India’s cyberinfrastructure needs more than fixes

There has been a steady increase in cybercrime cases over the past five years. According to the National Crime Records Bureau (NCRB), from 12,317 cybercrime cases in 2016, there were 50,035 recorded cases in 2020. Cybercrime in India is increasing with increased use of information and communication technology (TIC). However, despite this alarming trend, the ability of law enforcement agencies to investigate cybercrime remains limited.

Regarding the admissibility of electronic evidence, although there were conflicting judgments from the Supreme Court of India earlier, the law was finally settled in Arjun Pandit Rao Khotkar v Kailash Kushanrao Gorantyal & Ors. The Court held that a certificate under Section 65B(4) of the Indian Evidence Act (IE) was a mandatory prerequisite for the admissibility of an electronic (secondary) record if the original record could not be produced.

Read also

With “police” and “public order” on the list of states, the primary obligation to control crime and create the necessary cyber infrastructure rests with states. At the same time, since the Computer Law and major laws are central legislations, the central government is nonetheless responsible for developing uniform statutory procedures for enforcement agencies. Although the Government of India has taken steps including the establishment of the Indian Cybercrime Coordination Center (I4C) under the Ministry of Home Affairs to deal with all types of cybercrime, there is still a lot to be done. to fill the infrastructure gap.

No procedure code

There is no separate procedural code for investigating cybersecurity or computer related crimes. Since electronic evidence is completely different in nature from traditional crime evidence, it is essential to establish standard and uniform procedures for handling electronic evidence. “General guidelines for the identification, collection, acquisition and preservation of digital evidence” are given in the Indian standard IS/ISO/IEC 27037:2012, published by the Bureau of Indian Standards (BIS). This document is quite comprehensive and easy to understand for both the first responder (who may be an authorized and trained police officer from a police station) and the specialist (who has specialized knowledge, skills and abilities to manage a wide range of technical issues). The guidelines, if followed carefully, can ensure that electronic evidence is not tampered with or subject to misappropriation during the investigation.

A significant attempt has been made by the higher judiciary in this area as well. As decided at the Conference of Chief Justices of the High Court in April 2016, a committee of five judges was constituted in July 2018 to develop the draft rules which could serve as a model for the receipt of digital evidence by the courts.

The committee, after extensive deliberations with experts, police and investigative agencies, finalized its report in November 2018, but proposed draft rules for the receipt, retrieval, authentication and retention of electronic records has not yet received legal force.

Shortage of technical staff

Second, states have made tentative efforts to recruit technical personnel to investigate cybercrime. An ordinary police officer, with a college education in the arts, commerce, literature, or management, may be unable to understand the nuances of how a computer or the Internet works. He can at best, after proper training, act as a first responder who could identify digital evidence and secure the crime scene or hold digital evidence until an expert arrives. Only technically qualified personnel can acquire and analyze digital evidence.

It is pertinent here to mention that the Court in the trial of the infamous State of Goa through CIDCB, North Goa, Goa. vs. Tarunjit Tejpal disputed that the sub-inspector in charge of the investigation, who seized the affected CDs, did not know the meaning of the term “hash value”.

Similarly, in Aarushi Murder Case of Noida, reported as Dr (Smt.) Nupur Talwar vs State of UP and Anr., Allahabad High Court observed that the expert of the India’s Computer Emergency Response Team (CERT-IN) had not received details from internet logs, router logs and laptop logs to prove whether the internet was physically exploited on the fateful night. Even the certificate under Section 65B of the IE Act (which is required by law) was not dated and was therefore rejected by the trial court.

Therefore, it is essential that state governments put in place sufficient capacity to deal with cybercrime. This could be done either by creating a separate cyber police station in each district or sector, or by having technically qualified personnel in each police station.

In addition, the Information Technology (IT) Act 2000 insists that offenses recorded under the Act must be investigated by a police officer not of the rank less than that of inspector. The fact is that police inspectors are in short supply in the districts and most field investigations are carried out by sub-inspectors. Therefore, it will be pragmatic to consider an appropriate amendment to Section 80 of the Act and make sub-inspectors eligible to investigate cyber crimes.

Upgrade cyber labs

Third, state cybercrime labs need to be modernized with the advent of new technologies. Cryptocurrency-related offenses remain underreported as the ability to solve such crimes remains limited. The central government has proposed to launch a digital rupee using blockchain technology soon. State law enforcement agencies need to be ready for these technologies. The Center contributes to the upgrading of state laboratories by providing modernization funds, even though the corpus has gradually shrunk over the years. While most state cyber labs are sufficiently equipped to analyze hard drives and cell phones, many have not yet been notified as an “electronic evidence examiner” (by the central government) to allow them to provide expert advice on electronic records. Since there is now a state-of-the-art National Cybercrime Laboratory and the Delhi Police’s Cybercrime Prevention, Awareness and Detection Center (CyPAD), there could be an extension of professional help States to have their laboratories notified.

Need for localization

Most cybercrimes are transnational in nature with extraterritorial jurisdiction. Collecting evidence from foreign territories is not only a difficult process but also a slow one. India has extradition treaties and extradition agreements with 48 and 12 countries, respectively. In most social media crimes, with the exception of quickly blocking an objectionable website or a suspect’s account, other details are not promptly released by major IT companies. Therefore, “data location” must be included in the proposed Personal Data Protection Act so that law enforcement authorities can timely access the data of suspected Indian citizens. In addition, police are still receiving CyberTipline reports of online child sexual abuse material (CSAM) from the US non-profit agency, the National Center for Missing & Exploited Children (NCMEC). It would be a step forward if India developed its internal capacity and/or made intermediaries responsible for identifying and removing CSAM online for immediate action by the police.

In fact, the Center and States must not only work in tandem and develop statutory guidelines to facilitate cybercrime investigations, but must also commit sufficient funds to develop the long-awaited and necessary cyberinfrastructure.

RK Vij is a former Special Director General of Chhattisgarh Police. Opinions expressed are personal