New Forensics

The widespread use of digital technologies has given law enforcement brand new opportunities to use sophisticated tools for detecting crimes. That said, simply because technology has opened up new pathways for investigation does not mean that we should use them in ways that violate personal privacy.

This article first appeared in the Mint. You can read the original here. If you would like to receive these articles in your inbox every week please consider subscribing by clicking on this link.

In 2011, the US Federal Bureau of Investigation identified Timothy Carpenter as the ringleader of a string of armed robberies in Michigan and Ohio. Instead of obtaining a search warrant to gather evidence, they chose to obtain a court order compelling his mobile carrier to hand over cell-site location data. This allowed investigators to review Carpenter’s digital history—across a total of 12,898 separate location points—and map his precise movements over a four-month period. Armed with this data, the prosecution was able to place him at the scene of the robberies using his own cellphone data and secure a conviction.

New Approaches to Investigation

The digital trails we leave behind have given law enforcement new ways to investigate crimes. In addition to location information (used in the Carpenter case), sleuths can access a range of other data sources, such as messages exchanged and digital payments made, to uncover criminal activity that would have otherwise gone undetected. While governments around the world have moved aggressively to expand their surveillance capabilities, the methods they are adopting threaten long-standing constitutional protections.

The UK Home Office, under the Investigatory Powers Act, recently required mobile phone companies to ensure that their devices can decrypt user data on request, forcing manufacturers to weaken end-to-end encryption on devices sold in the UK. France’s Senate recently attempted to pass an amendment to its Justice Bill requiring messaging platforms to create technical backdoors that would allow the police to read encrypted messages during investigations. France later became the primary backer of the EU’s ‘Chat Control’ initiative, which requires platforms to scan messages before they are encrypted. If potentially illegal content is detected, the message is blocked and the user reported.

These attempts at making the most of what technology has to offer will likely face stiff opposition from courts. When the Carpenter case reached the US Supreme Court, Chief Justice Roberts held that warrantless seizure was unconstitutional, observing that such access allows the government to “travel back in time to retrace a person’s whereabouts.” While courts are yet to rule on the recent initiatives in the UK and France, the European Court of Justice has previously held laws requiring telecom companies to retain metadata on all their users as invalid. Germany’s Federal Constitutional Court extended this logic to algorithmic policing, preventing the police in Hesse from deploying Palantir software to identify crime.

India’s regulatory trajectory mirrors these global trends, raising similar constitutional concerns. Amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules that require significant social media intermediaries to “enable the identification of the first originator of information” on request have been challenged before the courts on the ground that in order for messaging platforms to comply, they would need to disable end-to-end encryption. Indian tax authorities have, in a similar vein, issued notices to payment aggregators and third-party application providers, directing them to furnish UPI transaction data to identify unregistered merchants and potential tax defaulters.

Both these initiatives will need to pass the four-fold test laid down in Puttaswamy vs Union of India, India’s seminal right-to-privacy judgement. One of the four prongs of the test is necessity, under which the government must establish that these legislative measures are the least restrictive means available to achieve its stated objective. Broad and non-specific data requests that apply en masse to everyone in the country without reasonable cause or suspicion are unlikely to pass muster. They cast an excessively broad net that has the effect of treating “every resident of the country as a suspicious person.” As held by the Supreme Court, the mere possibility of misuse by a few individuals does not warrant sweeping intrusion into the private lives of the entire population.

New Forensic Tools

Even though ubiquitous digitization has made it possible for law enforcement agencies to deploy new mechanisms of forensic investigation, since most democracies guarantee their citizens the right to personal privacy, these tools cannot be deployed en masse over the entire population in order to identify the few among them who might be guilty of a transgression. As a result, even though criminals may be taking full advantage of these new technologies to carry out crimes that would not have been possible had it not been for what the digital realm has enabled, law enforcement cannot respond with measures that undermine constitutional safeguards.

What they must do instead is develop forensic tools suited to the digital age. Techniques such as differential privacy, secure multi-party computation and anomaly-detection algorithms can reveal behavioural patterns in aggregated data-sets without exposing individual identities. It is only if such an analysis raises a suspicion of wrongdoing that investigators should be allowed to request access to personal information.

This requires a shift in institutional mindset and a willingness to embrace investigative techniques that protect the innocent while enabling effective policing. These methods may operate differently from traditional surveillance, but they adhere far more closely to constitutional principles and the values of a democratic society.