The lens of surveillance
Arising in the aftermath of the 26/11 Mumbai attacks, surveillance of internet data in India has lacked cohesive foresight despite urgency, discusses Meetu Jain
As the little storm over India becoming a surveillance state abates with the Ministry of Home Affairs specifying names of agencies that can intercept electronic communication through a computer resource, Intelligence officials admit that it was a lacuna in the law that's finally been addressed.
While the ancient Indian Telegraph Act, 1885 was far more robust and detailed and specifies names of agencies allowed to intercept, the Information Technology Act as amended in 2008, failed to specify the names of agencies allowed to do the interception. It was this lacuna that was being exploited by telecom service providers to deny agencies the required data. The question is what led to this glaring omission. Was it because the amendment was brought about in a hurry post 26/11 in December 2008. The amended IT Act, as well as several other legislation aimed at making the country safer from terror attacks, was passed by both Houses of Parliament without a murmur.
Although to his credit, P Chidambaram, the newly appointed Home Minister, did try to tie up several loose ends of the Act, first passed in 2000. The amendments for instance specified who the 'Competent Authority' would be; the Union Home Secretary or the state Home secretaries. Significantly, the controversial section, 69 B, was added in 2008, enabling the government to mount surveillance on citizens' data in computers. But while the opposition cried foul and Finance Minister Arun Jaitley said in the Parliament that this is akin to making a mountain where a molehill doesn't exist, the context in 2008 for launching future surveillance operations was different.
In fact, a lot of amendments to the Act were made keeping the Mumbai terror attacks in mind that had taken place less than a month ago. India was still waking up to making calls over the internet (and therefore encrypted) better known as Voice over Internet Protocol (VoIP). And, the stories the media was picking up included how one Javed Iqbal, a resident of Barcelona, had acquired VoIP numbers in Spain and Italy that were then used by terrorists during the 26/11 attacks.
So, how did the newly minted Home Minister with an eye for detail (the Act amended in the shadow of the Mumbai attacks even made provisions for child pornography offences, hitherto lacking in the 2000 law) miss this specification? Officials privy to discussions point to bickerings between the babus of North Block and Sanchar Bhavan. While the Telegraph Act specified that the 'Competent Authority' was the Union Home Secretary, the IT Act did not clarify this position. Officials in the IT ministry thus insisted that as per the law, enacted by their ministry, the competent authority should be a joint secretary and above officer. In the to and fro and rush by an embattled UPA to be seen to as passing a legislation that secured the nation, the little detail of the 10 agencies that could do the snooping fell through.
In fact, Standard Operating Procedures (SOPs) issued in 2011 and accessed by Millenium Post, clearly shows where the problem lies. As per the SOPs, "The request for interception and monitoring shall be made by the Head of the Authorised Security and Law Enforcement Agency … giving justification in accordance with Section 5 (2) of the Indian Telegraph Act, 1885 or section 69 of the Information Technology (Amendment) Act, 2008…"
While the reference to the "head of the authorised security agency" crops up again and again, the annexure fails to mention which these agencies are. In fact, Appendix A of the 2011 SOPs even specifies the manner in which intercepted data is to be destroyed after the requirement is over.
"For intercepts stored on computer storage media …the same shall be destroyed by grinding into finest powder possible." In fact, there are also provisions for how to deal with the outdated floppy discs which have to be mandatorily shredded or burnt! "If a hard disk becomes defective, under no circumstances should it be taken to vendors for repair/rectification".
(The views expressed are strictly personal)