Late last week, Vodafone Group released a document that provided information on the global monitoring of information on its network. It has disclosed no information for India, stating that it isn’t allowed to, under law. The company hasn’t responded to MediaNama’s queries about whether is Vodafone India is linked to the Centralised Monitoring System set up by the Indian government, and whether enforcement agencies and government bodies in India can access the networks without asking for the carrier’s permission and help.
What Vodafone has provided, however, is a fairly lucid overview of Indian laws pertaining to monitoring and interception. That can be downloaded here. We’ve created a guide below, based on Vodafone’s interpretation of Indian law. In case of any additional information, clarifications or corrections, please email firstname.lastname@example.org.
Your guide to Government interception of your personal data in India
Q: What does the law allow?
- IT Act: Request (more like a demand) for information and realtime monitoring.
- UAS License and ISP License:
- Hardware/software in the ISP equipment to allow the government enable interception and monitoring from a centralised location, and for simultaneous monitoring by the government.
- Government can prescribe which equipment has to be deployed, for monitoring.
- Mirroring of information: In case of remote access of information, the licensee is required to install suitable technical devices enabling the creation of a mirror image of the remote access information for monitoring purposes.
- Simultaneous monitoring by the government.
- Tracing facilities to trace messages or communications
- CrPC: No equipment mentioned
Q. What can they intercept/ask for?
- IT Act: Not clear, but looks like everything. In real time, they can intercept or monitor information transmitted, generated, received or stored, over any computer (includes mobile). Therefore, everything.
- UAS License and ISP License:
- Everything, in realtime. They can also ask for data later.
- ISP to maintain a log of all connected users and the service that they are using.
- ISP is also required to maintain every outward login.
- The logs and the copies of all the packets originating from the Customer Premises Equipment (modems etc, maybe mobile phones) of the ISP must be available in real time to the government call data records as well any other electronic communication.
- “any document or other thing”.
- the production of “any document or other thing necessary or desirable for the purposes of any investigation, inquiry, trial or proceeding”.
Q. Who can ask for this information?
- IT Act:
- Secretary to Min of Home Affairs (Central Govt)
- Secretary to the Home Department (State Govt)
- Person above the rank of Joint Secretary (in unavoidable circumstances)
- Once the interception order has been issued, an Additional Superintendent of Police shall make a written request to the intermediary (telecom service providers, network service providers and internet service providers) to provide all facilities and the necessary equipment for the interception of the information
- UAS License and ISP License: Designated government officials as per the clause 41.10 of the UASL and clause 34.6 of the ISP license.
- CrPC: a court or police officer in charge of a police station.
Q. Under what circumstances?
- IT Act:
- Interest of sovereignty and integrity of India
- The security of the State
- Friendly relations with foreign states
- Public order
- The prevention of incitement of offences
- UAS License and ISP License: Not clear. It’s realtime monitoring, so it appears information can be screened at any time. Call data records may be shared “as and when required by the government.” Tracing facilities may be shared in case of “investigation of a crime or for national security purposes”
- CrPC: for the purposes of any investigation.
Q. Who does the interception?
- IT Act: Not clear. In case of an emergency, when prior approval is not required, an officer not below the level of the Inspector General of Police can intercept or monitor.
- UAS License and ISP License: Not clear.
- CrPC: Interception may not be allowed. It might just be a request/demand for information, which any police officer can make.
Q. Is written permission needed?
- IT Act: Yes, but not in case of an emergency.
- UAS & ISP License: Not clear. It’s simultaneous monitoring, but an order is also mentioned.
- CrPC: Yes. “Section 91 of the CrPC permits a court or officer in charge of a police station to issue a summons or written order respectively, requiring the production of “any document or other thing necessary or desirable for the purposes of any investigation, inquiry, trial or proceeding”
Q. Is there any Oversight?
- No judicial oversight of the interception process.
- Review committee processes:
- Every order has to be reviewed: With respect to the review of the interception of telephonic communication under the ITA and the ITR, a Review Committee has been established under Rule 419-A(16) of the ITR at both the central and the state level. As per the IT Rules, every order issued by the relevant government officials has to be sent to the Review Committee. The Review Committee is required to meet once every two months and if the Review Committee is of the opinion that interception order was not in accordance with the provisions of the ITA and the ITR, it may set aside the interception order and also order the destruction of the information obtained through interception.
- In case of emergency: Rule 419- A (17) provides that in case the interception has been carried out in an emergency, the relevant government official has to be informed of such interception within three working days and the interception has to be confirmed within 7 working days, otherwise the interception will have to cease and the same message cannot be intercepted without the prior approval of Union or state Home Secretary. A similar Review Committee has also been established under the Interception Rules. Rule 22 of the Interception Rules provides for the establishment of a Review Committee to examine the interception or monitoring directions. If the Review Committee is of the opinion that the interception or monitoring directions are not in accordance with Section 69 of the IT Act, then it may set aside the direction and also order the destruction of the information obtained through interception.
Q. Which are the relevant sections of the laws pertaining to all of this?
- IT Act: Section 5(2) of the IT Act, read with Rule 419- A (I) of the Indian Telegraph Rules, 1951 (ITR). Section 69.
- IT Rules: Rule 3, 13 and 19 of the IT (Interception) Rules.
- UAS License: UASL: Clause 41.20 (xvi), Clause 42.2, Clause 41.10.
- ISP License: Clause 34. 28 (xvi) Clause 34.4, Clause 34.28(xiv), Clause 41.7, Clause 34.6, Clause 35.5, Clause 33.4.
- CrPC: Section 91
Q. What else?
- Taking over an ISP or Telco:
- The government may “take over the service, equipment and networks of the licensee” in the event that such directions are issued in the public interest by the Government of India in the event of a national emergency, war, low-intensity conflict, or any other eventuality. – Clause 41.13 of UASL and Clause 10.5 of ISP License.
- The “use of the network for anti-national activities” (such as breaking into an Indian network) may be deemed sufficient reason to revoke the license, and will be considered an offence punishable under criminal law – Clause 33.7 of the ISP License and Clause 39.14 of the UL. The IT Act, the UASL and the ISP License do not prescribe the method and the instrument that the government may use in this regard.
- Anything for countering espionage, subversive acts or “any other unlawful activity”: The licensee must “provide necessary facilities depending upon the specific situation at the relevant time to the Government to counteract espionage, subversive act, sabotage or any other unlawful activity”- Clause 41.1 of UASL and Clause 34.1 of ISP License
- Restricting operations in parts of India:
- The government may, through appropriate notification, block the usage of mobile terminals in certain areas of the country. In such cases, the licensee must deny service in the specified areas within six hours of receiving the request – Clause 41.11 of UASL and Clause 34.9 of ISP License.
- The government may restrict the licensee from operating in any sensitive area on national security grounds – Clause 41.20(xviii) of UASL and Clause 34.28(xviii)
- License conditions can be changed at any time: The government may revise the license clauses at any time if “considered necessary in the interest of national security and public interest” – Clause 41.5 of UASL and Clause 5.1 of the ISP License.
Why isn’t Vodafone able to disclose data?
- Indian Telegraph Act: Section 5 (2) of the Indian Telegraph Act 1885 – read with rule 419 (A) of Indian Telegraph (Amendment) Rules 2007 obliges telecommunications service providers to “maintain extreme secrecy” in matters concerning lawful interception.
- IT Rules: Under Rule 25(4) of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (Interception Rules) and Rule 11 of the IT (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009 (the ‘Traffic Data Rules’), “strict confidentiality shall be maintained” in respect of directions for lawful interception, monitoring, decryption or collection of data traffic. These prohibitions extend to the very existence of such directions, and could therefore authorise the government to prevent the publication of aggregate data relating to the number of directions received by the licensee.
- IT Act: In respect of lawful interception directions made under the Information Technology Act, 2000 (IT Act) and its associated Rules, the government can prevent the publication of aggregate data in relation to lawful interception and other data disclosure demands from the government and law enforcement agencies.
- UAS License & ISP License: Under Clause 40.5 of the Unified Access Service License (UASL: the licence governing access service in India), and Clause 33.5 of the Internet Service Provider (ISP) License (the licence governing internet access service in India), the licensee is bound to maintain the secrecy and confidentiality of any confidential information disclosed to the licensee for the proper implementation of the licences. Aggregate data regarding agency and authority demands come under the purview of these provisions.