Recent reports released by Yahoo and Facebook on requests for user data sent by Governments paint a grim picture of surveillance. The transparency report released by Yahoo on September 6, 2013 shows that the Indian Government sent 1,490 requests asking information about 2,704 user accounts. On August 27, 2013, Facebook released its first Global Government Requests Report. The figures revealed in the report accord India, the dubious distinction of being the country with the highest number of user data requests after the United States. The United States Government submitted 11,000-12,000 requests to Facebook demanding information about 20,00-21,000 users while the Indian Government submitted 3,245 requests demanding information of 4,144 users during the period from January to June 2013.
The data earlier released by Google and Microsoft also portrays an alarming picture. The Indian Government sent 2431 user data requests to Google demanding information about 4106 users during July – December 2012. In the case of Microsoft, the Government sent 418 user data requests asking for information regarding 594 user accounts in 2012. Considering these numbers, the data sought by the Government from Indian online service providers ranging from Rediff.com to MouthShut.com could also be huge. However, no such information is available.
The biggest hurdle to get information related to requests made by the Government about electronic records is the provision in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 which makes all this information confidential. Rule 25(4) of these Rules mandates that strict confidentiality has to be maintained in respect of direction for interception or monitoring. Although Section 22 of the Right to Information Act, 2005 overrides the provisions in any law which are inconsistent with the RTI Act, the Government often cites national security as the reason to prevent access to this information. Thus, all we have to gauge the quantum of electronic surveillance which is going on are the transparency reports released by these online service providers.
SFLC.IN had filed an application under the RTI Act to obtain information on tapping of telephones and monitoring of emails. The Ministry of Home Affairs in its reply dated August 6, 2013 has stated that on an average 7500 to 9000 orders for interception of telephones and 300 to 500 orders for interception of emails are issued by the Central Government every month. If you add to this the orders issued by the State Governments for telephone tapping and email monitoring, the numbers will be shocking.
These figures could only be the tip of the iceberg as the legal provisions make it fairly easy for law enforcement agencies to gather this data. In India, S.91 of the Code of Criminal Procedure, 1973 (CrPC) gives powers to any officer in charge of a police station to ask for production of any document for the purpose of investigation. This broad provision is often misused by law enforcement agencies to get information from Internet Intermediaries.
Moreover, sub-rule 7 of Rule 3 of the Information Technology (Intermediaries Guidelines) Rules, 2011 makes it even easier for any law enforcement agency to obtain information from an intermediary. In addition to this, the Controller of Certifying Authorities(CCA) also has the power to request information from providers. Earlier, the CCA in reply to an application that we had filed under the RTI Act informed us that the CCA has received 103 requests for investigation from all agencies of the Government of India and State governments in the last three years and that the CCA has issued notices to Intermediaries in 73 instances. The CCA had in fact fined Yahoo for not complying with its order to provide user information. The Writ petition filed by Yahoo before the High Court of Delhi challenging this order and Rule 7(3) of the Intermediaries Guidelines Rules is pending.
Such broad provisions in the law, combined with the absence of a legislation which restricts such requests, has resulted in the Government and its agencies sending huge number of user data requests to service providers. These requests are made by agencies ranging from the Home Ministry to the local police stations. The huge numbers show that there clearly is a need for proper safeguards to be built into the system to protect the right to privacy of citizens. The sheer number of telephone tapping orders issued per month shows that the current mechanism consisting of top level officials for reviewing tapping orders, which is supposed to be a safeguard has been reduced to a mere formality.
There is an urgent need to evolve a proper legal framework to protect privacy of citizens when Government agencies request user information and monitor telephonic and electronic communication. The Supreme Court in the PUCL case had framed various guidelines to be observed while issuing orders to tap telephones. The review mechanism by which the tapping orders are reviewed by a team consisting of the Cabinet Secretary, Secretary in the Ministry of Law Affairs and Secretary of the Department of Telecommunications in the Centre and a similar mechanism in the state has in effect resulted in a system where the powers for issuing orders, execution and review are with the executive. The current legal framework as per the Telegraph Act or the Information Technology Act do not provide for a judicial oversight. In fact, the Supreme Court held in the PUCL case that that in the absence of any provision in the statute, it is not possible to provide for prior judicial scrutiny as a procedural safeguard. In view of the current surveillance rich environment cloaked in secrecy, it is time to start discussing whether judicial interference is required to balance privacy of citizens with compelling interests of the state.