New Delhi: India’s home affairs ministry has authorised ten central agencies and bodies to intercept, monitor, and decrypt “any information generated, transmitted, received or stored in any computer”.
The authorisation comes under Section 69 (1) of the Information Technology Act, 2000 and Rule 4 of the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules.
These rules, which allow snooping of electronic information, have been around since 2009 but it appears that the Centre has only now authorised specific agencies to carry out interception and decryption of computer information.
The ten central agencies that have been given permission include the Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation; National Investigation Agency, Cabinet Secretariat (R&AW), Directorate of Signal Intelligence (For service areas of Jammu & Kashmir, North-East and Assam only) and Commissioner of Police, Delhi.
According to regulations under the IT Act, the interception, monitoring and decryption of electronic information can only happen under specific circumstances which includes: “the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.”
Legal experts say that these authorised agencies will still have to function within the bounds of Rule 3 of Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, which insists that “no person shall carry out the interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under sub-section (2) of section 69 of the Act, except by an order issued by the competent authority”.
The competent authority in this case the union home secretary or “secretary-in-charge of home department in a state government”.
“As far as I can see, this is not much of a change, given these agencies are authorized to conduct interception and monitoring under the Telegraph Rules. But what is curious is that these are only being notified now. That seems to suggest that usage of interception and monitoring devices under s.69, and any decryption that these agencies have engaged in till today have invalid and without legal authority” Pranesh Prakash, a technology policy analyst and affiliated fellow at the Yale Law School’s Information Society Project, told The Wire.
“I also believe that Section 69 and 69B of the IT Act are unconstitutional for being over-broad in what they allow interception and monitoring for, in demanding decryption from accused persons, and the punishments that they prescribe,” Prakash added.
According to the Internet Freedom Foundation, a New Delhi-based digital rights organisation, the decision to authorise electronic snooping is “unconstitutional and in breach of the telephone tapping guidelines, the Privacy Judgement and the Aadhaar judgement”.
Home Ministry order goes much beyond mere telephone tapping:
1) Content streams are much richer, pervasive and personal.
2) Phrasing of, “intercept” in the rules includes traffic diversion. May permit code injections and malware attacks.
— Internet Freedom Foundation (IFF) (@internetfreedom) December 21, 2018