Erstwhile, the only substantive law supporting the state surveillance activities was the Indian Telegraph Act, 1855, however, with the technological boom and revolution, the Information Technology Act, 2000 was introduced to facilitate internet surveillance.
According to Section 5(2) of the Indian Telegraph Act, 1885, “On the occurrence of any public emergency, or in the interest of the public safety, the Central Government or a State Government or any officer specially authorised in this behalf by the Central Government or a State Government may, if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence, for reasons to be recorded in writing, by order, direct that any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the Government making the order or an officer thereof mentioned in the order: Provided that the press messages intended to be published in India of correspondents accredited to the Central Government or a State Government shall not be intercepted or detained, unless their transmission has been prohibited under this sub-section.”
While Section 5(2) forms the substantive part of the law, the procedure for the same is prescribed under Rule 419A of the Indian Telegraph Rules, 1951, introduced via amendment Act of 2007. As per this rule, the direction for interception, as specified in Section 5(2) of the Indian Telegraph Act, can only be given by Union/ State Home Secretary. However, in unavoidable circumstances, a lawful order may be issued by, with the prior permission of the Union or State Home Secretary, an officer not below the rank of Joint Secretary to GoI. Pursuant to Rule 419A, service providers required by law enforcement to intercept communications are mandated to comply with certain provisions which include the appointment of nodal officers to deal with interception requests and to prevent its unauthorised usage. The licenses of the service providers stand to be revoked on non- compliance of these rules, resulting in breach of secrecy.
Sections 69 and 69B of Information Technology Act, 2000 pertain to matters of web surveillance. Section 69, is similar to Section 5(2) of the Indian Telegraph Act, 1855. It provides for interception, monitoring and decryption of computer sources by Central and State Governments in national interest. While Section 69B, grants the Central Government the “power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security”.
Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 lay down the procedure for invoking Section 69 of the Information Technology Act, 2000 and is a replica of Rule 419A (as stated above).
Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009 prescribe the procedure for invoking Section 69B of the Information Technology Act, 2000 and is near- identical to rule 419A.
As per Rule 6 of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, a body corporate though disallowed from divesting information to a third party without the consent of the provider, may disclose the same without consent of the provider to the government agencies mandated under law for the purpose of verification, investigation etc.
Rule 3(7) of Information Technology (Intermediaries Guidelines) Rules, 2011, requires the ISP’s etc, under a lawful order to provide authorized government agencies with information for identity verification etc.
As per Rule 7,Information Technology (Guidelines for Cyber Cafe) Rules, 2011, an officer may investigate the records of a cyber cafe and the owner has to be comply with same and provide all the records, search history etc.
Aadhar Act, 2016 is one of the most controversial acts, it was passed by the Lok Sabha in March,2016 to provide a legal backing to the UIDAI Scheme.
The government is in the process of developing rules for the compliance of Section 67C of the IT Act, 2000, which may require the ISP’s and apps like FaceBook etc. to store and collect data. For this purpose, the Data Retention Rules Bill has been drafted.
These rules put in place several checks and balances and try to ensure that there is an established “chain of custody” and paperwork for each and every detection and interception request. The assumption is that with a clearly defined chain of due diligence and paperwork, the possibility of unauthorized interception is reduced, which ensures that the powers of the interception are not misused. However, although these checks and balances exist on paper, there is not enough information in the public domain about the whole mechanism of the interception for anyone to make a clear judgment as to whether the system in fact reduces the number of unauthorized interceptions