A Delhi court on Wednesday, 25 September, directed technology company Apple to give location details of expelled BJP MLA Kuldeep Singh Sengar’s phone on the day he is accused to have raped a 17-year-old girl from Unnao.
District Judge Dharmesh Sharma, holding an in-chamber proceedings, directed the iPhone-maker to file the reply by 28 September when it will next hear the matter, a lawyer related to the case said.
The company has a centralised and standardised process for receiving, tracking, processing, and responding to legal requests. The Quint answers questions on what happens when Apple or a phone manufacturer/service provider is sent a request to provide data on its customers.
Will Apple Comply?
Apple has a good track record in complying with lawful legal requests from Indian law enforcement authorities. According to Apple’s Transparency report for the period July - December 2018, it complied with over 50 percent requests in all the four categories of requests it received from India:
- Device Identifier: 23 requests responded to/49 requests received
- Financial Identifier: 16/28
- Account: 11/18
- Emergency: 6/8
According to Apple’s transparency report, the company has “a centralised and standardised process for receiving, tracking, processing, and responding to legal requests from law enforcement, government, and private parties worldwide, from when a request is received until when a response is provided.”
“Our legal team reviews requests received to ensure that the requests have a valid legal basis. If they do, we comply with the requests and provide data responsive to the request. If we determine a request does not have a valid legal basis, or if we consider it to be unclear, inappropriate and/or overbroad, we challenge or reject it.”Apple Transparency Report
How Does This Compare to Call Detail Records?
The request by the Delhi court may not seem irregular to those familiar with these kinds of cases, as Call Detail Records (CDR) are commonly used in criminal trials to establish location of an accused.
Law enforcement agencies are allowed to access CDRs under the licences agreed by telecom companies, provided the request is authorised by the appropriate officials.
CDRs are not mandatorily kept for more than six months, and as the investigation into Sengar began after this period of time, the telecom company in question may not have this information anymore, necessitating the request from Apple.
However, location data from the manufacturer of a phone is not the same as a CDR, and the legal procedure for this will be different.
What About Privacy ?
Central to this will be an assessment of whether or not the right to privacy is infringed by this request – location data from Sengar’s phone would no doubt be something he would have a legitimate expectation of privacy over.
Of course, there are circumstances under law whereby even the fundamental right to privacy can be restricted. The Supreme Court has evolved a four step test of proportionality for such a situation. Applying it to the current fact situation, it would go something like this:
- Is there a law or rule in force which allows access to this information as a legitimate goal?
- Is access to information in this case a suitable means of furthering the legitimate (presumably, in this case, ensuring justice)?
- Is there any other less restrictive but equally effective way to establish Sengar’s location?
- Will access to this information have a disproportionate impact on Sengar?
The Delhi court is expected to have asked itself these questions before issuing this order, though it is unclear at present how rigorous a proportionality analysis has been conducted here.
Question 1 itself may be hard to answer, as the basis for asking Apple for this information is not certain, unlike a request to a telecom company.
Question 3 could also go against this request, though a lack of CDRs given the time frame, could rule out other effective alternatives.
To ensure Question 4 isn’t a problem. The court would have to make sure that it only asks for location data, rather than any other data from Sengar’s phone – though arguments can be made that any information about this would have a disproportionately negative impact on Sengar.
What Kind of Requests Will They Not Comply With?
Apple does not comply with requests asking them to unlock a phone or provide biometric details of its customers.
Apple had a famous public spat with the Federal Bureau of Investigation (FBI) in 2016 when it asked Apple to break encryption and unlock the phone of a dead gunman from the San Bernardino mass shooting in California on 2 December 2015.
“We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business [sic],” Apple CEO Tim Cook wrote in February 2016 in a letter to Apple’s customers when FBI moved court to compel Apple to comply.
“...encryption to protect our customers’ personal data because, we believe, it’s the only way to keep their information safe,” Cook had written in the letter.
“If Apple has the data with itself and the contents of the legal order satisfy its privacy policy, it will have the technical ability to provide such location data. Some elements of location data are stored in the device itself. However, location data may also be queried by third party apps, like Google Maps, or backed up to Apple servers,” said Apar Gupta, executive director, Internet Freedom Foundation.
“Therefore the availability of personal information, as to whether it is stored locally on the device or whether it is available, will determine compliance. This, to a degree, also depends on user preferences and privacy settings regarding GPS data which differs across individual smartphones,” Gupta added.
What Happens Next if Apple Provides GPS Data?
Sengar could potentially file a writ petition in the high court to ensure the proportionality test is properly applied. Even Apple could contest this, especially if, for instance, there is no law/rule under which such a request could have been made to them. Apple’s response on 28 September could, therefore, become a crucial flash point for privacy, much like the case in the USA.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)