Electronic Evidence and the Authentication Certificate

Section 63 of the BSA 2023 is the primary provision governing the admissibility of electronic records in Indian courts. It carries forward the core structure of the repealed Section 65B but resolves the interpretive disputes that accumulated over two decades of litigation. The provision establishes that an electronic record is admissible only if a certificate accompanies it. The certificate must be signed by a person in a responsible official position in relation to the operation of the relevant device or the management of the relevant activities. It must identify the device or system that produced the record, state that the device was operating properly at the relevant time, and confirm that the electronic output is an accurate reproduction of the stored data.

The BSA 2023 also carries forward the concept of "electronic records" broadly defined: the provision covers data generated, sent, received, or stored in magnetic, optical, or any other electronic form. This captures emails, call data records, GPS location logs, CCTV footage, banking transaction logs, social media data extracted by law enforcement, and any document created or edited on a computer. The broad definition reflects the reality that the majority of documentary evidence in modern criminal cases has an electronic origin.

Where the electronic record is stored by a third party, such as a telecom provider, cloud storage operator, or social media platform, the certificate must come from an official of that organisation who has knowledge of the relevant systems. A police officer who merely received the data from a third party cannot sign the certificate in place of the data controller. This requirement creates practical challenges when the third party is foreign: Indian courts have addressed this through mutual legal assistance requests, though the process can be slow.

Section 65B of the Indian Evidence Act 1872 was introduced by the Information Technology Act 2000. Its text required a certificate but left three questions unanswered that courts divided over for two decades. First, was the certificate a precondition of admissibility or merely a rule going to weight? Second, who could sign it? Third, what remedies existed if the certificate had not been obtained but the original record was available? These gaps produced conflicting High Court decisions and practical uncertainty for investigators and prosecutors.

The Supreme Court of India resolved all three questions in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020) 7 SCC 1. The Court held that the certificate is mandatory for admissibility, not merely a weight question. It held that the certificate must be from a person in a responsible official position in relation to the relevant computer system, and that a generic IT officer with no specific knowledge of the system concerned does not qualify. On the third question, it held that where the original electronic device is produced in court and directly inspected, a certificate may not be strictly necessary, but this exception is narrow and should not become a routine workaround.

The Arjun Panditrao judgment did not end controversy entirely. Courts continued to grapple with how to apply the ruling when certificates were available but signed by persons of uncertain authority, or when the certificate covered a device but not the specific extraction process. The BSA 2023 addressed these residual questions by requiring the certificate to identify the device, confirm proper operation, and attest to the accuracy of the reproduction, all in one instrument.

The United States Federal Rules of Evidence do not use a single certificate mechanism equivalent to Section 63 BSA. Instead, authentication of electronic records is governed by Rule 901 (general authentication requirement) and Rule 902 (self-authenticating documents). Under Rule 901, a proponent must produce evidence sufficient to support a finding that the item is what it is claimed to be. For electronic records, this can be achieved through witness testimony about the system that generated the record, metadata analysis, hash value comparison, or expert testimony about the reliability of the acquisition process.

In 2017, the Federal Rules were amended to add Rules 902(13) and 902(14). Rule 902(13) creates a self-authentication route for records generated by an electronic process or system that produces an accurate result, supported by a certification from a qualified person. Rule 902(14) does the same for data copied from an electronic device, storage medium, or file, again with a certification. The certification must comply with 28 U.S.C. Section 1746 (unsworn declaration under penalty of perjury) or be made under oath. These amendments were designed to reduce the need for live testimony from IT personnel solely for foundation purposes, paralleling the efficiency goals of the Indian certificate regime.

US courts have also developed detailed case law on specific types of electronic evidence. Social media content, text messages, and emails have each generated distinct authentication challenges. Courts have required proponents to authenticate not only that the account or number exists but that the specific defendant controlled it at the relevant time. A printout of a Facebook page bearing the defendant's name is not automatically authenticated as the defendant's own posting: the proponent must show control and authorship through additional evidence.

England and Wales took a different path from both India and the United States. Section 69 of the Police and Criminal Evidence Act 1984 required that before a computer-generated record could be admitted, the party relying on it had to prove that the computer was operating properly. This was a precondition of admissibility. In the 1980s and 1990s, as computers became ubiquitous in business, the provision generated a large volume of formal compliance work: prosecutors had to obtain certificates of computer reliability for records from banks, telecoms operators, and government databases.

Section 69 PACE was repealed by the Youth Justice and Criminal Evidence Act 1999. Parliament's reasoning was that the provision had become unworkable: requiring proof of computer reliability for every computer-generated record in an era when virtually all business records were digital created disproportionate procedural burden. The repeal replaced the mandatory proof requirement with a rebuttable presumption: courts now presume that a computer was operating correctly unless specific evidence of malfunction is raised. The Civil Evidence Act 1995 applies to civil proceedings and takes a similar approach.

The current English position has been criticised. The Post Office Horizon IT scandal, in which hundreds of sub-postmasters were wrongly convicted partly on the basis of accounting records from a defective computer system, exposed the risk of the presumption of regularity. Courts accepted Horizon output without rigorous scrutiny for years. Subsequent reviews and appeals led to mass exonerations and calls for legislative reform. The UK government and Law Commission have since examined whether a stronger authentication requirement should be reinstated for criminal proceedings.

Across all jurisdictions, the certificate or authentication requirement ultimately rests on a factual claim: that the electronic record produced in court is the same as the data that existed at the point of seizure or collection. The technical mechanism that supports this claim is hash verification. A forensic examiner computes a hash of the acquired data using a standard algorithm, typically SHA-256 for current practice. The hash value is recorded in the acquisition log and, in Indian proceedings, forms part of the basis for the certificate. Before producing the data in court, the examiner recomputes the hash. Matching hash values demonstrate that the file has not changed.

Chain of custody documentation supplements hash verification by recording the human handling of the evidence. The acquisition log records who performed the imaging, on what equipment, at what time, and in what physical context. Access logs for forensic workstations record who opened the forensic image and when. Storage logs record where physical media were held between examination sessions. Together, these records allow a court to trace the journey of the electronic evidence from the original device to the courtroom exhibit, and to identify any point at which tampering would have been possible.

The EU eIDAS Regulation (Regulation 910/2014) addresses a related but distinct question: the legal effect of electronic signatures and electronic time-stamps across member states. Qualified electronic signatures under eIDAS carry the same legal effect as handwritten signatures in all member states. Electronic time-stamps certified by a qualified trust service provider create a presumption of integrity and correct date for the data they cover. While eIDAS is not a criminal evidence statute, its provisions are increasingly relevant when electronic records bearing qualified signatures or time-stamps are produced in EU court proceedings.

A forensic scientist or digital investigator who collects electronic evidence needs to understand the certificate regime of the jurisdiction in which the evidence will be used, not only how to acquire the data. In an Indian criminal matter, the practitioner must ensure that a certificate compliant with Section 63 BSA is obtained from the appropriate person before the evidence is presented. If the evidence comes from a third-party service provider, the practitioner must initiate the process of obtaining the provider's certificate early in the investigation, because delays are common and courts will not wait indefinitely.

In cross-border cases, the picture is more complex. Where a device is seized in India but the cloud data associated with it is stored on servers in the United States, two legal frameworks apply simultaneously. The US data will require either a mutual legal assistance treaty request or, in some circumstances, a preservation request and voluntary disclosure under 18 U.S.C. Section 2703 (the Stored Communications Act). The Indian certificate will cover the local acquisition; a separate certification process governs the foreign-stored data. Practitioners who treat cross-border electronic evidence as equivalent to domestically seized physical exhibits will find their evidence challenged at the admissibility stage.

The forensic report that accompanies digital evidence should set out: the acquisition method and tool used, the hash values computed at acquisition and at the time of production, the chain of custody summary, the identity of the person who will sign or has signed the certificate, and confirmation that the device was operating normally at the time of acquisition. See The Expert Report: Structure and Duties for the general requirements that apply to expert reports across forensic disciplines.