One of the several provisions that gives the government lawful access to data is Section 28 of the Information Technology Act 2000. This section provides that while investigating a case of contravention of any provision of the Information Technology Act, the Controller of Certifying Authorities (CCA) - the entity responsible for licensing and regulating the working of certifying authorities shall have the same powers as that conferred on income-tax authorities under Chapter XIII of the Income Tax Act, 1961. A reading of the provisions of the Income Tax Act throws light on these powers. The CCA shall have the power to enter and search any premises- in cases where keys are not available, the CCA may even break open doors, cupboards etc., and further the CCA can even seize any documents/ records for the purpose of investigation. Powers afforded under this section not only enable the CCA to compel the production of documents from any person who is responsible for such documents, but also enables him to enforce the attendance of any person. Where anyone fails to comply with directions under this Section, he can be made liable to pay a fine. Because ISPs/ intermediaries facilitate the use of Internet for 'netizens', they are most likely to bear the brunt of this provision.
Such extensive powers in the hands of the Controller is not the most alarming factor about Section 28. What makes one really worry is the fact that no guidelines/rules have been framed for the implementation of this provision. Therefore, we don't know the procedure under which requests for investigation are made before the CCA and the procedure adopted for such investigations. Moreover, there is no definite answer as to 'who' can make such requests or complaints.
In order to gain a little clarity on the implementation of Section 28, SFLC.IN had filed an RTI Application with the Controller of Certifying Authorities, asking questions about the methodology for implementation of Section 28.
SFLC.IN: How many requests/references have been received by the CCA for investigation from the Intelligence Bureau, Ministry of Home Affairs or other agencies of the Government of India as well as the State Government in the last three years? CCA: 103
SFLC.IN: Kindly provide the number of notices issued under Section 28 of the I.T. Act to various service providers/ intermediaries seeking details for the purposes of an investigation in the last three years. CCA: 73
SFLC.IN: Kindly provide names of all such service providers/intermediaries who have been issued such notices. CCA: Yahoo India, Google, AOL, Facebook, Orkut, Hotmail
SFLC.IN: Kindly provide the number of service providers/ intermediaries on whom a fine under Section 44(a) of the I.T. Act has been levied. CCA: 01
SFLC.IN: Kindly provide information with regard to the methodology followed by CCA for scrutiny of requests sent by Intelligence Bureau, Ministry of Home Affairs, or other agencies of the Government like for a notice to be issued to service providers/ intermediaries. Please provide any rules/ guidelines or file notes that may have been prepared for the procedure to be followed with respect to such requests. CCA: The matter is been dealt in a confidential file. As this is in relation with National Security. The information cannot be disclosed.
While we at SFLC.IN do believe that when the Indian Government is 'for the people, of the people and by the people', there is no reason for the Government to hide from us the procedure that is being adhered to in investigating offences. Especially when it relates to matters of access to information of Indian citizens. Thus, while we try to get more information on this particular provision and its implementation, we will also appeal the decision of the CCA. Got suggestions? Feel free to let us know by emailing us your comments.