Systematic Government Access to Private-Sector Data in India
Systematic Government Access to Private-Sector Data in India
Abstract and Keywords
This chapter focuses on India’s policies and practices regarding systematic government access to private-sector data. India does not have many laws that explicitly prescribe or prohibit systematic government access to private-sector data apart from provisions in laws such as the Information Technology Act, Anti-Money Laundering Act, and Epidemic Diseases Act. Nevertheless, the appetite in some parts of the government for systematic access appears to be growing. In February 2012, the Intelligence Bureau wrote to the Department of Telecom demanding that telecom operators and ISPs cooperate to enable comprehensive real-time tracking of Internet usage on mobile phones. This included the establishment of a core group “for finalisation of Internet Protocol Detail Record (IPDR) for Internet and GPRS service, and standardisation of parameters that will have to be stored by mobile phone companies….” The chapter also discusses proposals for the NATGRID and the Comprehensive Monitoring System.
India does not have many laws that explicitly prescribe or prohibit systematic government access to private-sector data apart from some provisions in laws such as the Information Technology Act, Anti-Money Laundering Act, and Epidemic Diseases Act. Security consultants and employees of private-sector organizations impacted by such regulation who spoke under conditions of anonymity did not agree regarding the existence and scope of systematic government access. Security consultants paint a picture of comprehensive and unfettered access to databases of personal information, while employees claim strict adherence to the letter and spirit of the law both in terms of proactive and reactive systematic access to data. The truth must lie somewhere in-between.
The appetite in some parts of the government for systematic access appears to be growing. In February 2012, the Intelligence Bureau (IB) wrote to the Department of Telecom demanding that telecom operators and ISPs cooperate to enable comprehensive real-time tracking of Internet usage on mobile phones. This included plans for India-centric “Skype” for use by government officials and to address national security and the establishment of a core group “for finalisation of Internet Protocol Detail Record (IPDR) for Internet and GPRS service, and standardisation of parameters that will have to be stored by mobile phone companies in a log.”1 This is because apparently the telecom operators and ISPs were unable to identify mobile customers who had visited specific websites.
(p.260) A month later, a national newspaper obtained documents that revealed that the government was planning amendments to the operator licenses to ensure real-time monitoring of “location data” of all mobile phones.2 Combined with large scale surveillance projects in the Unique Identity (UID), National Population Registry (NPR), NATGRID, and CMS project, it would be fair to say that systematic access of private-sector data in India is growing steadily. This chapter provides an overview of the policies and practices around systematic access.
II. National Legal Context and Fundamental Principles
In India, the Constitution establishes a federal structure of governance comprised of a central government and multiple national states. Both the central government and the states have various levels of legislative and executive authority. The Indian Constitution also establishes a framework for the judiciary that is composed of the Supreme Court, High Courts, and subordinate courts that exist at the state and substate level. In this system courts are granted jurisdiction over issues found in both federal and state laws, while the higher judiciary is empowered to take decisions on constitutional issues. Additionally, a range of tribunals and special courts have been established with authority over specific sectoral issues.
Provisions defining what information can be disclosed and accessed by a government in Indian law are typically found under specific sectoral legislation, and are reflections of an intent to protect a broad and fundamental right to privacy. Currently, in India there is no explicit or fundamental right to private and no horizontal privacy law. Instead, various statutes covering other subject matters contain provisions that either implicitly or explicitly protect privacy rights. In addition, the right to privacy has been read into the Constitution of India by the Supreme Court as a component of the right to life and personal liberty under Article 21. The Indian judicial system has also addressed a right to privacy. A recent example of this is the Naz Foundation case. In 2009, the Delhi High Court reinterpreted Section 377 of the Indian Penal Code, which up until this point in time was routinely used to criminalize homosexuality in India. A critical aspect of the ruling was the court’s recognition of the citizen’s fundamental right to privacy. However, in 2013 the Supreme Court of India overturned the decision on the basis that only the parliament can change a law.
Currently, the Department of Personnel and Training (DoPT) and the Ministry of Law have been working on a draft privacy bill. Several versions of the draft bill have leaked. When the bill becomes law it would serve as the umbrella of privacy legislation, defining key principles and instituting the office of the ombudsman or privacy commissioner. In the absence of such overarching privacy legislation, (p.261) questions of jurisdiction and boundaries of governmental access to private-sector data are currently defined predominantly through case law, other sectoral acts and rules, and executive orders. But not all sectors have addressed the question. For instance, there is no explicit policy or case law addressing government access to images captured on CCTV cameras by private companies. Furthermore, sectors that have defined boundaries have defined them at varying levels. For example, in the financial sector, there are provisions that clearly limit governmental access to information held by private companies, whereas in the telecommunications sector a multi-tiered blanket surveillance regime exists.
III. Statutory and Regulatory Overview
In the context of governmental access and disclosure to information held by the private sector, there are legal requirements for private industry to report transactions to the government in order to prevent the carriage of offenses, and to protect public order and health. For example, typically all employers must disclose business transactions to the government, doctors must report the occurrence of specific diseases, and banks must report suspicious transactions that could be connected to money laundering. A growing global trend, though, that has also begun in India, is systematic governmental access, disclosure, retention, and collection of information for the purposes of surveillance, national security, and crime detection.
The four mechanisms—access, disclosure, collection, and retention—are interrelated, but signify different levels of surveillance. Systematic access often bypasses traditional safeguards in place to protect against excessive access to information by the government. Systematic disclosure is based on a requirement from the government that the private entity routinely disclose information. Proactive disclosure by default allows systematic access by the government. Augmenting the extent of systematic access and disclosure of information are data collection and retention standards. The more information collected, the longer the retention of information, the more information available for access or disclosure to the government.
In India, the adoption of these practices is slowly being incorporated into already established legislation through rules and amendments, is emerging in draft legislation, and at the same time is largely being practiced outside the legislative scope. Each sector in India has a set of laws that establishes provisions regulating governmental access to information held by businesses. In some cases, like for the telecommunication sector, governmental access bypasses traditional safeguards, whereas in other cases the access still must be mediated and substantiated with a court order.
A. Systematic Access
In India, systematic access to information by the government does not necessarily entail a complete bypassing of traditional safeguards, but is enabled instead (p.262) through generic application of provisions, extended data retention periods, and broad collection of data. Three bodies of Indian law that enable systematic access to information by the government include legislation pertaining to: traditional search and seizure, banking and securities, and health.
B. Search and Seizure Law
The government has always had generic access to information held by private entities via the technologically neutral Section 91 of The Code of Criminal Procedure, 1973 (CrPc),”any court or any officer in charge of a police station” to issue “summons to produce document or other thing” and Section 92, which enables “commissioner of police or District Superintendent of police” to “cause search to be made for and to detain such document, parcel or thing pending the order of a document, parcel or thing.” Even today, law enforcement officials approach private-sector organizations using CrPc Section 91 and 92, instead of relevant sections under the appropriate legislation. Though access to information under the CrPc is subject to traditional safeguards, as a court order must be issued by a magistrate before accessing information, the generic use of the provision transforms it into a policy tool that can be used for systematic access.
C. Banking Law
Under the Reserve Bank Act, the Reserve Bank of India (RBI) is the authority responsible for collecting information. For the government to access documents, it must either request access from the Reserve Bank, or obtain a court order and request information from the banking branches themselves. As a safeguard to access, the provisions of the Bankers Book Evidence Act applies to all information or documents maintained by the system provider. Under the Bankers Book Evidence Act, banks are not compelled to produce a Bankers Book in a case to which they are not a party—unless ordered to by a court or judge. The RBI is allowed to disclose information only in four instances: (1) protect the integrity, effectiveness, and security of the payment system; (2) in the interest of banking or monetary policy; (3) in the operation of the banking system; (4) or in the public interest. System providers are allowed to disclose information in only three instances: (1) when it is required under the provisions of the Act; (2) if it is expressly consented to by the system participant; or (3) if it is in obedience to the orders passed by a court or statutory authority.
The Reserve Bank Act established the Know Your Customer (KYC) norms as a transparency and accountability measure for clients. The purpose of the KYC norms is to enable banks to monitor customer transactions in order to detect illegal activities such as ghost accounts [Benami], tax fraud, money laundering, financing of terror, and phishing. According to the KYC norms, full details of the name and address as well as copies of ID documents must be kept on record. Banks are permitted to create customer profiles based on risk categorization that (p.263) include information pertaining to the customer’s identity, social and financial status, nature of business, and clients. Banks must also monitor and proactively disclose complex large transactions, and all unusual patterns that do not seem to have an economic or lawful purpose. All transaction records are to be retained for at least five years. Banks must ensure that a record of transactions in the accounts is preserved and maintained. Access to KYC information is currently governed by the regulations in the Reserve Bank Act, which requires a court order for access.
D. Securities Law
The legislation was passed for the purposes of protecting and regulating the interests of investors in the financial market. In the Act, systematic access by the government is enabled through the SEBI Board, which is empowered with broad access to private-sector data. For example, the board is vested with the same powers as a civil court, including requiring the discovery and production of account books and other documents. The board also has the authority to call for information, undertake inspection, and make inquiries into the stock exchanges and mutual funds of: intermediaries, self-regulatory organizations, banks, or any other corporation established under a Central or State Act in the securities market. As a safeguard to unauthorized access and disclosure, the board is permitted to undertake inspection only if it has reasonable grounds to believe that the company has been indulging in insider trading or fraudulent and unfair trading practices. Expanding the amount of systematic access possible, documents collected as evidence must be retained by the authority for a period of six months. Last, the Act enforces a penalty for failure of companies to furnish information on returns, and a penalty for nondisclosure of acquisition of shares and takeovers.3
E. Health Law
The Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act, 1996 which mandates the reservation of job posts for persons with disabilities, allows for systematic access. To do this the Act permits any person who is authorized by the Special Employment Exchange as well as persons authorized by general or special order by the government, to access, inspect, question, and copy any relevant record, document or information in the possession of any establishment.4
In India, legislation that enables systematic access specifically to law enforcement agencies or on the grounds of national security often (1) does not require law enforcement or government agencies to produce a court or executive order for access; (2) does not define how the agency can use the accessed information; (3) does not restrict access to information to specific ranks of officials, but instead allows for any officer of any agency to access information; and (4) penalizes the private entity noncompliance with disclosure or access requests. Systematic access to information by law enforcement agencies or for reasons of national security can be found under India’s Internet law, communications law, and terrorist legislation.
A. Internet Law
The Information Technology Act (ITA) 2008 allows the governmental security agencies for investigation purposes broad systematic access to user information held by the private sector. The provisions are unique in the fact that though they grant broad access to security agencies, they do not establish grounds for access, that is, national security. This augments the amount of access possible as it removes a standard for permitted access. The following sections and rules are relevant:
1. “Data Protection” section and the “Reasonable Security Practices and Procedures and Sensitive Personal Information” rules: Systematic access by the government is allowed by (a) not requiring security agencies to gain prior authorization before accessing information; (b) permitting access to any governmental agency; (c) permitting access to any type of “sensitive personal data or information”; and (d) permitting accessed data to be used for broad and generic purposes. For instance, body corporates are required to share information on receipt of merely a written request from any governmental agency. These agencies are not required to state in writing the reason for requesting information; thus the provision does not protect against the nonspecific collection of personal information. When obtained, sensitive personal information may be used by governmental agencies broadly for: verification of identity, prevention, detection, investigation including cyber incidents, prosecution, and punishment of offenses. The rules represent a dilution from traditional procedure established under the CrPc as they do not require a court order from a specified authority to access information, and they do not require the type of information sought to be identified.
2. Intermediary Liability section and due diligence rules: These provisions facilitate systematic access in two ways. First, by requiring (p.265) intermediaries to provide any authorized governmental agency with information that is requested in writing, and second, by enforcing extensive data retention for a period of 90 days to aid with investigation after take-down notices are received, thus lowering the standard for what types of data can be retained as any affected party can send a take-down notice.
3. The “Cyber Café ” rules: These rules facilitate access to law enforcement and security agencies by mandating ID disclosure and a one year of data retention at the Cyber Café. Also, the seniority level of the authorized official and circumstances for data access are lowered. Any Inspector authorized by the registering agency is allowed to inspect the premises of any Cyber Café whenever he/she chooses. The Cyber Café owner must, and is held legally responsible for, providing every related document, register, and necessary information to the inspecting officer on demand. The scope of access by the government is augmented by the amount of personal information collected and retained by Cyber Cafés. In addition to systematic access, the rules require monthly disclosure of the log register showing data-wise usage details to an agency identified by the registration agency.
B. Communications Law
Systematic access by governmental security agencies can be found in Indian interception law. The three laws that address the interception of communications are the Indian Post Office Act 1898, the Information Technology Act 2008, and the Telegraph Act 1885. When compared, it is possible to see a weakening of standards among the interception regulations found in these Acts. For example, under the Post Office Act, interception of postal articles is permitted in the occurrence of a public emergency, or in the interest of public safety or tranquility. Under the Telegraph Act, interception of telephone calls is permitted in the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, or public order, or for preventing incitement to the commission of an offense. Under the IT interception of electronic communications is permitted for the additional reason of preventing incitement to the commission of a cognizable offense relating to the above.
Furthermore, the ITA legal access to information begins with permission to intercept communication data, which must be granted by the Competent Authority. According to the ITA, conditions in which interception, monitoring, and decryption are permitted include: in the interest of the sovereignty or integrity of India, the defense of India, the security of the state, friendly relations with foreign states, or public order, or for preventing incitement to the commission of any cognizable offense, or for investigation of any offense. These conditions are a dilution of the conditions laid out in the Telegraph Act as they allow for information to be intercepted for the additional purpose of investigation.
(p.266) Furthermore, under the ITA the Competent Authority may issue directions to any agency of the government to monitor and collect traffic data for a range of “cybersecurity” purposes including, inter alia, “identifying or tracking of any person who has breached, is suspected of having breached, or being likely to breach cybersecurity.” Also under the ITA, if permission is granted, any agency of the government may intercept, monitor, or decrypt information transmitted, received, or stored in any computer resource. Thus, intermediaries must provide all facilities, cooperation, and assistance for the interception, monitoring, and decryption of information to authorized agencies. This includes assisting in: the installation of equipment of the authorized agency; the maintenance, testing, or use of such equipment; the removal of such equipment; and any action required for accessing stored information under the direction. This requirement is also not found in the Telegraph Act, which requires service providers only to appoint nodal officers in charge of handling the interception orders.
Augmenting the degree of access to information under the ITA are three mechanisms:
1. Decryption Key Holders are required to disclose both the decryption key and provide assistance in decrypting information to authorized authorities. Thus, once the government is in possession of the disclosed decryption key, hypothetically it can access the information at any point of time.
2. If an intermediary fails to comply with directions issued by governmental agencies, they are held criminally liable.
3. Real-time collection of traffic data from any computer resource either in transit or in storage is permitted; thus agencies have the ability to access large amounts of unspecified data.
Though authorized agencies are prohibited from using or disclosing contents of intercepted communications for any purpose besides investigation, they are permitted to share the contents with other security agencies for the purpose of investigation or in judicial proceedings, and, additionally, if a security agency of the central government asks for intercepted information from agencies at the state level.
C. Terrorist Legislation
Systematic access is also found in Indian terrorist legislation. Since its independence, India has seen the enactment of many central and state legislations focused on containing and combating terrorism. Out of these, at least three have imparted greater powers of systematic access to police, security agencies, and the government by lowering interception standards. These include: The Maintenance of Internal Security Act (1971–1978), the Maharashtra Control of Organised Crime Act (1999), The Prevention of Terrorism Act (2002), and the Unlawful Activities Prevention Act (1967) amended in (2004). Through these acts, wiretapping standards at the time have been diluted by: (1) permitting wiretapping (p.267) without authorization or warrant, (2) permitting wiretaps to be conducted without a given time limit, (3) permitting all wiretaps (authorized and unauthorized) to be used as evidence in court, and (4) removing traditional wiretapping safeguards found in Indian law.
For the private sector, the rules allowing systematic access are dangerous as they hold specific actors responsible for providing information to the government, while failing to provide a form of redress if an official abuses this power, or if the information is used for unauthorized purposes. Additionally, the rules do not establish if the government is responsible for the security of collected or inspected data. Thus, it is unclear who will be held liable if there is a data breach.
V. Broad Disclosure
In India there are three categories of legislation and policy that explicitly require the proactive disclosure of information to the government: banking laws (including anti-money laundering), health laws (including legislation pertaining to epidemics), and ISP policy found under communication law.
A. Banking Laws
Private-sector banks are most directly implicated by proactive disclosure requirements in Indian law. The Prevention of Money Laundering Act, 2002 (PMLA) mandates all banking companies, financial institutions, and intermediaries to maintain records pertaining to suspicious client transactions to be disclosed to the RBI.5 Though these records are not disclosed directly to the government, they are indirectly disclosed because the central government, through the RBI, establishes the procedure and manner of maintaining and furnishing these records. Additionally, if the principal officer of a banking company, financial institution, or intermediary notices suspicious transaction, the officer must furnish the information to the RBI within the prescribed time. Records are to be maintained for a period of 10 years from the date of cessation of the transactions.
B. ISP and Telecom Policy
The government of India has put in place a proactive disclosure regime specifically for communication data through powers established in the ISP license [called the UASL: Unified Access Service License] The license provides the government with expansive access to communication data held by ISPs and Telcos. They are required to maintain and make available to different authorities a wide range of information including:
• A list of all subscribers to its services on a password-protected website for easy access by government authorities. This website should also (p.268) contain a traceable identity and the geographical location of any subscriber at any given time. ISPs must also be prepared to make available a log of all users connected to its service, and a record of the service they are using (mail, telnet, http, etc.). The log must be available to the government “at any prescribed moment.”
• User logs along with copies of the packets originating from the Customer Premises Equipment of the ISP must be available to the Telecom Authority.
• A log of commercial records with regard to the communications exchanged on the network for a period of “at least one year” must be made available to the licensor for security reasons.6
Though ISP agreements are rooted in the Telegraph Act and thus are subjected to its safeguards, the proactive disclosure regime under the ISP license is so expansive because (1) there is no regulation governing how long information held by intermediaries can be retained, and (2) there is no differentiation in terms of levels of access and disclosure protection between different categories of data; user logs are subjected to the same protection as the geographical location of an individual.
For the private sector the implications of these provisions are severe, as under law service providers are held to a double-edged sword, where on one hand they are held criminally liable if they do not comply with governmental requests for interception, and on the other hand they are held responsible for violations pertaining to secrecy, confidentiality, and unauthorized interception.
C. Health Legislation
Broad disclosure of health-related information has implications for both private and public institutions. The rationale for proactive disclosure in the health sector, unlike banking or telecommunications, has primarily to do with public safety, order, and health as in the case of tracking epidemics. The Epidemic Diseases Act of 1947 requires that the government be informed if any part of the state is “visited by, or threatened with, an outbreak of any dangerous epidemic disease.” In order to prevent the outbreak of a disease the government authorizes authorities to inspect persons traveling within the country or across a national border and inform the government of the findings of such inspections.
Proactive disclosure is also being enforced by the government through real-time monitoring of health patients. For example, launched on March 8, 2009, the Save The Baby Girl (STBG) Project was created with the objective of curbing female feticide and enhancing the sex ratio.7 The STBG system is implemented in (p.269) two phases: an online portal and the installation of a video-capture device called Silent Observer (SIOB) to the ultrasound machines. The SIOB, also known as the “active tracker,” monitors ultrasound tests and records sonography images of each sonography conducted. The sonography video is accessible to doctors and a few government and company officials.
In 2006, the Indian Council of Medical Research (ICMR) published the Ethical Guidelines for Biomedical Research on Human Subjects. The guidelines outline general principles that should be followed when conducting research on human participants. Principles that protect patient privacy include: principle of informed consent, principle of privacy and confidentiality, principle of accountability and transparency, and principle of compliance. Under the guidelines, proactive disclosure is facilitated through government-initiated surveillance studies. Surveillance studies require ongoing, systematic collection, analysis, interpretation, and dissemination of data regarding a health-related event or to measure the burden of a disease.
VI. Categories of Data
Indian law does not make specific distinctions on the role of the court for access to different categories of communication data. For example, the interception of communications can be carried out through a court order, but security agencies are not required to explicitly obtain an order for certain types of data.
The clearest distinction between categories of data and the standards required for access to information by the government is from the 1997 case PUCL v. Union of India. The Supreme Court of India held that the interception of communications was an infraction of the constitutionally guaranteed right to life and personal liberty, unless permitted under the procedure established by law. Subsequently, the Supreme Court framed guidelines to be followed when intercepting telephone lines. The Central Government subsequently notified the Supreme Court’s procedural safeguards as rules under the Telegraph Act. The rules state that: only a home secretary from the central or state government can authorize a wiretap; requests for interception must specify how the information will be used; each order unless canceled earlier will be valid for 60 days and can be extended to a maximum of 180 days; a review committee at the central/state level will validate the legality of the wiretap; before an interception order can be approved, all other possibilities of acquiring the information must be considered; the committee can revoke orders and destroy the data intercepted; records pertaining to an interception order will be destroyed every six months, unless required for functional purposes; and records pertaining to an interception maintained by the service provider will be destroyed every two months.
In the case of an emergency, immediate interception is permitted to be authorized by the Joint Secretary or any official above, provided that that the Union Home Secretary is informed within three days, and receives confirmation within seven days. However, according to some security experts based in Delhi and in Mumbai: (1) all phone calls in sensitive cities such as Mumbai are recorded for (p.270) two or three days, these records are reviewed by the police, and specific numbers are then retained for longer durations; and (2) all international voice traffic is retained for two or three days. However, representatives of Indian telecos speaking under conditions of anonymity assured us that such blanket voice retention measures were neither technically nor economically possible. The truth however lies somewhere in-between.
Telecos engage in data retention of voice and Internet traffic and metadata, but have rolled out legal interception equipment based upon the big data opportunity and the frequency of intercept or information requests. By examining media coverage of crime one can make an informed guess about the scope and nature of data retention. During the investigation of Arushi’s murder it was clear that Internet traffic logs detailing search engine queries and details of when the modem was turned on and switched off could be recovered weeks after the incident. In contrast during the investigation of Sister Valsa John’s murder it was not possible to recover her call records without finding the device.
VII. Standards for Use
Standards for governmental use of accessed information vary across sectors, and in most cases are nonexistent. Apart from these safeguards for telephonic interception, which can be extrapolated to proactive disclosure, no other explicit standards for use or safeguards against abuse are mentioned in sectoral law. One of the six safeguards notified in the Telegraph Act rules as a result of the Supreme Court’s verdict in PUCL v. Union of India impacts use of intercepted information: “all copies of the intercepted material must be destroyed as soon as their retention is not necessary under the terms of the Act.”8 The ITA Interception Rules prescribe maintenance of records by the designated officer to include “the name and other particulars of the officer or the authority to whom the intercepted or monitored or decrypted information has been disclosed, the number of copies, including corresponding electronic records of the intercepted or monitored or decrypted information made and the mode or method by which such copies, including corresponding electronic record are made, the date of destruction of the copies.” However, in contrast, the “Guidelines for anti-money laundering measures” issued by Sebi do not mention any similar privacy safeguards under the sections dealing with “record keeping” and “retention of records.”
VIII. Cross-Border and Multi-jurisdictional Issues
The ITA 2008 in its preliminary chapter clarifies that it does not only apply to India’s jurisdiction; it says it “applies also to any offense or contravention (p.271) thereunder committed outside India by any person.”9 This is in contrast with the Telegraph Act, which only “extends to the whole of India.”
IX. Recent Controversies and/or Pending Unresolved Issues
The four years of negotiations between the Indian government and Research in Motion (RIM) demonstrate how the Indian government includes an element of proactive disclosure outside of the legislative sphere. Since March 2008, India has threatened to place a ban on RIM’s Blackberry services, unless given real-time and direct access to communication traffic. The Indian government during negotiations has proposed six solutions to allow for direct access to the BlackBerry network. The solutions involve: (1) physically locating the servers (Network Operating Centres) within India, thus giving the government clear jurisdiction; (2) enforcing a blanket data retention of all Internet data and email for a minimum period of six months; (3) lowering RIM’s encryption to 40 bit from the current 256 bit to allow easy interception of communications; (4) encryption key escrow for both BIS and BES with the Indian government; (5) negotiate a “Government to Government” solution where legal interception orders will be routed through the US or Canadian governments, who will then comply and carry out interception on behalf of the Indian government; or (6) complying with the requirements of the Central Monitoring System (CMS), an interception network that allows security agencies to intercept emails, cyber chats, monitor voice calls, SMS, MMS, GPRS, fax communications on landlines, and CDMA and GSM networks—all in real time.10
If enforced, the CMS will create a system where the government will not need to require disclosure of information from the private sector, but instead will be able to access this information on its own. Solutions 4 and 6 proposed by the Indian government explicitly fall into the category of proactive disclosure, allowing the government to bypass the private actor and legal safeguards. This will also subvert the legal protections and safeguards found in confidentiality clauses, and take away an accountability and transparency mechanism that is typically in place when private entities protect information under contract. The policy and practice emerging from the standoff between RIM and the Indian government is commonly understood within and outside government to set the standard for data access and interception for other private-sector companies offering similar cloud-based encrypted communication services such as Google (p.272) Mail and Skype. RIM made several counteroffers to the Indian government often without directly responding to their demands. However, most recently RIM has opened a NOC in Mumbai that would subject it to the terms and conditions of the Unified Access Service License. This arrangement would allow for interception of PIN messages, and BIS traffic but not BES traffic, and would also resolve the government’s anxiety over domestic traffic being routed to foreign NOCs. It is unclear from media reports whether key escrow for BIS users has been implemented. The Indian government however continues to demand interception of corporate or BES traffic. This could only be resolved via proactive disclosure or key escrow as mandated in the UASL (though never implemented).
In 2011, the National Intelligence Grid (NATGRID) was established as an attached office of the Ministry of Home Affairs; it facilitates governmental systematic access by providing security agencies with a license to go through and link 21 databases from government and private-sector organizations such as an tax records; air, train, and bus travel; Internet; and phone telecom records.11 NATGRID complicates the picture of governmental access to information, because it does not operate via legislation, and claims only to connect databases. Thus, regulations and procedures do not exist. For the private sector this means that NATGRID could override any safeguards in place.
Though the ITA rules do not comprehensively protect against systematic access, they do establish certain safeguards to prevent systematic access by the government. However, in practice the government often ignores these safeguards. Recently, in Mumbai, two city assistant police commissioners were accused of selling call details from conversations of high-profile individuals.12 The police commissioners allegedly used their position to gain access to the communication records from telecos. Only one of the telcos responded when the investigating police officers approached seeking the names of the officers to whom details had been disclosed. This incident reveals that law enforcement officials abuse their positions to dilute data access safeguards. This demonstrates the loose implementation of the interception safeguard. In addition, it is clear that service providers are not transparent about data access either, because it is illegal or because (p.273) they are afraid of consequences demonstrating the lack of redress and protection for service providers that is given if there is abuse by government entities.
There are no specific laws governing the use of CCTV (closed circuit television) cameras in shops, offices, colleges, hostels, and other private-sector establishments. However, in New Delhi, other metro cities, and state capitals, the police have been strongly advocating the installation of CCTV cameras in private-sector establishments. Hotels are asked to install CCTV cameras at reception desks, front entrances, car parks, and all lobbies of the hotel until the guests enter their private rooms. The police have also been encouraging private establishments to make CCTV camera feeds available in real time by using web-streaming technologies. Most recently, the Delhi police called for mandatory real-time feeds of bars and pubs in Noida following the gang rape of an ex-employee. CCTV camera footage has been successfully used by the police to secure convictions for a wide variety of crimes. For example, CCTV cameras have been installed in response to terror attacks, such as the German bakery blast that took place in Pune. After the attacks that took place in 2010, the city amended the development control rules and made it mandatory for 24/7 cameras to be installed in public areas.13 CCTVs are an example of an area where systematic access of private-sector data is growing rapidly in the absence of any regulatory framework.
X. Concluding Observations
The practices around systematic access of private-sector data in India are difficult to understand clearly as very few members of the private sector are willing to speak about it even under conditions of anonymity. When it comes to policy, in many cases there is no explicit policy; where policy does exist it is unclear and lacking sufficient safeguards, allowing for a wide range of interpretations. When data retention is prescribed there are usually very few safeguards—no breach notification, no transparency requirements, usually not even internal record-keeping is required, no mandatory deletion/obfuscation policy, no requirement to publish a data-retention policy.
Given unclear policy and the cost of data retention, private-sector practices vary across the different organizations, across geographic regions, across market segments, and also across sectors. No indigenous private-sector organization publishes a data retention policy or is transparent about government access. No indigenous private-sector organization appears to publicly resist data access or surveillance demands of the government. In its annual report, Bharati Airtel says “In the lawful interception domain, we received 422 appreciation letters (p.274) from various law enforcement agencies in the last one year alone.”14 The report is not clear about the total number of interceptions facilitated.
Surveillance and systematic access is usually permitted under law during a “public emergency” on when “public safety or tranquility,” “sovereignty and integrity of India,” “security of the state,” “friendly relations with foreign states,” or “public order” is undermined or to “prevent incitement to the commission of any offense.” Over time the standards for surveillance and systematic access have been diluted from a “public emergency” to “prevent incitement to the commission of any offense.” This is a pretty significant dilution given that the ITA has placed what some consider unconstitutional limits of freedom of expression by criminalizing acts such as “sending, by means of a computer resource or a communication device, any content that is grossly offensive or has menacing character; or any content which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will.” Given this lowering of the threshold on free speech, the government could order surveillance or systematic access to private-sector data using different provisions of the law involving trivial reasons.
The government of India does not seem to exercise a scientific temper or adopt principles of natural justice when it comes to surveillance and systematic access to private-sector data. It appears to be sold on a techno-utopian vision of “surveillance for surveillance’s sake” or very little appreciation of “privacy by design principles” or “privacy as a prerequisite for security” or “excessive surveillance compromising security.” Massive surveillance projects are being rolled out without waiting for enabling legislation. This attitude of government is best understood via the design and implementation of projects such as the Baby Girl project, NATGRID, and CMS.
Given the policy vacuum, the lack of clarity in policy, and the distance between policy and implementation, the impact on the private sector has four dimensions: (1) unclear liability when personal data fall into the wrong hands, (2) lack of redress system available to the private sector in case of abuse by a government official, (3) a tendency for collusion between government actors and private-sector actors that can result in tampering of cyber-evidence, and (4) the likelihood that without transparency and access to recourse this will result in a private surveillance and censorship regime.
(*) Editor’s Note: This chapter has not been updated since originally published in 2012.
(1.) ET Bureau, “Intelligence Bureau Want Telcos to Keep Eye on Internet Traffic on Mobile Phones,” The Economic Times (February 23, 2012), http://articles.economictimes.indiatimes.com/2012-02-23/news/31091065_1_phones-ip-internet-usage.
(2.) Atideb Sarkar, “Soon, Govt Will Keep Track of Where Every Mobile User Is,” The Indian Express (February 16, 2012), http://www.indianexpress.com/news/soon-govt-will-keep-track-of-where-every-mobile-user-is/912681/0.
(3.) The Securities and Exchange Board of India Act, 1992.
(4.) Chapter 5 Employment, Persons With Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act (1996).
(5.) Prevention of Money Laundering Act of 2002 § 15.
(6.) Guidelines for Cyber Café Rules § 5(3). The log register must contain the user’s name, address, gender, contact number, type and detail of identification document, date, computer terminal identification, log-in time, and log-out time.
(8.) “FAQs on Telephone Tapping,” PRS Blog (Apr. 27, 2010), http://www.prsindia.org/theprsblog/?tag=telephone-tapping.
(9.) ITA Interception Rules § 16 (2009).
(10.) John Ribeiro, “India to Set Up Automatic Monitoring of Communications,” PC World (November 26, 2009), http://www.pcworld.com/article/183229/india_to_set_up_automatic_monitoring_of_communications.html.
(11.) Vibhuti Agarwal, “Q&A: NATGRID Chief Raghu Raman,” Wall Street Journal (June 29, 2011), http://blogs.wsj.com/indiarealtime/2011/06/29/qa-natgrid-chief-raghu-raman/.
(12.) “Two Delhi Cops May Land in the Dock for Selling Cell Call Records,” Times of India (March 11, 2012), http://articles.timesofindia.indiatimes.com/2012-03-11/mumbai/31144815_1_delhi-officers-delhi-cops-service-providers.
(13.) Radheshyam Jadhav, “CCTV Cameras in Public Places Will Need Govt’s Go-Ahead,” Times of India (February 9, 2011), http://articles.timesofindia.indiatimes.com/2011-02-09/pune/28545041_1_cctv-cameras-fire-stations-pmc.
(14.) Bharati Airtel Annual Report, 2010–2011.