Digital Footprints: How OTPs and Food Orders Aid Police Investigations Explained
Digital footprints from OTPs and food orders are increasingly crucial for police in solving crimes.
Photo by Markus Spiske
Background Context
Why It Matters Now
Key Takeaways
- •Understand the types of digital data used (CDRs, IP addresses, device IDs, app transaction logs)
- •Know the entities involved in providing data (TSPs, ISPs, app companies)
- •Recognize the legal basis required for police to access this data
- •Appreciate the dual impact: enhanced crime solving vs. privacy concerns.
Different Perspectives
- •While digital clues are powerful for law enforcement, critics argue about the potential for misuse, mass surveillance, and the erosion of privacy rights, emphasizing the need for strict legal safeguards and oversight.
The article explains how digital footprints, ranging from One-Time Passwords (OTPs) to food delivery orders, are becoming invaluable tools for law enforcement in solving crimes. Police are increasingly relying on data from telecom service providers (TSPs), internet service providers (ISPs), and various digital platforms to trace suspects, establish alibis, and gather evidence.
This includes analyzing call detail records (CDRs), IP addresses, device IDs, and even transaction details from apps like food delivery services. The process involves legal requests to these entities, highlighting the growing intersection of digital technology and criminal investigations, and raising important questions about data privacy and security.
Key Facts
Police use CDRs, IP addresses, device IDs, OTPs, food order data for investigations
Data is sought from TSPs, ISPs, and digital platforms via legal requests
UPSC Exam Angles
Constitutional Right to Privacy (Article 21 and Puttaswamy judgment)
Legal framework for surveillance and data access (CrPC, IT Act, Telegraph Act, DPDP Act)
Role and powers of law enforcement agencies in the digital age
Challenges of balancing national security/crime investigation with individual fundamental rights
Technological aspects of digital evidence (metadata, encryption, data retention)
Intermediary liability and obligations of digital service providers
Visual Insights
Digital Footprint Investigation: From Crime to Evidence
This flowchart illustrates the typical process by which law enforcement agencies (LEAs) utilize digital footprints, such as OTPs and food orders, to investigate and solve crimes in India, highlighting the legal and technical steps involved.
- 1.Crime Reported & Initial Investigation
- 2.Identification of Potential Digital Clues (e.g., suspect's phone number, email, app usage)
- 3.Legal Request to Data Fiduciary (TSP, ISP, Digital Platform like Food Delivery App)
- 4.Legal Basis for Request (CrPC, IT Act, DPDP Act 2023 exemptions for investigation)
- 5.Data Fiduciary Processes Request & Provides Data (e.g., CDRs, IP logs, transaction details, device IDs)
- 6.Digital Forensics & Data Analysis by LEA (linking footprints to suspect, establishing alibi/presence)
- 7.Digital Evidence Integrated into Case File
- 8.Prosecution & Adjudication (Evidence presented in court under Bharatiya Sakshya Adhiniyam 2023)
Practice Questions (MCQs)
1. Consider the following statements regarding the legal framework for police access to digital data in India: 1. Police can access Call Detail Records (CDRs) and IP addresses of individuals solely based on an FIR, without any further judicial or executive authorization. 2. The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under the IT Act, 2000, govern the interception of digital communications. 3. The Supreme Court's judgment in K.S. Puttaswamy v. Union of India affirmed that the Right to Privacy is an absolute right and cannot be subjected to any restrictions for law enforcement purposes. Which of the statements given above is/are correct?
- A.1 and 2 only
- B.2 only
- C.1 and 3 only
- D.1, 2 and 3
Show Answer
Answer: B
Statement 1 is incorrect. While police can request CDRs and IP addresses, it typically requires authorization from a senior police officer (e.g., Superintendent of Police level) or a court order, depending on the nature of the data and the specific legal provision (e.g., Section 91 CrPC, Section 69 IT Act, or Telegraph Act). Access is not automatic based on an FIR alone without further checks. Statement 2 is correct. These rules, along with Section 69 of the IT Act, 2000, and Section 5(2) of the Indian Telegraph Act, 1885, provide the legal basis and procedure for lawful interception and monitoring of digital information by authorized agencies. Statement 3 is incorrect. The K.S. Puttaswamy judgment declared the Right to Privacy as a fundamental right under Article 21 but also clarified that it is not an absolute right. It can be subject to reasonable restrictions based on legality, legitimate state aim, proportionality, and procedural safeguards, especially in matters of national security and public order, including crime investigation.
2. In the context of digital footprints and criminal investigations, which of the following statements best describes 'metadata'?
- A.It refers to the actual content of a communication, such as the text of an SMS or the audio of a call.
- B.It is data that provides information about other data, like the time, duration, and participants of a call, but not its content.
- C.It is encrypted data that cannot be accessed by law enforcement agencies under any circumstances.
- D.It refers exclusively to location data obtained from GPS sensors in mobile devices.
Show Answer
Answer: B
Metadata is 'data about data'. In the context of digital communications, it includes information like the source and destination of a communication, the time and duration of a call, the size of a file, or the IP address from which an activity originated. It does not include the actual content of the communication (e.g., the words spoken in a call or the text of a message). While metadata can reveal significant patterns of association and activity, it is distinct from content. Options A, C, and D are incorrect as they either misdefine metadata, impose absolute restrictions, or limit its scope too narrowly.
3. Which of the following provisions of Indian law primarily deals with the obligations of intermediaries (like Telecom Service Providers and Internet Service Providers) to assist law enforcement agencies in accessing digital information?
- A.Section 124A of the Indian Penal Code, 1860
- B.Section 69 of the Information Technology Act, 2000
- C.Section 377 of the Indian Penal Code, 1860
- D.Section 144 of the Code of Criminal Procedure, 1973
Show Answer
Answer: B
Section 69 of the Information Technology Act, 2000, empowers the Central or State Government to direct any agency of the Government to intercept, monitor, or decrypt any information generated, transmitted, received, or stored in any computer resource. It also mandates intermediaries to provide all facilities and technical assistance to enable such interception or monitoring. This is the primary provision for compelling intermediaries to assist law enforcement in accessing digital information. Section 124A IPC deals with sedition. Section 377 IPC deals with unnatural offences. Section 144 CrPC deals with the power to issue orders in urgent cases of nuisance or apprehended danger.
4. Consider the following statements regarding the Data Protection Bill, 2023 (now Digital Personal Data Protection Act, 2023): 1. It mandates data fiduciaries to obtain explicit consent from data principals before processing their personal data, except in certain 'legitimate uses'. 2. It grants the Central Government the power to exempt any government agency from the provisions of the Act in the interest of national security or public order. 3. It establishes a Data Protection Board of India to adjudicate on matters of non-compliance and impose penalties. Which of the statements given above is/are correct?
- A.1 and 2 only
- B.2 and 3 only
- C.1 and 3 only
- D.1, 2 and 3
Show Answer
Answer: D
All three statements are correct regarding the Digital Personal Data Protection Act, 2023. 1. The Act is built on the principle of consent, requiring data fiduciaries (entities processing personal data) to obtain clear and affirmative consent from data principals (individuals whose data is being processed). However, it also outlines 'legitimate uses' where consent is not required, such as for enforcing legal rights, responding to medical emergencies, or for certain state functions. 2. The Act includes provisions allowing the Central Government to exempt government agencies from its application in specific circumstances, particularly in the interest of national security, public order, or preventing/investigating offenses. This provision has been a point of debate regarding its potential impact on privacy. 3. The Act establishes the Data Protection Board of India as an independent body responsible for enforcing the provisions of the Act, inquiring into breaches, and imposing penalties on non-compliant entities.
Source Articles
OTPs, FASTag, food orders: How digital breadcrumbs are reshaping policing in India | Explained News - The Indian Express
Five OTPs before breakfast — and why that’s a problem | The Indian Express
GST 2.0: Domino’s, direct restaurant orders to have edge over food delivery via Zomato, Swiggy | Business News - The Indian Express
ONDC is the new player in the food delivery game: Can it take on Zomato and Swiggy? | Technology News - The Indian Express
Kerala couple registers marriage instantly via Video KYC, goes viral as state embraces digital governance: ‘100% literacy for a reason’ | Trending News - The Indian Express