Virendra Khanna v State of Karnataka –Passwords and the Dilution of the Right Against Self-Incrimination

-By Kashish Khandelwal

The Password on your Device, the Right to Privacy & Protection against Self  Incrimination || Rising Kashmir

In Riley v California, while holding that an accused cannot be forced by the police to reveal their password, the US Supreme Court observed that owing to the rapid development of technology, the majority of the people “typically carry a cache of sensitive personal information” in their pockets. However, this has also raised certain fundamental issues in criminal investigations. Recently, in Virendra Khanna v State of Karnataka, the Karnataka High Court adjudicatedan issue emerging from the interplay of law and technology. Although the High Court was moved to ascertain the validity of an order permitting a polygraph test, it framed seven issues and one of them was whether or not a direction to reveal a password violates Article 20(3) of the Constitution. Answering the question negatively, the High Court held that an accused can be directed to reveal a password to the police to unlock a smartphone. This article seeks to examine this judgment and argues that the High Court has reached an incorrect conclusion as it’s based on an erroneous interpretation of the law.

Factual Matrix

In September 2020, Bangalore Police arrested the Petitioner from Delhi in connection to a case registered in 2018. The Petitioner had a smartphone and the same was seized by the Police.Subsequently, the Police moved a Special Court seeking permission to subject the Petitioner to a Polygraph Test because the Petitioner allegedly refused to reveal the passwords of his smartphone and email accounts. Though, the Petitioner alleged that he had already revealed his passwords to the police. Interestingly, the Special Court accepted the application butdidn’t give the Petitioner a hearing on the application. Consequently, the Petitioner approached the Special Court towithdraw its order because his consent was not taken and it violated Article 20(3) of the Constitution. But the Special Courtrefused to recall its order and thereafter, a petition was filed before the Karnataka High Court.

Testimonial Compulsion

The High Court opined that providing passcodes or biometrics wouldn’t amount to testimonial compulsion. Relying upon State of Bombay v Kathi Kalu Oghad, it held that the act of simply providing access to a smartphone or an email account wouldn’t be included in the expression “to be a witness.”This is so because the mere presence of a document on a smartphone or email account wouldn’t establish the guilt or innocence of the accused, and any documents so recovered will have to be proved according to the evidence law. Moreover, the High Court observed that if it’s accepted that revealing passcode or biometrics would amount to self-incrimination, then it would lead to chaos. It stated thatsuch an interpretation wouldn’t allow the taking of blood samples, handwriting samples, DNA samples, etc.The High Court also held that a direction to reveal a passcode or biometrics is tantamount to a direction to produce a document, and no oral or written statement is being made by the accused.

At this point, it is important to note what is meant by the terms “passcodes” and “biometrics”.While a passcode uses a series of character to verify the identity of a person, a biometric password employs unique biological traits such as fingerprints, iris scans or facial patterns to authenticate the identify of a person. In this article, the term ‘password’ has been used for the sake of brevity and it connotes both a passcode as well as a biometric password.

The Legal Framework

Article 20(3) guarantees the right against self-incrimination which can beinvokedif (i) the accused (ii) is put under compulsion (iii) to be a witness against themself. In Kathi Kalu Oghad,the Supreme Court held that ‘self-incrimination’ means the communication of such information based on the personal knowledge of the accused which may assist in the determination of guilt and is not simply restricted to the “mechanical process of producing documents.”Thus,the phrase “to be a witness” has beenconstruedto mean the conveying of information about relevant facts to investigation agencies by an individual who has the personal knowledge of the facts being communicated.

In MP Sharma v Satish Chandra, the Supreme Court observed that a witness can communicate personal knowledge not only through oral or written mediums but by gestures and other modes as well. Though, it’s settled law that an accused can becompelledto give fingerprints, handwriting samples, voice samples, etc. as they are “wholly innocuous” by themselves and are utilized only for identification and making comparisons.Although the giving of such samples amounts to “furnishing of evidence” in the broader sense,it can’t be included within the meaning of “to be a witness” since it’s not a “personal testimony.”

In Selvi v State of Karnataka, the Apex Court held that the guarantee of Article 20(3) comes into play if the statement given by the accused would lead to incrimination by itself or establish a “link in the chain of evidence.”Additionally, the Court differentiated between a “testimonial response” required to substantiatethe facts already known to the police and a “testimonial response” that leads to the detection of any new facts relevant to the ongoing investigation and unknown to the investigation agency, wherein the latter is against the protection guaranteed by Article 20(3).

A Liberal Approach

Now, inVirendra Khanna v State of Karnataka, the High Court made an error by equating a ‘password’ to any other ‘physical evidence’ and holding that a direction to reveal the same wouldn’t result in testimonial compulsion.Given the legal framework of the right against self-incrimination discussed above, any compulsion to reveal a password amounts to the violation of Article 20(3).

Since a numeric/alphanumeric passcode itself is based on an individual’s personal knowledge, providing the same to the police would amount to a “testimonial response” and not just an act of producing any other ‘physical document’ to corroborate the facts already known to the police. Insofar as biometric passwords are concerned, any direction to provide fingerprints or facial scan for unlocking a device cannot be treated as a “wholly innocuous” actbecause instead of using the biometrics for making a comparison or identification, they would be used to access information derived from personal knowledge.

Thus, in both situations, any direction to reveal the passcode or biometrics for unlocking a smartphone would amount to a “testimonial compulsion” because the ultimate result of this direction would allow the police to access information based on an accused’s personal knowledge which was otherwise not available to them. If not for such compulsion, the enforcement agency would have no prior knowledge, either actual or constructive, concerning the content of the smartphone. Further, the content so accessed might also establish a “link in the chain of evidence” and such access was termed incriminatory inSelvi.

In sum, any direction to reveal a password to unlock a smartphone would amount to a testimonial compulsion and therefore, barred by Article 20(3). In Virendra Khanna, the High Court erroneously equated ‘passwords’ to ‘physical documents’ without considering that passwords are based on personal knowledge and can act as a “link in the chain of evidence.” So, forcing an accused to reveal a password is tantamount to compelling them “to be a witness” against themselves since the accused is giving a personal testimony be revealing the password.

Doctrine of Forgone Conclusion

At this juncture, it is important to examine the doctrine of foregone conclusion. In the United States, the right against self-incrimination is protected by the Fifth Amendment. However, the forgone conclusion doctrine is an exception to this right. In Fisher v United States, the Court ruled that if the government is aware of the possession, authenticity and existence of incriminating evidence, then an order to produce such evidence would not violate the right guaranteed by the Fifth Amendment because the production of such evidence would not amount to testimonial compulsion. However, the application of this doctrine to cases wherein the accused has been compelled to produce passcode/biometric passwords is unclear because US courts have given conflicting judgments on the issue.

In Grand Jury Subpoena v John Doe, it was held that an accused cannot be compelled to reveal a password until and unless the investigation agency knows that the accused possesses the password, and it is sure with reasonable particularity that the concerned device contains incriminatory evidence. In the instant case, since the investigation agency was not aware of the presence of incriminatory evidence in the seized device, the accused was protected by the Fifth Amendment. However, in State v Robert Andrews, the majority bench stated that passcodes do not have any independent evidentiary significance and if the government establishes that a passcode exists and the accused has control over it, then the forgone conclusion doctrine is applicable and the accused can be compelled to reveal the passcode. With respect to biometric passwords, in Commonwealth of Virginia v David Charles Baust, the court permitted the scanning of fingerprints to unlock a device and treated it as a non-testimonial act.

It is critical to note that Indian Courts have not applied the Doctrine of Forgone Conclusion in cases of self-incrimination till date, and it is to be seen how Indian Courts will deal with such cases in the future.If the ratio of Grand Jury Subpoena is applied to the facts of Virendra Khanna, then the accused cannot be compelled to reveal his passwords because the factual matrix does not indicate that the investigation agency knows with reasonable particularity that the seized device contains any incriminatory evidence.


Despite the protection given to informational privacy by the Puttaswamy case, the High Court also held that a direction to reveal the password wouldn’t affect the right to privacy. Regardless, the approach adopted by the Karnataka High Court restricted the constitutional protection afforded to the citizens instead of enhancing it. With the increase in the use of password-protected devices, this is only the first of the many such cases to come.

In Selvi v State of Karnataka, the Supreme Court had paved the way to follow a ‘Due Process Model’based on protecting individual liberty for interpreting constitutional provisions.Therefore, to fully enhance the protection offered by the Constitution, the courts must give primacy to individual rights.Interestingly, in 2018, the Kerala High Court in TG Mohandas v State of Keralahad held that a person cannot be compelled to produce their mobile phone for carrying out an investigation because it would amount to self-incrimination under Article 20(3) of the Constitution.

The Author is a third-year law student at National Law University Delhi . He has a keen interest in constitutional law and criminal law. 


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s