

Darknet & Indian Laws
The darknet is an overlay network within the internet that can be accessed with specific software, configurations, or authorisation[1] and has been in use for over five decades to share encrypted data. This article aims to analyse the effectiveness of the Indian laws, viz., the Information Technology Act, 2000 (“IT Act”), the Indian Telegraph Act, 1885 (“Telegraph Act”), and the Code of Criminal Procedure, 1972 (“CrPC”) in addressing cybercrimes committed over the darknet.
Brief Background
The darknet’s origins can be traced back to the American military’s desire to protect its telecommunications, leading to the invention of public-key encryption in the late 1960s. The anonymity offered by the darknet is an assurance to whistle-blowers seeking to share information on illegal activities, human rights activists and journalists reporting from countries with oppressive regimes, etc. However, the darknet is also susceptible to abuse. In India, cybercrimes on the darknet emerged on the law enforcement agencies’ (“LEA”) radar only in the recent past, such as trade in illicit media files and contraband drugs, heists, and leaking of personal identification documents stolen from organisations’ databases. Given the shortage of reported judicial precedents on abuse of the darknet, it becomes imperative to analyse the effectiveness of existing Indian laws in this regard.
Analysis of Indian Laws
The two ways in which an individual’s illicit activities on the internet may be traced are through the (a) individual’s computing devices and online trails like mailing address; and (b) servers of the individual’s Internet Service Providers (“ISP”).
Under Section 5 of the Telegraph Act, Central and State Governments are empowered to take temporary possession of a licenced telegraph in circumstances of public emergency or in the interest of public safety, and such telegraph may be intercepted pursuant to a written order by the appropriate authority. While the Telegraph Act does not go into further details, the licence granted to ISPs under the Telegraph Act casts specific obligations on ISPs. Under a licence agreement, an ISP is expected to, inter alia, make its facilities available for inspection and monitoring by the Government, and provide the identity of its subscriber including his/her geographical location at any given time.
Similarly, under section 69 of the IT Act, the Central and State Governments, pursuant to an order in writing by the appropriate authority, have the right to intercept, monitor, or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource. Section 69B enables the Government to monitor and collect traffic data or information generated, transmitted, received, or stored in any computer resource. It further requires, inter alia, ISPs to provide technical assistance and extend all facilities to the Government as and when required.
The CrPC confers wide powers on a police officer to summon witnesses (section 160), interrogate (section 161) and compel production of things (section 91). An ISP may be summoned under section 91 of the CrPC, by way of a written order, by a court or a police officer, to produce details regarding a computer suspected to have been used to commit an offence, and non-compliance would invite charges under the Indian Penal Code.
IP Address, Hidden Exchanges and the Darknet
In their seminal article, Daniel Moore and Thomas Rid (2016)[2] describe the architecture of the darknet as consisting of five fundamental properties: privacy, authentication, anonymity, cryptographic payments, and hidden exchanges. While the first four properties are common features on the internet, it is ‘hidden exchanges’ which is the hallmark characteristic of the darknet.
Hidden exchanges mean that the identity, including the Internet Protocol (“IP”) address, of (i) an individual either simply browsing through a website on the darknet or buying something in exchange for cryptocurrency, (ii) the individual owning the website and/or selling their goods or services, and often (iii) the server, is untraceable. This is done by ensuring that the websites on the darknet do not correspond to any IP address. In the words of Daniel Moore and Thomas Rid (supra), “this allows circumvention of all known forms of content restrictions or surveillance. Neither the Internet Service Providers (ISPs) that route the traffic, nor law-enforcement agencies, (…) have visibility into the hosted service’s location, or the identity of its operator.”
At this juncture, it is necessary to understand the role of an IP address. An IP address is a numeric label, a set of numbers, that is assigned to every device participating on the internet.[3] It serves two functions: (a) identification of host or network; and (b) location addressing. The IP address trail is what the LEA rely on while trying to locate a computer. The aforementioned provisions of the Telegraph Act, the IT Act and the CrPC essentially empower the Government/LEA to obtain a computer’s IP address from an ISP, on the basis of which the agencies may intercept, monitor, collect, and decrypt digital data. However, without an IP address, it is impossible to locate a computer. This is where the problem arises for a crime on the darknet.
Conclusion
By its very nature, the darknet hides the IP address of its users. The powers of the Government/LEA under the Telegraph Act, the IT Act and section 91 of the CrPC are rendered ineffective, as the IP address for a cybercrime is untraceable.
There appears to be no ambiguity in other provisions under the CrPC on jurisdiction and power of criminal courts. Offences will be inquired into and tried by the court in whose local jurisdiction such offences were committed. For example, if the database of an organization in Hyderabad is hacked and its data is released on the darknet, there is no doubt that the first point of contact would be the Telangana Police, and a Magistrate in Hyderabad would take cognizance of the offence.
The need is to expand the existing laws and develop tools to find a way around the IP address. The Bureau of Police Research and Development has recently invited private entities to help develop tools to monitor the darknet for cybercrimes.[4] At the same time, it will be interesting to see how this issue is addressed without stifling the freedom of those who use the darknet for legitimate reasons. Since use of cryptocurrencies is common on the darknet, parallels may be drawn with how restrictions on the use of cryptocurrencies were considered by the Indian Supreme Court, which held, inter alia, that measures introduced to control cryptocurrencies must adhere to the doctrine of proportionality.[5] Similarly, any means to address the regulatory vacuum on the darknet must be proportionate to the ends sought to be achieved.
It appears that the settled principles of law under the CrPC do not pose an issue when it comes to cybercrimes on the darknet. However, the concern is the dependence of the Government/LEA on IP addresses to investigate cybercrimes. In the absence of laws and tools to plug this lacuna, cybercrimes on the darknet will continue to pose a challenge in India.
The views and opinions expressed in this article belong solely to the author and do not reflect the position of Tatva Legal, Hyderabad.
[1] Gayard, Laurent, Darknet: Geopolitics and Uses Hoboken, page 158, (1st edition, 2018).
[2] Daniel Moore & Thomas Rid (2016) Cryptopolitik and the Darknet, Survival, 58:1, 7-38, DOI: 10.1080/00396338.2016.1142085
[3] Iyengar, Prashant, Online Privacy: IP Addresses and Expeditious Disclosure of Identity in India (2011). http://dx.doi.org/10.2139/ssrn.1875659
[4] F. No. M-12014(02)/1/2019-PSO (E) – Part 2 dated 29.05.2020 issued by the Bureau of Police Research and Development, Ministry of Home Affairs
[5] Internet and Mobile Association of India vs. Reserve Bank of India Writ Petition (2020) SCC Online SC 275