Update: Following the outcry over the Government’s notification directing all central security and investigation agencies to intercept, monitor and decrypt “any information on any computer”, the government has now issued a clarification. It said that the order has been issued in accordance with rules framed in 2009, under the IT Act and in “vogue since then.” It said:

  • No new powers have been conferred on any security or law enforcement agencies since then.
  • The notification has been issued to notify the ISPs, TSPs, Intermediaries to codify existing orders.
  • Each case of interception, monitoring, decryption has to be approved by the Union Home secretary. Under the IT Act, these powers are also available with the competent authority in the State governments.
  • As per the Act, all such cases have to be placed before the review committee headed by the Cabinet Secretary. The review committee shall meet once in two months to review such cases. In states, such cases would be reviewed by a committee headed by their respective Chief Secretaries.

However, it is still unclear why the government is notifying ISPs, TSPs and other intermediaries about this specific section now, if the rules have existed since 2009. The government says that this notification will ensure that interception, monitoring or decryption is done in accordance with law, that unauthorised use of these powers by anyone else is prevented, and that the interception is lawful.

***

Earlier today: The Ministry of Home Affairs has issued an order directing all central security and investigation agencies to intercept, monitor and decrypt “any information on any computer”. (The order can be read here.) It is unclear whether it refers to computers within the territory of the country or all computers.

MediaNama has reached out to the Ministry for a clarification and will update this when we hear from them.

Exercising the powers under Section 69(1) of the Information Technology Act, 2000, the Ministry of Home Affairs said:

“… the Competent Authority hereby authorises the following Security and Intelligence Agencies for the purposes of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource under the said Act…”

The following authorities can monitor all computers:

  • Intelligence Bureau
  • Narcotics Control Bureau
  • Enforcement Directorate
  • Central Board of Direct Taxes
  • Directorate of Revenue Intelligence
  • Central Bureau of Investigation
  • National Investigation Agency
  • Cabinet Secretariat (RAW)
  • Directorate of Signal Intelligence (for service areas of Jammu & Kashmir, North-East and Assam only)
  • Commissioner of Police, Delhi

According to the Act (pdf), the central or state government and its officers can surveil any computer if it is necessary or expedient –

  • “In the interest of sovereignty or integrity of India
  • defence of India
  • security of the state
  • friendly relations with foreign states or public order or
  • for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence”

The Hindu, in its report, says that any person, subscriber or service provider who is in charge of the computer resource will be bound to provide all technical assistance to the agency. They also are liable for imprisonment of seven years if they fail to do so. Note that the notice issued by the MHA does not mention anything about the imprisonment.

Lead up to surveillance unclear

The event leading the government to issue this notification is unclear. However, the notification has led to several concerns relating to violation of privacy and the State’s over-reach. Reacting to the news, Sitaram Yechury, General Secretary, tweeted, “Why is every Indian being treated like a criminal? This order by a govt wanting to snoop on every citizen is unconstitutional and in breach of the telephone tapping guidelines, the Privacy Judgement and the Aadhaar judgement.”

Computer includes digitally connected devices

“‘Any computer’ defined under the Information Technology Act,” explains Apar Gupta, lawyer and co-founder of Internet Freedom Foundation, “includes any electronic device, like phone, tablets, smart phones. It may include Kindle, and anything which is digitized. So it is not completely limited by the nomenclature of the definition of computer.”

  • Under the act, these systems are not bound by any geography. “The application of the Information Technology Act and the provisions within it apply extra-territorially,” explains Gupta.
  • This means that the systems do not need to be physically present in India.

He explains that while the draft Data Protection Bill is completely silent on any kind of safeguards or any oversight mechanism relating to such surveillance orders or programmes, “Very very clearly in all the judgments of the court and even in the Aadhaar judgement, the majority judgement of Justice Sikri clearly states that judicial oversight and a warrant is now necessary for sharing information which is under the Aadhaar Act. Now, arguably this grows from the privacy judgement of 2017 and upgrades a level and threshold for interception and disclosure of personal data for law enforcement,” said Gupta.

“This proportionality (of mass surveillance vs right to privacy) will now be judged by the judges, whenever specific requests for information sharing is made. However, such kind of safeguards are not statutorily recognised either under Section 69 (of the IT Act) or this notification or the rules made in 2009. And this is the core problem, the legality of the notification expands to parts which predates the Puttaswamy judgement and the requirement of proportionality which is now a binding law on all arms of the government,” Gupta said.

Previous surveillance attempts by the Indian Government

  • Currently, a case against social media surveillance by Aadhaar’s nodal agency UIDAI is in court. Mahua Moitra, a Trinamool Congress MLA, had moved the Supreme Court against UIDAI’s plan to hire a social media agency to monitor the coverage of Aadhaar in media and on social media. Moitra demanded the quashing of the proposed agency.
  • In August, the Centre withdrew its controversial Social Media Communication Hub. However, since 2014, different parts of the government have issued six tenders to keep an eye on what users were posting on Twitter and Facebook.
  • In August 2017, the government went live with National Cyber Coordination Centre, the government’s cyber security project which scans and records meta data on the Internet.
  • In January 2014, reports of Government launching an Internet monitoring system called ‘Netra’ had surfaced. This system would be capable of detecting suspicious words like ‘attack’, ‘bomb’, ‘blast’ or ‘kill’ in real time on social media, emails, instant messaging.
  • In December 2011, Central government gave powers to RAW to tap phones and track emails.