On the morning of October 3, the Delhi police conducted numerous home searches throughout the capital city, confiscating the mobile phones and laptops of journalists, activists, and satirists associated with the news outlet NewsClick. Among those raided were NewsClick editor-in-chief Prabir Purkayastha, journalists Abhisar Sharma, Bhasha Singh, Urmilesh and others.
Reportedly, the police action came in response to a case against NewsClick and Purkayastha days after the New York Times alleged that the news portal received funding from American tech mogul Neville Roy Singham for pushing Chinese propaganda.
But do current laws permit raids for search and seizure without a warrant? And what rights do individuals have when confronted with such actions by law enforcement? BOOM spoke to experts who provided technological and legal guidance for journalists to protect their digital information at a time of growing police searches.
What does the law say?
As per the law, the police can lawfully confiscate and search the phones of a suspect once they have obtained a search warrant. The Code of Criminal Procedure (CrPC), 1974 allows any police officer to seize property if it's believed to be stolen or if it's found under suspicious circumstances related to a crime.
To obtain a search and seizure warrant, the police must also demonstrate how the phone is connected to the alleged offense before taking it into custody. Furthermore, they are required to promptly notify the jurisdictional magistrate once the phone has been seized.
Mishi Choudhary, a technology lawyer, told BOOM that, as of now, a petition is pending before the Supreme Court of India on the issuance of guidelines for search and seizure of digital devices. According to her, current laws are wide and give maximum discretion to police and courts to authorise seizing anything with even remote relevance.
She added, "Courts have been incorrect in the enforcement of rules of evidence and criminal procedures when it comes to devices that hold all of a person's data on matters entirely unrelated to the allegations."
Choudhary pointed out that the Karnataka High Court has issued some guidelines in this regard. Some of these guidelines are as follows:
- Police cannot force an accused to provide a password to open a smartphone and email account.
- There is at least a minimum requirement of having a forensic examiner accompany police when carrying out such search and seizure.
- Only the examiner, not police officers, can look into devices.
- Photos have to be taken to capture the state of the computer, wires, etc., and every stage of looking into the device.
- Take mobile phones and put them in a Faraday bag.
A Faraday bag is a specially designed pouch or container that is made of materials that block electromagnetic signals, such as radio waves, Wi-Fi, Bluetooth, and cellular signals. These bags are used to shield electronic devices like smartphones and laptops from outside electromagnetic interference or to prevent them from emitting signals that could be tracked or hacked remotely.
Digital security tips
Speaking to BOOM, security researcher Karan Saini shed light on some essential tips for securing digital communications and devices in various scenarios, including where they may be confiscated, illegally retained or threatened with destruction.
Use strong passwords
Saini advocated for a strong password for maintaining digital security. He said, "Fingerprints can be requested or taken forcefully to unlock devices, as they fall under physical evidence. Use a password or passphrase to secure access to your devices."
He advised against writing passwords down on paper or as a note on the phone, using common words (like "password", "Computer", "computer1", "Computer!" or "Computer123") as passwords, or using passwords related to any known family, interests/hobbies or date of birth.
He also recommended using a password manager such as Bitwarden or KeePass for generating, storing and retrieving account passwords. "Using a password manager makes it more convenient to use unique passwords for different services," he added.
Use two-factor authentication (2FA) for an additional layer of protection for accounts
Most popular online services support 2FA, as it provides effective protection against common password attacks, such as those that exploit weak or reused passwords.
He said, "The most popular form of second factor is the SMS OTP. Unfortunately, SMS-based OTP suffers from many security drawbacks like SIM confiscation or wiretapping." Other options available include Google Authenticator, Microsoft Authenticator, Google Prompt and Duo Push.
Saini said, "Yet, most two-factor methods themselves are susceptible to phishing. If you are really paranoid or need the highest security you can get a hold of, you should get Security Keys."
Vigilance while allowing third-party apps access to data
According to Saini, one must pay close attention when granting apps access to one's data. "For example, if a bus ticket booking app asks for access to your Contacts List, you should ask yourself whether this is reasonable or not," he said.
Moreover, Facebook, Google and other API providers also provide tools for reviewing the third-party apps that have access to our data. One must review them periodically and revoke access to apps that are no longer in use.
Security for social media
One must disable syncing of contacts, as contact information can be compromised through sync with Facebook or Twitter, and enable 2FA on social media accounts. "Two-way conversations can be compromised from either end, so when communicating sensitive details with someone else, make sure that they too are following basic operational security procedures," said Saini.
Document storage
Saini suggested using Google Takeout for maintaining offline backups instead of online ones, as it allows us to retain more control. "If online backups must be made, make sure to use a reputed service which can also guarantee the security, integrity and privacy of uploaded data," he said.