A Comparison of Indian Legislation to Draft International Principles on Surveillance of Communications
This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.
The Centre for Internet and Society is contributing feedback to the drafting of the principles. The principles are still in draft form and the most recent version along with the preamble to the principles can be accessed at: http://necessaryandproportionate.net/
The Principles:
1. Principle - Legality: Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process.
Indian Legislation: In India there are two predominant legislations with subsequent Rules and Licenses that allow for access to communications by law enforcement and the government. Though the basic power of interception of communications are prescribed by law, the Rules and Licenses build off of these powers and create procedural requirements, and requirements for assistance.
- The Indian Telegraph Amendment Rules 2007: These Rules are grounded in section 419A of the Indian Telegraph Act and establish procedures and safeguards for the interception of communications.
- License Agreement for Provision of Unified Access Services After Migration from CMTS (UASL): This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government.
- License Agreement for Provision of Internet Services: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government.
- The Information Technology Act, 2000
- Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules 2009: These Rules were notified in 2009 and allow authorized governmental agencies to intercept, monitor, and decrypt information generated, transmitted, received, or stored in any computer resource.
- Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules 2009: These Rules were notified in 2009 and allow authorized agencies to monitor and collect traffic data or information that is generated, transmitted, received or stored in any computer resource.
2. Principle - Legitimate Purpose: Laws should only allow access to communications or communications metadata by authorized public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.
Indian Legislation: In relevant Indian legislation there are no specific provisions requiring that access by law enforcement must be for a legitimate purpose and consistent with a free and democratic society. Instead, Indian legislation defines and lays out specific circumstances for which access would be allowed.
Below are the circumstances for which access is allowed by each Act, Rule, and License:
- On the occurrence of any public emergency
- In the interest of the public safety
- In the interests of the sovereignty and integrity of India
- The security of the state
- Friendly relations with foreign states
- Public order
- Preventing incitement to the commission of an offence
- In the interest of the sovereignty or integrity of India,
- Defense of India
- Security of the state
- Friendly relations with foreign states
- Public order
- Preventing incitement to the commission of any cognizable offence relating to the above
- For investigation of any offence
- Forecasting of imminent cyber incidents
- Monitoring network application with traffic data or information on computer resources
- Identification and determination of viruses or computer contaminant
- Tracking cyber security breaches or cyber security incidents
- Tracking computer resource breaching cyber security or spreading virus’s or computer contaminants
- Identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security.
- Undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource.
- Accessing stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force.
- Any other matter relating to cyber security.
- Reasons defined in the Telegraph Act. (Section 41.20 (xix))
- National Security. (Section 41.20 (xvii))
- To counteract espionage, subversive act, sabotage, or any other unlawful activity. (Section 41.1)
- Trace nuisance, obnoxious or malicious calls, messages or communications transported through his/her equipment. (Section 40.4)
- In the interests of security. (Section 41.7)
- For security reasons. (Section 41.20 (iii))
- To counteract espionage, subversive act, sabotage, or any other unlawful activity. (Section 34.1)
- In the interests of security. (Section 34.4)
- For security reasons. (Section 34.28 (iii))
- Reasons defined in the Telegraph Act. (Section 35.2)
3. Principle - Necessity: Laws allowing access to communications or communications metadata by authorized public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.
Indian Legislation: Relevant Indian legislation do not contain provisions mandating that access to communications must be demonstrably necessary, and do not give details of the criteria that authorizing authorities should use to determine if a request is a valid or not. Relevant Indian legislation does require that all directions contain reasons for the direction. Additionally, excluding the ITA Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules, relevant Indian legislation requires that all other means for acquiring the information must be taken into consideration before a direction for access can be granted.
Below are summaries of the relevant provisions:
- TA Rules 2007: Any order for interception issued by the competent authority must contain reasons for the direction (Section 2). While issuing orders for direction, all other means for acquiring the information must be taken into consideration, and directions can only be issued if it is not possible to acquire the information by any other reasonable means (Section 3).
- ITA Interception and Monitoring Rules: Any direction issued by the competent authority must contain reasons for such direction (Section 7). The competent authority must consider the possibility of acquiring the necessary information by other means and the direction can be issued only when it is not possible to acquire the information any other reasonable means (Section 8).
- ITA Traffic Monitoring Rules: Any direction issued by the competent authority must contain reasons for the direction (Section 3(3)).
- UASL & ISP License: As laid out in the Telegraph Act and subsequent Rules.
4. Principle - Adequacy: Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure.
Indian Legislation: In relevant Indian legislation there are provisions that require direction for access to be specific, but there are no provisions that specifically prohibit government agencies from collecting and accessing information that is not appropriate for fulfillment of the stated purpose of the direction.
5. Principle - Competent Authority: Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.
Indian Legislation: In relevant Indian legislation it is required that directions for access to be authorized by "competent authorities". The most common authority for authorizing orders for access is the Secretary to the Government of India in the Ministry of Home Affairs, but authorization can also come from other officials depending on the circumstance. The fact that authorization for access to communications content is not from a judge has been a contested topic, as in many countries a judicial order is the minimum requirement for access to communication content. It is unclear from the legislation if adequate resources are assigned to the competent authorities.
Below are summaries of relevant provisions:
- The Secretary to the Government of India in the Ministry of Home Affairs at the Central Level
- The Secretary to the State Government in charge of the Home Department in the case of the State Government.
- In unavoidable circumstances an order for interception may only be made by an officer not below the rank of a Joint Secretary to the Government of India who has been authorized by the Union Home Secretary or the State Secretary.
- In remote areas or for operational reasons where obtaining prior directions for interception is not feasible the head or the second senior most officer of the authorized security agency at the Central level and the officers authorized in this behalf and not below the rank of Inspector of General Police. (Section 1(2)).
- ITA Interception and Monitoring Rules: Under the ITA Rules related to the interception, monitoring, and decryption of communications, the competent authorities for authorizing directions are:
- The Secretary in the Ministry of Home Affairs in case of the Central Government.
- The Secretary in charge of the Home Department, in case of a State Government or Union Territory.
- In unavoidable circumstances any officer not below the rank of the Joint Secretary to the Government of India who has been authorized by the competent authority.
- In remote areas or for operational reasons where obtaining prior directions is not feasible, the head or the second senior most officer of the security and law enforcement agency at the Central level or the officer authorized and not below the rank of the inspector General of Police or an officer of equivalent rank at the State or Union territory level. (Section 3).
- ITA Monitoring and Collecting Traffic Data Rules: Under the ITA Rules related to the monitoring and collecting of traffic data, the competent authorities who can issue and authorize directions are:
- The Secretary to the Government of Indian in the Department of Information Technology under the Ministry of Communications and Information Technology. (Section 2(d)).
- An employee of an intermediary may complete the following if it is in relation to the services that he is providing including: accessing stored information from computer resource for the purpose of implementing information security practices in the computer resource, determining any security breaches, computer contaminant or computer virus, undertaking forensic of the concerned computer resource as a part of investigation or internal audit. Accessing or analyzing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened or is suspected of having contravened or being likely to contravene any provisions of the Act that is likely to have an adverse impact on the services provided by the intermediary. (Section 9 (2)).
- UASL & ISP License: As laid out in the Telegraph Act and subsequent Rules.
6. Principle - Proportionality: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should at a minimum establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation.
Indian Legislation: In relevant Indian legislation there are no comprehensive provisions that ensure proportionality of the surveillance of communications but there are provisions that contribute to ensuring proportionality. These include provisions requiring: time frames for how long law enforcement can retain accessed and collected material, directions to be issued only after there are no other means for acquiring the information, requests to contain reasons for the order, the duration for which an order can remain in force to be limited, and requests to be for specified purpose based on a particular set of premises. All of these provisions are found in the Telegraph Rules issued in 2007 and the ITA Procedures and Safeguards for Interception, Monitoring, and Decryption of Information Rules. None of these requirements are found in the UASL or ISP licenses, and many are missing from the ITA Safeguards for Monitoring and Collecting Traffic Data or Information Rules.
Though the above are steps to ensuring proportionality, Indian legislation does not provide details of how the proportionality of requests would be measured as recommended by the principle. For example, it is not required that requests for access demonstrate that evidence of the crime would be found by accessing the communications or communications metadata sought, and that information only related directly to the crime will be collected. Furthermore, Indian legislation does not place restrictions on the amount of data sought, nor the level of secrecy afforded to the request.
Below is a summary of the relevant provisions:
- Service providers shall destroy record pertaining to directions for interception of message within two months of discontinuing the interception. (Section 19).
- Directions for interception should only be issued only when it is not possible to acquire the information by any other reasonable means. (Section 3).
- The interception must be of a message or class of message from and too one particular person that is specified or described in the order or one particular set of premises specified or described in the order. (Section 4).
- The direction for interception will remain in force for a period of 60 days, or 180 days if the directions are renewed. (Section 6).
- ITA Interception and Monitoring Rules:
- Any direction issued by the competent authority must contain reasons for such direction. (Section 7).
- The competent authority must consider all other possibilities of acquiring the information by other means, and the direction can only be issued when it is not possible to acquire the information by any other reasonable means. (Section 8).
- The direction of interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource etc., as may be specified or described in the direction. (Section 9).
- The directions for interception, monitoring, or decryption will remain in force for a period of 60 days, or 180 days if the directions are renewed. (Section 10).
- ITA Traffic and Monitoring Rules:
- Any direction issued by the competent authority must contain reasons for such direction. (Section 3(3)).
- Every record including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed after the expiry of nine months by the designated officer. Except when the information is needed for an ongoing investigation, the person in charge of a computer resource shall destroy records within a period of six months of discontinuing the monitoring. (Section 8).
7. Principle - Due process: Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorized in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.(9) While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorization by a competent authority, except when there is imminent risk of danger to human life.(10)
Indian Legislation: In the relevant Indian legislation the only guarantee for due process is that every request for access must be subject to prior authorization by a competent authority.
- All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs.
- ITA Interception and Monitoring Rules:
- All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs.
- ITA Monitoring of Traffic Rules:
- The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology is the competent authority for authorizing orders.
8. Principle - User notification: Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.
Indian Legislation: In relevant Indian legislation there are no provisions that require the government or service providers to notify the user that a public authority has requested his or her communication data.
9. Principle - Transparency about use of government surveillance: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.
Indian Legislation: In relevant Indian legislation there are no requirements that access capabilities of the government and the process for access must be transparent to the public. Nor are service providers required to publish the procedure applied to handle data requests from public authorities.
10. Principle - Oversight: An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. (11)
Indian Legislation: In relevant Indian legislation there are requirements for a review committee to be established. The review committee must meet on a bi-monthly basis and review directions to ensure that they are in accordance with the prescribed law. Currently, it is unclear from the legislation if the review committees have the authority to access information about public authorities’ actions, and currently the review committee does not publish aggregate information about the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. These standards are recommended by the principle.
The relevant provisions are summarized below:
- A review committee will be constituted by a state government that consists of a chief secretary, secretary of law, secretary to the state government. The review committee shall meet at least once in two months. If the committee finds that directions are not in accordance with the mandated provisions, then the committee can order the destruction of the directions. (Section 17). Any order issued by the competent authority must contain reasons for such directions and a copy be forwarded to the concerned review committee within a period of seven working days. (Section 2).
- ITA Interception and Monitoring Rules:
- Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. (Section 22).
- ITA Traffic Monitoring Rules:
- Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. (Section 7).
11. Principles - Integrity of communications and systems: It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, a priori data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.
Indian Legislation: In relevant Indian legislation there are a number of security measures that must be put in place but these are predominantly actions that must be taken by service providers, and do not pertain to intelligence agencies. Furthermore, many provisions found in the ITA Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules, and the ISP and UASL licenses include requirements for service providers to provide monitoring facilities and technical assistance, require information to be retained specifically for law enforcement purposes, and require service providers to comply with a-priori data retention mandates. In the ISP and UASL license, service providers are audited and inspected to ensure compliance with requirements listed in the license, but it unclear from the legislation if the access capabilities of government or governmental agencies are audited by an independent public oversight body. This standard is recommended by the principle.
Relevant provisions are summarized below:
Provisions requiring the provision of facilities, assistance, and retention:
- The intermediary must provide all facilities, co-operation for interception, monitoring, and decryption of information mentioned in the direction (Section 13(2)).
- If a decryption direction or copy is handed to the decryption key holder to whom the decryption direction is addressed by the nodal officer, the decryption key holder must disclose the decryption key or provide the decryption assistance. (Section 17).
- The intermediary must extend all facilities, co-operation and assistance in installation, removal and testing of equipment and also enable online access to the computer resource for monitoring and collecting traffic data or information. (Section 4(7)).
- The service provider cannot employ bulk encryption equipment in its network, and any encryption equipment connected to the licensee’s network for specific requirements must have prior evaluation an approval of the licensor. (Section 39.1).
- The service provider must provide all tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through the equipment and network to authorized officers of the government for purposes of national security.(Section 40.4).
- Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. (Section 41.7).
- The designated person of the Central/State Government as conveyed to the Licensor from time to time in addition to the licensor or its nominee shall have the right to monitor the telecommunication traffic in every MSC/Exchange/MGC/MG. The service provider must make arrangements for the monitoring of simultaneous calls by Government security agencies. In case the security agencies intend to locate the equipment at the service provider’s premises for facilitating monitoring, the service provider should extend all support in this regard including space and entry of the authorized security personnel. The interface requirements as well as features and facilities as defined by the licensor should be implemented by the service provider for both data and speech. Presently, the service provider should ensure suitable redundancy in the complete chain of monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls for seven security agencies. (Section 41.10).
- The service provider must also make the following records available: called/calling party mobile/PSTN numbers, Time/date and duration of interception, location of target subscribers, telephone numbers if any call-forwarding feature has been invoked by the target subscriber, data records for even failed attempts, and call data record of roaming subscribers. (Section 41.10).
- The service provider shall provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. (Section 41.11).
- The complete list of subscribers must be made available by the service provider on their website to authorized intelligence agencies. This list must be updated on a regular basis. Hard copies of the list must also be made available to security agencies when requested. (Section 41.14). The database of subscribers must also be made available to the licensor or its representatives. (Section 41.16).
- The service provider must maintain all commercial records with regard to the communications exchanged on the network. All records must be archived for at least one year. (Section 41.17).
- Calling Line Identification must be provided and the network should also support Malicious Call Identification. (Section 41.18).
- Information about bulk connections must be forwarded to the VTM Cell of DoT, DDG (Security) DoT, and any other officer authorized by the Licensor from time to time as well as Security Agencies on a monthly basis (Section 41.19).
- Subscribers having CLIR should be listed in a password protected website with their complete address and details so that authorized Government agencies can view or download for detection and investigation of misuse. (Section 41.19(iv)).
- The service provider must provide traceable identities of their subscribers. If the subscriber is roaming from another foreign company, the Indian Company must try to obtain traceable identities from the foreign company as part of its roaming agreement. (41.20 (ix)).
- On request by the licensor or any other agency authorized by the licensor, the licensee must be able to provide the geographical location (BTS location) of any subscriber at any point of time. (41.20 (x))
- Suitable technical devices should be made available at the Indian end to designated security agency/licensor in which a mirror image of the remote access information is available on line for monitoring purposes. (41.20 (xiv)).
- A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request to the licensor. (Section 41.20 (xv)).
- For monitoring traffic, the service provider should provide access of their network and other facilities as well as to books of accounts to the security agencies. (Section 41.20 (xx)).
- The ISP must ensure that Bulk Encryption is not deployed by ISPs. Individuals/groups /organizations can use encryption up to 40 bit key length without obtaining permission from the licensor. If encryption equipments higher than this limit are deployed, individuals/groups/organizations must obtain prior written permission from the licensor and deposit the decryption key. (Section 2.2(vii)).
- The ISP must furnish to the licensor/TRAI on demand documents, accounts, estimates, returns, reports, or other information. (Section 9.1).
- The ISP will provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network when such information is necessary for investigations or detection of crimes and in the interest of national security. (Section 33.4).
- The ISP will provide the necessary facilities for continuous monitoring of the system, as required by the licensor or its authorized representatives. (Section 30.1).
- The ISP shall provide necessary facilities depending upon the specific situation at the relevant time to the Government to counteract espionage, subversive acts, sabotage or any other unlawful activity. (Section 34.1).
- In the interests of security, suitable monitoring equipment as may be prescribed for each type of system used, which will be provided by the licensee. (Section 34.4).
- The designated person of the Central/State Government or its nominee will have the right to monitor the telecommunication traffic. The ISP will make arrangements for monitoring simultaneous calls by Government security agencies. (Section 34.6).
- The ISP must install infrastructure in the service area with respect to: Internet telephony services offered by the ISP for processing, routing, directing, managing, authenticating the internet telephony calls including the generation of Call Details Record (CDR), called IP address, called numbers, date , duration, time and charges of internet telephony calls. (Section 34.7).
- ISPs must maintain a log of all users connected and the service that they are using (mail, telnet, http etc.). The ISPs must log every outward login or telnet through their computers. These logs as well as copies of all the packets originating from the Customer Premises Equipment of the ISP must be made available in real time to the Telecom Authority. (Section 34.8).
- The ISP should provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. (Section 34.9).
- The complete list of subscribers must be made available by the ISP on their website so that intelligence agencies can obtain the subscriber list at any time. (Section 34.12).
- The list of Internet leased line customers and sub-costumers must be placed on a password protected website with the following information: Name of customer, IP address allotted, bandwidth provided, address of installation, date of installation, contact person with phone number and email. This information should be accessible to authorized Government agencies. (Section 34.13).
- Monitoring of high UDP traffic value and to check for cases where upstream UDP traffic is similar to downstream UDP traffic and monitor such customer monthly with physical verification and personal identity. (Section 34.15).
- The licensor will have access to the database relating to the subscribers of the ISP. The ISP must make available at any instant the details of the subscribers using the service. (Section 34.22).
- The ISP must maintain all commercial records with regard to the communications exchanged on the network for at least one year and will be destroyed unless directed otherwise. (Section 34.23).
- Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. (Section 34.27 (a(i)).
- Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. (Section 34.27 (a(ii)) One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. (Section 34.27 (a(iii)).
- Each route/switch of the ISP should be connected by the LAN operating at the same speed as the router/switch; the monitoring equipment will be connected to this network. (Section 34.27 (a(v)).
- The ISP must provide traceable identity of their subscribers. In the case of roaming subscribers the ISP must try to obtain the traceable identity of roaming subscribers from the foreign company. (Section 34.27 (ix)).
- On request of the licensor or any other authorized agency, the ISP must be able to provide the geographical location of any subscriber (BTS location of wireless subscriber) at a given point of time. (Section 34.27 (x)).
- Suitable technical devices should be made available to designated security agencies in which a mirror image of the remote access information is available on line for monitoring purposes. (Section 34.27 (xiv)).
- A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request. (Section 34.27 (xv)).
- ISPs must provide access of their network and other facilities, as well as books to security agencies. (Section 34.27 (xx)).
12. Principle - Safeguards for international cooperation: In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles.
Indian Legislation: India currently has signed 32 MLAT treaties with other countries, each with its own provisions and conditions relating to access to information. The provisions of the Information Technology Act 2000 apply to any contravention of the Act that is committed outside of India, thus the Rules related to interception, monitoring, decryption etc. would apply to any contravention of the Act outside of India. The provisions of the Indian Telegraph Act only apply to communications within India, but the licenses do specify when information held by service providers cannot be transferred across borders.
Below is a summary of the relevant provisions:
13. Principle - Safeguards against illegitimate access: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organizations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information.
Indian Legislation: Though relevant Indian legislation does provide penalty for unauthorized interception or access, the penalty applies only to service providers, and does not hold governmental agencies responsible. Currently there are no avenues of redress for the individual, and there are no protections or rewards for whistleblowers. Both of these safeguards are recommended by the principle.
The relevant provisions are summarized below:
- In order to maintain privacy of voice and data, monitoring must be done in accordance with the 2007 Rules established under the Indian Telegraph Act, 1885. (Section 41.20 (xix)).
- Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. (Section 40.4).
- In order to maintain the privacy of voice and data, monitoring can only be carried out after authorization by the Union Home Secretary or Home Secretaries of the State/Union Territories. (Section 34.28 (xix)).
- The ISP indemnifies the licensor against all actions brought against the licensor for breach of privacy or unauthorized interruption of data transmitted by the subscribers. (Section 8.4).
- Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. (Section 33.4).
14. Principle - Cost of surveillance: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.
Indian Legislation: In India, the ISP and the UASL licenses specifically state that the cost of providing facilities must be borne by the service provider. Though the ITA Interception and Monitoring Rules do require intermediaries to provide facilities, it is not clear from the Rules where the burden of the cost will fall. Currently, there are no requirements that the cost of access to user data should be borne by the public authority undertaking the investigation. This standard is recommended by the principle.
Below are summaries of relevant provisions:
- Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. (Section 40.4).
- Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. (Section 41.7).
- The hardware and software required for the monitoring of calls must be engineered, provided/installed, and maintained by the service provider at the service providers cost. However the respective Government instrumentality must bear the cost of the user end hardware and leased line circuits from the MSC/Exchange/MGC/MG to the monitoring centers to be located as per their choice in their premises. (Section 41.10).
- The service provider must ensure that the necessary provision (hardware/software) is available in their equipment for doing the Lawful Interception and monitoring from a centralized location. (Section 41.20 (xvi)).
- ISP License:
- Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. (Section 33.4).
- The hardware at the ISP end and the software required for monitoring of calls must be engineered, provided/installed, and maintained by the ISP. (Section 34.7).
- Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. (Section 34.27 (a(i)).
- Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. (Section 34.27 (a(ii)) One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. (Section 34.27 (a(iii)).