Court. In case of dereliction of this duty the IO can be proceeded against.
6. The Investigating agency would be at liberty to engage a specialized agency required to crack the password if the password given is wrong.
7. Provision of the password does not amount to providing testimony. The data available on the mobile or computer has to be separately proved.

The Court however did not highlight the role of a non cooperating intermediary and whether he could be proceeded against as an abetter.

Following the above observations, Court felt that the following minimum guidelines may be implemented by the Police for seizure.

17.5.1: When carrying out a search of the premises as regards any electronic equipment, Smartphone or e-mail account the search team to be accompanied by a qualified Forensic Examiner.

17.5.2. When carrying out a search of the premises, the investigating officer should not use the computer or attempt to search a computer for evidence. The usage of the computer and/or search should be conducted by a properly authorized and qualified person, like a properly qualified forensic examiner.

17.5.3. At the time of search, the place where the computer is stored or kept is to be photographed in such a manner that the connections of wires including power, network,. etc., are captured in such photographs.

17.5.4. The front and back of the computer and or the laptop while connected to all the peripherals are to be taken.

17.5.5. A diagram should be prepared showing the manner in which the computer and/or the laptop is connected.

17.5.6. If the computer or laptop is in the power-off mode, the same should not be powered on.

17.5.7. If the computer is powered on and the screen is blank, the mouse could be moved and as and when the image appears on the screen, the photograph of the screen to be taken.

17.5.8. If the computer is powered on, the investigating officer should not power off the computer. As far as possible, the investigating officer to secure the services of a computer forensic examiner to download the data available in the volatile memory i.e., RAM since the said data would be lost on the powering down of the computer or laptop.

17.5.9. If the computer is switched on and connected to a network the investigating officer to secure the services of a forensic examiner to capture the volatile net work data like IP address, actual net work connections, net work logs, etc.,

17.5.10. The MAC address also to be identified and secured,

17.5.11. In the unlikely event of the Forensic examiner not being available, then unplug the computer, pack the computer and the wires in separate faraday overs after labeling them.

17.5.12. In case of a laptop if the removal of the power cord does not shut down the laptop to locate and remove the battery.

17.5.13. If the laptop battery cannot be removed, then shut down the laptop and pack it in a faraday bag so as to block any communication to the said laptop since most of the laptops, nowadays have wireless communication enabled even when the laptop is in the stand by mode.

17.6. Seizure of networked devices: Apart from the above steps taken as regards seizure of the computer, laptop, etc., if the said equipment is connected to a network:

17.6.1. To ascertain as to whether the said equipment is connected to any remote storage devices or shared network drives, if so to seize the remote storage devices as also the shared network devices.

17.6.2. To seize the wireless access points, routers, modems, and any equipment connected to such access points, routers, modems which any some times be hidden.

17.6.3. To ascertain if any unsecured wireless network can be accessed from the location. If so identify the same and secure the unsecured wireless devices since the accused might have used the said unsecured wireless devices.

17.6.4. To ascertain who is maintaining the network and to identify who is running the network – get all the details relating to the operations of the network and role of the equipment to be seized from such network manager.

17.6.5. To obtain from the network manager, network logs of the machine to be searched and/or seized so as to ascertain the access made by the ·said machine of the net work.

17.7. Mobile devices: 

Mobile devices would mean an include smartphone mobile phone, tablets GPS units, etc., during the course of seizure of any of the mobile devices apart from the steps taken in respect of a computer and/or laptop, the following additional steps to be taken.

17.7.1 Prevent the device from communicating to network and/or receiving any wireless communication either through wifi or mobile data by packing the same in a faraday bag.

17.7.2. Keep the device charged throughout, since if the battery drains out, the data available in the volatile memory could be lost.

17.7.3. Look for slim-slots remove the sim card so as to prevent any access to the mobile network, pack the sim card separately in a faraday bag.

17.7.4. If the device is in power off mode, the battery could also be removed and kept separately.

17.7.5. If the device is powered on, then put it in an aeroplane mode in android device or airplane mode in a lOS device.

17.8. In an the cases above, the seized equipment should be kept as far as possible in a dust free environment and temperature controlled.

17.9. While conducting the search, the investigating officer to seize any electronic storage devices like CD, DVD, Blu-Ray, pen drive, external hard drive, USB thumb drives, solid-state drives etc., located in the premises, label and pack them separately in a faraday bag.

17.10. The computer storage media, laptop, etc., to be kept away from magnets, radio transmitters, police radios etc., since they could have an adverse impact on the data in the said devices.

17.11. To carry out a search of the premises to obtain instructions manuals, documentation, etc., as also to ascertain if a password is written down somewhere since many a time person owning equipment would have written the password in a bo0k, writing pad or the like at the said location.

17.12. The entire process and procedure followed to be documented in writing from the time of entry of the investigation/search team in to the premises until they exit.

It appears that the Police did not invoke Section 69/69A of the ITA 2000 with a due notification from an appropriate authority.

It is to be appreciated that the honorable judge has taken enormous efforts to put together a guideline which will be useful to the Police.

Naavi

US is a land where commercial exploitation is the natural business strategy. The Face Book, Google, WhatsApp are all representations of such  “Money First” approach. The laws are therefore often used to make money while pretending to protect the common man.

The “Ambulance Chasers” are a creation of this tendency. A new genre of “Ambulance Chasers” are now emerging in the light of the “Privacy Laws” which try to provide several rights to the Data Subjects to protect their sense of Privacy.

We had discussed in our earlier article “How Do I harass a Company with GDPR”?how a Company was harassed by a data subject by an unreasonable pursuit of a a valid right with no substantiation of the “Harm”.

Presently it appears that some companies in USA have started a business by which they can represent such data subjects and raise claims on other companies apparently in trying to protect the interest of the data subject but more surreptitiously to extort money from companies.

The business model of Privacybee.com is one such attempt where  the modus operandi starts with an innocuous looking e-mail is sent to a company stating that X is my customer and please let me know whether his/her personal data is being processed by your company. There will be no “Verification” of the data subject nor a digitally signed e- mail request. It does not substantiate what harm has been caused to the data subject by the suspected processing of personal data of their customer by the noticee.

To answer this query the Company has to search its data base for the name of the data subject with only such supporting information as an “E Mail Address”.  Even if the Company cannot find any data, if the Company has to commit it through an e-mail, it has to make a “Personal Data Discovery attempt” probably through an external consultant and certify the findings under Section 65B of Indian Evidence Act before responding that no data is being processed for X.

The cost of this exercise is disproportionate to the basic cause which is “Prevention of harm to the data subject”. Privacybee.com does not send/ provide evidence about how it has obtained the right to represent the data subject. Instead it sends out a link which is meant to promote subscription to its service. It refers to a page claiming to show “Power of Attorney” authorizing the request which may lead to a 404 page.

Indian companies may remember that a “Power of Attorney through Electronic Document” is not recognized under Indian ITA 2000 (Section 1).

The notice exercises a “Right to Forget” which according to Indian PDPB 2019 requires adjudication.

The notice does not provide any context where the consent might have been given and simply declares that consent is withdrawn. Indian PDPB makes it necessary for withdrawal of consent to be justified and in unreasonable withdrawal, expect the data subject to bear the cost.

The notice makes references to several  data protection laws both from US jurisdiction and EU jurisdiction (known to privacybee.com) without establishing how the data subject and the notice receiving company is related to the relevant law.

As expected the notice ends with a “Threat” of legal action if no reply is sent within one month. In the absence of the proof of damage or harm caused to the data subject the threat of legal action does not stand judicial scrutiny.

When such e-mail notices are received by Indian companies, Naavi.org considers them as an “Attempt to harass and extort money” from Indian companies. We have flagged this incident with the Ministry of Information Technology and the CERT-IN .

While the PDPB-2019 was being drafted, we have repeatedly brought to the notice of the Justice Srikrishna Committee as well as the JPC that Indian data processing companies need to be protected against misuse of such privacy related notices by introducing a provision that

“No legal action against a registered Indian data processor would be permitted without sanction from the Indian Data Protection Authority.”

We called it as the “Umbrella Protection”

We have also repeatedly suggested that Indian companies should provide for a GDPR Exclusion clause in their Privacy Policies to expressly disclaim the jurisdiction of GDPR and other foreign laws.

This issue is some thing that Nasscom should address in the interest of the Indian data processing companies. However NASSCOM and DSCI may be more interested in fighting against Indian data protection legislation rather than taking up such public causes.

A time has come now for Naavi.org to consider representing such victim companies who are being harassed by privacybee.com type of vultures.

We may remember that such activities (like what Privacybee.com wans to undertake) under Indian PDPB 2019 are allowed only of the organization itself gets registered with the Indian DPA as a “Consent Manager”. A consent Manager is himself a “Data Fiduciary” and is expected to follow law. We can observe that privacybee.com does not follow privacy principles under either CCPA regulation nor the GDPR regulation but projects itself as the Privacy Saviour.

We invite companies affected by such companies to come together as an “Association of Data Processing Organizations in India” and fight for their justice against international data invaders. We request MeitY to take a lead in guiding such companies. This can also be part of the PDPB 2019 revised after the JPC discussions. We await the final version of the PDPB 2019 when it is presented in the Parliament.

The privacybee.com is registered as a company in USA and we request FTC to conduct an enquiry about the activities of this company and for Attorney General of Califorina and Washington also to conduct their own enquiries on this extraction racket.

If this tendency to misuse law is not curbed, the genuine data subjects who are really harmed and need to take the protection under a data protection law will also get discredited and their rights will get diluted.

Naavi

Also refer:

Data Protection Law in India… Three Big Ideas …. Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights

Protect Indian Companies from possible GDPR overreach

Need for a Regulatory gateway

Following is the reply received from Privacybee.com

P.S: We are happy to note that the  company acknowledges its restricted jurisdiction. Our intention is to point out that the business model built on sending a roving enquiry  relying on a general power of attorney without a company specific request from the data subject  when the data may not belong to a EU citizen, is unethical.

There is a website called PrivayBee.com registered under a PO box address in Seattle which is indulging in sending spam mails to Indian companies seeking data subject information without any verification of the data subject or establishing the genuinity of the enquiry.

The Company simply sends an e-mail quoting a client’s name and e-mail address and requests that information about the person should be provided and if available deleted.

The Company quotes several laws of the world without proper jurisdictional verification and expecting Indian companies to visit its website and probably subscribe to its services. The website does not have any grievance redressal mechanism and itself implants at least 7 cookies if you visit. The Company does not provide any corporate address or contact on its website.

This company is part of the dangerous trend of some US companies which are themselves not privacy compliant but try to use the Privacy Excuse to scare the public and market their services.

These companies are to be considered as “Criminal” entities and action should be initiated against them by appropriate regulatory agencies in USA.

Since this company is using GDPR as an excuse without declaring which supervisory authority to whose control it is subject to, the FTC in USA has to conduct an investigation on this company and expose its malicious designs. It also quotes CCPA and hence the Attorney General of California also has a jurisdiction to enquire.

In the interest of a larger number of companies both within USA and outside and more particularly in India, I urge the Indian Cert-In to write to the Attorney General of California to enquire and expose the activities of this company.

Any company in India which has received notices from this company may kindly share the information with Naavi.org and CERT-In and if possible some concerted action may be initiated to curb such malpractices.

Naavi

Also Read:

Data Protection Law in India… Three Big Ideas …. Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights

Today the first batch of Data Protection Professionals in India who have been trained on Indian Data Protection Laws, Global Data Protection Laws and Data Audit skills with special training on the PDPSI framework are completing the certification examination. A few of them will be certified as “Certified Auditors for the FDPPI-PDPSI Data Protection Audit with DTS evaluation” after the entire evaluation process is over. A Few more would be certified as “Certified Consultants for the FDPPI-PDPSI Data Protection Implementation”

The Implementation Consultants and Certified Auditors would be professionals who have completed around 55 hours of class room training (Online) and 4.5 hours of online examination plus several hours of assignments. They have read through over 1000 pages of notes. This is one of the most elaborate training programs conducted in any such certification programs.

At the end of this rigorous program, FDPPI is confident that these professionals  will be able to stand out in the community as people with the necessary knowledge and skills to start guiding the Indian organizations towards Privacy and Data Protection Compliance.

We all know that skill cannot be entirely acquired through external training alone and hence these professionals will continue to improve their skills and some of the consultants after more experience may be upgraded to the level of auditors FDPPI will have a plan to implement this “Continuing Data Audit Skill Enhancement” program.

The industry already has several “Certified” professionals who have been certified from other organizations some of them recognized world over. However, in terms of the focus and intensity of training, the FDPPI Certified professionals will be a class apart though  this will need some time to be recognized by the industry.

These are the professionals who create path by walking…. not wait for others to show the path…

Naavi

To

Smt Nirmala Seetharaman
Honourable Minister of Finance
Delhi

Sub: Regarding Crypto Currency Experimentation

Madam

I was going through the report in livemint.com and cnbtc18.com on the proposed regulation on Crypto currency in which you are quoted to be soft on the demands of the Bitcoin industry which is fighting to retain legitimacy to Bitcoin and other Crypto Currencies as equivalent to legit currency of the country.

We have been debating this for several years now and initially RBI was firm on the banning of private crypto currencies. Subsequently, since neither the Ministry of Finance and  the Supreme Court was supporting them openly, RBI went quiet. This emboldened the Bitcoin community to spread out and trap many more innocent investors.

This must stop forthwith if we are honest to the economic future of India.

Legalizing Crypto currency is Financial Sedition

There is simply no logic for the Central Bank of the country to surrender its right to have control on the issue of “Currency” and any discussion on letting “Crypto” to be called a “Currency”. If accepted, there would be a flight of Bank deposits in India to “Crypto Assets” held with “Crypto Exchanges in the form of Bitcoin Wallets” . These will be like the e-mail accounts of proton mail and will not be under control of our regulatory authorities.

The legalization of Crypto currencies should be treated as “Sedition” in the “Financial Regulation”.

Crypto is Digital Black Money.

I do understand the political compulsions to be diplomatic in your response and there could be many in the bureaucracy who would like Bitcoin and crypto currencies to continue since it is the best way to receive bribes. For the same reason routine politicians are not keen in seeing the end of Bitcoins.

But the fact that Bitcoins and other Private Cryptos with which Bitcoin is fungible represent “Digital Black Money” does not need to be stressed. I consider that Modi Government will not succeed in its fight against Black money until the digital black money is completely eliminated.

If Privately managed Crypto currencies such as Bitcoin, Ethereum and the 5000 others are not banned lock stock and barrel, we will not be able to control the spread of black money. It is this money which will be used to fund the CAA protest,  Red Fort attack or Kashmiri Terrorists or the Ransomware criminals. The dreaded “Deep web” is funded by Crypto currencies and banning them is a way to make the life of a Cyber Criminal difficult.

India can be an Anti-Crypto Currency Leader of the World

Many ask why India should stand different from many other countries who are tolerant of the Crypto currencies. But we must appreciate that India is India and should have the courage to stand for what is right. There are many countries in the world who are tolerant of Pakistani terrorism or Chinese aggressive military attitude. But it does not mean India should not take an independent stand.

I am confident that India has the capability to lead the “Anti-Crypto Group of Countries” and its decision to ban the Private Crypto currencies would go a long way to establish economic independence.

We need not be apologetic since we are in the right track

We observe that your statement “Government will have a calibrated approach”, “Want to ensure window for experiments”  was made as a diplomatic statement in a TV debate and referred to the “Enablement of Government Controlled Crypto Currency”.

While “Block Chain Technology” is often quoted as an “Innovation” that needs to be supported and “Legalization of Bitcoin” is a way to recognize this innovation is a fake narrative.

Block chain as a technology has some use cases and may  be allowed to be developed by technology companies  as is contemplated in the draft bill. But this cannot be used to legitimize the use of Bitcoin or other Private Cryptos.

Experimentation should not end up in dilution of the regulation in any manner. All Crypto currency variants are all mutually convertible and hence banning them in toto is the need of the hour. Any small room given for innovation would be misused to develop a “Currency Mechanism” which will substitute Bitcoin with some other form of “Crypto Asset” which though legal would be used as a Currency. Remember how Ram Rahim Cult was using paper slips as currency within their premises and how havala operators use a currency note torn into two halves for carrying on their operations. Similar innovative “Digital Chips” will be developed as “Alter-Crypto” if law allows for their existence.

We are aware that there are many “Game Currencies” like the “Linden” which are convertible to Crypto Currencies and hence even a small opening provided to the technology innovators will encourage back door entry of Bitcoin in a different form.

RBI Crypto Rupee will break FEMA and encourage Crypto Mining Malware

It should be recognized that the Government backed Crypto currency will not be different from the Digital Payment systems we already have in the country and would not add anything significant to the economy.

At best it will only encourage zombies who will try to keep mining for the “Crypto Rupee” and result in depleting the scarce resources of “Electricity” and “Computer resources” besides “Productive time” in search of digging for Crypto Rupees in their internet connected computers.

This will continue to encourage “Crypto Mining Malware” to be developed and installed in the mobiles and computers of innocent malware victims and encourage more Cyber Crimes.

Hence there is no logic for taking any action in this regard immediately. Let it be there as an enabling provision but if introduced, it will defeat our Foreign Exchange Management system making Rupee Convertible. You can separately assess the problems arising out of full convertibility of Rupee.

Experimentation with an evil like Bitcoin is like experimenting with drugs. We have to say No even the first time.

There is no need to be apologetic

Even the views of  Elon Musk need not be taken seriously since he may have reasons of his own to retain his wealth in the form of Crypto Currencies.

There is no need to be apologetic to the Bitcoin community as if we are “looking inward”. Sadguru Vasudev often reminds us that Indian culture has been strong because of how we have focussed on “Inner Engineering” of the human being. Yoga is an example of how looking inward actually unleashes the power to address the worldly challenges.

Our stand could be termed as standing firm on principles and not “looking inward”. Neither “Fintech” nor “Fast Moving Technology” have any right to destabilize India as a country. We may support technology but donot hesitate to regulate attempts of disruption whether it is in curbing cyber crimes, regulating delinquent digital media or those who want to take over the financial control of the country.

We have recently shown such guts in taking on Twitter or Face Book and the recent joint action by Mr Ravi Shankar Prasad and Prakash Javdekar on Intermediary Guidelines was an indication that at last the Modi Government is willing to shake off its hesitancy and take tough decisions.

As a person from Karnataka whom you represent, I would be extremely happy if you can also show the exemplary courage to “Say No…firmly…to Bitcoin…even for experimentation”.

The non introduction of the Bill in the first part of the session is itself a show if hesitation by the Ministry of Finance to support the legislation. This should be rectified quickly by the passage of the bill to ban Private Currencies in the second half of the budget session without fail.

Thanking you in advance.

Yours faithfully

Na.Vijayashankar

6th March 2021

Reference:

Livemint.com

cnbctv18.com

An interesting question has been raised by the Indian Corporate sector regarding the applicability of the new Intermediary Guideline to the corporate interaction platforms such as Zoom/Goto Meeting/webex/Google or Team other companies facilitating streaming of content and messaging among users and also the public at large.

A doubt has arisen that given that with more than 5 million users registered with such platforms, will this makes them significant social media intermediaries and whether they  will need to moderate content effectively and have rules in place for moderation.

It is also indicated that the platforms  may not be able to exercise control as in the case of the  attack in Christchurch, in March 2019, which was live streamed on Facebook though after the event,  FaceBook tightened rules for live streaming .

After this incident, 31 countries and several tech companies came together to form a pledge called the “Christchurch call”  initiative.  India also is a signatory. It is believed that Zoom has also joined this pledge  in 2020.

Since  Microsoft Teams and other technologies are also in use in schools for online education, the need to have moderation of live streaming is also relevant in certain circumstances.

The Christchurch call for action was an initiative which which included voluntary commitments from Governments and online service provdiers intended to address the issue of terrorist and violent extremist content online and to prevent the abuse of the internet.

We must remember that all terrorist activities are also considered freedom movements or religious commitments by the section of people who are called terrorists. Hence there will always be differences of opinion whether an act is “Terrorism” or “Religious Action”. In between these two extremes there will be the “Freedom of Speech” protagonists some of whom have a leaning on one of these sides or their own political agenda to try and create mis representative narratives. It is this mis representation from the digital media that this Intermediary rules try to addrss.

As regard live streaming, it is news and it is the journalist who has to show maturity and  discretion. It is also part of the fact which the reporter may not know and hence some events may get broadcast unknowingly.

What needs to be regulated however is the “Conspiracy” and “Planning” to commit a terrorist activity. The Disha Ravi incident in which it is reported that a Zoom meeting was held to discuss the “Terror Plan” is an example of what may have to be regulated.

However, in such cases, it is difficult to blame the intermediary except if the title of the meeting gave any clear indication about the intention. We have discussed this in the past in the case of Bazee.com case whether the title “DPS MMS Video” which was the video sought to be sold in the platform which was the “Obscene” content on the basis of which action was taken against the executives of Bazee.com under Section 79. (2004-2008)

See here for more details on bazee.com case

Under the laws Intermediary is defined in Section 2(w) of the Act and the streaming service provider may come under this definition. However, their “Due Diligence” is in ensuring that a proper Privacy Policy and Terms are provided for the guidance of the user and ensuring that the identity of the owner of a streaming video can be shared with the law enforcement. They may not do a KYC but should be able to collect both declared information such as the e-mail address and physical address but also the meta data such as the IP address at the time of registration.

The 180 days data retention rule may also be applicable to the platforms.

However, the streaming video publishers are like the You Tube. They are the platform used by the other publishers. In the case of You Tube, they become the “Curated Content Publishers”. But the Zoom and others donot “Publish” subsequently and hence donot become the “Media”.

At best the role of Zoom etc will be like a CCTV camera which faithfully captures and broadcasts to the server and may capture events which need to be regulated. But here the platform is a “Pure intermediary” like an ISP and hence the “Social Media” responsibilities donot adhere to them.

The platforms Zoom etc therefore need not to be worried about the new Intermediary guidelines. Also sharing such Videos or content within a community of employees etc may not come under the definition of “Publication”  since no “Public” is involved. Hence the entire set of responsibilities donot apply to the Companies. However, if the content is leaked out to the outside world and creates problems (eg when Whats App messages are forwarded to outside of the original group) the person who was responsible for making a controversial content public should bear the responsibility and the company should be in a position to identify such a person through the meta information about viewing, recording and downloading etc.

(This debate may continue.. Comments are welcome)

Naavi