Cross Border Cooperation on Criminal Matters - A Perspective from India

With internet transactions, especially when they do not involve a centralized or governmental agency, traditional physical borders between nation states become increasingly irrelevant. This is equally true for both legal as well as illegal transactions. It is perhaps due to this that there has been an increase in the number of transnational crimes, especially cyber crimes, in the recent past.

It has been widely accepted that cooperation and sharing of information on a regular and sustained basis between nation states is a very important tool in tackling incidents of international cyber crime. For example, the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security established by the Secretary General of the United Nations, explicitly prescribes the following norms:

• (a) ….. States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
• (d) States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
• (h) States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
• (j) States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;

In a similar vein, on June 7th 2016, the Prime Minister’s Office released a fact sheet on the framework for the US-India Cyber Relationship. The fact sheet, which should result in a signed Framework in 60 days time from the signing, articulated a number of principles to frame and guide the U.S-India cyber relationship. The following principles of the framework focus on cross border sharing of information:

• A commitment to promote cooperation between and among the private sector and government authorities on cybercrime and cybersecurity
• A recognition of the importance of bilateral and international cooperation for combating cyber threats and promoting cybersecurity;
• A commitment to promote closer cooperation among law enforcement agencies to combat cybercrime between the two countries;
• Sharing information on a real time or near real time basis, when practical and consistent with existing bilateral arrangements, about cybersecurity threats, attacks and activities, and establishing appropriate mechanisms to improve such information sharing;
• Developing joint mechanisms for practical cooperation to mitigate cyber threats to the security of ICT infrastructure and information contained         therein consistent with their respective obligations under domestic and international law;

Processes for Crossborder Sharing

The process by which the Indian government could access data stored with a U.S company depends most importantly on if the data is meta data (location data or subscriber information) or content data (content of emails). If the data is meta data, the Indian government could approach the company directly for access, at which point it is at the company’s discretion to share the data. For example, with respect to requests for user data Google states:

“Respect for the privacy and security of data you store with Google underpins our approach to producing data in response to legal requests. When we receive such a request, our team reviews the request to make sure it satisfies legal requirements and Google's policies. Generally speaking, for us to produce any data, the request must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law. If we believe a request is overly broad, we'll seek to narrow it.”

Due to provisions in the Electronic Communications Privacy Act, if the data is content, than the Indian government must use an international instrument, such as an MLAT request or a Letter of Rogatory, to access the information. In the case of a MLAT or Letter of Rogatory, the U.S government recieves a court order and issues a search warrant to the company for the data and shares it back with India. For the Indian request to be approved it must at a minimum 1. meet the terms of the relevant treaty 2. comply with US law including fourth and fifth amendemnt rights and probable cause when applicable.

Legal Provisions to operationalise requests in criminal matters in India

In terms of Indian law, section 105 of the Criminal Procedure Code (Cr.P.C.) speaks of reciprocal arrangements to be made by Central Government with the Foreign Governments with regard to the service of summons/warrants/judicial processes. In case of countries with which India has an operational MLAT, the process envisaged in the MLAT coupled with the provisions of section 105 Cr.P.C. are to be followed, while in case of other countries the ministry makes a request on the basis of assurance of reciprocity to the concerned foreign government through the mission / Embassy. The difference between the two categories of the countries is that the country having an MLAT has an obligation to consider serving the documents whereas the non-MLAT countries do not have any obligation to consider such a request. The summons issued by the Foreign Courts/Authorities and received in the Ministry of Home Affairs are served by the State Police through CBI-Interpol.

Although the process for service of summons/warrants/judicial processes has been dealt with in section 105 of the Cr.P.C. some MLATs such as the one with the United Kingdom may provide for even greater assistance such as attachment and forfeiture of property as well as warrants for arrest. Since the Cr.P.C. as originally drafted did not have provisions for such therefore Chapter VIIA was inserted into the Cr.P.C. The statement of Objects and Reasons for the Amendment Act bringing the said chapter into the Cr.P.C. states:

“The Government of India has signed an agreement with the Government of United Kingdom of Great Britain and Northern Ireland for extending assistance in the investigation and prosecution of crime and the tracing, restraint and confiscation of the proceeds of crime (including crimes involving currency -transfer) and terrorist funds, with a view to check the terrorist activities in India and the United Kingdom. For giving full effect to this agreement, it is proposed to amend the Code of Criminal Procedure, 1973 to provide for-

(a) the transfer of persons between the contracting States including persons in custody for the purpose of assisting in investigation or giving evidence in proceedings;

(b) attachment and forfeiture of properties obtained or derived from the commission of an offence that may have been or has been committed in the other country; and

(c) enforcement of attachment and forfeiture orders issued by a Court in the other country.”

Conflict between Treaty provisions and Indian Law

One question which sometimes arises for discussion is what happens when a request is made by a foreign state under an MLAT for information which is not legally enforceable even by Indian authorities. Usually the treaties themselves are very clear on this point and have a provision which precludes a state from acting upon a request if the same is not enforceable under its domestic law. Even so, in the hypothetical scenario that such a provision does not exist in a treaty, the law in India is pretty clear, that in case of a conflict between the provisions of the treaty and Indian law, the provisions of Indian law shall prevail. This was held by the Supreme Court in the case of Bhavesh Jayanti Lakhani v. State of Maharashtra and others, wherein the Court said:

“The Act as also the treaties entered into by and between India and foreign countries are admittedly subject to our municipal law. Enforcement of a treaty is in the hands of the Executive. But such enforcement must conform to the domestic law of the country. Whenever, it is well known, a conflict arises between a treaty and the domestic law or a municipal law, the latter shall prevail.”

MLATs in India

India currently has MLATs with 39 countries.The nodal Ministry for concluding Mutual Legal Assistance Treaties in Criminal Matters is Ministry of Home Affairs, which is responsible for facilitating measures of mutual assistance in investigation, prosecution and prevention of crime, service of summons and other judicial documents, execution of warrants and other judicial commissions and tracing, restraint, forfeiture or confiscation of proceeds and instruments of crime.

It must be noted here that unlike countries like the United States, Indian law does not require parliamentary approval for treaties to become operation and therefore MLATs enter into force in accordance with the requirements stipulated in their provisions.^[1] This means that some MLATs may enter into force as soon as they are signed if the terms of those MLATs provide as such, while others may require ratification. Ratification is usually done through an Instrument of Ratification which is signed by the President of India and ratification is considered complete only after the Instruments of Ratification are exchanged between the signatory states.

As an additional note, MLAT's between countries are not the same. For example, the US/EU MLAT is  different from the US/India MLAT. Significant differences in scope include:

• Types of offenses: US/EU MLAT requires assistance for offenses that are recognized in both the EU and US, serious offenses punishable under the laws of both states, or offenses pununishable with 4-2 years in prison. In contrasts the US/India MLAT requires assitance without regard to if the investigation would constitute an offence under the laws of the requested state.

• Forms of cooperation:Forms of cooperation found in the US/EU MLAT but not the US/India MLAT include joint investigiative teams, expediated means of communication, specific provision for identifaction of banking information.

• Use of obtained evidence: The US/EU MLAT places clear limitations on the use of personal and other data where as the US/India MLAT maintains that the requested state can place a limitation on use and confidentiality if they wish to.
• Review and application: The US/EU treaty applies to offenses committed before and after entering into the MLAT and requires review five years after it comes into force. The US/India treaty does not incorporate either of these aspects.

Letters Rogatory in India

The process of sending Letters Rogatory is enabled via 166A of the CrPc, which allows an investigating officer to issue a letter of request to a Court. The Court can issue such letter to the Central Government, who will then send it to the courts in the U.S. In 2007, the Ministry of Home Affairs issued comprehensive guidelines regarding letters of rogatory, extradition requests, and contact with foreign police – sighting issues in consistent and accurate use of such tools and processes. Examples of Letters of Rogatory issued by India to the US, include on theChase Manhattan Bank,David Headley,Louis Berger, and in theSheena Bora murder case.

Challenges in Cross Border Sharing of Information

Cyber crimes have the unique feature of making geographical boundaries irrelevant, thus creating challenges of jurisdiction and applicable legal standards. For example, a person sitting in the US may commit a crime against a victim in India without leaving the U.S - raising questions of which law would apply to the individual. Or a person sitting in India may commit a crime against a victim in India, but the evidence would be stored with a U.S company located outside of India - raising questions again over which law would apply to the data. As pointed out by the Centre for Law and Democracy, the question of jurisdiction can be based on a number of vantage points including location of the data, citizenship of the individual, location of the individual, place of the crime, or incorporation of the company holding the data.

The challenge of jurisdiction is further exacberated by the capabilities of technologies today. For example, if the data of the Indian citizen contains information about a U.S citizen, the information about the Indian would receive different levels of legal protections than that of the U.S citizen while stored in the U.S. Indian courts can also try to claim jurisdiction over Indian data/persons being subject to U.S law. For example, in 2012  Indian courts attempted to issue summons on U.S ICT companies. Also in 2012, the court of a District Judge in Vishakhapatnam, the Court issued an order restraining Google Inc. from complying with a subpoena issued by the Superior Court of California that ordered Google to share the password of the Gmail account belonging to an Indian citizen residing in Vishakhapatnam. Although this was only an interim order and was given by a District Court, and thus did not have  any precedent value, the case demonstrates the need to have in place systems and mechanisms to ensure that law enforcement and judicial authorities do not trip over each other while dealing with cross jurisdictional issues in the realm of cyber crimes and cyber disputes.

Challenges in cross border sharing of information do rest only with the question of jurisdiction. All bi-lateral and multi-lateral processes for cross border sharing of information and cooperation have their own complexities. Such complexities could include bureaucracy, mistakes in issuing and/or processing requests, lack of competency, and differing legal requirements. For example, experts have noted that many requests for access to communications from foreign governments are rejected as they fail to meet the requirement that a U.S court find probable cause for issuing an order to a company for disclosure of communications.  In the case of MLATs and Letters of Rogatory, these complexities have resulted in slow processing times for requests, rejection of requests due to errors in submission, or rejection of requests for legal reasons. For example, according to the President’s Review Group on Intelligence and Communications Technologies, it takes approximately 10 months for the US to process and respond to an MLAT request from a foreign government. In the age of the internet, where situations require real time access to data, such delays are frustrating and can severely hamper an investigation.

Solutions to the Challenges

Law enforcement agencies, governments, academia, and civil society across the world over have realized the complexity of this situation, and have been trying to find effective solutions.

A recent proposal is the one that is being negotiated between theUS and the UK. Which, simply put, would allow the UK government and intelligence agencies to access content data directly from ICT companies in the US when the content and the crime do not pertain to a US citizen. There is talk that this agreement would be extended to other countries on the condition that they meet certain standards and requirements. At the same time the U.S has recently reached thePrivacy Shield Agreement with the EU. The agreement establishes more stringent standards and protocols for sharing data between the US and EU and includes requirements for transparency of U.S government access to EU citizen's data. In 2016 the U.S enacted theJudicial Redress Act . The Act authorizes the Department of Justice to approve countries whose citizens may bring civil action under the Privacy Act 1974 against specified US agencies. Countries will be assessed as per their privacy protections, if data can be freely passed between the US and the applying country, and the Department of Justice has certified data transfer policies that do not impede the national security interests of the U.S.

Parallel to these policy developments,  civil society and academics are also discussing alternative frameworks. Some of these include:

Daskal-Woods: Proposed by Jennifer Daskal, Assistance Professor of Law and American University Washington College of Law and Andrew Woods, Assistant Professor of law and the University of Kentucky, - the framework seeks to address repercussions arising from roadblocks in the cross border sharing of data including data localization requests, heavy handed encryption policies, and governmental demands for built in back doors. The framework could be extended to countries meeting a set of established criteria including basic human rights requirements. Importantly, the framework proposes replacing the requirement of probable cause with that of a strong factual basis that a crime has been or will be committed. This would likely be a welcomed change for the Indian Government as it could make it easier for requests for be approved, though for Indian citizens, it might be a less welcomed change as they would lose the privacy protection that the probabal cause standard affords them against requests from the Indian government and other foreign governments. India does not require probable cause to be demonstrated and access to the content of communications can be authorized by the Joint Secretary to the Ministry of Home Affairs on the grounds laid out in section 5 of the Telegraph Act and section 69 of the IT Act.

• Strawman: Proposed by the Centre for Democracy and Technology, suggests a framework that would treat MLAT requests in which the location of the crime, the citizenship and location of thevictim, the perpetrator, and data subject are in the same country - primarily to the requesting country’s domestic law. Such a framework would bring content and non-content under its scope. This framework would be extended to countries that meet baseline human rights standards.
• Peter Swire and Justin Hemmings: Swire and Hemmings have proposed a number of process reforms to help streamline the MLAT process including increasing the resources to the Office of International Affairs, streamlining the number of steps in the MLAT request process, and streamlining the provision of requested records back to the requesting country. They also proposed a system that would prioritize or streamline requests from ‘pre approved’ countries and explore joint criminal investigations between law enforcement officials from different countries as alternative means for obtaining access to information.

Conclusion

Due to the pervasive nature of the internet and technology in our everyday lives there is a greater danger of criminal activities being conducted from great distances and often from across international borders. One of the most important means to tackle this increase in cross border criminal activities is to increase international cooperation and information sharing through more efficient processes.  As negotiations take place between the U.S and the U.K and the U.S and the EU on finding alternatives to enhance cross border sharing of information, it is encouraging that the US-India cyber framework touches on cross border sharing of information and references the Expert Group, but India needs to participate in the larger global debate that is happening around cross border sharing of information and needs to focus on improving internall chain of custody for sending requests and strengthening privacy practices domestically.

Questions that India should be asking with respect to the developments in the US and EU include:

• By what criteria will non-EU countries be evaluated for participation in such partnerships? If India does not immediately meet the set criteria, is there the will to make the needed amendments to domestic policy and practice? What are the pro’s and con’s of India participating in such partnerships? This is an important question to ask and for India to reflect upon as it is not clear that current practices and policy would meet set human rights standards. For example, an issue could be the India has provisions for the death penalty for heinous crimes and terror attacks.
• Once evaluated will agreements and processes between the US and various countries be standard? i.e, will the EU - US agreement be the same as an India - US agreement? Will the process for engagement between the EU-US and Indian-US be the same? If not, what will determine differences?

As the Centre for Internet and Society continues to research into MLATs and cross border sharing of information, some questions we are seeking to answer include:

• For what differing purposes does India send Letters Rogatory and/or MLAT requests?
• What is the process followed for issuing and recieving Letters Rogatory/MLAT? CBI has issued comprehensive guidelines for issuing these requests, but are these followed? what are challenges in the implementation of these processes?
• How much money is spent on sending/processing Letters of Rogatory/MLATs?
• Is one instrument preferred over another i.e, Letters Rogatory vs. MLATs, and why?
• How many requests originating from India to the US have been rejected and why?
• What level of privacy protection is afforded to the data transferred? Who has access to such data?

^[1] The issue of parliamentary approval was raised in the case of the Indus Waters Treaty, 1960 on the ground that it involved a huge financial commitment and its ratification without parliamentary approval amounted to an encroachment upon the financial powers of the Parliament. Deciding on this point the   Speaker of the House said “Wherever the Government enters into a treaty-Parliament may or may not agree-primary right under the Constitution is with the Government to enter into a treaty..................We cannot now take away powers which have been vested in the Government under the Constitution….. In accordance with previous practice, it is not obligatory on the Government to place treaties before this House for ratification unless, as constituent parts of those treaties, the respective Governments have agreed to place them before Parliament and obtain their ratification.” Decisions from the Chair, Lok Sabha, available at http://www.parliamentofindia.nic.in/ls/decision/decp84.htm