April 1, 2012
|
Security agencies can easily spy on personal online information. Source: GOI Monitor

Security concerns have forced India to beef up its monitoring apparatus but unlimited access to private information raises serious concerns

Have you ever felt like someone is looking over your shoulder as you write an email, transfer money through netbanking or fill a simple contest form?

This concern should trouble us more often as we increasingly exchange personal information online taking it for granted that the whole set up is secure and snoop- proof.

The recent case involving Yahoo India can be a good starting point to help understand that the truth is quite contrary.

If censuring of content by social networking sites was criticised for being against freedom of expression, the Yahoo India case may very well threaten the right to privacy of an individual.

The Controller of Certifying Authorities (CCA), a regulatory authority under the Information Technology Act 2000 had slapped a fine of Rs 11 lakh against Yahoo for not providing personal information related to some of its users.

Though the fine has been stayed by the court, the incident underscores the point that companies like Yahoo, Google and Facebook can easily be arm twisted to provide personal information including content of emails belonging to their users: that is you and me.  

In India, the right to privacy debate on monitoring of communications was addressed by the Supreme Court in 1996 while hearing a petition by the People’s Union for Civil Liberties (PUCL) questioning the constitutional validity of telephone tapping under Clause 5(2) of the Indian Telegraph Act 1885.

The Supreme Court ordered that “unless a public emergency has occurred or the interest of public safety demands, the authorities have no jurisdiction to exercise the powers” given to them under the law.

The court went on to define public emergency as “prevailing of a sudden condition or state of affairs affecting the people at large calling for immediate action”, and public safety as “the state or condition of freedom from danger or risk for the people at large”.

Unless a public emergency has occurred or the interest of public safety demands, the authorities have no jurisdiction to exercise the powers” given to them under the law

While the Telegraph Act was amended to incorporate these guidelines, the Information Technology Act, initially envisaged to facilitate rules and laws for e-commerce, does not have any such references thus making interception of online communication by government agencies unquestionable. Moreover, these agencies continue to exist without any Constitutional status.

Our Constitution mandates that a “Central Intelligence Bureau” would be created by “an Act of Parliament”. However, while the Intelligence Bureau (IB) was created by the British rulers, R&AW and the National Technical Research Organisation (NTRO) are running on the basis of executive decisions.

Recently, the Karnataka High Court asked clarification from the Union Home Ministry on legal status of IB in response to a PIL filed by a retired IB officer. In the absence of such safeguards, regulation of their operations becomes questionable.

While Intelligence Bureau (IB) was created by the British rulers, R&AW and the National Technical Research Organisation (NTRO) are running on the basis of executive decisions 

Recently, the Karnataka High Court sought clarification from the Union Home Ministry on legal status of IB

None of the governments tried to rectify these anomalies fearing loss of right to spy on their opponents. In current times of democratically-elected but indifferent governments, the privilege can easily be misused to deal with any voice of dissent whether it belongs to a social activist involved in anti-corruption movement, a lawyer pursuing public interest litigations or a journalist on trail of a scam.

The fact that our political parties have also been accused of genocides against particular communities in the past, also underscores the need for essential safeguards against harassment. On the contrary, the Constitutional invalidity of these rules and monitoring agencies, like CCA, only aggravates the situation.

The rules are made by the executive, not the elected representatives, to ensure smoother functioning of the Act. However, at least, in the case of the IT Act they definitively override the mandate provided by the parliament since they grant debatable powers to CCA. Under Section 28 of the IT Act, CCA is empowered to investigate contraventions of the provisions of the Act.

This power becomes potent post the Information Technology (Reasonable security practises and procedures and sensitive personal data or information) Rules formulated in 2011 allowing CCA to obtain information, including sensitive personal information, from any company or body corporate, on request of a government agency.

The body has to oblige the CCA or face a stiff penalty as Yahoo India did.  On January 10, 2012, Software Freedom Law Centre, India (SFLC.in) sought following information from CCA through an RTI application:

  1. Number of requests received in last three years, by the CCA from government agencies like the Intelligence Bureau, Ministry Of Home Affairs etc.
  2. Number of notices issued by the CCA under Section 28 of the IT Act in the last three years.
  3. Names of the recipients of notices under Section 28.
  4. Names of body corporates on whom a fine under Section 44 (A) has been imposed.
  5. Information on the methodology of scrutiny of requests from government agencies. Any rules or guidelines regarding the same.
  6. SFLC received a reply on February 8, 2012, mentioning that for the first three questions the CCA needed permission from the concerned government agencies to disclose this information.

In response to question no. 4 it informed that only Yahoo India has been fined under Section 44 (A) of the IT Act. Information related to question no. 5 was denied on the basis that it was a confidential matter.

Another reply furnished on March 2, 2012, mentioned that CCA had got approval from the concerned agency. It also informed that 73 notices were issued by the CCA under section 28 of the IT Act in the last three years to respondents including Yahoo India, Google, AOL, Facebook, Orkut and Hotmail.

Statutory motion moved in Rajya Sabha

P Rajeeve, MP representing Kerala in the Rajya Sabha has moved a statutory motion to get the Information Technology (Intermediary Guidelines) 2011 annulled. This motion has been admitted and will be coming up before the Rajya Sabha soon.

The Intermediary rules have resulted in a mechanism whereby intermediaries like Google and Facebook receive protection from legal liability in return for trading away the freedom of expression and privacy of users. The rules require the intermediaries to provide the Government agencies information of users without any safeguards besides requiring the intermediaries to initiate action for taking down the content within 36 hours of receiving a complaint.

The rules in the current form are ultra-vires of the parent Act and are also violative of the Constitution of India.

Substantial information for the content was provided by SFLC, India