india

Updated: Dec 22, 2018 07:58 IST

The outrage over the statutory order (SO) issued by Union home secretary Rajiv Gauba on Thursday authorising 10 security and intelligence agencies to lawfully “intercept, monitor and decrypt” information through a “computer resource” seems misplaced simply because these agencies already had this power under the Information Technology (IT) Act and the rules framed under the act, according to current and former government officials.

Still, the order may violate aspects of the privacy judgment given by the Supreme Court on August 23 last year, one expert said. Opposition parties on Friday criticised the government over the move, describing it as “unconstitutional and an assault on fundamental rights”, alleging that country was being turned into a “police state”.

The 10 agencies are the Central Bureau of Investigation, the National Investigation Agency, the Research and Analysis Wing, Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, the Central Board of Direct Taxes, Directorate of Revenue Intelligence, Directorate of Signal Intelligence (in service areas of J-K, North East and Assam) and the Commissioner, Delhi Police.

According to the officials, none of whom wished to be identified, the SO limits the number of agencies that can snoop on computer traffic. Before the order was issued, there was no bar on any agency, which could approach the competent authority, Union home secretary in their case, seeking interception or monitoring of computer traffic, the officials added. This included the Serious Fraud Investigation Office (SFIO) or Securities and Exchange Board of India (SEBI). Indeed, SEBI has been demanding powers to intercept phone calls and messages.

By listing out the agencies authorised to “intercept, monitor and decrypt” data, delays in sharing information with agencies by various service providers including applications such as WhatsApp will end, said a senior official who did not wish to be named. “Earlier, our requests were delayed or rejected because agencies weren’t expressly listed out,” he said. “Now if data isn’t shared, there is a possibility that the service providers can be prosecuted,” he added.

There are two main acts governing the legal provisions for surveillance in India: the Telegraph Act of 1885 and the Information Technology Act of 2000.

The first allows for the interception of calls and messages while the second deals with provisions to intercept digital information including data stored on a computer, internet traffic and other data flows.

The power to intercept and monitor the computer traffic comes from section 69 (1) of the IT Act. The section states that the Centre or a state government or any of its officers specially authorised for the purpose can order or direct any government agency to “intercept, monitor or decrypt” any information “generated, transmitted, received or stored” in any computer resource if they are satisfied it is necessary to do so “in the interest of the sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence”.

The government has further codified rules in this regard.

Rule 4 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules of 2009 provides that ‘the competent authority (home secretary in case of the central government) may “authorise an agency” of the government to intercept, monitor or decrypt computer resource traffic.

“But since 2009, since the rules were framed, no agency was notified under rule 4 by the government. Now the anomaly has been rectified with by the SO issued on Thursday,” said a home ministry official.

Government officials and independent experts agree that the SO issued on Thursday doesn’t confer any new powers to any of the security or law enforcement agencies.

“Notification has been issued to notify the Internet Service Providers, Telecommunication Service Providers, intermediaries etc. to codify the existing orders. The order has been issued to ensure that any interception, monitoring or decryption of any information through any computer resource is done as per due process of law. It will also prevent any unauthorised use of these powers by any agency, individual or intermediary,” said Bharat Bhushan Babu, the MHA spokesperson, adding that even with the SO, all cases of interception or monitoring or decryption will still require approval by the Union home secretary.

In states, the principal secretary of the home department will be the competent authority to grant such approvals.

Former chief of Bureau of Police Research and Development, NR Wasan too says there is nothing new in the SO except for the fact the government has now limited the number of agencies authorised to intercept or monitor the traffic.

“Law enforcement agencies were using powers to intercept or monitor computer traffic earlier also under the IT Act and Rules, with the prior approval of the home secretary. But technically, before the SO was issued, any agency could technically approach the home secretary to seek approval for interception or monitoring of computer traffic but now only 10 central agencies will have such authorisation,” said Wasan who has served both in the Central Bureau of Investigation and the national Investigation Agency.

Cyber law expert Pavan Duggal concurred that nothing has changed. “The government has just exercised its power under Section 69 of the IT Act and the rules framed under it,” he said.

But independent of the notification, the powers under the ambit of section 69 itself need to be re-examined following the privacy judgment as it can have a detrimental impact on personal privacy and data privacy, he added.

Section 69 was last challenged in SC in 2015 when the right to privacy was not defined. In the judgment pronounced on August 23 last year, the Supreme Court held that privacy is a fundamental right. If the section is now challenged in Court, Duggal explained, judges will reexamine if the powers that the state enjoys under section 69 are still constitutionally valid.

Experts also say that though the SO brings the IT Act at par with the Telegraph Act—the same 10 agencies have been authorised for interception—there is an inherent difference in their respective scopes. The Telegraph Act says there should be a condition of a “public emergency” or “interest of public safety” for intercepting information but the IT Act is silent about these .

“The grounds under the IT act are wider and lack some of the safeguards provided under the Telegraph Act,” said Smriti Parsheera, a technology policy researcher at the National Institute of Public Finance and Policy, an autonomous government research institute.

The government has clarified that like the Telegraph Act, there are clauses in the IT Act and rules as well to prevent any misuse of the interception mechanism.

“All such cases of interception are reviewed by a committee headed by the cabinet secretary. The committee meets at least once in every two months. In states, the chief secretary holds the power to review the cases,” said the home ministry spokesman.

To be sure, Government agencies regularly ask tech companies to turn over user data. Companies like Google and Facebook share a transparency report every six months where they disclose the number of requests. In January to June 2018, the Indian government made a total of 16,580 requests to Facebook requesting user data of 23,047 Facebook users. In 53% of the cases, “some data” was produced—but it is not clear what information was provided. In the same period, the government made 5,105 requests to Google to get user data of 10,676 users. Information was produced in 58% of the cases. To put this in perspective, only the US government made more requests (42,466 requests for 70,528 accounts) to Facebook than the Indian government.