S. 69 of the Information Technology Act and the Decryption Rules : Absence of adequate procedural safeguards
(This blog post is the fifth in the “Encryption and human rights” series by SFLC.in.)
There exists a legal framework in India which enables the Government to conduct surveillance on certain conditions including the investigation and commission of certain offences. The legal framework for surveillance is defined by the respective laws such as the Indian Telegraph Act, 1885 and the rules therein, the Information Technology Act, 2000 and the rules therein, the Unified license, and through the monitoring systems in India which includes the Central Monitoring System (CMS), National Intelligence Grid (NATGRID), and the Network Traffic Analysis (NETRA).
S. 69 of the Information Technology Act, 2000
S. 69 of the Information Technology Act, 2000 is modeled extensively after Section 5(2) of the Telegraph Act, 1885. Section 69 of the Information Technology Act, 2000 provides for the “power to issue directions for interception or monitoring or decryption of any information through any computer resource.” It lays down certain grounds including:
i. Sovereignty or integrity of India;
ii. Defence of India;
iii. Security of the State;
iv. Friendly Relations with foreign states;
v. Public order
vi. Preventing incitement to the commission of any cognisable offence
vii. For investigation of any offence.
The Central Government or State government officers when specially authorised by them, after recording reasons in writing, by order, can direct any agency of the appropriate government to intercept, monitor or decrypt or cause to be intercepted or decrypted any information received, generated, stored or transmitted in any computer resource. The Rules notified under S. 69 lay down the procedure for interception, monitoring and interception to be followed by the authorities. These rules are known as The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
The sub-clause (3) of Section 69 requires any subscriber or intermediary or any person in-charge of the computer resource to assist such agency in providing access to the computer resource and to decrypt such information as well. In case of failure to provide such assistance, such person or intermediary or subscriber may be held liable for a term of seven years and a fine. While the aforementioned grounds for the application of Section 69 are well defined, the lack of adequate procedural safeguards particularly the absence of judicial oversight provide a license to the executive to decrypt any computer device.
Facebook Inc vs Union of India (TP Civ. No.(s) 1943-1946/2019)1
The Supreme Court of India in Facebook Inc. v Union of India in an order dated 24th September, 2019 had stated that easy availability of decryption could defeat fundamental rights and that it should be relied on only in special circumstances ensuring that privacy of an individual is not invaded. At the same time, the Supreme Court had also noted that “the sovereignty of the State and the dignity and reputation of an individual are required to be protected. For purposes of detection, prevention and investigation of certain criminal activities it may be necessary to obtain such information. De-encryption and revelation of the identity of the originator may be necessary in certain other cases..”
The Information Technology (Procedure and safeguards for interception, monitoring and decryption of information) Rules, 2009
These rules have been notified under the clause (y) of sub-section (2) of Section 87 read with sub-section (2) of Section 69 of the Information Technology Act, 2000. Rule 3 is an elaborate provision which mandates that decryption or monitoring or interception of any information will be done only by an order issued by a competent authority.2 However, in unavoidable circumstances, even a government officer of the rank of a joint secretary to the government of India or above can issue such an order. The phrase “unavoidable circumstances” has not been defined anywhere.
In cases of an emergency meaning that it is a remote area where prior instructions are not possible or in case of operational reasons, the interception or monitoring or decryption may be carried out with the approval of the second senior most officer or the head of the security and law enforcement agency at the Central level. However, such officers must not be below the rank of the Inspector General of Police or an officer of equivalent rank at the State or Union territory level. Such approvals have to be informed in writing to the competent authority by the officer who had approved such interception or decryption.3
Rule 8 however, requires the competent authority to consider alternative means of acquiring such information before ordering access to decryption keys of a device. This provision significantly limits the application of Rule 3 as it shall be applied only when it is not possible to obtain such information through other reasonable means. However, proviso to Rule 3 where it is stated that while informing the competent authority have to be informed in writing about the decryption or interception order, it nowhere specifies that such reasons should include if Rule 8 was followed or not and if alternative means of acquiring such information were available then why they were not resorted to by such authority.
The competent authority can also issue decryption directions to the key holder of any information having a computer resource.4 Interestingly, in a hypothetical situation where the decryption key holder may also be an accused in a case, this will be a challenge to such accused’s constitutional right against self-incrimination enshrined in Article 20(3) of the Indian Constitution. This has been discussed in detail in the later part of the report.
For a state to make a decryption or interception request beyond its jurisdiction, it has to make a request to the Secretary of Ministry of Home Affairs, Government of India to issue directions to such appropriate authority.
The rules also require such orders to be reviewed by the competent authority within a period of seven days.5 Such directions remain in force for a period of sixty days from the date of its issue and could be renewed for a period not exceeding 180 days.6 In addition to this, the rules also require an authorized agency to designate a nodal officer for interception or decryption purposes, maintenance of records by a designated officer, review of directions and destruction of records of interception.
What are the problems with the Rules?
While the Rules lay down the procedural safeguards to be adhered to by the Competent Authority, they fall short on adequately safeguarding the rights of those who are monitored, and do not qualify the proportionality, adequacy, necessity test. The Rules suffer from the following challenges:
a. Lack of judicial scrutiny leading to conflict of interest: The Competent Authority and the Review Committee envisaged under the Rules only include members from the executive. The orders for decryption are passed by the Competent Authority, and the Review Committee puts a rubber stamp on the legality of the orders passed by the former. This leads to conflict of interest as the orders are passed and reviewed by the executive. The element of judicial scrutiny to ascertain that the decryption orders quality the proportionality, necessity, and adequacy requirement is absent in the Rules.
b. Opacity behind the procedures adopted: SFLC.in has filed RTI applications seeking the details of decryption orders passed by the Review Committee in the past. The RTI applications were denied citing that the orders are destroyed after 180 days per the Rules. The current framework envisaged under Section 69 allows for and enables opacity behind the procedures adopted, and the number of decryption orders passed every year leading to no data on India’s surveillance framework. There is no way to ascertain if the Review Committee meets every two months or not, and if it deems any orders passed by the Competent Authority in contravention of the procedure laid down in the Rules.
c. Destruction of records of interception or monitoring or decryption of information: The Rules mandate the destruction of records within 180 days or 6 months after such order has passed. This leads to denial of information of the number of such decryption orders which have passed. It also means that in case an aggrieved party learns that she has been surveilled upon by the law enforcement agencies, she has no way to prove it in the court of law that her right to privacy and anonymity was infringed upon.
What now?
While the Rules lay down the procedural safeguards to be followed by the Competent Authority while decrypting, intercepting or monitoring information, they are inadequate to safeguard the right of privacy, anonymity and free speech and expression of citizens. The Rules do not adhere to the principles of proportionality, necessity and adequacy laid down in the Puttaswamy I judgment (2017). The absence of judicial scrutiny in orders passed by the Competent Authority leads to conflict of interest and allows the executive to be judge in its own cause. To ensure that the surveillance framework envisaged under Section 69 does not infringe on human rights of citizens, it is important that there must be adoption of a clear, precise, accessible, comprehensive and non-discriminatory legislative framework governing surveillance. There must be judicial scrutiny of decryption orders passed by the Competent Authority to ensure that the orders are compliant of the law. Steps must be taken to ensure that effective and independent oversight regimes are in place.
(Check out Report on India’s Surveillance State here.)
1Facebook Inc. v. Union of India, T.P. Civ. No.(s) 1943-1946/2019, https://main.sci.gov.in/supremecourt/2019/27178/27178_2019_13_24_17064_Order_24-Sep-2019.pdf.
2Rule 2(d), Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 as secretary in the Ministry of Home Affairs, in case of the Central Government, or the Secretary in charge of the Home Department, in case of the State Government.
3Rule 3, Information Technology ((Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
4Rule 5, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
5Rule 7, The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
6Rule 11, The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.