India’s cyber infrastructure needs more than patches

There has been a steady spike in cases of cybercrime in the last five years. According to the National Crime Records Bureau (NCRB), from 12,317 cases of cybercrime in 2016, there were 50,035 cases registered in 2020. In India, cybercrime is increasing with the increased use of information and communication technology (ICT). However, despite this alarming trend, the capacity of the enforcement agencies to investigate cybercrime remains limited.

As far as the admissibility of electronic evidence is concerned, though there were some conflicting judgments of the Supreme Court of India earlier, the law was finally settled in Arjun Pandit Rao Khotkar vs Kailash Kushanrao Gorantyal & Ors. The Court held that a certificate under Section 65B(4) of the Indian Evidence (IE) Act was a mandatory pre-requisite for the admissibility of (secondary) electronic record if the original record could not be produced.

Also Read

With ‘police’ and ‘public order’ being in the State List, the primary obligation to check crime and create the necessary cyberinfrastructure lies with States. At the same time, with the IT Act and major laws being central legislations, the central government is no less responsible to evolve uniform statutory procedures for the enforcement agencies. Though the Government of India has taken steps that include the setting up of the Indian Cybercrime Coordination Centre (I4C) under the Ministry of Home Affairs to deal with all types of cybercrime, much needs to be done to plug the infrastructural deficit.

No procedural code

There is no separate procedural code for the investigation of cyber or computer-related offences. As electronic evidence is entirely different in nature when compared with evidence of traditional crime, laying down standard and uniform procedures to deal with electronic evidence is essential. The broad ‘guidelines for the identification, collection, acquisition and preservation of digital evidence’ are given in the Indian Standard IS/ISO/IEC 27037: 2012, issued by the Bureau of Indian Standards (BIS). This document is fairly comprehensive and easy to comprehend for both the first responder (who could be an authorised and trained police officer of a police station) as well as the specialist (who has specialised knowledge, skills and the abilities to handle a wide range of technical issues). The guidelines, if followed meticulously, may ensure that electronic evidence is neither tampered with nor subject to spoliation during investigation.

A significant attempt has been made by the higher judiciary in this field also. As resolved in the Conference of the Chief Justices of the High Court in April 2016, a five-judge committee was constituted in July 2018 to frame the draft rules which could serve as a model for the reception of digital evidence by courts.

The committee, after extensive deliberations with experts, the police and investigation agencies, finalised its report in November 2018, but the suggested Draft Rules for the Reception, Retrieval, Authentication and Preservation of Electronic Records are yet to be given a statutory force.

Shortage of technical staff

Second, there have been half-hearted efforts by the States to recruit technical staff for the investigation of cybercrime. A regular police officer, with an academic background in the arts, commerce, literature, or management may be unable to understand the nuances of the working of a computer or the Internet. He can at best, after proper training, act as a first responder who could identify digital evidence and secure the scene of crime or preserve digital evidence till the arrival of an expert. It is only a technically qualified staff who could acquire and analyse digital evidence.

It is relevant here to mention that the Court, during the trial of the infamous State of Goa, through C.I.D. C.B., North Goa, Goa. vs Tarunjit Tejpal took objection to the fact that the investigating sub-inspector, who seized the relevant CDs, did not know the meaning of the term ‘hash value’.

Similarly, in the Aarushi murder case of Noida, reported as Dr. (Smt.) Nupur Talwar vs State of U.P. and Anr., the Allahabad High Court observed that the Indian Computer Emergency Response Team (CERT-IN) expert was not provided with the details of the Internet logs, router logs and laptop logs to prove whether the Internet was physically operated on the fateful night. Even the certificate under Section 65B of the IE Act (which is statutorily required), was undated, and hence rejected by the trial court.

Therefore, it is essential that State governments build up sufficient capacity to deal with cybercrime. It could be done either by setting up a separate cyberpolice station in each district or range, or having technically qualified staff in every police station.

Further, the Information Technology (IT) Act, 2000 insists that offences registered under the Act should be investigated by a police officer not below the rank of an inspector. The fact is that police inspectors are limited in number in districts, and most of the field investigation is done by sub-inspectors. Therefore, it will be pragmatic to consider a suitable amendment in Section 80 of the Act and make sub-inspectors eligible to take up investigation of cybercrimes.

Upgrade cyber labs

Third, the cyber forensic laboratories of States must be upgraded with the advent of new technologies. Offences related to crypto-currency remain under-reported as the capacity to solve such crimes remains limited. The central government has proposed launching a digital rupee using blockchain technology soon. State enforcement agencies need to be ready for these technologies. The Centre helps in upgrading the State laboratories by providing modernisation funds, though the corpus has gradually shrunk over the years. While most State cyber labs are sufficiently equipped to analyse hard disks and mobile phones, many are yet to be notified as ‘Examiner of Electronic Evidence’ (by the central government) to enable them to provide expert opinion on electronic records. Since there is now a state-of-art National Cyber Forensic Lab and the Cyber Prevention, Awareness and Detection Centre (CyPAD) of the Delhi Police, there may be an extension of professional help to States in getting their labs notified.

Need for localisation

Most cybercrimes are trans-national in nature with extra-territorial jurisdiction. The collection of evidence from foreign territories is not only a difficult but also a tardy process. India has extradition treaties and extradition arrangements with 48 and 12 countries, respectively. In most social media crimes, except for the prompt blocking of an objectionable website or suspect’s account, other details do not come forth quickly from large IT firms. Therefore, ‘data localisation’ must feature in the proposed Personal Data Protection law so that enforcement agencies are able to get timely access to the data of suspected Indian citizens. Also, the police still get CyberTipline reports on online Child Sexual Abuse Material (CSAM) from the U.S.’s non-profit agency, the National Center for Missing & Exploited Children (NCMEC). It would be a step forward if India develops its in-house capacity and/or makes intermediaries accountable to identify and remove online CSAM for immediate action by the police.

In fact, the Centre and States must not only work in tandem and frame statutory guidelines to facilitate investigation of cybercrime but also need to commit sufficient funds to develop much-awaited and required cyber infrastructure.

R.K. Vij is a former Special Director General of Police of Chhattisgarh. The views expressed are personal