How secure is your phone data? 

US tech giant Apple defied the Enforcement Directorate orders to allow them access to Delhi chief minister Arvind Kejriwal’s phone earlier this week. It was part of an investigation into the excise policy scam. 

The company stated that the data could only be accessed with the password set by the device’s owner.

The incident has triggered questions about how private one’s data is and who can access such information. Metrolife checked with data and cybersecurity, and legal experts.

Karan Saini, a security researcher, points out that unless backup on cloud (iCloud or Google) services has been enabled on mobile phones, one’s data is secure. “If your data is backed up on the cloud, and you do not maintain good password hygiene or you reuse passwords, then you are prone to safety risks,” he says.    

The most common way one’s data is compromised is when people try to “sell their mobile phones for some quick money after just deleting the data from their device and handing it over to the buyer”, says cybersecurity researcher Somdev Sangwan.

To avoid such risks, one can add some junk data (data that you do not mind sharing) and delete after initially deleting the sensitive data. Adding another layer of data and then deleting it saves your sensitive data from being compromised. “Some service centres have tools that can bypass security features of a phone,” he says. 

The way you have locked your phone also matters — be it a pin code, fingerprint, or facial recognition. “Earlier, facial recognition could be bypassed by using the owner’s photograph. Slowly phones with infra-red sensors were able to distinguish between a 2D and 3D image and some miscreants used physical 3D models to exploit the feature. Today, some devices are still vulnerable to these techniques,” he explains.

If the software or tools used to unlock a device are leaked, it can cause a security threat to all phones, Sangwan adds.   

Law and order authorities may approach a phone manufacturer for such access as the last resort, says Sangwan. 

Cloud data is accessible only once a password for the same has been shared. “If someone refuses to share their password or says that they have forgotten it, the police can request for a password reset via OTP from the mobile number associated with the cloud account. An OTP can be acquired after making a request to the phone’s telecom provider,” he adds.

Saini adds that cloud services like iCloud have the option to enable encryption on your phone data in such a way that even if your cloud account is accessed elsewhere, the information cannot be accessed.

The law says...

A city-based lawyer who did not want to be named, says that citizens can be provided protection according to provisions in Article 21 of the Indian Constitution, which covers ‘protection of life and personal liberty’. This means that no person shall be deprived of their life or personal liberty except according to procedure established by law. This fundamental right is applicable to every citizen and even foreigners in India, she added.

So, who can check your phone? Advocate Indra Dhanush says that investigation officers have all the power to seize any citizen’s phones, laptops, and documents for investigation. “There are no laws apart from right to privacy bill that can be cited in such cases, but it depends on each case. However, one has all the rights to refuse to share password or data as one cannot be a witness in a case filed against him,” says Dhanush.

Saini adds that recently the Delhi High Court ruled that an accused cannot be coerced to disclose passwords of gadgets or online accounts in connection to a pending trial. This is covered under Article 20 (3) of the Constitution, which says that “no person accused of any offence shall be compelled to be a witness against himself”.   

If the owner of a device refuses access to it, the police can summon it (or any document or information) under Section 91 or Section 102 of the Code of Criminal Procedure (CrPC). “Police should have a case/warrant/suspicion against such persons to interfere with,” Dhanush adds.

Dhanush cites that Apple has expressed “such an attitude in earlier incidents, even with US’ Federal agents and not cooperated in the past due to their data privacy laws promised to its customers”.