“Most of the crimes that we are facing today have a technological aspect associated with them…which cannot be resolved by the state alone. States often demand data, which has a lot of insight, so it has become extremely core concern between the state and the service provider, and other entities to make sure that this data flows from private agencies to the state agencies and can help them with the investigation of cybercrime” noted Sukanya Thapliyal from Centre for Communications Governance (CCG) at MediaNama’s MarketsNama conference on May 19, 2023.
Thapliyal was speaking as one of the panelists about the kinds of assistance and data that law enforcement agencies seek from companies or service providers during the investigation of different crimes. The session mainly focused on the encounters between law enforcement entities and companies and how it attracts criminal liability for business stakeholders.
FREE READ of the day by MediaNama: Click here to sign-up for our daily newsletter with the top story of the day delivered daily before 9 AM in your inbox.
For context: Section 69 of the Information Technology Act allows government authorities to issue directions to monitor and decrypt information on a computer resource for reasons including national security and “defence of India”. Further, Section 69B also allows authorities to monitor and collect traffic data from computer resources for cybersecurity. Under these sections, intermediaries or service providers are obligated to provide the data and assistance demanded by the law enforcement agencies as per prescribed procedures, failing which they would be held criminally liable.
Among other things, the speakers pointed out various challenges that service providers face when they have to meet requirements of the law enforcement and the issues that need attention in the upcoming Digital India Act (DIA).
MediaNama hosted this discussion with support from Salesforce, Google and Mozilla. Internet Freedom Foundation, and our community partners, the Centre for Internet and Society and Alliance of Digital India Foundation.
Key challenges in the law enforcement process:
A. Access to data: Thapliyal highlighted that most of the time, government agencies demand data and “expedited preservation” of stored computer data or “access to metadata, traffic data, even it can go as high as access to content data as well”. “So, that remains a bit of contention between the entities, including instances wherein state agencies might require technical resources from the service providers,” she added. Venkatesh Krishnamoorthy from BSA, The Software Alliance, a panelist at the session, pointed out, “Both content and non-content data are being asked in the same sort of weight and it’s tough to give access to both.”
B. Five major operational roadblocks: Krishnamoorthy raised five major points for both the entities:
- Privacy of individuals: According to Krishnamoorthy, “Without strong privacy protection, there are a lot of challenges that companies face to give access to some kinds of data. The demand for such data, he says, is only increasing, and since everything is online, companies get called out quite easily.”
- No clarity about the data sought: He states that government requests for data are not narrowly tailored, which presumably means that companies have to give in to broad requests. He adds that government may ask for metadata, but informally other information is also sought, and the demarcation of data requests is not very clear; this is something, he states, the government is also trying to figure out. “So, one right reason is to understand how quick can the entity act. The government is not aware. Whereas there is a hanging thread timeline, for example, in the CERT-In guidelines is six hours. So, the companies also find it really challenging to respond to some requests. So, there is a constant dialogue on all of this. The government is also trying to understand what can be done within six hours,” the panelist added.
- Scope of requests: According to Krishnamoorthy, law enforcement agencies are trying to access data predominantly from across borders, and 85 percent of the crime and forensics data is digital. “That is a challenge they are trying to address through legislation, and so that sort of collaboration is required across borders,” he adds.
- No clarity over where to ask for what data: The panelist observes that the government requests for data are often sent en-masse, meaning all intermediaries like cloud service providers, hosting services, and the platforms are subject to such data requests, without any sub-categorisation of the data sought from a specific entity. “It is challenging for the government to identify how do I get access to this data, what kind of data can I get access to from this particular entity,” he adds.
- Transparency: “Trust is the single operating currency for technology service providers with their consumers. The more we lose trust in this dialogue with the government or law enforcement agencies, the more they are going to distrust the digital platform,” Krishnamoorthy states.
C. Emerging tech: Atul Kumar from the Data Security Council of India, another panelist at the session, adds that technological evolution and with it, the sophistication of cybercrimes is adding to the complexities. He states that not every investigation officer will keep up with the pace at which changes are occurring, and the lack of awareness will majorly affect the process of investigation, thereby hurting the rights of the individuals as well as the service providers in some cases. For example, Section 66A is struck down by the Supreme Court but there are cases wherein the police still file cases under the provision.
But, as MediaNama Editor Nikhil Pahwa questioned, “An adage often used for citizens is that the ignorance of the law is not an excuse. Why shouldn’t this apply to law enforcement?” The panelist responded that the problem is more about awareness and not the law. He added that there should be some kind of safeguards for these entities in the DIA, which is currently absent in the IT Act.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
Also Read:
“Should There Be Safe Harbour At All?”: 30 Talking Points From The Digital India Act Consultation
Video: MarketsNama 2023, Delhi, 19th May
How The IT Act Allows The Indian Government To Spy On Internet Connections
