Under the IT Act, a subscriber must extend all facilities and technical assistance to decrypt the information. A ‘subscriber’ is defined under Sec. 2(zg) as a person in whose name the Digital Signature Certificate is issued. In default, a subscriber shall be punished with an imprisonment for a term which may extend to seven years. I believe that this forced disclosure of encrypted data violates the constitutional proscription against self-incrimination under Art. 20(3). First, the term subscriber is wide enough to include individuals ‘accused of any offence.’ Second, the disclosure envisaged in Sec. 69(2) is self-incriminatory. It is in this second string that I agree with and adopt Abhinav’s reasoning.
A subscriber includes an Individual ‘Accused of Any Offence.’
Keeping in mind the broad character of the constitutional guarantee against self-incrimination, this Court has interpreted the phrase ‘accused of any offence’ to include persons other than those who are formally accused. In Shah v. Guha (AIR 1973 SC 1196), the Court clarified that an accused includes a person against whom a complaint has been lodged with the police in the form of a first information report. In fact, in Nandini Satpathy v. PL Dani (AIR 1978 SC 1025, para 46), the Court unambiguously went further to state that even those suspected of an offence may claim the privilege against self-incrimination.
A catena of cases have categorically held that Art. 20(3) extends to the anterior stages of the investigative process as well, before a case is presented to the Court. Indeed, a contrary interpretation would render the protection in Art. 20(3) rather weak. (Kathi Kalu Oghad, supra, pg. 26-28; State (N.C.T. of Delhi) v. Navjot Sandhu @ Afsan Guru, 2005 Cri LJ 3950; Directorate of Enforcement v. Deepak Mahajan and Anr., 1994 Cri LJ 2269; and Balkishan A. Devidayal v. State of Maharashtra, 1980 Cri LJ 1424).
Accordingly, I believe than an accused, as defined above, may be a subscriber under the Act, i.e. if information pertaining to the alleged crime by the accused is contained in a digital resource protected by an encrypted key in the possession of the accused. In such cases, Sec. 69 mandates the disclosure of encrypted information by the accused himself, which clearly brings it within the ambit of Sec. 20(3).
The disclosure envisaged in Sec. 69(2) is self-incriminatory.
This section of the argument proceeds in line with Abhinav’s argument. As he points out, Article 20(3) incorporates a guarantee against testimonial compulsion (M.P. Sharma v. Satish Chandra,  SCR 1077, pg. 1087-88). There, the Court noted that ‘every positive volitional act which furnished evidence is testimony’. This was met with approval in Kathi Kalu Oghad, supra, by the majority (pg. 26-28) and minority (pg. 40).
To add to Abhinav’s reasoning, I refer to the European Court of Human Rights decision in Funke v. France, ( 1 CMLR 897 25) which (in a brilliantly explained judgment) specifically supported this construction – noting that the evidence must have an existence independent of the will of the suspect (Funke clarifies and follows the Saunders test).
Abhinav refers to the question of intangibility of the evidence; and the absence of an independent physical existence. To add to that, one must remember that a password or encryption key has an existence which depends upon the will of the accused, in that if he refuses to or is unable to disclose it – the password does not exist anymore. Unlike the key-drawer example, where a refusal to disclose would not render its existence defunct, a refusal to disclose an encryption key or password have a markedly different effect in fact. Indeed, many have argued for the extension of rules applicable to physical evidence in case of digital evidence as well, by analogy and implication. However, as with other areas of law, one cannot simple extend rules operating in the physical realm to digital developments given the conceptual difference – which is demonstrated here by diametrically opposite factual consequence of a failure to obey on the existence of the information itself.
Moreover, in Selvi, the Court recognized Oghad, supra, as the controlling precedent and reiterated the two main premises for defining ‘testimonial compulsion’: “The first is that ordinarily it is the oral or written statements which convey the personal knowledge of a person in respect of relevant facts that amount to `personal testimony’ thereby coming within the prohibition contemplated by Article 20(3). In most cases, such `personal testimony’ can be readily distinguished from material evidence such as bodily substances and other physical objects. The second premise is that in some cases, oral or written statements can be relied upon but only for the purpose of identification or comparison with facts and materials that are already in the possession of the investigators.” Thus, even if the password in itself is not testimonial evidence, the act of disclosing it is testimonial as it reveals the personal knowledge of the suspect, which can be distinguished from independently existing material and physical objects of facts used for purposes of comparison and identification. Indeed, this distinction between testimonial facts and physical evidence is expressly recognized by the Supreme Court in Selvi, supra, para 137, as also the American Supreme Court in Armando Schmerber v. California, 384 US 757 (1966).
Further, Sec. 69(2) mandates the disclosure of information by an accused, which may include incriminatory evidence. In this regard, I believe that the testimonial evidence in question is two-fold: First, the information itself being revealed by the accused could have a “tendency of incriminating the accused” or disclose a “guilt character” (Oghad, supra, pg. 128). In Selvi, supra, the Court noted that the relevant consideration for extending the protection of Article 20(3) is whether the materials are likely to lead to incrimination by themselves or furnish a link in the chain of evidence which could lead to the same result. In this context, disclosure of the contents of a data resource by the accused could include incriminatory evidence. The fact that at the time of disclosure, the authorities are not aware of whether the information will be inculpatory or exculpatory is irrelevant (Selvi, para 130). This, indeed, is recognized – as Abhinav points out – in In re Boucher as well.
The operation of Article 20(3) to such forms of evidence is to be closely analyzed. Given the pervasive nature of digital information, I believe that the competing interests of self-incrimination and assistance of investigative authorities must be re-considered wholly, rather than blindly extending traditional analogies to these developments.
Raag Yadava studies law at the National Law School of India University, Bangalore