While Section 5(2) of the Telegraph Act and Sections 69 and 69B of the Information Technology Act (IT Act) collectively set the stage for direct surveillance of India's telephone and Internet networks, more provisions of the IT Act allow indirect surveillance i.e. they allow the Central/State Governments and their agents such as the Controller of Certifying Authorities and police officers to collect "information" under specified circumstances. In the absence of clarifications on the nature of information that can be collected, these provisions serve as alternate means to collect Internet data and meta-data when surveillance by means of Sections 69 and 69B may not be feasible:
Section 28 of the Information Technology Act allows Government officials to access any electronic data while investigating contraventions of the Act and Rules or regulations made under the Act. The Section states that the Controller of Certifying Authorities (CCA) or any authorized officer may direct production of information towards investigating contraventions of the Act or connected Rules and regulations. It confers on them the powers of Income-tax authorities as under Chapter XIII of the Income Tax Act, 1961 for the purposes of such investigation. Chapter XIII of the Income Tax Act awards the authorities significant powers of investigation, including the power to compel production of information stored electronically. Thus, the CCA in effect has the same authority under Section 28, provided such authority is exercised in the course of investigating a contravention of the IT Act.
In 2011, the CCA had imposed a fine on Yahoo! To the tune of Rs. 11 lakhs for its refusal to provide user information requested under Section 28. An interim order staying the fine was issued by the Delhi High Court in 2011, and a final order setting aside the fine was issued in February 2014.
Further, a Right to Information request filed by SFLC.in revealed that the CCA had made 73 requests for information in 2011 under Section 28.
Section 29 of the Information Technology Act provides the CCA or authorized officers with the power to access computers and their data on a reasonable cause to suspect contravention of Chapter VI of the Act. Chapter VI deals with regulation of Certifying Authorities and contains a number of provisions, whose contravention could be easily and reasonably suspected. Since no framework for the access of computers and data has been prescribed by the Section, it is frighteningly easy for Section 29 to be wrongfully invoked to access private user information from Certifying Authorities.
Rule 6 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, says that though a body corporate is disallowed from disclosing sensitive personal data or information to third parties without the prior consent of the provider of the information, it may disclose the same to Government agencies mandated under law without prior consent for the purpose of identity verification, prevention, investigation of offences etc. It further states that any sensitive personal data or information shall be disclosed to third parties by an order under law, presumably without prior consent of the provider.
Rule 3(7) of the Information Technology (Intermediaries Guidelines) Rules, 2011, requires that intermediaries such as ISPs and on-line portals must provide information or any assistance to authorized Government agencies for the purpose of identity verification, prevention or investigation of offences etc., when asked to do so by a lawful order. There is some confusion here regarding the term 'lawful order' since the Rule uses it interchangeably with the term 'request in writing'. This seemingly implies that a 'lawful order' as envisioned under the Rule is nothing more than a written letter from authorized Government agencies, which does not bear adequate force of law. As a result, the process of directing the production of information under Rule 3(7) is inordinately simplified, and this is evident in general practise.
The constitutionality of this provision was challenged by Yahoo in a Writ Petition filed before the Delhi High Court, following the imposition of a hefty fine for refusal to provide information to the CCA under Section 28 of the IT Act. Though the fine itself was set aside by the Court, larger questions of law such as the constitutionality of Rule 3(7) were left undecided. The Rule has also been challenged before the Supreme Court in the cases of Rajeev Chandrashekhar v. UoI and MouthShut.com v. UoI as being violative of the citizens' right to privacy. Both cases are currently pending before the Supreme Court, awaiting judgement.
Rule 7 of the Information Technology (Guidelines for Cyber Cafe) Rules, 2011, states that an officer authorized by the registration agency, is authorized to check or inspect the cyber cafe and the computer resource or network established therein at any time for the compliance of these rules. The cyber cafe owner shall provide every related document, registers and any necessary information to the inspecting officer on demand. This is especially interesting, considering that cyber cafes are also classified as intermediaries under the IT Act. Thus, Rule 7 can be used to access personal information from cyber cafes including Internet histories and other user-related information.
Apart from the IT Act and Rules, Section 91 of the Code of Criminal Procedure, 1973 (CrPC) says that any Court or officer in charge of a police station may require the production of any document or 'other thing' if it is considered necessary for the purposes of an investigation, inquiry, trial or any other proceeding under the CrPC. Since this is the legislation which the police authorities are familiar with, it is often found that requisitions sent to intermediaries directly by the police often ask for information based on Section 91. For instance, a vernacular blog bodhicommons.org was issued a notice in February 2013 under Section 91 based on a complaint made by a regional media house Mathrubhumi, where the blog was asked to remove an allegedly defamatory post containing discussions on unfair labour practises at Mathrubhumi. The notice also directed bodhicommons to furnish registration details of the URL (sic) from which the offending post was originally made. Again, a consumer review website mouthshut.com was issued notices under Section 91 demanding identification details regarding the up-loaders of several unfavourable reviews found on the website.