Header image alt text

Naavi.org

Building a Responsible Cyber Society…Since 1998

The January 30, 2018 order of the two member bench of the Supreme Court consisting of  Justices A.K.Goel and U.U.Lalit, in the case of Shafhi Mohammad Vs State of Himachal Pradesh dated 30th January 2018 (SPECIAL LEAVE PETITION (CRL.)  was discussed in these columns earlier. While commenting on the order, it was pointed out that it would unleash “Judicial Anarchy” in India as it would encourage lower Courts to pass judgements against the higher Courts by way of “Clarification” and also because this judgement having the banner of Supreme Court could put the lower courts in a state of confusion on how to address the Section 65B (IEA) certification. The final judgement of 3rd April 2018 as a final order on the SLP has indicated that the Court has not made any attempt to set right its erroneous interim order.

The Judgement was also called a “Tragedy” since it indicated the inability of the Supreme Court to understand technology and an attempt to find short cuts to some imaginary problems.

It was pointed out that the erroneous judgement would give a thrust to mischievous criminals who would fabricate evidence to harass innocent persons.

Unfortunately, the speculation that this Supreme Court judgement would spur Cyber Crimes appears to be coming true sooner than expected.

The essence of the objections raised is as follows.

  1. Under Section 65B of Indian Evidence Act,(IEA), an electronic document is admissible in a Court without the production of the original if it is properly certified as required under the section.
  2. There is some confusion in the Judiciary as well as some legal practitioners as to why certain procedures mentioned in the section are relevant and how they should be interpreted. This includes who has to issue the certificate and how the certificate has to be constructed etc. These have been explained in detail in the columns of www.naavi.org and www.ceac.in
  3. The Supreme Court itself in the celebrated case of P.K.Basheer has explained at length why Section 65B certificate is mandatory under Section 65B and it has been so since 17th October 2000 though different Courts were unable to understand the section and allowed its violation from time to time. This was a three member bench of the Supreme Court and the Shafhi Mohammad bench had no authority to amend the judgement with a “Clarification”.

During our earlier discussions on the Shafhi Mohammad judgement, we have clearly pointed out that it gives a free license to falsify evidence and it could be mis-used.

Now one such case has been reported from Bangalore and is an indication that more such cases will surface in the coming days.

Further, we predict that the Police themselves under the influence of the politicians will falsify evidence and create human rights issues in future. At that time the same Supreme Court will harp on “Freedom of Speech”, “Right of Privacy” and other fundamental rights to criticise the Police. Politicians will then direct the criticism against the Modi Government. The rebellious judges of the Supreme Court and the activist lawyers like Dushyant Dave, Kapil Sibal etc will enjoy the predicament of the Government.

The complaint I am referring to is an incident where a suspected student of an educational institution posted a message in the time line of the Dean, took a screen shot, distributed it in WhatsApp groups, deleted the time line post. After this, a police complaint has been filed either by the same person or some body at his instance that the Dean had made the objectionable posting and has since removed it.

It is clear that such insertion of objectionable posts on the time line in Facebook can be done wherever the owner of the Face Book account has enabled postings on his time line by the public or Friends.

While we advise every reader to check their Privacy Settings in their Face Book account to ensure that such postings on the time line are limited to “Me Only”, we proceed to discuss here how the Shafhi Mohammad judgement creates a problem for the innocent victims of such crimes.

According to the Shafhi Mohammad judgement, since Face Book account of the Dean is not under the control of the complainant, there is no need for him to submit the Section 65B certificate along with the print out of the screen shot allegedly containing the objectionable post. It would be admissible and the trial would begin with the Dean trying to defend that he did not either post the content or delete it subsequently.

The only person who can come to the assistance of the Dean is Face Book which must have the log records including the IP address of the person who made the objectionable post. But getting the evidence out of Facebook is impossible for an ordinary mortal unless the Police move quickly which in most cases is not possible.

(Ed: we have earlier pointed out how the Cyber Crime Police Station of Mumbai-BKC botched up a complaint by refusing to issue a simple request to Google for an IP address resolution possibly in pursuance of some illegal gratification and the higher officials of the Mumbai Police did nothing to correct the situation even when it was brought to their attention. Refer here)

If Section 65B certificate is considered mandatory, then the complainant would have to file the certificate. It could have been filed by the complainant himself in which case the Court could have the option to reject it as not credible since it is a “Self Serving evidence.”

If it is submitted  by a trusted third party, such a person would have to view the objectionable post himself and certify its existence with some additional information and also be ready to face the charge of “perjury” if it really did not exist on the time line.

Since Section 65B certificate is a matter of fact certification, the certifier  would not be able to forensically certify the genuineness of the posting but he would have given some additional material information for investigation to proceed. This would have created one hurdle for the complainant to first find a suitable accomplice to provide the certification and then to convince him that the request is genuine. Then the credibility of the certifier could have acted as an additional check against provision of the false evidence.

Unfortunately, if Shafhi Mohammad judgement is to be applied, there would be no need for a Section 65B certification and it is left to the wisdom of the Court to accept the evidence as presented and proceed with the trial.

By God’s grace, we can say that the  “Clarification” provided by the SLP order is by a two member bench and hence should be ignored. But we strongly feel that this tendency of the lower bench to pass an order over turning the larger bench view and terming it as “Clarification” needs to be corrected by the intervention of the CJI.

In the meantime, we urge the Bangalore Cyber Crime police to prove that they are not like the Cyber Crime Police of BKC, Mumbai and would ensure that Facebook would be made to provide the evidence and resolve the complaint appropriately. If during the investigation it is found that the posting was done by the complainant himself, he should be punished for hacking into the Face Book account of the Dean with a dishonest intention and take action under Section 66 of ITA 2008 along with other provisions of IPC.

In case, like the BKC Cyber Crime Police Station, Bangalore Cyber Crime PS also dithers, then innocent victims will keep cursing the Shafhi Mohammad judgement until it is corrected.

Naavi

The news report that Personal profiles of 50 million Face Book users was collected and unauthorizedly used to help Trump win an election has opened  a new debate on Privacy and Data Protection in India. BJP and Congress parties are fighting on TV to blame each other that they are also indulging in a similar misuse of personal data while the local subsidiary of Cambridge Analytica (CA) which is the firm accused of the misuse claims to have served both BJP and Congress in different elections.

Much of the debate that is happening in this connection appears to be dishonest and hypocritical and the bluff has to be called.

We must first recognize that the CA is supposed to have collected the data through an App which was voluntarily downloaded by users who gave a consent for the access of their personal information. The person who collected the information based on the consent provided used it as a data for some kind of research for targeted advertising. The research was bought by Trump’s campaign managers and hopefully he was benefited.

Just as in India anything done by Modi is objected to, the Anti Trump brigade is accusing as if US election was tampered because of the profiling of the consumer research company and the targeted advertising for which it was used. Even if the firm had done a “Psychological Profiling” from the data available, as long as the data was in the public domain or out of an informed consent, there is no breach of Privacy. There are FinTech companies who do data analytics for fixing credit limits and if data analytics is used to create innovative advertising, it is neither a surprise nor some thing to be scoffed at.

This sort of data collection from public resources or from informed consent cannot be objected to just because we donot like Mr Trump winning.

If there is any real objection, one has to go into the fact of whether the “Informed Consent” was actually through a fraud and if so the data collector namely the British academic “Aleksandr Kogan” has to be brought to book.

Presently all Privacy Laws place faith on such consents. But if the Data Collector breaches the agreement and sells the data to another person who uses it for a purpose other than the purpose for which it was provided, it has to be objected to only on grounds of “Breach of Contract, Breach of trust” etc.

As regards the third party who bought to the data, data protection acts need to impose a “Due Diligence” obligation to disclose and get consent from the data vendor that the purchased data can be used for a specific purpose. Since “Advertising” is a legitimate purpose, if the data collector offers a data for advertising to an advertiser and the advertiser may  buy it under the premise that the data subject must have provided the necessary consent.

Is the secondary data user expected to check if the original consent provided to the data collector permits  such use or not is a matter yet to be clearly defined in law though it could be an ethical and moral issue. Also in many cases, even the buyer may not be aware how exactly he is going to use the data and how he can benefit from it. He may be simply buying it speculatively and discover some value added derivatives out of it which he may trade.

It is therefore hypocritical for us to express surprise that FB data could be used for profiling and profiled information can be used for advertising and such advertising could be for political campaigns. All this has to be expected in the era of Big Data anaytics and Artificial Inteligence.

In fact while the laws or privacy so far have missed the need to impose “Due Diligence” by the secondary user of personal data and this can be taken note of and included in the Indian Data Protection Laws, we can draw attention to Section 66B of the ITA 2008 which provides a possibility for “Stretching the legislative intent indicated in the section” to cover the misuse of data. Section 66B is actually meant for punishing the use of stolen computers and mobiles and uses the term “dishonestly receives and retains any stolen Computer Resources”. If we can consider data as a computer resource and the act of use of data for a purpose other than what it was meant as “Stealing”, then Section 66B can be stretched to the data misuse scenario though it is not recommended.

May be the Justice Srikrishna panel may include a clause that

“Any user of personal data shall exercise due diligence to ensure that the purpose for which it may be used is consistent with the consent provided”

Perhaps this is the lesson we can take out of this incident apart from what we have already discussed as to the need of an intermediary called “Data Trust” in the Data Protection environment.

Naavi