KUALA LUMPUR, May 17 — Veteran radio personality Patrick Teoh’s recent arrest over an alleged Facebook insult against the Johor royalty has cast the spotlight on police’s powers to demand for passwords and go through the suspect’s electronic gadgets for information.
With the crux of the police’s investigation banking on data retrieved from Teoh’s electronic gadgets, matters were later compounded when the police accused Teoh of claiming to have forgotten his email password, which they cited as one of the reasons for detaining him for more days under police remand to complete their investigation.
Which brings us to some burning questions about what Malaysians should know about their email and social media accounts: Can the police sift through our gadgets for information? What happens if we can’t recall the passcodes to our online accounts during police investigations?
Here’s what legal and tech experts told Malay Mail about the police’s powers and technological capabilities when it comes to data privacy.
Can the police search my phone and ask for my passwords?
In short, the simple answer is, yes, and, yes.
According to criminal lawyer Datuk Joshua Kevin, provisions within the Criminal Procedure Code (CPC) have been amended in recent times to widen the powers of the police when conducting an investigation to now include the authority to be given passwords to search through digital data.
“Under the amended Section 116B of the CPC, police have the power to access computerised data while Section 116C enables the police to even intercept communications. These powers form part of the police investigation process,” Kevin explained.
Section 116B of the CPC states that the police shall be given access to “computerised data” — whether it is stored in a computer or not — and must be provided access to the required information with the necessary passwords, encryption codes, and software or hardware.
Additionally, Section 116C states that the public prosecutor may authorise a police officer to intercept any form of communications — covering sent and received messages and to intercept, listen and record any conversations.
These new provisions were introduced and took effect from July 31, 2012 onwards, with Parliament records showing that the government had intended Section 116B to enable the police to have general powers to access computerised data and for that data to be able to be used as evidence in court.
Based on Parliament’s Hansard in May and July 2012, the government had at that time noted that the police’s powers to access computerised data during investigations were only in specific laws such as the Communications and Multimedia Act, and that Section 116B would be required to enable the police to have such access for any offences not covered by those specific laws in order to plug the legal loopholes in combating cybercrimes.
Specifically on passwords, lawyer Foong Cheng Leong confirmed that authorities can request for passwords as part of investigations to allow for digital forensic tests to be conducted on the device, in order to obtain sufficient evidence to prove their case in court.
“It is generally to determine whether a particular message or conduct originated from that device.
“The authorities are given the power to do so for most offences, including in Patrick Teoh’s case which falls under the Communications and Multimedia Act 1998,” said Foong, who is co-deputy chair of the Bar Council’s Cyber Law Committee. Teoh’s case was probed under Section 233 of the CMA.
Under Section 249 of the Communications and Multimedia Act 1998 (CMA) which is similar to the CPC’s Section 116B, police investigators who are conducting a search are to be given access to computerised data, with access again defined as including passwords, encryption codes, decryption codes, hardware or software.
While the term “computerised data” in both the CPC’s Section 116B and the CMA’s Section 249 is not defined, Foong confirmed that this would apply to passwords to social media accounts, email accounts, log-in passwords for computers, and codes to unlock a smartphone’s screen.
What happens if I refuse to reveal my passwords?
Criminal lawyer Rajsurian Pillai said that the police may view a suspect’s refusal to review passwords during investigations as a refusal to cooperate, and that this could then expose a person to potential further action by the authorities.
But Rajsurian highlighted that both Section 256(2) of the CMA and Section 112(2) compels a person to answer all questions related to a case during investigations, but at the same time allows the individual to refuse to answer any questions if the answer would have a tendency to expose him to a criminal charge or penalty.
“Simply put, the person in question need not answer a question of which the answer could incriminate him.
“Yes, he may choose not to give the password to his gadgets as it may be self-incriminating,” Rajsurian explained citing these two provisions as providing for a person’s right to remain silent in such situations.
For those who refuse to give their passwords to digital devices or social media accounts to the police during investigations, Foong pointed out that such action may be considered a crime.
“A refusal to comply with the search may amount to an offence under, among others, Section 186 of the Penal Code i.e. voluntary obstruction of a public servant’s duty to discharge of his public functions.
“If it’s a search warrant by the Court, it may amount to contempt of court. However, such affected person may apply to set aside the Court warrant,” he said.
When asked whether the right to privacy or data protection could be cited to refuse the giving up of such passwords to investigators, Foong said that such rights are generally not taken into account during a search and seizure but noted a High Court case where the judge had said the court should consider the right to privacy when issuing a search warrant.
Asked if an individual could provide the password only for the investigation period for investigations with their presence, Foong said the device would generally be taken and sent to another department for forensic tests and the person being investigated is “generally not given the right to sit and watch how the investigation is done”.
“Further, the right to do search and seizure is very wide. They can search the entire computer for all relevant information,” he said, adding that a person who was investigated could opt to sue later on if the search was wrongfully done.
What if I forget my passwords?
When asked if any legal action can be taken on someone for forgetting their passwords, Rajsurian simply replied: “No.”
Foong said it is a reasonable scenario for anyone to have forgotten their passwords to online accounts as passwords could be saved by the internet browser on a device, adding that authorities could in such cases still access the online account if they have access to the computer which were used to access the account.
“This is because that person’s computer generally would have saved the password unless that person has set it to do otherwise,” he said.
Foong highlighted however that even if an individual refuses to or is unable to furnish passwords to online accounts, they may still find that they are considered under the law as the publisher of the content of an offence unless they can prove they are not the publisher.
“The accused may take the position that they were not the originator of the message or did not do the act and there is no electronic evidence to prove that.
“Nevertheless, the prosecution may still rely on the presumption of publication under Section 114A of the Evidence Act 1950. The presumption of publication provides that a person deemed to be a publisher of a content unless proven otherwise by him or her,” he said.
Can authorities still access my data without my passwords?
For this, the answer would be, it’s complicated.
Without having the passwords in hand, the time spent to retrieve data from devices could range from minutes to hours or even several days, depending on the device model and the operating systems installed, LE Global Services (LGMS) director Fong Choong Fook told Malay Mail.
Fong pointed out that devices manufactured by Apple — whether iPhones or its laptops — are among the most difficult devices to access if missing a password, mostly due to the efficiency of their software’s encryption method.
For iPhone models released after Apple’s iPhone 5 in 2012, it is a near impossible task to retrieve information from the mobile phone if you do not have the passcode, Fong said.
“For mobile devices, iPhones are the most difficult ones, and typically in our forensic lab, if we see any iPhone above iPhone 5, where the built-in storage encryption is enabled, then it’s almost impossible unless you have the pin number,” he said.
In illustrating the difficulty faced even by reputable investigators abroad when it comes to the iPhone, Fong pointed out that the US’ Federal Bureau of Investigation (FBI) investigators had resorted to a lengthy legal process in 2016 to seek a court order to compel Apple to unlock an iPhone belonging to a shooter involved in the San Bernardino massacre in California.
The FBI later succeeded in hacking the shooter’s device despite it being without Apple’s help, but Fong said this still showed the challenges in cracking an Apple-manufactured device if one did not have access to the passcode.
On the flip side, Fong explains that retrieving data without knowing the password from devices loaded with Google’s Android and Windows operating systems is far more achievable, albeit with some effort.
“Depending on the version of the Android software, sometimes the fastest we have tried is just within a few minutes.
“Some of the latest (Android) softwares could probably take hours, if not, at most two days at least,” he said.
Once investigators have succeeded in accessing the devices, Fong explained that usual practice would see authorities cloning or copying the contents of the gadget in its entirety onto a separate physical storage space to allow them to sift through its contents later.
Can investigators still trace data after you delete your Facebook or social media post?
Even if a post was made on social media using the device but was later deleted, as in the case of 73-year-old Teoh who is said to have deleted his Facebook post hours after allegedly uploading it, Fong said data showing traces of the alleged offence being committed can still be retrieved from the gadget.
He said, however, this applies only if the memory on the computer or device was not wiped out or had its contents deleted by the owner.
“If authorities have full access to the hard drive, and the hard drive is still in its original form, meaning that once the person has deleted the information, he did not mess around with the hard drive, or try to wipe the hard drive; then chances are the authorities will be able to retrieve the traces,” Fong explained.