A Right To Information (RTI) application filed by Software Freedom Law Centre (SFLC) has revealed that on an average around 7500 – 9000 telephone interception orders are issued by the central government every month. The report on India’s Surveillance State (pdf) shows how various parliamentary Acts gives government agencies power to act beyond their mandate:

– Yahoo was fined Rs 11 lakh for refusing to provide user information to the Controller of Certifying Authorities (CCA). The CCA was allowed by Section 28 of the IT Act to act as an income tax authority, under Chapter XIII of the Income Tax Act, 1961. The Delhi High Court exempted Yahoo from paying the fine. A RTI request filed by SFLC revealed that the CCA had made 73 requests for information under Section 28 in 2011 alone.

– A vernacular blog bodhicommons.com was issued a notice in February 2013 under Section 91 based on a complaint made by Mathrubhumi, a regional media house. The blog was asked to remove an allegedly defamatory post about unfair labour practices at Mathrubhumi, and the Police used the Section 91 of the Code of Criminal Procedure, 1973 (CrPC) to pry information ‘deemed necessary’ for an investigation. MouthShut.com has also been issued several notices under Section 91 for unfavourable reviews on the site.

– Internet Service Providers (ISPs) and online portals are forced to provide user information to government agencies under Rule 3(7) of the Information Technology (Intermediaries Guidelines) Rules, 2011. Founder of Jupiter Capital and BPL Mobile Rajeev Chandrashekhar and MouthShut.com have challenged the constitutionality of this Rule in Supreme Court.

Government operated surveillance systems

NETRA, the internet surveillance system being developed by the DRDO lab CAIR, will have storage servers at over 1000 locations across India, each with a storage capacity of 300 GB. SFLC learnt this from a source with direct claimed links to the DRDO.

– Tax and bank account details, credit card transactions, visa and immigration records and itineraries of rail and air travel will be analyzed by NATGRID, and this data will be made available to all security agencies. SFLC learnt this through a response provided to an RTI request from the NATGRID office.

CMS will eliminate the need for law enforcement agencies to approach telecom service providers or ISPs on a case-by-case basis to retrieved intercepted data. All data will be stored in the CMS and all authorised government agencies will be able to access it instantaneously.

Collection of data CMS

Huge market for surveillance equipment and systems: 26 companies had expressed interest in placing bids on a tender calling for internet monitoring systems, floated by the office of the Director General of Police, Logistics & Provisioning, New Delhi. This was revealed by an RTI request filed by SFLC. These companies are: Alcatel-Lucent India, Agilis Information Technologies International, Appin Software Security, Aqsacom India, ClearTrail Technologies, Electronics Corporation of India Ltd., Information Technology & Telecom Division, HCL Infosystems, Hewlett-Packard India Sales, Innefu Labs, Intelligent Communication Systems India, ITI, Kommlabs Dezign, Law Abiding Technology, Narus Network, Netsweeper India, NICE Systems, Pyramid Cyber Security and Forensics, Siemens Information Systems, Span Technologies, Span Telecom, SS8 Network, Telecommunications Consultants India, Vehere Interactive, Verient Systems India, Vox Spectrum, and Xalted Information Systems. The various types of surveillance technologies that these companies have on offer, include phone interception, social network analysis, and data-mining and profiling.

What’s the legal procedure of intercepting telephonic communications?

There are two aspects to this:

1. Issuing of the interception order from the authorities

The interception order can be issued only by the Union Home Secretary or State Home Secretary. However, under so-called ‘unavoidable circumstances’ an officer not below the rank of a Joint Secretary to the Government of India can also issue the order. In case of an emergency the Head or the second senior most officer of the authorized law enforcement agency or officers not below the rank of Inspector General of Police (State) can also issue the order. However, in such cases the Union or State Home Secretary needs to be informed within 7 working days.

SFLC report

2. Interception process

During the interception process law enforcement agencies need to appoint a one or more nodal officers, who authenticate and relay all intercepted communication from Telecom Service Providers (TSPs) and the agencies. TSPs also need to appoint nodal officers, are responsible for receiving and handling all requisitions, including the interception order.

Interception Process

Surveillance of Internet meta-data

ISPs are required to provide geographical location of any subscriber, including base transceiver station location and latitude & longitude details to the DoT or other government agencies on request. Location details of customers accessing internet on mobile devices can also be requested by these agencies, and need to be provided as per the accuracy and time frame mentioned in the table below.

SFLC report