Let's Build a Responsible Cyber Society

Visit
www.ceac.in


Visit
www.arbitration.in

Concern for Privacy Rights Vs National Security

The first version of the amendments to ITA 2000 culminating in the passing of the Information Technology Amendment act 2008 on Dec 22/23 in the Indian Parliament was the recommendation of the "Expert Committee" (ITAA 2005). Published on August 29, 2005, it created a huge backlash amongst those who were concerned about Cyber Crimes. Naavi was in the forefront of a volatile campaign against the proposals in very strong terms. The toned down version which was introduced as the next version of the proposed amendments was Information Technology Amendment bill 2006 (ITAA 2006). While ITAA 2006  was an improvement over ITAA 2005 and had removed some ridiculous suggestions contained there in, it continued to be heavily slanted in favour of Intermediaries and ignored the needs of the Police and National Security. The timely intervention of the Parliamentary Standing Committee seems to have worked wonders and the slant in the final version (ITA 2008) now passed by the Parliament has swung drastically to the other extreme where sweeping powers have been provided for Interception, Monitoring, Blocking of websites etc. This has naturally raised some criticisms from the Privacy supporters and this article tries to analyse the provisions of ITA 2008 in this regard. ..... Naavi

Comments of Naavi on the Amendments Proposed to ITA-2000 vide ITAA 2008 Regarding Privacy Concerns

(This is Part II of the article: Part I, Part III)

The First step in "Infringement in Privacy Protection" is the curtailment of the existing rights. In ITA 2008 we may therefore explore such sections where there are provisions that may infringe the Privacy of a person.

In ITA 2008, there are three sections 69, 69 A and 69 B which have evoked wide protests as attempts to impose censorship on Internet.

Section 69 States as follows:

69: Powers to issue directions for interception or monitoring or decryption of any information  through any computer resource

(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if  satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.

(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed

(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to -

(a) provide access to or secure access to the computer resource  generating, transmitting, receiving or storing such information; or

(b) intercept or monitor or decrypt the information, as the case may be; or

(c)  provide information stored  in computer resource.

4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.

This section provides the powers to a notified agency to order interception, monitoring or decryption of information which may be with a Cyber Cafe, a Mobile Company (including Blackberry) or even a private Company or person if the designated person can justify the requirement. The reasons could be in the interests of the security of the nation or even to prevent  commission of any "Cognizable" offence. The word "cognizable" here should be interpreted as being applicable to not only ITA 2008 but also to IPC or other statutes.(though a clarification on this should have been provided)

We may note that the section itself mandates that the reasons for invoking the powers under this section should be "recorded in writing". Further procedures and safeguards subject to which such blocking may be  carried out needs to be prescribed.

Any persons who fails to comply with the order of a designated agency or to provide assistance under the above section may be liable to face an imprisonment term of 7 years.

Section 69 A  States as follows: 

69 A: Power to issue directions for blocking for public access of any information through any computer resource

(1) Where the Central Government or any of its officer specially authorized by it in this behalf is satisfied that it is necessary or expedient so to do in the interest of sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-sections (2) for reasons to be recorded in writing, by order direct any agency of the Government or intermediary to block access by the public or cause to be blocked for access by public any information generated, transmitted, received, stored or hosted in any computer resource.

(2) The procedure and safeguards subject to which such blocking for access by the public may be carried out shall be such as may be prescribed.

(3) The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.

(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.

This section provides the powers to a notified agency to order blocking of websites which may contain information that is inimical to the interests of the Country or may incite commission of any "Cognizable" offence. The word "cognizable" here should be interpreted as being applicable to not only ITA 2008 but also to IPC or other statutes.

We may note that the section itself mandates that the reasons for blocking should be "recorded in writing". Further procedures and safeguards subject to which such blocking may be  carried out needs to be prescribed.

Any "Intermediary" who fails to comply with the order of a designated agency or to provide assistance under the above section may be liable to face an imprisonment term of 7 years.

Section 69 (B) States as under:

69 B: Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security

(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.

(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized  under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating , transmitting, receiving or storing such traffic data or information.

(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.

(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Explanation: For the purposes of this section,

(i) "Computer Contaminant" shall have the meaning assigned to it in section 43

(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.

This section empowers the Government to monitor information with the ISPs and Mobile Service Providers (MSPs) such as the IP address, IMEI number, etc. Imprisonment for violation under this section is 3 years.

There is no doubt that the above three sections confer enormous powers to monitor, block or access personal data and could lead to privacy concerns. However, looked at from the requirements of the security agencies confronting terrorism and information wars in cyber space, one cannot deny the requirements of the security agencies. After the Mumbai terrorist attacks, many are asking the Government why our police are given only .303 rifles while the terrorists use AK 47 and why our "Bullet Proof" jackets could be easily pierced by the bullets of the terrorists. They have vociferously advocated upgradation of the security equipments used by the Police. Similar logic should be applied even in Cyber Space to ensure that our Cyber Policing is effective.

We need not take objection to the fact that the sections confer powers not only when national security interests are threatened but also when "Cognizable Offences" are committed. The reason is that the dividing line between "Cyber Crime" and "Cyber Terrorism" is very thin. For example, a series of "Phishing Offences" may actually be part of a Cyber Terrorist's plan to 'Destabilize the economy". Hence we cannot control Cyber Terrorism or Cyber Wars without controlling Cyber Crimes. Hence the powers conferred by the sections are considered essential though the risk of abuse is very real and needs to be addressed.

There would however be an obvious question about how an Intermediary or any other person would be compensated for any misuse of the powers under this section and what would be the procedure for disputing the order of the agency meant to exercise the powers under Sections 69, 69A and 69 B.

We need to note that these sections donot automatically provide powers to the Police. They vest the powers with an agency to be designated. It is however possible that in the notification, Police may be designated as one of the agencies. But there is an option available to the Government to deposit the powers under these sections with a different agency other than the Police. However it would be necessary to vest some authority with the Police for collection of data such as IP address etc from Intermediaries. Hence there has to be some mechanism where the required freedom is provided to the Police without providng scope for abuse.

Naavi.org therefore suggests setting up of an agency which may be called the "National Netizen's Rights Commission" and could be developed on the lines of the NHRC.

Alternatively, a "Privacy Advisory Group" can be set up to advice the officer of the Government otherwise authorized for the purpose of interception etc consisting of private individual of repute which should monitor the activities of the monitoring agency.

(This is Part II of the article: Part I, Part III)

Naavi

December 30, 2008

Related Article:

Why USPATRIOT ACT is Required in India-2

Why US PATRIOT Act is required in India? ..1

Unified approach key to National Cyber security

IT Act Amendments and Cyber Terrorism

5 Key Steps to Cyber Security

National Seminar on Privacy Rights and Data Protection in Cyber Space 

Other Articles on ITA 2008

Visit
www.Naavi.net

Visit
www.lookalikes.in