The Delhi High Court, in Sanket Bhadresh Modi v. CBI & Anr, held that an accused person cannot be compelled or coerced into revealing passwords, PINs, or other access credentials of digital devices during a criminal investigation. Justice Saurabh Banerjee ruled that the protection against self-incrimination guaranteed under Article 20(3) of the Constitution extends to the compelled disclosure of digital passwords and encryption keys.
Background
The matter arose during a criminal investigation conducted by the Central Bureau of Investigation, in which the investigating agency sought to compel the accused to provide passwords and access credentials for digital devices seized during the course of the investigation. The accused challenged this demand, contending that being forced to reveal passwords amounted to testimonial compulsion prohibited by Article 20(3) of the Constitution.
Article 20(3) provides that no person accused of any offence shall be compelled to be a witness against himself. The scope of this protection has been interpreted by the Supreme Court in Nandini Satpathy v. P.L. Dani (1978) and Selvi v. State of Karnataka (2010), with the latter holding that involuntary narco-analysis, brain-mapping, and polygraph tests violate Article 20(3). However, the specific question of whether compelling disclosure of digital device passwords falls within the ambit of testimonial compulsion had not been conclusively settled, making this ruling particularly significant in the digital age.
Key Holdings
The Delhi High Court held as follows:
Passwords as testimonial evidence: Compelling an accused to disclose a password or encryption key amounts to testimonial compulsion within the meaning of Article 20(3). A password is information existing in the mind of the accused, and compelling its disclosure forces the accused to furnish evidence of a testimonial character against himself.
Extension of Article 20(3) to digital domain: The constitutional protection against self-incrimination must be interpreted to keep pace with technological developments. Just as an accused cannot be compelled to produce documents from memory or reveal the location of incriminating evidence, he cannot be forced to provide the keys that unlock digital repositories of potentially incriminating material.
Distinction from physical evidence: The Court distinguished between compelling the production of physical objects (which may not attract Article 20(3) protection, as held in State of Bombay v. Kathi Kalu Oghad (1961)) and compelling the disclosure of knowledge or information from the accused's mind, which squarely falls within testimonial compulsion.
Investigation alternatives: The Court noted that investigating agencies are not without recourse. They may employ technical means to access digital devices, seek assistance from forensic experts, or approach the device manufacturer through lawful channels, without compelling the accused to provide passwords.
Implications for Practitioners
This judgment establishes an important precedent at the intersection of constitutional rights and digital investigations. Defence counsel now have a clear basis to resist demands from investigating agencies for password disclosure, whether in CBI matters, ED investigations, or state police proceedings.
For investigating agencies, the practical consequence is significant. They must invest in digital forensic capabilities and pursue technical avenues for device access rather than relying on accused persons to voluntarily surrender credentials. Agencies should also be cautious about recording any statements regarding passwords obtained during interrogation, as these could face admissibility challenges under both Article 20(3) and Section 25 of the Indian Evidence Act.
The ruling leaves open the question of whether the same protection extends to biometric access mechanisms such as fingerprint or facial recognition unlocking. Since biometric data may be classified as physical rather than testimonial evidence under existing Kathi Kalu Oghad jurisprudence, this distinction is likely to generate further litigation as digital security mechanisms evolve.