Cyber Law – The Law Blog

Admissibility of Electronic Evidence – Part III (Post-Anvar situation & development of jurisprudence)

Posted on 27 Nov 2018 by The Law Blog

This post constitutes the third and final part of a three-post-series blog post dealing with the courtroom trend with respect to the development of jurisprudence with regard to the admissibility of electronic evidence.

The first part dealt with the background and the problems with the admissibility of the electronic evidence where the author has given an account of the manifestation of the provision in brevity. The second part dealt with the initial development of the jurisprudence on the admissibility of electronic evidence and pre-Anvar P.V. status. This post (the third part) deals with the post-Anvar P.V. status of the provision and the current scenario and conclusion of the series.

Ankur Chawla v. CBI[1], was the case where the High Court of Delhi decided upon the admissibility of audio and video clips in the form of a compact disc for this particular case and stated that it is inadmissible. The trial court admitted the electronic evidence in this case in an erroneous manner. In another case of Jagdeo Singh v. State[2], the court rejected the electronic evidence which was a compact disc, having the data of an intercepted phone call records, because they were not produced along with the certificate which is required by virtue of section 65B. In Sanjaysinh Ramrao v. D. G. Phalke[3], the court upheld the decision of the apex court in the case of Anvar P.V.v. P.K.Basheer[4], and said that since the recorder was not verified, therefore, the transcription and the translation of the recorded voice cannot be admitted as evidence. It pressed upon the question of the authenticity of the source.

In Anvar P.V.[5], the court acknowledged the addition of the special provision to the Act by way of an amendment, after the framing of the IT Act. This case is known for changing the plots in the courtroom, and is a landmark case, as in this judgment by a three-judge-bench, the court discussed about the reliability of secondary data and decided that the secondary data (all the electronic evidences) cannot be treated as admissible evidence unless they are accompanied by the certificate of which section 65B talks about. The certificate ascertains the authenticity of the evidence here. Thus, The case is known for its attempt in setting up the threshold for the admissibility of electronic evidence under section 65B of the Act.

The court also made a distinction in this case, by putting forth its reasoning for the treatment of CD as primary evidence and the recordings as secondary evidence. The court while making a distinction said that since the recordings are made using other electronic devices, therefore they have to be categorized under the head of secondary evidence, whereas, the compact discs are solely used in their very form and hence could be considered as a primary evidence. Later, the Rajasthan High Court adhering to the aforementioned distinction ruled that the recording done on a camera having an HDD can be considered as primary evidence and thus the applicability of section 65B will not be followed in this situation.[6] Therefore, it is imperative to make a distinction between the primary evidence and the secondary evidence in every case as this delineates the requirement of certificate and the provision under which the evidence can be admitted.

The court in the aforementioned case did bring the clarity regarding the electronic evidence and the need of certificate while adducing it, but it did not make it clear as to when are the certificates required precisely. Considering the procedural aspect of the Act, it is the basic rule that the courts cannot deny justice for any flaw in the adherence to the procedures. The whole idea of procedural law is to ease out the process of attainment of justice. The courts, in the cases, such as Paras Jain v. State of Rajasthan[7], and Kundan Singh v. State[8], have also pronounced the same. In both the cases, the Rajasthan High Court, and the Delhi High Court, respectively, said that, the certificate required for the admissibility of the secondary evidence in the form of electronic evidence could be provided at the later stage of trial initiation, post the charge sheet is filed, and this will not dilute its gravity and value.

“23. When legal position is that additional evidence, oral or documentary, can be produced during the course of trial if in the opinion of the Court production of it is essential for the proper disposal of the case, how it can be held that the certificate as required under Section 65-B of the Evidence Act cannot be produced subsequently in any circumstances if the same was not procured alongwith the electronic record and not produced in the Court with the charge-sheet. In my opinion it is only an irregularity not going to the root of the matter and is curable. It is also pertinent to note that certificate was produced alongwith the charge-sheet but it was not in a proper form but during the course of hearing of these petitioners, it has been produced on the prescribed form.”[9]

“40. The computer output – when provisions of section 65-B are satisfied is treated as evidence of the contents of the original or facts therein of which direct evidence is admissible. The secondary evidence in the form of a paper print out or media output produced by copying, recording or storing files is treated as a document and are admissible and bear the same status as “direct evidence” on the question of admissibility. The provision, therefore, negates and does not require production of the original computer/equipment/media, on which the data was stored and from which computer output be it in the form of printed paper or optical or magnetic media data has been obtained. The expression “direct evidence” as strictly understood in the Evidence Act, has been explained below.

Paragraph 21 quoted above records and notices that in State (NCT of Delhi)v. Navjot Sandhu alias Afzal Guru, (2005) 11 SCC 600, a responsible officer had certified the document at the time of production itself and the signatures in the certificate were also identified and, therefore, there was compliance of Section 65B of the Evidence Act. In these circumstances, we do not accept the legal ratio in Ankur Chawla v. Central Bureau of Investigation, (Crl. M.C. No. 2455/12 & Crl. M.A. Nos. 8308 and 8318/2014 and Crl. Rev. P. 385/2012 decided on 20^th November, 2014 by the Delhi High Court) wherein it has been held that the certificate under Section 65B must be issued when the computer output was formally filed in the court and certificate under Section 65B cannot be produced when the evidence in form of electronic record is tendered in the court as evidence to be marked as an exhibit. The said certificate can be produced when the electronic record is to be admitted and taken on record, i.e., when the prosecution, defence or a party to the civil litigation wants the electronic record to be marked as an exhibit and read in evidence. As far back as 1931, the Lahore High Court in Baldeo Sahai v. Ram Chander, AIR 1931 Lahore 546 had stated:-

“There are two stages relating to documents. One is the stage when all the documents on which the parties rely are filed by them in Court. The next stage is when the documents proved and formally tendered in evidence. It is at this later stage that the Court has to decide whether they should be admitted or rejected. If they are admitted and proved then the seal of the Court is put on them giving certain details laid down by law, otherwise the documents are resumed to the party who produced them with an endorsement thereon to that effect.” ”[10]

Essentially, the judgment in the Anvar P.V.[11], actually shed light upon the correct procedure of law and the manner in which the electronic evidence can be adduced. The importance of the certificate was made paramount, and courts around the country, heavily relied upon the rationale of this case. For instance, Bala Shaheb Gurling Todkari v. State of Maharashtra[12], Ankur Chawla[13], and D.G.Phalke[14], are few of the cases which relied their decisions upon the aforementioned Supreme Court judgment.

There have also been a plethora of cases where the Supreme Court itself along with the High Courts resorted to an alternate view regarding the admissibility of secondary evidence in form of electronic evidence. For instance, in the case of Thomas Bruno v. State of U.P.[15], the apex court cited the judgment given in the Navjot Sandhu[16] case, regarding the admissibility of electronic evidence. Though the court did not go against the ruling and the basic principle and rationale which the Anvar P.V.[17] case spawned.

The most recent view of the apex court on the debate surrounding the admissibility of the electronic evidence has relied upon the Anvar[18], judgment where the two-judge-bench of A.K.Goel J. and U.U.Lalit J., decided and said that, if a party is not in possession of the device responsible for the procurement of the information, then it is obvious that he will not be able to produce the required certificate, and hence, this cannot come in way of dissemination and impartation of justice. The decision was given considering the fact that the requirement of the certificate is only a procedural need and this cannot and should not be acting as a threat to justice delivery.

“29. The applicability of procedural requirement under Section 65-B(4) of the Evidence Act of furnishing certificate is to be applied only when such electronic evidence is produced by a person who is in a position to produce such certificate being in control of the said device and not of the opposite party. In a case where electronic evidence is produced by a party who is not in possession of a device, applicability of Sections 63 and 65 of the Evidence Act cannot be held to be excluded. In such case, procedure under the said sections can certainly be invoked. If this is not so permitted, it will be denial of justice to the person who is in possession of authentic evidence/witness but on account of manner of proving, such document is kept out of consideration by the court in the absence of certificate under Section 65-B(4) of the Evidence Act, which party producing cannot possibly secure. Thus, requirement of certificate under Section 65-B(4) is not always mandatory”[19]

This judgment seems per incuriam though, considering two factors essentially. One, the judgment being in contravention to the rationale which was provided in the relying case which necessitated the need of the certificate, and second, the bench strength is less than what it needs to be to overturn the decision.

Thus, the legal scenario post the Anvar P.V.[20] case seems quite incoherent to some extent but also welcoming as it widens the door for the admissibility of electronic evidence and brings down the threshold of the authenticity of the same, though with a caveat of scepticism attached to it regarding the proper implementation of this procedure, which cannot be done away with.

Conclusion

This seems quite obvious seeing the trend in which the court has expanded the ambit of the rule for the admissibility of the electronic evidence, that the court’s only motive is to impart justice in the best way possible so that none of the person could be denied of its right to justice. Also, this is not done blindly.

As seen from the development of the jurisprudence in the Indian scenario, there are a plethora of issues which revolve around the electronic evidence, such as the probability of it getting manipulated or the question of its genuineness. In such cases, the court had initially let the allowed the admission of the electronic evidence without much hassle and procedural safeguards. But subsequent to the increasing usage of technology, and framing of the IT Act, there was an amendment brought into the Act. The court interpreted this amendment in a strict sense in order to not let the justice delivered to the wrong person.

It should always be remembered that the Act is applicable to civil as well as criminal matter in a non-bias manner. The evidence adduced does not ascertain the validity of the information in any manner. The burden of proof lies on the accused and on the person who is adducing the evidence, regarding the fact that how valid is the content of the evidence procured.

Over the years, the court has raised the bar for admissibility of electronic evidence in a gradual manner. The requirement of the certificate was made mandatory, and the adherence to the requirements enlisted under the provision of section 65B was necessitated for an electronic evidence to be made admissible. This has been a step much appreciated as this prevents the abuse of the concept of the electronic evidence. The reason for this is also to safeguard the interest of any single innocent person, as it would be extremely unjust if any innocent person is denied justice due to the admissibility of flawed evidence.

The judgments by Supreme Court have made the rule a stricter one over the years and have well delineated the jurisprudence in this arena for the welfare of all. It cannot be alleged that the apex court did not consider the daily scenario which a common mass might face in such regards. The most recent case of Shafhi Mohammad v. State of Himachal Pradesh[21], is an example par excellence for this. The court relaxed the requirement of the certificate in certain scenario where a common man might just be unable to adduce it due to the absence of possession of the device. At the same time, this case also elucidates that the court itself is not certain regarding the usage and implementation of the procedure, as has been mentioned already. Therefore, the trend over the years, according to the pronouncements and interpretation of the provisions related to the admissibility of the electronic evidence has been pretty relaxed yet a strict one. The Courts have always been inclined towards incorporating the needs of changing time and technology along with the need of the people, for justice dissemination.

[1] Ankur Chawla v. CBI, 2014 SCC OnLine Del 6461.

[2] Jagdeo Singh v. State, Crl. A. Nos. 527, 529 and 607 of 2014.

[3] Sanjaysinh Ramrao v. D.G.Phalke, (2015) 3 SCC 123.

[4] Arnav P.V. v. P.K.Basheer, AIR 2015 SC 180.

[5] Id.

[6] Preeti Jain v. Kunal Jain, AIR 2016 Raj 153.

[7] Paras Jain v. State of Rajasthan, (2016) 2 RLW 945 (Raj).

[8] Kundan Singh v. State, 2015 SCC OnLine Del 13647.

[9] Supra 27.

[10] Supra 28.

[11] Supra 24.

[12] Bala Saheb Gurling Todkari v. State of Maharashtra, 2015 SCC OnLine Bom 3360.

[13] Supra 21.

[14] Supra 23.

[15] Thomas Bruno v. State of U.P., (2015) 7 SCC 178.

[16] Supra 14.

[17] Supra 24.

[18] Supra 24.

[19] Shafhi Mohammad v. state of Himachal Pradesh, (2018) 1 SCC (Cri) 860.

[20] Supra 24.

[21] Id.

ABOUT THE WRITER

Shivam Sharan

Shivam Sharan is a third-year law student at NALSAR University of Law, Hyderabad. Although he has no particular area of interests as such in the legal field, but he likes to keep experimenting with new things and is open to edification by way of exploration. Apart from his work, he likes painting and listening to music.

Admissibility of Electronic Evidence – Part II (Case laws review & analysis of trend set by judicial pronouncements)

Posted on 27 Nov 201827 Nov 2018 by The Law Blog

This post constitutes the second part of a three-post-series blog post dealing with the courtroom trend with respect to the development of jurisprudence with regard to the admissibility of electronic evidence.

This post (the second part) deals with the initial development of the jurisprudence on the admissibility of electronic evidence and pre-Anvar P.V. status. The first part dealt with the background and the problems with the admissibility of the electronic evidence where the author has given an account of the manifestation of the provision in brevity. The third part shall deal with the post-Anvar P.V. status of the provision and the current scenario and conclusion of the series.

One can trace the advent of the admissibility of electronic evidence and the surrounding debate from the case of, Som Prakash v. Sate of Delhi[1], where the Supreme Court of India observed the need of statutory change to include the electronic evidence. The court insinuated that denying such discoveries to be admitted in the court of law is crude and that a statutory change could help criminal trials.

“10. It is but meet that science-oriented detection of crime is made a massive programme of police work, for in our technological age nothing more primitive can be conceived of than denying the discoveries of the sciences as aids to crime suppression and nothing cruder can retard forensic efficiency than swearing by traditional oral evidence only thereby discouraging the liberal use of scientific research to prove guilt.”[2]

Later on, in the case of SIL Import v. Exim Aides Exporters[3], the apex court again promoted and encouraged the use of technology, by saying that when parliament is considering the advancement in technology while framing the laws then the courts in the country should not condone the usage of the same. And information from it should be included.

“15. Facsimile (or fax) is a way of sending handwritten or printed or typed material as well as pictures by wire or radio. In the West such mode of transmission came to wide use even way back in the late 1930s. By 1954 the International News Service began to use facsimile quite extensively. Technological advancement like facsimile, internet, e-mail etc. were in swift progress even before the Bill for the Amendment Act was discussed by Parliament. So when Parliament contemplated notice in writing to be given we cannot overlook the fact that Parliament was aware of modern devices and equipment already in vogue.”[4]

These cases established a threshold of admissibility of electronic evidences to the courtroom. This was further substantiated in Grid Corporation of Orissa v. AES Corporation[5], the issue involved two arbitrators who had to sit together in order to appoint a third arbitrator. The court said that it is not necessary to meet the people in person, when it could be done through electronic means.

“23. enience of the parties and also saves them from avoidable expenditure. When an effective consultation can be achieved by resort to electronic media and remote conferencing it is not necessary that the two persons required to act in consultation with each other must necessarily sit together at one place unless it is the requirement of law or of the ruling contract between the parties. The appointment need not necessarily be by a writing signed by the two arbitrators; it satisfies the requirement of law if the appointment (i) has been actually made, (ii) is preceded by such consultation as to amount to appointment by the two, and (iii) is communicated. It is not essential to the validity of the appointment that the parties should be consulted, or involved in the process of appointment or given a previous notice of the proposed appointment.”[6]

Pre Anwar P.V. v. P.K. Basheer state

The very first instance of the case which required the admissibility of electronic evidence emerged in the case of, State v. Mohd. Afzal and Ors.[7]. This case is also referred to as the parliament attack case and was further decided by the Supreme Court. The Delhi High Court, in this case, pronounced that, the data and information which are produced by a computer can be treated as electronic evidence and should be admitted. The only pre-requisite for the admissibility is that the evidence of this sort should adhere to the checklist provided in the provisions mentioned under section 65B of the Act.

In 2005, the Supreme Court had to decide upon the requirement of the certificate as mentioned under section 65B of the Act, for adducing the evidence. This was in the case of State v. Navjot Sandhu[8], where the court said, that the phone records can be admitted. In this case, the court did not consider the need for a certificate. It just said that the call records can be admitted as secondary evidence, under sections 63 and 65 of the Act. The provision for the requirement of a certificate is mentioned under section 65B. Further, the court said that if the certificate is not being provided, then also the evidence could be put forth in the court if it is a legitimate one and fulfils the requirements given under the section 63 and section 65.

“150. According to Section 63, secondary evidence means and includes, among other things, “copies made from the original by mechanical processes which in themselves insure the accuracy of the copy, and copies compared with such copies”. Section 65 enables secondary evidence of the contents of a document to be adduced if the original is of such a nature as not to be easily movable. It is not in dispute that the information contained in the call records is stored in huge servers which cannot be easily moved and produced in the court. That is what the High Court has also observed at para 276. Hence, printouts taken from the computers/servers by mechanical process and certified by a responsible official of the service-providing company can be led in evidence through a witness who can identify the signatures of the certifying officer or otherwise speak of the facts based on his personal knowledge. Irrespective of the compliance with the requirements of Section 65-B, which is a provision dealing with admissibility of electronic records, there is no bar to adducing secondary evidence under the other provisions of the Evidence Act, namely, Sections 63 and 65. It may be that the certificate containing the details in sub-section (4) of Section 65-B is not filed in the instant case, but that does not mean that secondary evidence cannot be given even if the law permits such evidence to be given in the circumstances mentioned in the relevant provisions, namely, Sections 63 and 65.”[9]

In Rakesh Kumar v. State[10], the Delhi High Court affirmed with the abovementioned decision of the apex court regarding the adducing of the call records as secondary evidence.

In State of Maharashtra v. Dr. Praful B. Desai[11], the court while turning the decision of the high court, allowed the witness to give the statement through video conferencing, and also spawned the advantages of the mode as follows:

“20. Recording of evidence by video-conferencing also satisfies the object of providing, in Section 273, that evidence be recorded in the presence of the accused. The accused and his pleader can see the witness as clearly as if the witness was actually sitting before them. In fact the accused may be able to see the witness better than he may have been able to if he was sitting in the dock in a crowded courtroom. They can observe his or her demeanour. In fact the facility to playback would enable better observation of demeanour. They can hear and rehear the deposition of the witness. The accused would be able to instruct his pleader immediately and thus cross-examination of the witness is as effective, if not better. The facility of playback would give an added advantage whilst cross-examining the witness. The witness can be confronted with documents or other material or statement in the same manner as if he/she was in court. All these objects would be fully met when evidence is recorded by video-conferencing. Thus no prejudice, of whatsoever nature, is caused to the accused. Of course, as set out hereinafter, evidence by video-conferencing has to be on some conditions”[12]

The case of Avnish Bajaj v. State[13], was the case where the court had to look upon the question that what differences exist between ISP and CP. It did highlight that the police needs to be abreast with the changing times and that they need to get edified about the same. At the end, the court propounded that as the ISP was the accused in this case, therefore, the burden lies upon the ISP to provide the proof of its allegations and innocence.

In Abdul Rahman Kunji v. The State of West Bengal[14], the Calcutta High Court was deciding upon the admissibility of an email as electronic evidence. The court said that the witness’ statement could be admitted to ascertain the genuineness of the copy of the email as an evidence.

Therefore, we see that the court did not necessitate the requirement of the certificate until this stage and the admissibility of the electronic evidence was not contingent upon the certificate proving the authenticity of the evidence.

[1] Som Prakash v. State of Delhi, AIR 1974 SC 989.

[2] Id.

[3] SIL Import v. Exim Aides Exporters, (1999) 4 SCC 567.

[4] Id.

[5] Grid Corpn. of Orissa ltd. v. AES Corpn., 2002 AIR (SC) 3435.

[6] Id.

[7] State v. Mohd. Afzal & Ors., (2003) DLT 385.

[8] State v. Navjot Sandhu, AIR 2005 SC 3820.

[9] Id.

[10] Rakesh Kumar v. State, (2009) 163 DLT 658.

[11] State of Maharashtra v. Dr. Praful B. Desai, (2003) 4 SCC 601.

[12] Id.

[13] Avnish Bajaj v. State, 2008 (105) DRJ 721.

[14] Abdul Rahman Kunji v. The State of West Bengal, (2015) 1 Cal LT 318.

ABOUT THE WRITER

Shivam Sharan

Cyber Law, Law of Evidence

Admissibility of Electronic Evidence – Part I (The Progress and Vision)

Posted on 27 Nov 201827 Nov 2018 by The Law Blog

This post constitutes the first part of a three-post-series blog post dealing with the courtroom trend with respect to the development of jurisprudence with regard to the admissibility of electronic evidence.

This post (the first part) deals with the background and the problems with the admissibility of the electronic evidence where the author has given an account of the manifestation of the provision in brevity. The second part shall deal with the initial development of the jurisprudence on the admissibility of electronic evidence and pre-Anvar P.V. status. The third part shall deal with the post-Anvar P.V. status of the provision and the current scenario and conclusion of the series.

The Evidence Act, 1872[1] (hereinafter, the Act), is said to be one of the brilliant pieces of legislation drafted during the colonial era, and which is still being followed. The brilliance could be elucidated by the fact that there have not been a lot of amendments proposed to this act since the time it was framed. One of the major amendments that were brought into the Act was the inclusion of the provision dealing with the admissibility of electronic evidence.

Being a party to the UNCITRAL, India was obligated to frame a law which could govern the actions undertaken in the arena of information technology. This gave way for the framing of the Information Technology Act[2] (hereinafter, the IT Act), in the year 2000. The advent of this act legitimately governed the transactions through the internet and other acts undertaken through the electronic medium. This set the path for the use of the electronic records as evidence to prove the factum probanda. In order to accommodate such a requirement, the amendment of the Act was necessary. This amendment manifested as a provision regarding the inclusion and admissibility of electronic evidence.

Section 64[3] of the Act limits itself to the primary evidence, whereas; section 65[4] deals with secondary evidence. The adduced evidence which does not get categorized under the ambit of section 64 inevitably falls into the ambit of section 65. In the case of secondary evidences, the burden of proof lies on the party putting forth the secondary evidence. The amendments brought forth were under section 65, as, section 65A[5] and section 65B[6]. Section 65A concerned itself with the admissibility of those electronic evidences which fulfill the criteria mentioned under section 65B. Therefore, in order to adduce the electronic evidence, it should satisfy the requirements mentioned under section 65B. This work primarily will be shedding light on this very development to an extent. The work will majorly deal with the analysis of the trend in which the courts have developed the jurisprudence, with respect to the rules regarding electronic evidence. The pronouncement of some of the major cases has been taken into account and the change in course of decision by the courts will be studied.

Issues with Admissibility of Electronic Evidence

The debate around the admissibility of electronic evidence exists for a long time now, especially due to a plethora of reasons associated to the genuineness and authenticity of the evidence so provided. Some of the issues related to the same are given below:

One of the most clichéd issues is that there might be a possibility of alteration or manipulation done to the evidence between the date it came into being and the date it was produced before the court. This also forces an individual to reflect upon the fact that how much one can trust and rely upon the software or the algorithm responsible for the production of the data created.
Since electronic devices are prone to the threat of being hacked unethically, this casts upon a question on the nexus between the document so produced as evidence and the person responsible for the creation of such document.
The world today seems connected by virtue of virtual platforms of the likes of Facebook, Twitter, Snapchat, and Instagram etc. where finding the origin of the information could be difficult, and hence, relying on information extracted from such platforms also seems problematic.
Considering the aforementioned, it might also be difficult to prove that who all had access to the device which created the information/data. There have been a large number of instances where people who executed a command in a device were not the actual users of the same. This problem is also faced in computers connected to Local Area Network (LAN).
Tracking down the data through the internet has become complicated especially after the advent of the technology of cloud computing, as extracting such data might entail an obligation to follow contractual terms which will then be followed by taking proper permissions from courts of different jurisdictions.
Another issue might emerge regarding the time when the data was created, as websites usually are seen to be updated constantly. This could pose a procedural as well as a substantive difficulty.
Social media platforms have been facing the problem of fake information since its advent. Ascertaining the authenticity of the information and the place of origin is another huge problem which is faced in this law.
Admissibility of electronic evidence is also said to be responsible for diminishing the line of difference between the primary evidence and the secondary evidence. This is because the statute has opened the gate for the inclusion of a large number of evidences associated with the electronic medium to be considered as primary evidence. This is especially because of the fact that most of the data produced by the electronic devices are not in the tangible form. Now, considering the same, it might be a brilliant contention of treating a printout of a word document as secondary evidence when the word document itself is a primary one. But then, we need to understand that the production of the primary evidence becomes impossible in case of electronic evidence.
Though it is now an established conjecture that after the acceptance of electronic evidence, it has become comparatively easier to punish the perpetrators of terror attacks, due to the fact that they themselves resort to the use of advanced technology. But, it cannot be denied that such evidences are too prone to manipulation. Evidence tampering is an issue which is being faced since time immemorial, and it is even easier to introduce this when it comes to electronic evidence. Albeit the fact that the cyber forensics has come up with advanced algorithm to find out the possible tampers with evidences, but still, the area lies in the grey zone and is debatable.
It is pretty obvious that the usage of electronic devices is increasing day by day. If a positivist approach is adhered to, then it might result in a possible opening of a floodgate for the admission of all sorts of electronic data as evidence. It is another debatable issue that to what extent does the ambit needs to be relaxed in case of admissibility of electronic evidence.

[1] The Indian Evidence Act of 1872.

[2] The Information Technology Act of 2000.

[3] Supra 1, section 64.

[4] Supra 1, section 65.

[5] Supra 1, section 65A.

[6] Supra 1, section 65B.

ABOUT THE WRITER

Shivam Sharan

Critical Analysis, Cyber Law

Legal Issues Surrounding Cloud Computing

Posted on 30 Jan 201830 Jan 2018 by The Law Blog

With the explosive growth of innovations in the Information Technology industry, the Legal provisions are currently lagging behind and desperately looking for ways to cope up with the never-seen-before advancements. Cloud computing, being one of such recent advancements, have raised a number of legal issues including privacy and data security, contracting issues, issues relating to the location of the data, and business considerations.

The abovementioned issues are the primary ones faced by almost all the nations across the globe. However, when it comes to the Indian scenario, a number of additional complicated issues are faced by India owing to lack of awareness and lack of resources. With the ‘Digital India’ initiative in the news, it is obvious that more and more individuals and organisations will be using online services and infrastructure via the Cloud in the near future; and it is, therefore, necessary to analyse our position thereon and discuss whether our legal system is ready for such a revolutionary change.

The legal issues that frequently arise in the cloud are wide-ranging. However, attempting a broad generalisation, mainly four types of issues arise therein:

Privacy of data and data security
Issues relating to contractual relation between the cloud service provider and the customer
Complex jurisdictional issues, or issues relating to the location of the data and the set of laws applicable
Commercial as well as business considerations

At the outset, it may very well be clarified that though cloud computing enables the customer access to computing, networking, storage resources just like traditional outsourcing services and Application Service Providers (ASPs), it has a legal nature quite different from these two owing to its distinctive features like ‘on-demand access’, and ‘unit-based pricing’ (pay-per-use).

Privacy and data security issues:

Seemingly, the main privacy/data security issue relating to the cloud is ‘data breach’. Data breach may be in the generic sense defined as the loss of unencrypted electronically stored personal information (Buyya, Broberg, & Goscinski, 2015). A data breach can cause loss to both the provider as well as the customer in numerous ways; with identity theft and chances of debit/credit card fraud to the customer, and financial harm, loss of customer, loss of reputation, potential lawsuits et cetera for the provider.

The American law requires data breach notification to be issued of affected persons in such case of a data breach. Almost all the states in the United States now require notification of affected persons upon the occurrence of a data breach.

Talking about the Indian scenario, most of the providers are seen to attempt at lessening their risk liability in case of a data breach scenario. However, as more sensitive information is entering the cloud every passing day, businesses and corporations have started negotiating the contracts so as to insert terms that expand the contractual obligations of the providers.

Problem arises when the data is subject to more than one jurisdictions, and the jurisdictions have different laws regarding data privacy. For example, the European Union Data Privacy Directive clearly states that ‘Data cannot leave the EU unless it goes to a country that ensures an “adequate level of protection”.’ Now, although such statement makes the EU provisions easily enforceable, but it restricts the data movement thereby reducing the data efficiency.

Contracting Issues:

Clearly, licensing agreements are fundamentally different from Service agreements. Cloud essentially, in all its permutations (IaaS, PaaS, SaaS), is a service, and therefore is governed by a Service agreement instead of a Licensing agreement.

However, the main issue regarding the Cloud Service agreements is ‘contract of adhesion’. Owing to the limited expansion of Cloud Services in India, most of the time the ‘Click-wrap agreement’ model is used, causing the contract to be one of the contract of adhesion. It leaves no or little scope for negotiation on the part of the user/customer.

With the expansion of the Cloud computing, gradually the negotiation power of the large corporation will cause the Cloud Contracts to be standard and negotiated ones. However, at an individual level, this is still a far destination.

Legal provisions clearly cannot force the cloud providers to have a negotiating session with each and every customer. However, legal provisions may be made to ensure that the liability and risk responsibility clauses follow a standard pattern which compensates the user for the lack of negotiation during the formation of the contract.

Jurisdictional Issues:

Jurisdiction is the authority of a court to judge acts committed in a certain territory. Jurisdiction in case of legal issues relating to the Cloud services becomes difficult and critical because of the features of Cloud like ‘Virtualization’, and ‘Multi-tenancy’.

While virtualization ensures the requirement of less hardware and consumption of less power thereby ensuring computing efficiency, it also on the other hand makes it difficult for the cloud user or the cloud provider to know what information is housed on various machines at any given time.

Multi-tenancy refers to the ability of a cloud provider to deliver services to many individuals or organisations from a single shared software. The risk with this is that it makes it highly possible that the data of one user may be accessed in an unauthorised manner by another user since the data of various users are only virtually separated and not physically. Also, it makes it difficult to back up and restore data.

The cloud enables a great deal of flexibility in data location, which ensures maximum efficiency in data usage and accessibility. However, it creates a number of legal issues as well. It makes it quite possible a scenario that the same data may be stored in multiple locations at a given time. Now, if the multiple locations are subject to different jurisdiction and different legal system, there arises a possibility that there may be conflicting legal provisions regarding data in the two aforementioned different locations. This gives rise to most of the jurisdictional issues in Cloud computing.

Also, laws relating to confidentiality and Government access to data are different across different nations. While the Indian laws manage to strike a balance between national security and individual privacy, most of the nations do not prefer a balance and have adopted a biased view on this. Problem of conflict of laws arises herein, in such cases.

Commercial and Business Considerations:

Other commercial and business considerations like the urge to minimize risk, maintain data integrity, accessibility and availability of data as well as Service level Agreements have also significantly shaped the present as well as future of Cloud Computing in India. It also creates a number of foreseeable as well as unforeseeable issues that needs to be addressed by dedicated legislations therefor.

It is an accepted truth that Law always lags behind technical innovations, and the complexities of the Cloud innovations and related Cloud Services like Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) will force the law and legislations to catch up in order for an effective legal system that provides legal remedies to prevent and redress the resultant harms.

Raising awareness, ensuring universal access to information, and resource mobilizing are complimentary solutions that’ll never go wrong for the Indian scenario in order to add to the effectiveness of an effective legal system.

Note: This post first appeared here.

ABOUT THE AUTHOR

ANSHUMAN SAHOO
Founder, Editor-in-chief

‘Passionate!’ That’s the only word he uses to describe himself. Questioning assumptions. Challenging hypocrisies. Making the planet a better place to live in. Can be found at www.anshumansahoo.com.

Cyber Law

Deepening Roots of State-Sponsored Cyber Espionage

Posted on 7 Jun 2017 by The Law Blog

With a giant leap of technology, the concept of cyberspace emerged, demarcated by its virtual boundaries. These virtual boundaries are being penetrated through spying programmes like GhostNet, Trojan, logic-bombs or other associated malwares, shaping the concept of Cyber Espionage.

Various factors like extent and magnitude of damage caused by attacks, nature and identity of attacks and how much sensitive information is lost, play a leading role to define cyber espionage. That’s why, this concept is still devoid of any well accepted definition and different nations have their own version of cyber espionage. As per Tallinn Manual, “cyber espionage is an act undertaken clandestinely or under false pretences that uses cyber capabilities to gather information with the intention of communicating it to the opposing party.”

Increasing dependence on technology, where classified information finds its place in databases, the amount of state-sponsored espionage has also increased. Espionage is an age old state tacit, which also finds mention in Kautilya’s Arthasastra. Edward Snowden revelations in June 2013 and recent global cyber espionage incidents brought that issue on centre stage. These cyber stunts not only insult the sovereignty of a State but also lead to major economic drain.

Concerning the gravity of issue, it cannot be attached to mere incidents of technology misuse but revolves around serious politico-legal repercussions. Cyber espionage has the potential to steal trade secrets, valuable intellectual property as well as confidential information regarding a nation’s security system. Leading members of world fraternity are being accused of crossing their red line in the virtual space. Russia, China and America are proclaimed as most notorious violators of cyber ethics. Though, it would be a great folly to limit these violations only to few standard countries. In the secret cover of screens, many countries around the world are committing cyber-espionage.

Demands are being raised by various national groups to declare it a warfare activity. International law is still trying to establish a basic framework to encounter this global challenge. Ingredients that constitute offence and defence are shaping themselves in the umbrella of international law. As per Tallinn Manual, cyber space being the sovereign territory gives rise to a legitimate logic of treating cyber attacks with same seriousness as attacks on physical territory. Thus, victim nations shall be entitled to justice and reparations under the ambit of international law and propounds evolution of law thereto.

It goes without any doubt that implications of cyber espionage are indeed severe and concept like cyber warfare can take shape as a natural consequence. However, certain section of experts rejects the claims of cyber warfare in Toto. They declare that cyber attacks are too disorganised and disjointed to take shape of real war. Owing to constant media coverage, public perception hints towards the escalation of cyber attacks into full-scale war. The reality check rejects all these perception because the scale of these attacks is less than 4%. Public perception is being shaped by media as well as politics. One can sensitise the issue and broadcast a productive story while others can direct public policy in lieu of combating cyber espionage. However, barring the equation of cyber espionage with warfare, cyber attacks do deserve a legal sensitive framework governing the international fraternity.

ABOUT THE AUTHOR

DEEPIKA SANGWAN

Deepika Sangwan is a second-year student at Army Institute of Law, Mohali. She is an Editor at college magazine ‘AILITE 2016-2017’. She believes that writing gives clarity & depth to one’s thoughts. Apart from decorating facts with reasoning, cycling is her favourite pass time.

Cyber Law

Beware of the Hacker!

Posted on 21 Mar 201712 Mar 2017 by The Law Blog

A friend was pissed off recently because he was informed by others of unusual posts from his Facebook account. He had been offline for sometime only to be called back with abnormal activity happening on his wall. A rant from him partly read as follows,

“Am sorry friends for all the posts on your walls in my name. Please know that am not responsible. Some fellow has hacked my account and is out to spoil my good name. Am fixing things and hope to find this fellow.”

Well, my friend was not the first one to have their Facebook account hacked. I had seen several complaints from different people, even from other social media platforms. Thing is, the culprits are in most cases never found and so, after the owners of the accounts have fixed things and changed their privacy settings, the incidents are soon forgotten and life goes on.

Hacking is just but one form of cyber crime, maybe the most common and yet the one that people mostly brush off as not being serious, despite the serious consequences that come with it. The definitions of cyber crime vary largely because of the vast forms it takes as well as the jurisdictions. However, what remains constant in those various definitions is the fact that the computer, computer system or internet is often involved either as a target or a medium of committing the crime.[1] In this blog post though, I will restrain myself to hacking as an offence and why any hacker out there should think twice before continuing with their acts.

A straight forward definition of hacking is the use of a computer to gain unauthorized access to data in a system. Norton classifies hacking as a type 1 cyber crime done where hackers take advantage of the flaws in a computer system to carry out a crime.[2] Hackers hack into computer databases for various reasons, including facilitation of identity theft to be able to commit other crimes, to defraud corporations or individuals as well as hacking government databases to expose state secrets.[3]

In the UK, hacking is an offence under the Computer Misuse Act of 1990. This is provided for by Section 1 of the Act which provides for unauthorized access to computer material, which hacking is part of. The Police and Justice Act of 2006 made some amendments to sections 1-3 of the Computer Misuse Act making the maximum sentence the offence of unauthorized access to computer material to be two years. The Indian Information Technology Act of 2000 under section 65 provides for 3 years imprisonment or a fine of up to 2 Iakhs or both for the offence of tampering with computer source documents which hacking is part of.

In the US, hackers are punished for their acts by a number of different crimes depending on the varying circumstances under which the crimes were committed as well as par the different computer crime statutes available. The penalties include imprisonment of between six months and twenty years depending on the statute under which one is found liable and the veracity of the crime as well as fines between $ 1000 to $15000 or both the prescribed fine and imprisonment.

Advances in technology coupled with increased internet use are some of the reasons hacking has become common across the globe. Criminals have thus realized that they need not be physically present at a place to commit whatever crimes they want and are thus hiding behind keyboards and doing so much mischief. Some do it for fun; just to show others how good they are with technology. This is why more and more governments have or are coming up with laws to curb hacking and protect themselves as well as their subjects from the acts of hackers.

Most forms of cyber crime, hacking included have a concept of being borderless, that is, they can be committed in a different country and the effects are felt in another country. With this concept may arise the problem of jurisdiction, especially so where one country lacks provisions on a form of cyber crime. This is the reason international and regional instruments such as the Budapest Convention and the African Union Convention on Cyber Security and Personal Data Protection encourage cooperation between states in the prosecution of cybercrimes and other computer related crimes.

It goes without saying therefore that you ought to take hacking seriously as an offence punishable under law just in case you were not. One may ask why it is an offence, and here is the reason. Hacking is a breach to key human rights such as the right to privacy and right to property because most of the information targeted by hackers is private and confidential which they use against their victims. Also, the property being violated does not belong to the hacker and hence hackers interfere with the real owner’s right to enjoy the ownership and use of their property.

[1] <https://cybercrime.org.za/definition> accessed on 9/3/2017

[2] <https://us.norton.com/cybercrime-definition > accessed on 9/3/2017

[3] <www.inbrief.co.uk/offences/hacking-of-computers/> accessed on 10/3/2017

ABOUT THE AUTHOR

DEBORAH MULEMIAH

Deborah Mulemiah is currently a postgraduate diploma in Law at the Kenya School of Law. Passionate about law and literature.