MHA notification: Authorised agencies don't have suo motu powers to issue interception, monitoring directions

The recent notification issued by the Ministry of Home Affairs **authorises 10 Central government agencies** as agencies for the purpose of interception, monitoring and decryption of data in any computer resource. The agencies authorised include the Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, CBI, National Investigation Agency, Cabinet Secretariat (R&AW), Directorate of Signal Intelligence (in Jammu and Kashmir, North-East and Assam only) and the Delhi Police Commissioner. The release of the notification has created a furore among the people, particularly with the Orwellian possibilities of the notification. In some respite to the concerns that have emerged, a closer reading of Section 69 of the Information Technology Act, 2000 (the IT Act) and the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (the IT Interception Rules), makes it clear that these agencies themselves simply do not have the power to authorise interception, monitoring or decryption in any form. The notification, thus, is not blanket empowerment of these agencies to carry out surveillance. [caption id=“attachment_4852081” align=“alignnone” width=“1024”] Representational image.[/caption]

Only the MHA Secretary can issue the directions

The agencies under this MHA notification have been appointed as ‘agencies’ under Rule 4 of the IT Interception Rules. As per these rules, the actual direction to carry out the interception, monitoring or decryption (interception, etc.), can be issued only by the ‘competent authority’ under Rule 3. The competent authority, in this case, is the Secretary in the Ministry of Home Affairs for the Central Government, or the Secretary in charge of the Home Department for the State Government, as defined under Rule 2(d) of the IT Interception Rules. As per the procedure under the Rules, the directions of the competent authority are to be directed to an agency, who will then direct the intermediary or another person as required to carry out the interception. In other words, a direction to carry out the interception etc. comes from the Secretary; this is directed to an agency, say the Intelligence Bureau, who in turn will direct the intermediary or person-in-charge, say an internet service provider, to carry out the direction.

Limited powers of the agency

Further clarity to the scope of the powers of the agencies thus appointed under this notification can be achieved through a reading of the accompanying rules under the IT Interception Rules. Rule 9, for instance, requires an agency appointed under Rule 4 to appoint a nodal officer. The job of this nodal officer will be to ‘authenticate and send the requisition containing (the) direction issued under Rule 3’ to the concerned intermediary or person-in-charge. Clearly, a direction can only be issued under Rule 3, ie, through a competent authority, and the agency’s role is to ‘authenticate’ it and ‘send’ it. Nowhere under the rules are the agencies thus appointed empowered to themselves issue a direction.

Notification does not empower carrying out unlimited surveillance

Rule 3 further states that no person shall carry out an interception, etc. unless the direction to do so comes from a competent authority. This also means that it would be illegal for a person to carry out interception if the direction came directly from the agency and not the competent authority. The governmental bodies in the MHA notification, have been appointed as agencies, and an appointment as a competent authority, in fact, would require an amendment to the law in itself, and cannot be achieved through a mere governmental notification. The notification thus, in itself does not empower the agencies listed therein to carry out unlimited surveillance. Such an authorisation, in fact, would not stand the scrutiny of the law — be it the procedures prescribed under the IT Interception Rules and Section 69 themselves, or those prescribed for a lawful invasion of privacy under the Puttaswamy judgment on the fundamental right to privacy.

JUST IN: MHA issues clarification on its notification authorising 10 central agencies to carry out interception, monitoring &decryption of any Information. MHA says that the same is done as per due process of law and approval of competent authority i.e. Union Home Secretary. pic.twitter.com/xSuCfelpHA

— The Leaflet (@TheLeaflet_in) December 21, 2018

Challenging the constitutionality of surveillance powers of the State

The notification, has, however, given new impetus to the debate on the State’s powers to carry out surveillance, and on the constitutional validity of Section 69 and the IT Interception Rules themselves. The procedural safeguards under the IT Interception Rules, in fact, are similar to those prescribed for telephone tapping in the PUCL case, and those for the blocking of websites under Section 69A, which were upheld in the Shreya Singhal case. These include, for instance, a limitation on who can issue a direction, the requirement for reasons to be recorded in writing, an upper limit of 180 days for the interception, etc., and the requirement for periodic reviews of the direction issued. The situation here, however, is quite different. Firstly, the invasion of privacy caused by the interception, etc. of a computer resource is thus much broader than that caused by tapping a telephone or blocking a website. A ‘computer resource’ in fact, by definition, can include any computer — which today includes a smartphone, tablet, PC and even IoT devices; together with any network, data, computer database or even software. Secondly, there is a much higher standard to be met to authorise an invasion of privacy, as laid out under the Puttaswamy judgment. The judgment established the following three tests to be met before the right to privacy could be invaded — first, there must be a law, second, there must be a legitimate purpose to be met, and third, the infringement of privacy must be proportional to the purpose sought to be met. The meeting of the third criteria, proportionality, in particular, is difficult given the vast scope of surveillance via a ‘computer resource’ today.

Need for new benchmarks for lawful interception

In the new internet and data age, surveillance needs a very different approach. The extent of invasion of privacy enabled thereby makes it vital to reconsider the adequacy and constitutionality of Section 69 and of the procedural safeguards prescribed for an interception, etc. under the Rules.  The safeguards as laid down under the PUCL case and upheld under the Shreya Singhal case should not be taken as the benchmark to judge the constitutionality of surveillance safeguards as well. The author is a lawyer specialising in technology, privacy and cyber laws.