THE UNION HOME MINISTRY’S DECEMBER 20 order drew sharp reactions from the political community, cybersecurity experts and advocates of Internet freedom against what they perceived as an attempt at mass surveillance. They felt that it provided a “legal basis” for non-consensual access to data under the garb of national security. The issue gained traction as the opposition came down heavily on the government at the winter session of Parliament.
On December 21, the Revolutionary Socialist Party member N.K. Premachandran raised the issue in the Lok Sabha, and Anand Sharma of the Congress took it up in the Rajya Sabha. In the Lok Sabha, while members such as P.K. Biju of the Communist Party of India (CPI) associated themselves with the question, not much discussion took place as the matter came up almost towards the end of the day’s proceedings. The issue was raised by political parties outside Parliament in the form of press briefings and comments on social media. Leaders belonging to the Janata Dal (Secular), the Communist Party of India (Marxist), the Rashtriya Janata Dal, the Samajwadi Party (S.P.), the Trinamool Congress and the
Opposition parties and cybersecurity specialists raise concerns about the possibility of gross misuse of data, especially for political purposes.
All India Majlis-e-ittehadul Muslimeen (AIMIM) criticised the notification while the allies of the Bharatiya Janata Party (BJP) in the ruling National Democratic Alliance (NDA) maintained a studious silence.
Defending the notification, Finance Minister Arun Jaitley told the opposition benches, particularly the Congress: “Your government has used it in the past. Our governments have also used it. Every government has used it. The same agencies had the power earlier. In 2009, rules were framed, which authorised the same agencies to intercept anybody who played with national security, public order and integrity of India.” The Ministry of Home Affairs clarified that the notification did not “confer any new powers”, that “every individual case will continue to require prior approval” of the Ministry (Home) and the State government, that “adequate safeguards” were provided in the Information Technology (IT) Act, 2000, and that similar provisions and identical safeguards existed in the Indian Telegraph Act. The Ministry also spelled out that it had not delegated its powers to any law enforcement or security agency.
The listing of 10 agencies, critics said, was unnecessary if powers had not been delegated and the agencies had not been granted unfettered access to service providers and intermediaries. Ghulam Nabi Azad, the Leader of the Opposition in the Rajya Sabha, said the order did not mention “national security” anywhere. He said now anybody’s data could be intercepted at will and that there was an “undeclared emergency”. Former Home Minister P. Chidambaram, under whose watch the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, were drafted, described the order as “Orwellian”, while S.P. leader Ram Gopal Yadav cautioned the ruling party against “digging” a pit for itself, especially as the order would be invalid in four months with a change of government at the Centre.
Sitaram Yechury, CPI(M) general secretary, said in his Twitter handle: “Why is every Indian being treated like a criminal? This order by a govt wanting to snoop on every citizen is unconstitutional and in breach of the telephone tapping guidelines, the privacy judgment and the aadhaar judgment.” West Bengal Chief Minister Mamata Banerjee called it “dangerous” while Delhi Chief Minister Arvind Kejriwal described it as an “undeclared emergency”. Asaduddin Owaisi, AIMIM chief and Lok Sabha MP, tweeted: “Who knew this is what they meant when they said ‘ghar ghar Modi’.”
On December 24, the Union Ministry of Electronics and Information Technology issued the draft rules amending Section 79 of the IT Act, which deals with exemptions from liabilities of intermediaries, and invited comments on it from all relevant stakeholders. The comments are to be sent by January 15, 2019. This appeared as a knee-jerk reaction to the opposition’s sharp responses to the December 20 order and in effect appeared to provide a framework to justify the Home Ministry order. Section 79 of the IT Act had a proviso to exempt intermediaries from liability in certain cases. In 2011, the Information Technology (Intermediaries Guidelines) Rules were notified under Section 79 (2) (c), which stipulates that intermediaries “must observe due diligence while discharging their duties, and also observe such other guidelines as prescribed by the Central government”.
While status quo could have prevailed as far as the 2009 rules and the 2011 guidelines were concerned, the Electronics & IT Ministry went a step further and amended the rules on the grounds that it was necessary to regulate social media platforms to prevent misuse and spread of fake news. It referred to a calling attention motion on the subject, in the Rajya Sabha on July 26, 2018, of “misuse of social media platforms and spreading of fake news”, which was admitted in the monsoon session. In his reply the Minister for Electronics and IT assured Parliament of the government’s resolve to strengthen the legal framework and to make social media platforms accountable under the law. It needs to be mentioned here that social media has been repeatedly used to spread communal disharmony; spawn hate crimes, including lynching; and lampoon political opponents but the government had not reacted to these.
The draft IT (Intermediaries Guidelines (Amendment) Rules) has been put up for discussion.
At a separate press conference, Congress spokesperson and Rajya Sabha member Abhishek Manu Singhvi said that the government and large online platforms were “privately discussing” how to censor and break encryption of private data, social media posts, emails, messages and calls. He pointed that the rules framed in 2011 provided online platforms and Internet service providers (ISPS) with immunity for content that was transmitted and published by end users, allowing the “conduits of information to facilitate a core function of free expression”. The draft rules, he said, would “legally end this immunity”, which may lead to “gross misuse of data..., especially for political purposes”.
In a statement calling for the rescinding of the order, the CPI(M) Polit Bureau described it as a “brazen attack on the fundamental right to privacy given to every citizen by our Constitution”. It pointed out that “the track record of this government in harassing and persecuting citizens who do not share the Rashtriya Swayamsewak Sangh/ BJP viewpoint is there for everyone to see. Individuals have been picked up for social media posts that are seen as being inimical to their image.”
D. Raja, CPI member of the Rajya Sabha, told Frontline that the order was another example of an attack on citizenship rights by the NDA government headed by Narendra Modi. “Anyone who questions the police or the powers of the government is being dubbed as anti-national. There is a context to this. Whatever was there in the Information Technology Act was already known. Why do they want to specify it further is the question? Now I cannot speak freely to my close family members or friends without being apprehensive that I am being tapped and conversation is being followed by an agency specified in the order. It is not good for democracy. The order is a grave threat to the Indian Constitution and democracy. What is the ground for intercepting conversation? The government itself is indulging in cybercrime,” he said. The government was creating a fear psychosis and indulging in scaremongering, he said, pointing out that while at one level, it pretended to be democratic at another level it was indulging in open authoritarianism.
“The [November/december Assembly] election results have clearly rattled them. This order is a form of open intimidation. There are many laws in the Constitution that are hardly being implemented. The MHA order will be opposed by political parties as well as all democratic sections of society,” he said.
While some argue that the government’s powers of surveillance always existed, for example, the Telegraph
Act, which also lists out some 10 agencies that can monitor phone calls and related forms of communication, the government has taken the logical step of listing out agencies under the IT Act to monitor electronic communication and related information.
Pawan Singh, a cybersecurity expert, told Frontline that intelligence agencies the world over were known to keep “tabs” through various covert methods that did not necessarily leave a paper trail. “There is no document that specifies the methods used. But it doesn’t mean it is not taking place,” he said. The powers to intercept, he said, were always there, especially data in transit. It fell under the domain of “lawful interception”. The difference now was that data lying in one’s computer was not easily accessible to the government. People would now be forced to give their passwords and it could be at will. “No one can deny law enforcement agencies data, but there have to be very, very specific conditions in which it can be asked for. There cannot be continued interception. One will have to put in a request to the service provider. Audits of service providers are also done. These checks already exist. Under the new draft rules, any of these 10 agencies can walk into my home and make a lawful seizure of my equipment and ask for my password. If I am a suspect or even a target of suspicion, they can ask for the encryption data. Where does this leave my right to privacy then? There are nodal agencies within ISPS that deal with law enforcement agencies. The systems are already there,” he said.
Prashant Mali, a cybersecurity and cyberlaw expert, told Frontline from Mumbai that the draft amendments and guidelines could be challenged in court as they pointed to mass surveillance. “National security and public order are not defined anywhere in the draft rules. Under the garb of national security, the privacy of citizens can be easily violated. In 2009 [rules], who will decrypt was not there. It also contradicts the privacy judgment. Blanket decryption powers were not there and the competent authorities were not defined. The present guidelines point towards mass surveillance,” he said.
There are also fears that the Home Ministry order and the rules under Section 69 do not require any approval by the Union Home Secretary. The certified agencies, it was pointed out, were delegated with the powers to intercept and decrypt, and a review could only happen if the Home Ministry willed it.
The question, some critics say, is whether such blanket surveillance was justified even with the consent and authorisation of the Home Secretary, who in any case would not act without the instructions of the government in power. That such powers can be misused and that there are no safeguards against a wide swathe of agencies authorised to intercept, monitor and decrypt and even demand compliance by intermediaries are valid concerns. Earlier, permission was required from intermediaries and service providers; now the situation is different. Mere authorisation is enough; consent is not a part of the process. “Information need not be asked or requisitioned any more. It can be pulled out directly from cell phones without the knowledge of the user, from all telephone services and digital providers as well,” said a cyberlaw expert. The government, meanwhile, defended the process.
Arun Jaitley wrote in his blog post that “an interception or monitoring is only authorised under a specific approval of the Home Secretary. It can only be in cases which deal with the purposes mentioned under Section 69 of the Act. These are restrictions on which free speech can be curtailed under Article 19(2) of the Constitution.” Incidentally, he himself was a victim of unauthorised interception of call records by the police when the BJP was in the opposition.
There are other concerns as well. One is the timing of the order and, two, the non-statutory nature of the agencies, which essentially means that they are accountable only to the executive and not to Parliament.
Pranesh Prakash, Fellow with the Centre for Internet and Society and an affiliated Fellow with the Yale Law School Information Society Project, told Frontline that Rule 4 did not supersede Rule 3, which stipulates that in order for interception and monitoring to be valid prior approval of the Home Secretary is required. But the issue went beyond seeking permission of the Home Secretary. He said there were already multiple agencies that enable “legal interception” as provided for in Section 69 and Section 69 (b) of the IT Act, in the Telegraph Act and in the Maharashtra Control of Organised Crime Act. In the Code for Criminal Procedure, he said, Section 92 allowed for inspection of call records. The Centre for Internet and Society, he said, had expressed concerns when the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules were drafted, arguing that they were constitutionally infirm on multiple grounds, including Article 19 (1)A and Article 21. Prakash has maintained in earlier posts that the bar for interception has been set far lower in the IT Act than in colonial legislation.
“After the K.S. Puttuswamy judgment, our conviction that the parent provision, Section 69, was constitutionally infirm was further affirmed,” he said. There were, he said, three sets of problems with the recent notification. First, that the listed agencies were not constituted under any statute of Parliament but were constituted by an executive order. This, he said, meant that they were essentially not accountable to Parliament. Second, in a matter concerning the Telegraph Act, the Supreme Court ruled in 1976 (Hukum Chand Shyam Lal vs Union of India) that an economic emergency did not constitute a public emergency. In that particular case, the telephones of appellants were disconnected on the charge that illegal forward trading in agricultural commodities was being practised.
The IT Act, Prakash said, had widened the scope of encryption, which was contrary to the 1976 judgment. He also said that by specifying the agencies, the government had more or less admitted that the surveillance under-
taken by such agencies until now was illegal. “Can it be presumed that until such time as the government introduces rules authorising surveillance, all such monitoring and surveillance is illegal?” he asked. In every democracy, he said, these agencies ought to be accountable to Parliament.
In 2011, Manish Tewari, Information and Broadcasting Minister in the United Progressive Alliance (UPA) government, introduced a private member’s Bill titled Intelligence Services (Powers and Regulation) Bill that had sought to put limits on actions of the Intelligence Bureau (I.B.), the Research and Analysis Wing and the National Technical Research Organisation that could “further the interest of any political party or coalition”. The Bill also provided for a designated authority to issue warrants for certain actions, such as intercepting communications and covert operations of the I.B. The agencies were required to give a biannual report to the Prime Minister, which would be placed in Parliament.
“It is surprising that none raised concerns, not even Amar Singh and Arun Jaitely, both of whom had complained that their phones were under surveillance then. Even a government was brought down on the charge of phone tapping,” said Prakash.
Third, it was an issue of “proportionality” where the punishment provided for infringement of the Act and rules was far greater than the punishment for violating the Official Secrets Act. The question of proportionality had not been addressed sufficiently, he said, especially in the context of the judgments on privacy and Aadhaar. “The IT Act and the present rules should be amended by judicial scrutiny [to act] as a check on executive power. Even when it comes to personal data, there ought to be exemptions as narrow as possible for intelligence agencies so as to not provide them a carte blanche,” he said.
CLOCK TURNED BACK
Y. Kiran Chandra, general secretary of the Free Software Movement of India, told Frontline that the notification marked a fresh assault on the privacy of citizens and was another step in the direction of creating a surveillance state. He said the move needed to be seen in the context of governments across the world targeting encryption, which is the basis of secure communication. “The notification provides more ground for the government to pressure digital service providers and device manufacturers to provide encryption keys and back doors. This process also remains entirely under the control of the executive
The order raises concerns. One is its timing and, two, the nonstatutory nature of the agencies named in it.
Chandra said the government’s argument that the notification was merely built on past legal provisions was not sustainable. Ever since it was framed, the Central Monitoring System has come into being, expanding the government’s surveillance powers and enabling it to tap the infrastructure of telecom firms. The notification is based on a legal framework, according to which the Home Secretary signs off on requests for surveillance. Right to Information enquiries have revealed that the Home Secretary approves thousands of requests each month. Important Supreme Court verdicts in this decade on Section 66A of the IT Act, privacy and Aadhaar have strengthened the framework of privacy and digital rights. The notification ignores all this and turns the clock back on privacy and digital rights.
He said the draft IT (Intermediary Guidelines) Rules needed to be seen along with the notification. “Intermediaries are required to proactively identify and remove content. This compromises the very essence of communication and, yet again, targets encryption. It seems like this is a government bid to harness the power of big tech firms to target dissenting voices,” he said. He pointed out that the privacy judgment laid down three tests for any intrusion into the privacy of individuals: legality, fairness and proportionality. Similarly, the Aadhaar judgment talked about the need for judicial monitoring. The notification sweeps all this aside.
“It is true that the UPA government passed the legislation, sections of which were struck down because they were unconstitutional. The UPA defended clauses such as Section 66A. The NDA government is going ahead with executive orders, reducing the spirit of the Supreme Court judgment on issues such as privacy and Section 66A. Both the UPA and the NDA are on the same page on the issue of surveillance; they merely criticise while in the opposition,” he said.
The Internet Freedom Foundation, an advocacy organisation working on the rights of free and open Internet and online freedom, has also pointed out serious infirmities with certain clauses of the amended draft rules like the one that provides for breaking encryption. Clause 5 in the amended rules states that “the intermediary shall enable tracing out of such originator of information on its platform as may be required by government agencies who are legally authorised” in conditions where the security of the state, cybersecurity or investigation or detection or prosecution or prevention of offences are concerned.
No one has an issue with a nation’s sovereign right to take measures to safeguard its internal security. The problem is more with the route and the rhetoric adopted. The problem also lies with the possibility of misuse of the law and of mass violations of personal data on the pretext of national security. But more importantly, it is the belief in the assumed superiority of the executive over Parliament that is most worrisome in the entire controversy, more so in the era of hypernationalism.
with no judicial or parliamentary oversight,” he
A PROTEST NEAR the Telugu Desam Party office in Visakhapatnam against the Centre’s December 20 notification.
CONGRESS MP GHULAM Nabi Azad addresses mediapersons outside Parliament building in New Delhi on December 17. Congress leaders Kapil Sibal, Ahmad Patel and Abhishek Manu Singhvi, and CPI leader D. Raja are also seen. Azad said the Home Ministry order did not mention national security anywhere. Raja said the order “is a grave threat to the Indian Constitution and democracy”.