In the wake of heightened attention being garnered by issues involving the privacy and personal liberty of individuals, the Central Government surprisingly issued an Order on 20th December 2018 (hereinafter, “the Order”) authorizing 10 governmental agencies for the purposes of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource.[i] The Order received heated criticism from all corners including politicians, lawyers and social activists and was labelled as a Snooping Order, Orwellian in nature. Thus, this piece discusses the emergence of a regime of surveillance through sporadic rules and Regulations arising from Section 69 of the Information and Technology Act (hereinafter, “IT Act”)[ii] and the truth behind the Order, is the Order Orwellian in nature or not?
The Order
Before we move to the larger question at hand i.e. governmental surveillance, it is necessary to understand the Order. The governmental agencies which have been authorized by the Order are:
Intelligence Bureau
Narcotics Control Bureau
Enforcement Directorate
Central Board of Direct Taxes
Directorate of Revenue Intelligence
Central Bureau of Investigation (CBI)
National Investigation Agency
Cabinet Secretariat (Research and Analysis Wing)
Directorate of Signal Intelligence (in Jammu and Kashmir, North-East and Assam only)
The Delhi Police Commissioner.
The Order stipulating that certain agencies are authorized to intercept, monitor and decrypt is an exercise of the powers conferred by Section 69 of the IT Act read with Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (hereinafter, “IT Rules”).
The word ‘computer network’ as used in the Order means the linkage between two or more computers through communication channels for the purpose of communicating data electronically. These computer networks include Local Area Networks (LAN) or Wide-Area Networks (WAN). In this sense, the usage of the phrase “computer resource” gives a wide amplitude of powers to the agencies. Moreover, the order provides the authority to track the transmitting material along with the material already stored in the computer or the database.
When the Order was issued, on its bare reading it appeared that the aforementioned authorities are granted authorization or access to the data of any individual without any requirement of permission from the Secretary, and thus, the hullabaloo emerged regarding the Order being “Orwellian”. However, it is pertinent to note that the Order confers no new powers on the Agencies. The following becomes clear through the Clarifications[iii] that the Government issued regarding the Order (hereinafter, “Clarifications”).
Structure for Surveillance in India
India does not have a single encompassing legislation for governmental surveillance. However, it is governed through various regulations and laws. Section 69 of the IT Act provides the authority for surveillance to agencies only if it is necessary or expedient inter alia in the interests of “the sovereignty or integrity of India, the security of the State, friendly relations with foreign States”[iv]. Rule 419A of the Indian Telegraph Act of 1885 provides for the interception of phone calls. Internal protocol to be followed by both intercepting agencies and Telecom Service Providers in handling requisitions for interception is guided by Standard Operating Procedures.[v] However, the murky fact is that they are not available in the public domain. Astonishingly, to punish unlawful interception, the Telegraph Act carries a far lesser penalty (up to three years of imprisonment) than for a citizen’s failure to assist an agency that wishes to intercept or monitor or decrypt (up to seven years of imprisonment).[vi]
Section 12 of the Maharashtra Control of Organized Crimes Act, 1999 and Section 14 of the Andhra Pradesh Control of Organized Crimes Act, 2001 allow for the collection of evidence in the form of interceptions of any wire, electronic or oral communication.[vii] The Central Government notified the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 in pursuance of Section 69 of the IT Act. These Rules provide the teeth to authorized governmental surveillance, as it lays down the structure and the mechanism to be maintained by agencies involved in interception, monitoring and decryption. The Government stipulated in the Clarifications[viii] that the powers empowering the agencies for interception, is exercised through these Rules.
Accountability of Intelligence Agencies vis-à-vis Surveillance
The main reason for issuance of the governmental Order regarding interception, which was highlighted in the Clarifications, was that it would “prevent unauthorized use of these powers by any agency, individual or intermediary.”[ix] However, as per Rule 4 of the IT Rules, only governmental agencies had the power to intercept, decrypt or monitor and individuals or intermediaries never had the following powers. Also, the authorized use of following powers is to be taken with a pinch of salt due to the cloud of mystery over accountability of intelligence agencies. In India, surveillance is conducted majorly by intelligence agencies. The bleak or virtually nonexistent accountability that these agencies have is due to the fact that they were made by executive orders and there is no law/statute that governs them.[x] Thus, they do not have clearly defined roles, duties and functioning mechanisms. Hence, it is necessary to look at the regulatory framework of other States to understand oversight in governmental surveillance. The reason Oversight for intelligence agencies are ideally split among the three branches of the Government, in order to avoid concentration of power, to increase transparency and accountability of people who are tasked with handling sensitive information related to national security.[xi]
The following countries being discussed are a part of Five Eyes. The Five Eyes Intelligence Community is the most exclusive intelligence sharing club in the world, comprising of the U.K., New Zealand, the U.S.A., Canada and Australia.[xii] In the United Kingdom, the Investigatory Powers Tribunal is established to hear complaints of surveillance against the Government. In New Zealand, the Intelligence and Security Act, 2017 governs interception by Intelligence Agencies. Intelligence warrants are issued that authorize the Security and Intelligence Agencies “to carry out an otherwise unlawful activity for the purpose of collecting information.”[xiii] There exist Commissioners of Intelligence Warrants who are appointed by the Prime Minister. Moreover, the leader of Opposition is to be consulted by the Prime Minister before such appointment.[xiv]
The U.S.A. has a more elaborate structure vis-à-vis oversight of surveillance by intelligence agencies. A warrant is required to be issued by the competent federal judge to carry out the interception of either telephonic or electronic communication.[xv] The Executive has the President’s Intelligence Advisory Board and the Privacy and Civil Liberties Oversight Board, along with a network of Inspectors General, who are responsible for investigation and audit of intelligence activities. Moreover, “The Foreign Intelligence Surveillance Court reviews applications for warrants related to the collection of foreign intelligence by the US Government.”[xvi]
However, under the IT Rules and the Order, only the approval of the competent authority i.e. the Union Secretary is required. The actions of these agencies related to interception, decryption or monitoring will be placed before the review committee headed by Cabinet Secretary, which shall meet at least once in two months to review such actions.[xvii] Now, the Supreme Court in the Aadhaar Judgment[xviii] clearly laid down the fact that for granting of permissions of interception inter alia, there has to be a high ranking officer, “preferably, a judicial officer (a sitting judge of the High Court)” along with the Joint Secretary or Cabinet Secretary (in the instant case). Thus, the insights from the U.S. law and the Aadhaar judgment indicate a grave lack of oversight of the Judiciary in cases of surveillance.
Challenge of the Order
The Order issued by the Ministry of Home Affairs has been dealt with fire with a string of petitions filed against it. Advocates ML Sharma[xix] and Amit Sahni filed the petition on 24th December 2018 just 4 days after its notification.[xx] Recently, on 14 January 2019, the Internet Freedom Foundation (IFF) has also filed a PIL seeking quashing of the Notification citing it as a serious breach of privacy and a violation of the Golden Triangle[xxi] (Articles 14, 19 and 21of the Indian Constitution). Consequently, the Supreme Court bench comprising CJI Ranjan Gogoi and Justices SK Kaul and Ashok Bhushan issued a notice to the Minister of Home Affairs, however, the bench declined to give an interim stay on the operation of the order.[xxii]
Conclusion
The challenge of the instant “snooping order” is bound to fail, as it does not provide any carte blanche powers regarding surveillance, rather, it is a reproduction of the IT Rules. The Order only specifies the agencies which are authorized for such surveillance. The instant Order is not the issue of concern, but it is our network of surveillance itself which is inherently prejudiced against accountability of agencies conducting surveillance. Unlike the countries discussed above, there exists a vacuum of judicial oversight regarding surveillance by intelligence agencies. There is no medium of redressal for the individuals. Thus, instead of questioning and clattering over the instant Order, a tougher analysis of the surveillance framework as a whole is needed. The law regarding surveillance, which is guised as interception, monitoring, and decryption should have a separate regulatory regime, which unequivocally lays down the limitations of such powers and mechanisms of grievance redressal, thus increasing the accountability of intelligence agencies has to be increased.
[i] S.O. 6227(E), Ministry of Home Affairs (Cyber and Information Security Division), 20th December, 2018.
[ii] The Information Technology Act, 2000, s. 69.
[iii]PIB, ‘Some points on Lawful interception or monitoring or decryption of information through computer resource’ (2018), Government of India, available at- http://www.pib.nic.in/PressReleseDetail.aspx?PRID=1556945 (last accessed 19 January 2019).
[iv]The IT Act, s. 69(1).
[v]Editors, ‘India’s surveillance state: Procedural legal framework’ (2015), SFLC,available at-https://sflc.in/indias-surveillance-state-procedural-legal-framework (last accessed 19 January 2019).
[vi]Pranesh Prakash, ‘How Surveillance works in India’ (2013), The New York Times, available at- https://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/ (last accessed 19 January 2018).
[vii] The Maharshtra Control of Organised Crimes Act, 1999, s. 12; The Andhra Pradesh Control of Organised Crimes Act, 2001, s. 14.
[viii] PIB, ‘Some points on Lawful interception or monitoring or decryption of information through computer resource’ (2018), Government of India, available at- http://www.pib.nic.in/PressReleseDetail.aspx?PRID=1556945 (last accessed 19 January 2019).
[ix]ibid.
[x]Supra note 12.
[xi]Paul G Buchanan, The Interpreter, Lowy institute available at https://www.lowyinstitute.org/the-interpreter/democratic-oversight-intelligence-agencies-primer.
[xii]James Cox, ‘Canada and the Five Eyes Intelligence Community’ (2012), Canada International Council, available at- http://cdfai.org.previewmysite.com/PDF/Canada%20and%20the%20Five%20Eyes%20Intelligence%20Community.pdf (last accessed 19 January 2019).
[xiii] The Intelligence and Security Act, 2017, s. 53 (New Zealand).
[xiv] The Intelligence and Security Act, 2017, s. 112 (New Zealand).
[xv]18 U.S. Code § 2516 (2012).
[xvi] Cat Barker & Claire Petrie , et.al, ‘Oversight of intelligence agencies: a comparison of the ‘Five Eyes’ nations’ (2017), Parliament of Australia, available at- https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/pubs/rp/rp1718/OversightIntelligenceAgencies (last accessed 19 January 2019).
[xvii] The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, s. 22.
[xviii] Justice K.S. Puttaswamy (Retd.) v. Union of India, 2018 SCCOnLine SC 1642.
[xix]Devika, ‘Government order allowing interception and monitoring of data challenged in SC’ (2018),SCC Online, available at- https://www.scconline.com/blog/post/tag/advocate-ml-sharma/ (last accessed 17 January 2019).
[xx]Akanksha Jain, ‘Advocate Challenges MHA’s Surveillance Order Before SC’ (2018), Live Law, available at- https://www.livelaw.in/advocate-challenges-mhas-surveillance-order-before-sc/ (last accessed 17 January 2019).
[xxi]ShivangiGangwar, ‘Due Process v. Procedure established by Law: Framing and Working The Indian Constitution’, Manupatra, available at- http://docs.manupatra.in/newsline/articles/Upload/04244C3D-E95A-4B0B-882F-6E6202ED3E73.3-b__constitution.pdf (last accessed 19 January 2019).
[xxii]Mehal Jain, ‘Notification on Monitoring Computers: SC Issues Notice To Centre’ (2019), Live Law, available at- https://www.livelaw.in/top-stories/challenge-against-69-it-act-and-mha-notification-on-monitoring-computers-sc-issues-notice-to-centre-142098 (last accessed 17 January 2019).
By- Shrey Nautiyal, Executive Editor and Aditya Vyas, Associate Editor, RSRR Editorial Board