Legality of WhatsApp surveillance in India

Digital evidence is something that has to be treated differently from physical evidence, and on a higher threshold.


IN October last year, videos emerged on social media which depicted the Hyderabad City Police stopping pedestrians and citizens, and checking their WhatsApp chats on their mobile phones for keywords such as “ganja” and “weed” to look for incriminating chats. This was similar to a past operation of the Hyderabad City Police known as ‘Operation Chabutra’, as part of which police constables had detained members of the public, and had collected and checked their fingerprints, photographs, Aadhar card and drivers’ license, among others documents. At least 21 citizens reported similar surveillance in Bengaluru between December 2019 and February this year, most of which has been unreported.

Such incidents raise crucial questions, that is, whether the right to search and seizure under the Code of Criminal Procedure (‘CrPC’) includes the right to stop and search mobile phones of the members of the public without a warrant, and whether it violates the fundamental right to privacy under Article 21 and the right against self-incrimination under Article 20(3) of the Constitution.

Right to privacy in the Constitution

The Supreme Court in a nine-judge Constitution bench decision in Justice K.S. Puttaswamy (Retd.) versus Union of India (2017), held that the right to privacy is a fundamental right under Article 21.

Also read: Right to privacy as a fundamental right: Past, present and future

In a landmark judgement in the case of Virendra Khanna versus State of Karnataka & Anr. (2021), the Karnataka High Court issued a slew of guidelines that are to be followed during the search and the seizure of electronic devices in criminal investigations. Under these guidelines, the obligation to reveal passwords and provide biometrics could arise only in two circumstances:

  1. In an emergency situation where the potential evidence, which is present in an electronic device is in the danger of being destroyed,
  2. During the ordinary course of an investigation

In the second circumstance, even though an exception has been carved out in Puttaswamy, there is a requirement for the investigating officer to produce a search warrant for obtaining the passwords. The search in Hyderabad resembles more of an ‘operation’ than an ‘investigation’; the former is not defined nor recognised by the CrPC, and the latter being a procedure authorised by the magistrate. There was no search warrant which was obtained in this case, and hence cannot be considered as a legal search, according to Virendra Khanna.

Does the right to search and seizure under the CrPC include the right to stop and search mobile phones of the members of the public without a warrant, and whether it violates the fundamental right to privacy under Article 21 and the right against self-incrimination under Article 20(3) of the Constitution?

The police officers who had taken part in such an ‘operation’ are also liable to be fined under Section 19 of the Hyderabad City Police Act, which punishes any police officer who is involved in a “vexatious search, arrest, etc.” with up to six months of imprisonment or fine of Rs. 500, or both.

When we look at the United States’ jurisprudence on the same, the Supreme Court of the United States had laid down in Riley versus California (2014) that even though the information which is stored on a phone is not immune from search, a warrant is generally required. The court, in explicit terms, held that the search of a mobile phone would result in the investigating officers being able to search the phone for videos, photo albums and address books, which is a “significant diminution of privacy”.

Our Constitution protects the right to privacy of an individual, and protects an accused against self-incrimination. The Hyderabad City Police was under a duty by the Constitution to positively uphold the right to privacy of individuals. We have seen in Riley, in which the U.S. Supreme Court held that a warrant was needed for the search of the contents of a phone, as well as for other information which involve both technology and private data.

Also read: Digital evidence in the shadow of Pegasus

Right against self-incrimination in Constitution

Article 20(3) of the Constitution states that “no person accused of any offence shall be compelled to be a witness against himself”.

The right against self-incrimination in India has been discussed in two landmark judgments by the Supreme Court: State of Bombay versus Kathi Kalu Oghad (1961) and Selvi versus State of Karnataka (2010). In both, it was held that testimonial evidence includes any evidence which is in personal knowledge and which is conveyed to the authorities. Testimonial evidence is self-incriminatory when the evidence, by itself, should have the characteristics of incriminating the accused. This has also been extended to include not just confessions, but also to “furnish a link in the chain of evidence”, in order to support a conviction. The exception which is carved out is when the authorities take such evidence to use it for comparison with material which is already available with the investigating authorities.

In Selvi, it was held that testimonial evidence includes evidence that is not necessarily spoken or written in nature. It will continue to be held as the same if it provides any material or evidence which is based on personal knowledge – and as long as there is a compulsion for the same, leading to the expression of the contents of an individual’s mind, then it is a part of the evidence which is protected by Article 20(3).

This position of law which we see in India is also similar to what is prevalent in the U.S., where the right against self-incrimination also protects an accused from “having to share his thoughts and beliefs with the Government”, as has been laid down by the U.S. Supreme Court in Doe versus United States (1988).

In Seo versus State (2020), the Indiana Supreme Court in the U.S. held that forcing the defendant to unlock their iPhone would be a violation of their Fifth Amendment rights against self-incrimination. The court held that there are three kinds of personal knowledge which are provided to the investigating authorities, and these include (1) the password, (2) the knowledge of the existence of files, and (3) possession of the files. As in Indian law, unless the State can show that it is already in the knowledge of the State, the communicative aspects fall within the Fifth Amendment of the U.S. Constitution: this is known as the doctrine of foregone conclusion, which was laid down by the U.S. Supreme Court in Fisher versus United States (1976).

Placing reliance on Selvi, it can be said that this falls under the ambit of Article 20(3), as it does not fall under the exception which states that a piece of evidence is admissible if it is collected in order to compare it to the information which is already in the possession of the investigating authorities.

Another important point that is to be noted is that the persons who were stopped by the police in Hyderabad were stopped without a warrant, and were not “accused” in the first place. The term ‘accused’ is not defined under the CrPC, but in common parlance can be understood to be someone who has been charged with an offence but has not been proved guilty of the same.

The persons who were stopped by the police in Hyderabad were stopped without a warrant, and were not “accused” in the first place.

There is no indication to suggest that the persons who were stopped had any prior charges against them for possession of controlled substances. If it is assumed for the sake of argument that the persons who were searched were accused in a first information report or in other equivalent documents, placing reliance on Selvi, it can be argued that furnishing the passcode would be incriminating as it would furnish a “link in the chain of evidence” and indicate that the accused has control over the contents in the phone.

Also read: How not to Outlaw Illegal Surveillance

Search and seizure under statutory provisions

The Karnataka high court in Virendra Khanna held that Section 100 of the CrPC, which is applicable to a closed place, is also applicable for accessing a digital device. Hence, the police are required to apply for a warrant in order to access the phone.

In the case of emergent situations, the police can act under Section 165 of the CrPC, but this requires the existence of an ongoing investigation and a belief that such a thing cannot be obtained without undue delay. Both of these components are missing in the case on hand.

The Supreme Court, in State of Punjab versus Balbir Singh (1994) held that sections 100 and 165 of the CrPC would be applicable to the arrest and search which is conducted under Sections 42 and 43 of the Narcotic Drugs and Psychotropic Substances Act, 1985 (‘NDPS Act’). Section 42 predominantly deals with the search of “building, conveyance or enclosed place”, whereas section 43 deals with the power of search, seizure and arrest in a public place. In addition to this, Virendra Khanna also states that even when a search is made without a search warrant, it should follow the safeguards laid down in CrPC, and not harass innocent people.

The argument is two-fold. Firstly, since Virendra Khanna has equated the search of a digital device to “closed space”, it can be argued that the provisions of section 42 are attracted – in which case, it was held by the Supreme Court in Krishna Kanwar versus State of Rajasthan (2004) that there needs to be prior information about the commission of an offence punishable under Chapter IV of the NDPS Act, either from personal knowledge, or given by a person and taken down in writing. The court held that unless both of these components exist, section 42 has no application. In the case on hand, there was no prior information nor personal knowledge with the police conducting the search as it was a randomised search, and hence section 42 did not apply.

The alternative is a section 43 search, which grants wider powers of search and seizure to the police when the search is conducted in a public place. According to the reasoning in Virendra Khanna, a search of a digital device cannot be equated to a search in a public place. In arguendo, even if we assume that it could be a search in a public place, the NDPS Act requires the officer to have “reason to believe” that the said person has committed an offence. “Reason to believe”, under Section 26 of the Indian Penal Code, is said to exist, “if he [officer] has sufficient cause to believe that thing but not otherwise”.

According to the Supreme Court in Dr. Partap Singh versus Director of Enforcement, Foreign Exchange Regulation (1985), “reason to believe” is not just the subjective satisfaction of the officer, but this particular belief must be held in good faith and not a mere pretence. The searches which have been conducted by the Hyderabad Police, were random searches undertaken. There is no evidence to suggest that a methodology was followed to target those who were suspected to have committed an offence under the statute.

There is no evidence to suggest that a methodology was followed to target those who were suspected to have committed an offence under the statute.

On both counts, the searches which have been conducted by the Hyderabad Police cannot be considered to be section 43 searches. In addition to this, the lack of compliance with section 100 of the CrPC also makes the search an “irregular search”, hence not providing sufficient legal grounds for the searches carried out by the police to be in accordance with the statutes.

Also read: Legal issues galore around digital economy

Digital evidence versus physical evidence

When the court in Virendra Khanna holds the search of a digital device to be governed under the provisions of section 100 of the CrPC, the court is distinguishing the search of a body from the search of a device found on the body of a person.

In furtherance of this, there is a line of thought which lays down that the search of a digital device is a dual-step process, and that the same has not been considered by the CrPC. The first step in such a structure is the physical enclosure of the device, such as the hard drives, mobile phones, and laptops, which are physical objects in themselves. The process of the search and seizure of the same has been laid down in the CrPC, by way of a warrant from the relevant authorities.

The second step in this process is the search for the information which is being stored in these physical enclosures. This information includes data, images, contacts, and messages (including WhatsApp messages).

Riley talks about the advances in technology that require courts to evolve and read the Fourth and Fifth Amendments of the U.S. Constitution in a way to protect the rights of the people. In Riley, the court stated, “Modern cell phones…implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet or a purse”. It further concludes that the inspecting of an arrestee’s pockets, which resembles more of a physical search, cannot be equated to the search of digital data, with additional privacy safeguards which are required for the search of digital evidence.

Indian law on the other hand grants a wide variety of powers to the authorities for the search of evidence (including digital evidence). These include Section 28 of the Information Technology Act, 2000, which allows government officials to access any and all electronic data while investigating contraventions of the Act.

While technology has transformed and privacy is being placed at a higher pedestal, procedural guidelines have not caught up with the same. The search and seizure rules of digital data are still largely governed by the CrPC, which is a general procedural code. The few procedural guidelines which exist, such as Rule 3 of the Information Technology (Intermediaries guidelines) Rules, 2011 and Section 43A of the Information Technology Act do very little to protect the rights of the person accused or suspected.

The distinction of procedure for search between a physical object and data which is contained in a physical enclosure needs to be legislated upon in order to bring it in accordance with the fundamental right to privacy.

The lack of guidelines regarding how the digital evidence would be searched and processed can give rise to a plethora of problems. For example, in the Bhima-Koregaon case, multiple independent and credible reports suggest that incriminating documents were planted in the electronic devices of the accused through malware.

Also read: Surveillance, Data Imperialism and Transition to a Post Human World

Needed: comprehensive, targeted legislation

With the checks carried out by the Hyderabad City Police being in compliance neither with the letter nor the spirit of the Constitution, as well as not in compliance with the CrPC and the NDPS Act, there is a need for courts to take cognisance of these brazen violations to prevent further such activities from being taken up by any other police department(s) in the future.

The issue of electronic evidence needs to be deliberated upon, and guidelines, which are similar to those which have been laid down in Virendra Khanna need to be replicated across the country. The distinction of procedure for search between a physical object and data which is contained in a physical enclosure needs to be legislated upon in order to bring it in accordance with the fundamental right to privacy.

With Hyderabad earning the infamous name of a “surveillance city”, there is an urgent need for the state government and the police department in Telangana to draft policies that govern its surveillance programmes, as well as bring their checks and operations under procedural requirements that have been laid down under the CrPC and the NDPS Act.

The Leaflet