The number of incidents involving third parties such as ethical hackers in criminal and civil investigations is on the rise. More than ever, I have been dealing with cases of blatant violation of the rights of individuals where proper procedures are not followed.
Today, let me talk to you about a recent case that I have been working on. My client is a lady who is a director of an international fashion firm. She left an earlier employer, a fashion and model coordination company which is popular and pretty well known in the fashion circuits. She was slapped with a case of data theft as an act of revenge by her employers. The local police station was bought out and they started gunning for her to be arrested. Even Section 420 of IPC was added to make the whole thing non-bailable. According to the Hon. Supreme Court’s recent judgment, no one should be arrested for a crime which has a punishment below 7 years of imprisonment unless the accused is absconding, not cooperating, is a threat to society etc. The Supreme Court in another case has held that the IT Act, 2000 is a Special Act, hence sections of another Act for the same crime will not be applicable unless an offense in the IT Act is made out.
Let’s leave this apathy of police. They are a service organisation giving service to the wrong end of the society and this is nothing new. What police did next is that they called a private forensics guy from Pune, who confiscated and kept the accused lady’s laptop in his custody to perform forensics and find data that could suggest her involvement. This can be called a blatant violation of chain of custody under the Indian Evidence Act, i.e., a private investigator handling the evidence and thereby arguably tampering with or vitiating it. This ends up in such evidence not being accepted in the courts of law merely for non-adherence to the chain of custody and probable intention to maliciously tamper with data on the laptop.
The interference of the private forensics guy amounts to destruction or tampering of evidence, which in itself is a non-bailable offence. Now the heart of this article is what happens next. This influential complainant is allegedly tipped by some police officials or others to take the help of an ethical hacker by the name of Shub** Si*** staying in the suburbs of Mumbai. The tipper said this guy helps police in these nefarious activities of hacking and snooping and is paid in cash or kind. So the complainant hires the services of this hacker, who hacks into Gmail and other services of this lady victim to find evidence of data theft so as to substantiate the case. So there are now ethical hackers on both sides of the aisle.
My question is, “Under which law and authority do police or LEAs use these services of hackers?” The police definitely have better intentions to protect the society, but why are these experts not enlisted? Neither is it established what they (the hackers) do in their part time, how they make money for a living, what their means are, or whether they are doing it under the banner of the police forces. These hackers supposedly get a license to hack the moment they click pictures with police officers or when they train some police officials.
I feel the police need to make databases of all such hackers who want to serve the nation, which happens to be their punch line. Police should inform them that even hacking for police is a crime and stealing data for police is also not legal, because as per law, there can be separate actions for violation of Constitutional rights and other offenses under the IT Act against the person who contravenes and commits such offences. As a matter of fact, in an unrelated case, the Delhi High Court has also opined that informers or the people who have access to secret information (Khabris, as they are called) cannot be relied upon as good samaritans because they were/are part of some illegal network. The best analogy that I can think of is that the police avail the services of a key maker and he gets a blanket permission to break into houses of citizens, thereby earning his livelihood.
Now, all this critique does not mean that I am against it. It’s time that the State makes a policy for taking services of hackers and paying them officially; otherwise, incidents like Eknath Khadse will keep happening. I am not against lawful hackers; I am against such hackers who are desperate to showcase their skills and make money, and for this sole motive hack into a husband’s or a wife’s account to lead them to divorce. I am against such hackers who, to please one party, hack into another party’s account when the matter is with police or court, thereby becoming criminals themselves. First of all, I want the title “Ethical Hackers” to be abolished and a respectable name given to them, probably “Cyber Security Researchers.” I want that, if they are earning money in bug bounty or other good ways, they should declare their money in income tax returns and the State should give them a subsidy.
It is not a matter of “when” anymore. It is a matter of how fast you cope, because cyberspace is evolving at a massive rate, and so is the number of so-called ethical hackers.
About the Author:
The author of this post is Advocate Prashant Mali, one of India’s leading Cyber Lawyers and Cyber Security Experts. He is a techno lawyer, an author and a speaker with over 20 years of experience in the field of Information Technology and Law. Apart from being a Chevening Cybersecurity fellow (UK) & IVLP (USA) in Cyber Crime Law Enforcement, he also regularly trains Judges, Prosecutors and Police officers in Cyber crime and Electronic Evidence.
You can read more on this from our friends at Cyber Cops here: Is Ethical Hacking Legal in India?