AnalysisCriminal LawLaw and TechnologyRight to PrivacyThe Leaflet Debate

THE LEAFLET DEBATE: Is MHA order a ‘licence to snoop’?

and ·
Home
Analysis

[dropcap]A[/dropcap] look at social media trends and hashtags suggests that an Orwellian state or a police state has been unleashed by Ministry of Home Affairs (MHA). The Leaflet published a legal analytical piece ringing alarm bells.

This current piece is an endeavour to examine the MHA Order dated December 20, 2018 solely from the point of view of law and understand if it poses any reasonable threat. To this end, it shall touch upon the provisions of Information Technology Act, 2000 (IT Act) and Rule 4 of Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (IT Rules), which are of relevance in the context of MHA order.

The MHA order has been issued by Cyber and Information Security Division of the Ministry of Home Affairs. Broadly speaking, some of the responsibilities discharged by MHA are as under:

  1. Internal security
  2. Border management
  3. Centre-State relations
  4. Administration of Union Territories
  5. Management of Central Armed Police Forces
  6. Disaster management

Though in terms of Entries 1 and 2 of List II – ‘State List’ – in the Seventh Schedule to the Constitution of India, ‘public order’ and ‘police’ are the responsibilities of States, Article 355 of the Constitution enjoins the Central Government to protect every State against external aggression and internal disturbance and to ensure that the Government of every State is carried on in accordance with the provisions of the Constitution.

In pursuance of these obligations, MHA continuously monitors the internal security situation, issues appropriate advisories, shares intelligence inputs, extends manpower and financial support, guidance and expertise to the State Governments for maintenance of security, peace and harmony without encroaching upon the constitutional rights of the States.

Upon a bare perusal of MHA order, it transpires that:

  • It authorises 10 Security and Intelligence Agencies for the purposes of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource under IT Act.
  • Furthermore, MHA order makes it clear that, such authorisation has been granted in exercise of the powers conferred by Section 69(1) of IT Act read with Rule 4 of IT Rules.

 

Also read: The curious case of a cryptic notification: MHA’s mass snoop diktat is not only unconstitutional, but contrary to IT Safeguard Rules, 2009

Analysis of Section 69(1) of IT Act

 

While adverting to Section 69(1) of IT Act, one is bound to observe the heading i.e.,   “Power to issue directions for interception or monitoring or decryption of any information through any computer resource”. The language used in this heading makes it appear as though Section 69(1) of IT Act confers an indiscriminate power to issue directions for interception or monitoring or decryption of any information through any computer resource.

However, if we were to dissect Section 69(1) of IT Act, the following would emerge:

  1. The Central Government or a State Government or any of its officers especially authorised by the Central Government or a State Government, as the case may be, should be satisfied that:
  2. It is necessary or expedient to direct any agency of the Central Government or a State Government, as the case may be, to intercept, monitor, or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.
  3. Such satisfaction should be:
  4. In the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States; or
  5. public order; or
  6. for preventing incitement to the commission of any cognizable offence relating to the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order; or
  7. for investigation of any offence,
  8. In the event that there is satisfaction as detailed above:
  9. The Central Government or a State Government or any of its officers specially authorised by the Central Government or a State Government, as the case may be, may direct any agency of the Central Government or the State Government respectively to intercept, monitor, or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.
  10. The above act of directing is subject to the provisions of Section 69(2) of IT Act and for reasons to be recorded in writing by order.

Analysis of Section 69(2) of IT Act

 

  1. The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.

Analysis of Rule 4 of IT Rules

 

  1. The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, are contained in Rule 4 of IT Rules.
  2. The heading of Rule 4 of IT Rules is “Authorisation of agency of Government”. The said provision mandates that, the competent authority may authorise an agency of the Central Government or a State Government, as the case may be, to intercept, monitor or decrypt information generated, transmitted, received or stored in any computer resource for the purpose specified in Section 69(1) of IT Act.
  3. Section 2(d) of IT Rules defines ‘competent authority’ as the Secretary in MHA, in case of the Central Government or the Secretary in charge of the Home Department, in case of a State Government or Union Territory, as the case may be.

 

 

Considering the elaborate scheme of Sections 69(1) of IT Act, 69(2) of IT Act and Rule 4 of IT Rules, even a cursory glance at MHA order would reveal that, MHA order is merely an authorisation and not a direction. It follows as a logical corollary that, the 10 agencies which have been authorised, cannot, merely based on MHA order, intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted or received or stored in any computer resource; at least legally.

An endeavour to examine MHA order, solely from the point of view of law and understand if it poses any reasonable threat, would be rendered incomplete if it does not refer to Rule 3 of IT Rules.

 

Analysis of Rule 3 of IT Rules

 

In fact, Rule 3 of IT Rules prescribes an elaborate procedure for interception or monitoring or decryption of any information. Evidently, MHA Order is not one under Rule 3 of IT Rules.The heading of Rule 3 of IT Rules is “Directions for interception or monitoring or decryption of any information”. Pertinently, Rule 3 of IT Rules, in as many words, stipulates that, no person shall carry out the interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under Section 69(2) of IT Act, except by an order issued by the competent authority.

However, Rule 3 of IT Rules envisages the following exceptions.

  1. In an unavoidable circumstances (sic):
  2. An officer, not below the rank of the Joint Secretary to the Government of India, who has been duly authorised by the competent authority, may issue an order to carry out the interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under Section 69(2) of IT Act.
  3. In a case of emergency:
  4. in remote areas, where obtaining of prior directions for interception or monitoring or decryption of information is not feasible, the interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource may be carried out with the prior approval of the Head or the second senior most officer of the security and law enforcement agency at the Central level and the officer authorised in this behalf, not below the rank of the Inspector General of Police or an officer of equivalent rank, at the State or Union Territory level.
  5. For operational reasons, where obtaining of prior directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource is not feasible, then also, the interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource may be carried out with the prior approval of the Head or the second senior most officer of the security and law enforcement agency at the Central level and the officer authorised in this behalf, not below the rank of the Inspector General of Police or an officer of equivalent rank, at the State or Union Territory level.

It would not be out of place to mention that, furthermore, in case of emergency:

  1. The officer, who approved such interception or monitoring or decryption of information in case of emergency, shall inform in writing to the competent authority about the emergency and of such interception or monitoring or decryption within 3 working days; and
  2. obtain the approval of the competent authority thereon within a period of 7 working days.
  3. If the approval of competent authority is not obtained within the said period of 7 working days, such interception or monitoring or decryption shall cease and the information shall not be intercepted or monitored or decrypted thereafter without the prior approval of the competent authority.

Conclusion

 

A strict legal analysis seems to indicate that, the paranoia surrounding MHA order as to installation of an Orwellian state or a police state by MHA, seems to be premature and unfair, at least at this stage. In fact, MHA has issued a press release dated December 21, 2018, titled ‘Some points on Lawful interception or monitoring or decryption of information through computer resource’, wherein, MHA has spelt out the ways in which MHA order will help. IT Rules are in force since 2009. However, MHA Order has been issued only now, much against the popular opinion, which, in all likelihood, shall raise eyebrows. The same does not necessarily make MHA order bad in law, as it has been issued very much within the four corners of IT Act and IT Rules, as they stand today.

 

Mayank Sapra and Arjun Natarajan, are Delhi-based advocates. The views expressed in this piece are personal.

[Full Disclosure: Mayank Sapra has appeared against the Union of India and various State agencies in several matters including the challenge to the vires of the Aadhaar Act. Arjun Natarajan has been advising and representing Telecom Regulatory Authority of India, since January 2018.]

© 2021 The Leaflet