The Web We Want grant enabled SFLC.in to conduct a complete legal analysis of the provisions relating to monitoring and surveillance in India. This is particularly important in the context of an extensive monitoring mechanism called the Centralised Monitoring System, currently being planned in India. In this project, SFLC.in conducted a detailed legal analysis of the surveillance and monitoring mechanisms and their compliance with the International Principles on the Application of Human Rights to Communications Surveillance. This research will contribute to SFLC.in’s ongoing efforts to create a hub that will collate information on monitoring and surveillance laws and incidents of misuse of these laws. Recently, SFLC.in organised a conference titled the “Internet We Want” to launch a campaign to draft a bill of rights to protect the rights of citizens on the Internet. The conference aimed to involve Parliamentarians in the discourse on an open Internet and freedom of expression on the Internet. This grant will further help to create awareness about the need for a policy environment that will encourage a free and open Internet for the benefit of citizens.
The report delves into communications surveillance in India and takes an in-depth look at various aspects of India’s surveillance machinery, including enabling provisions of law, service provider obligations, and known mechanisms. It examines compliance of India’s legal provisions on surveillance with the International Principles on the Application of Human Rights to Communications Surveillance that were formulated after a global consultation with civil society groups, industry, and international experts in communications surveillance law, policy, and technology.
Some major points brought out in this report:
- An application under the Right to Information Act filed by SFLC.in revealed a list of 26 companies, including foreign companies, that had expressed interest in placing bids on a tender floated for Internet monitoring systems, clearly evincing that a large number of firms are active in selling surveillance equipment in India. Several of these companies have incidentally been included in the list disclosed as part of the Spy Files project of Wikileaks.
- Another revelation was that, on average, more than a lakh (100,000) telephone interception orders are issued by the Central government alone every year. On adding the surveillance orders issued by the State Governments to this, it becomes clear that India routinely surveils her citizens’ communications on a truly staggering scale.
- State surveillance of citizens’ private communications is authorized by legislative enactments such as the Indian Telegraph Act and the Information Technology Act, which allow Indian law enforcement agencies to closely monitor phone calls, texts, e-mails and general Internet activity on a number of broadly worded grounds. They establish an opaque surveillance regime that is run solely by the Executive arm of the Government, and make no provisions for independent oversight of the surveillance process.
- An unknown number of Lawful Interception and Monitoring (LIM) systems tasked with the collection and analysis of citizens’ communications data and metadata are already installed in India’s communication networks. On top of these, capability-enhancing technologies and databases such as the Central Monitoring System (CMS), Network Traffic Analysis (NETRA) and National Intelligence Grid (NATGRID) are in varying stages of deployment. The Government of India is also known to outsource surveillance initiatives to private third parties, some of which go so far as to infect target devices using malicious software in order to gain access to information stored within.
- It was revealed by a source that NETRA storage servers will be installed at more than 1000 locations across India, each with a storage capacity of 300 GB, totalling 300 TB of storage initially.
- Section 69 of the Information Technology Act, 2000 imposes an obligation on Internet Service Providers to provide all assistance to government agencies to intercept any communication; failure to comply may result in imprisonment for up to 7 years and fines.
- The Controller of Certifying Authorities uses Section 28 of the IT Act, an ambiguous provision, to collect user data from technology companies. An RTI request revealed that it made 73 requests under this provision in 2011.
- Indian laws, policies and practices with respect to surveillance are not in conformity with international human rights law, as evinced by the report of the UN High Commissioner on Human Rights released on June 30, 2014.
- Considering how all the above takes place in a framework that has yet to accord legislative recognition to the existence of a Right to Privacy, no concerns over undue State surveillance can be termed as unfounded.
A copy of the report can be downloaded here.