India’s surveillance state: Substantive legal framework

In this post, we will take a quick look at the relevant statutory provisions that establish the substantive framework governing Indian communications surveillance (this excludes the procedural framework of surveillance, which will be covered in a subsequent post). The focus here will specifically be on surveillance of telephone and Internet networks – the two most widely used means of communication in India.

Telephone

Surveillance of telephone networks is primarily authorized by the Indian Telegraph Act, 1885.For starters, a broad and future-proof definition of the word “telegraph” under Section 3(1AA) of the Act brings virtually any communication device – including telephones – within the Act’s purview. Section 5(2)of the Act then provides that on the occurrence of a public emergency or in the interest of public safety, Central/State Governments or any of their authorized officers may direct that telegraphic messages (which include communications made over telephones) be intercepted if it is considered necessary or expedient in the interest of:

• Sovereignty/integrity of India
• Security of the State
• Friendly relations with foreign States
• Public order
• Prevention of incitement to the commission of any offense

Thus by virtue of Section 5(2), telephone networks may be surveilled only on the occurrence of a public emergency or in the interest of public safety. While the terms ‘public emergency’ and ‘public safety’ are not defined under the Act itself, they were interpreted by the Supreme Court of India in the matter of People’s Union for Civil Liberties v. Union of India (AIR 1997 SC 568) to mean “the prevalence of a sudden condition or state of affairs affecting the people at large calling for immediate action“, and “the state or condition of freedom from danger or risk for the people at large” respectively. However, the expressions ‘sovereignty/integrity of India’, ‘security of the state’, ‘friendly relations with foreign states’, ‘public order’ or ‘prevention of incitement to the commission of any offense’ have not been defined under the Telegraph Act, which means they are open to interpretation by the concerned authority that sanctions interception.

Internet

Coming to Internet surveillance, the relevant substantive provisions may be found interspersed throughout the Information Technology Act, 2000 and Rules made thereunder. But before looking at the enabling provisions themselves, a distinction must be made between “Internet data” and “Internet meta-data”. The term “Internet data” connotes the core contents of data-packets transmitted between a user-end device and the host-server in which information accessed by the user resides. This would include the contents of websites browsed, e-mails sent/received, chat-logs and so on. “Internet meta-data” on the other hand, signifies particulars of Internet data apart from its core-contents. This would include information such as date and time of transmission, duration for which data was transmitted and location from/to which data was transmitted.

Internet data

With that out of the way, Section 69 of the IT Act, modeled extensively after Section 5(2) of the Telegraph Act, allows the Government to engage in surveillance of Internet data. It reads:

1. Where the Central Government or a State Government or any of its officers specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing the incitement to the commission of any cognizable offence relating to the above or for the investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.

2. The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.

3. The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1), extend all facilities and technical assistance to –

   1. provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or

   2. intercept, monitor, or decrypt the information, as the case may be, or;

   3. provide information stored in computer resource

4. The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.

As can be seen, Section 69 in provisioning surveillance of Internet data, draws much of its language from Section 5(2) of the Telegraph Act. The former, however, makes three notable departures from the latter. Firstly, Section 69 dispenses with the all-important sine qua non found under Section 5(2), viz. the occurrence of a public emergency or interest of public safety. Interception, monitoring, and decryption of Internet data under Section 69 is therefore not predicated on the prevalence of either conditions, and this considerably widens the Government’s surveillance avenues when it comes to Internet data. Secondly, the grounds under Section 69, in the interest of which interception etc. of Internet data may be undertaken, is slightly larger in number and significantly greater in scope, as evidenced by the comparative table given below:

Grounds under Section 5, Indian Telegraph Act	Grounds under Section 69, Information Technology Act
Sovereignty/integrity of India	Sovereignty/integrity of India
–	Defence of India
Security of the State	Security of the State
Friendly relations with foreign States	Friendly relations with foreign States
Public order	Public order
Prevention of incitement to the commission of any offence	Prevention of commission of any cognizable offence relating to the above
–	Investigation of any offence

Lastly, unlike Section 5(2), Section 69 imposes an obligation on those from whom Internet data is demanded (Internet Service Providers, for instance) to provide all assistance to the intercepting agency, failure to comply with which may result in imprisonment for up to 7 years and fines.

Internet meta-data

With surveillance of the Internet data thus provisioned by Section 69, Section 69B in turn deals with surveillance of Internet meta-data. It reads:

1. The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.

2. The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information.

3. The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.

4. Any intermediary who intentionally or knowingly contravenes the provisions of subsection (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

   Explanation: For the purposes of this section,

   1. “Computer Contaminant” shall have the meaning assigned to it in section 43

   2. “traffic data” means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.

Section 69B allows the collection and monitoring of meta-data – cloaked as “traffic data” – for the twin purposes of enhancing cyber security and tackling computer contaminants. The term “cyber security” has been defined under Section 2(1)(nb) of the IT Act as the protection of information or devices from unauthorized access, use, disclosure, disruption, modification or destruction, and the term “computer contaminants” as per Section 43 of the IT Act denotes malicious software such as computer viruses. Both grounds for invocation of Section 69B are visibly broad in ambit, and essentially allow surveillance of meta-data at any given point of time.

These are the primary legislative provisions that allow Central/State Governments to intercept and/or monitor the nation’s telephone and Internet networks. As evident, the provisions are liberal in their use of broad and somewhat ambiguous terms, and stop short of clearly delineating the specific circumstances in which communications surveillance may be undertaken. The scope for subjective interpretation here is tremendous, and the presence of surveillance-validating grounds such as ‘investigation of any offence’ and ‘preventing the spread of computer contaminants’ ensures that India’s telephone and Internet networks remain open for surveillance at any given point of time.