NASSCOM Policy Brief
10.01.2019
Ministry of Home Affairs’ Order on Lawful Interception or Monitoring or Decryption of Information through Computer Resource
[Statutory Order No. 6227(E) (2018)]
Context
On 20th December, 2018 the Ministry of Home Affairs ( ‘MHA’) issued Order S.O. 6227(E) (‘S.O.’) authorising ten security and intelligence agencies to intercept, monitor and decrypt any information in any computer resource in accordance with the Information Technology Act, 2000 (‘IT Act’) and the relevant rules made thereunder.
The S.O. has been issued under section 69 of the IT Act. This section provides that the Controller of Certifying Authorities established under the IT Act can direct any government agency to intercept any information transmitted through any computer resource on grounds including sovereignty or integrity of India, State security, public order and prevention of incitement to commit any offence.
A day after the release of the S.O., the MHA issued a Press Release to address concerns emanating from the S.O. This states that the S.O. is intended to ensure that any interception, monitoring or decryption of information is lawful and only by the security and intelligence agencies notified under the S.O.
The S.O. has been challenged before the Supreme Court on grounds of violation of right to privacy.[1]
The S.O has to be read in conjunction with Rule 4 under the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (‘IT Rules 2009’), notified by the Ministry of Electronics and Information Technology (MeitY) in October 2009. Under rule 4, the competent authority has the power to authorise a government agency to intercept, monitor and decrypt any information generated, received, stored or transmitted in any computer resource as provided under section 69 of the IT Act.
Many of the provisions in the IT Rules 2009 relating to interception of communication correspond to the provisions of rule 419A of the Indian Telegraph Rules, 1951.[2]
Analysis
Unauthorised interception of communication is a problem. For example, in February 2014, it was reported that incidents of surveillance had taken place in Gujarat, Himachal Pradesh and the National Capital Territory of Delhi without due authorization and a Commission of Inquiry was set up to look into these incidents; the outcome of the inquiry is not known[3].
- Ostensibly, the change as a result of the S.O. vis-à-vis rule 4 of the IT Rules 2009 is that the government has now notified the government agencies authorised to intercept/monitor/decrypt information.[4] The Press Release too clarifies that the S.O. did not vest the notified agencies with any new power than had already been conferred by the IT Rules 2009.
- There is apparently no blanket power to intercept by the government. The Press Release clarifies that each case of interception, decryption or monitoring is to be approved by the competent authority, i.e. the Union Home Secretary.[5] The Press Release informs that these powers are also available to the competent authority in the State Governments in accordance with the IT Rules 2009.
There are specific grounds under section 69 of the IT Act for exercising the powers of interception/monitoring/decryption of information, namely:
- sovereignty or integrity of India,
- the security of the State,
- friendly relations with foreign States
- public order, and
- preventing incitement to the commission of any cognizable offence.
- Further, IT Rules 2009 provide for the following checks:
Rule 8: The competent authority shall issue any direction to intercept information only when alternative means of interception are not available.
Rule 10: A direction to intercept information should specify the designation of the officer of the competent authority to whom the information would be disclosed.
Rule 14: Places an obligation on intermediaries or persons in-charge of a computer resource to designate an officer to receive information requisition requests and another to handle such requisition. The designated officers must also maintain records of any information which is intercepted, monitored or decrypted.
Rule 18: To confirm the authenticity of interception orders, the designated officers are required to submit (once in fifteen days) the list of decryption/interception/monitoring order received by them to the agencies notified under rule 4.
- The Press Release notes that that there would be a review of cases of interception/monitoring/decryption of information by a Review Committee which shall meet once in two months as provided under rule 22 of the IT Rules 2009. However, there is no procedure of screening such cases in an expeditious manner to detect whether there is any unlawful interception of information. This might be a cause for concern.[6]
In case the industry has any specific concerns with respect to the S.O., NASSCOM shall look into them in detail.
Annexure A
Interception or monitoring or decryption of information through computer resource
The ten security and intelligence agencies which have been notified in the S.O. are:
- Intelligence Bureau
- Narcotics Control Bureau
- Enforcement Directorate
- Central Board of Direct Taxes
- Directorate of Revenue Intelligence
- Central Bureau of Investigation
- National Investigation Agency
- Cabinet Secretariat (RAW)
- Directorate of Signal Intelligence (For service areas of Jammu & Kashmir, North-East and Assam only)
- Commissioner of Police, Delhi
Annexure B
The agencies which have been authorised under rule 419A of the Telegraph Rules are:
- Intelligence Bureau,
- Narcotics Control Bureau
- Directorate of Enforcement
- Central Board of Direct Taxes
- Directorate of Revenue Intelligence
- Central Bureau of Investigation
- National Investigation Agency
- Research & Analysis Wing (R&AW)
- Directorate of Signal Intelligence, Ministry of Defence- for Jammu & Kashmir, North East & Assam Service Areas only
Director General of Police, of concerned state/Commissioner of Police, Delhi for Delhi Metro City Service Area only.
[1] ‘Judges, officials snooped on after December 20 order, lawyer tells Supreme Court’, The Hindu, 3 January 2019; available at: https://www.thehindu.com/news/national/judges-officials-snooped-on-after-december-20-order-lawyer-tells-supreme-court/article25902767.ece (last accessed 04.01.2019).
[2] The procedure to be followed for lawful interception of telephones permissible under section 5(2) of the Indian Telegraph Act 1885 is governed by rule 419A as provided in the Indian Telegraph (Amendment) Rules, 2007. Section 5(2) of the Indian Telegraph Act, 1885 popularly known as the ‘wire-tapping clause’ provides for interception of messages transmitted or received by any telegraph by government agencies on similar grounds as stipulated in the IT Act. Rule 419A of the Indian Telegraph Rules, 1951 came into effect in March 2007. The Indian Telegraph Act, 1885 is available at http://dot.gov.in/actrules/indian-telegraph-act-1885. Various amendments to the Indian Telegraph Rules, 1951 are available at http://dot.gov.in/act-rules-content/2423 (last accessed 09.01.2019). The list of law agencies authorised under rule 419A is stated in Annexure B.
[3] Anuj Srivas, ‘Is the Modi government snooping on you? Here are five questions you should be asking’, The Wire, 21 December 2018; available at: https://thewire.in/government/narendra-modi-snooping-it-act-home-ministry (last accessed 04.01.2019)
[4] The list of agencies is specified in Annexure A.
[5] This was also clarified in 2012 by the then Minister of State of Home Affairs in written reply to a question in the Lok Sabha available at http://pib.nic.in/newsite/PrintRelease.aspx?relid=80829. Under section 2(d) of the IT Rules 2009, the competent authority is the Secretary in the Ministry of Home Affairs, in case of the Central Government.
[6] Under section 7 of the IT Rules 2009, any direction issued by a competent authority under rule 3 shall contain the reasons for such direction and a copy of the direction is to be forwarded to the Review Committee within 7 working days.
Comment