Concern for
Privacy Rights Vs National Security
The first version of the amendments to
ITA 2000 culminating in the passing of the Information Technology
Amendment act 2008 on Dec 22/23 in the Indian Parliament was the
recommendation of the "Expert Committee" (ITAA 2005). Published on
August 29, 2005, it created a huge backlash amongst those who were
concerned about Cyber Crimes. Naavi was in the forefront of a volatile
campaign against the proposals in very strong terms. The toned down
version which was introduced as the next version of the proposed
amendments was Information Technology Amendment bill 2006 (ITAA 2006).
While ITAA 2006 was an improvement over ITAA 2005 and had
removed some ridiculous suggestions contained there in, it continued
to be heavily slanted in favour of Intermediaries and ignored the
needs of the Police and National Security. The timely intervention of
the Parliamentary Standing Committee seems to have worked wonders and
the slant in the final version (ITA 2008) now passed by the Parliament
has swung drastically to the other extreme where sweeping powers have
been provided for Interception, Monitoring, Blocking of websites etc.
This has naturally raised some criticisms from the Privacy supporters
and this article tries to analyse the provisions of ITA 2008 in this
regard. ..... Naavi
Comments of Naavi on the Amendments Proposed to
ITA-2000 vide ITAA 2008 Regarding Privacy Concerns
(This is Part II of
the article: Part I,
Part III)
The First step in "Infringement in Privacy Protection" is the curtailment of
the existing rights. In ITA 2008 we may therefore explore such sections
where there are provisions that may infringe the Privacy of a person.
In ITA 2008, there are three sections 69, 69
A and 69 B which have evoked wide protests as attempts to impose censorship
on Internet.
Section 69
States as follows:
69: Powers to issue directions for interception or monitoring or
decryption of any information through any computer resource
(1) Where the central Government
or a State Government or any of its officer specially authorized by the Central
Government or the State Government, as the case may be, in this behalf may, if satisfied that it
is necessary or expedient to do in the interest of the sovereignty or integrity
of India, defense of India, security of the State, friendly relations with
foreign States or public order or for preventing incitement to the commission of
any cognizable offence relating to above or for investigation of any offence, it
may, subject to the provisions of sub-section (2), for reasons to be recorded in
writing, by order, direct any agency of the appropriate Government to intercept, monitor or
decrypt or cause to be intercepted or monitored or decrypted any
information
transmitted received or stored through any computer resource.
(2) The
Procedure and safeguards subject to which such interception or monitoring or
decryption may be carried out, shall be such as may be prescribed
(3) The subscriber or intermediary or any person in charge
of the computer resource shall, when called upon by any agency which has been
directed under sub section (1), extend all facilities and technical assistance
to -
(a) provide access to
or secure access to the computer resource
generating, transmitting, receiving or storing such
information; or
(b) intercept or monitor or decrypt the
information, as the case may be;
or
(c) provide information stored in
computer resource.
4) The subscriber or intermediary or any person who fails to assist the agency
referred to in sub-section (3) shall be punished with an imprisonment for a term
which may extend to seven years and shall also be liable
to fine.
This section provides the powers to a
notified agency to order interception, monitoring or decryption of
information which may be with a Cyber Cafe, a Mobile Company (including
Blackberry) or even a private Company or person if the designated person
can justify the requirement. The reasons could be in the interests of the
security of the nation or even to prevent commission of any
"Cognizable" offence. The word "cognizable" here should be interpreted as
being applicable to not only ITA 2008 but also to IPC or other
statutes.(though a clarification on this should have been provided)
We may note that the section itself mandates that the reasons for invoking
the powers under this section should be "recorded in writing". Further
procedures and safeguards subject to which such blocking may be
carried out needs to be prescribed.
Any persons who fails to comply with the order of a
designated agency or to provide assistance under the above section may be
liable to face an imprisonment term of 7 years.
Section 69 A States as follows:
69 A: Power to issue directions for blocking for public
access of any information through any computer resource
(1) Where the Central Government or any of its
officer specially authorized by it in this behalf is satisfied that it is
necessary or expedient so to do in the interest of sovereignty and integrity of
India, defense of India, security of the State, friendly relations with foreign
states or public order or for preventing incitement to the commission of any
cognizable offence relating to above, it may subject to the provisions of
sub-sections (2) for reasons to be recorded in writing, by order direct any
agency of the Government or intermediary to block access by the public or
cause
to be blocked for access by public any information generated, transmitted,
received, stored or hosted in any computer resource.
(2) The procedure and safeguards subject to which such
blocking for access by the public may be carried out shall be such as may be
prescribed.
(3) The intermediary who fails to comply with the
direction issued under sub-section (1) shall be punished with an imprisonment
for a term which may extend to seven years and also be liable to fine.
(4) The subscriber or intermediary or any person who fails to assist the agency
referred to in sub-section (3) shall be punished with an imprisonment for a term
which may extend to seven years and shall also be liable
to fine.
This section provides the powers to a notified agency to
order blocking of websites which may contain information that is inimical to
the interests of the Country or may incite commission of any "Cognizable"
offence. The word "cognizable" here should be interpreted as being
applicable to not only ITA 2008 but also to IPC or other statutes.
We may note that the section itself mandates that the reasons for blocking
should be "recorded in writing". Further procedures and safeguards subject
to which such blocking may be carried out needs to be prescribed.
Any "Intermediary" who fails to comply with the order of
a designated agency or to provide assistance under the above section may be
liable to face an imprisonment term of 7 years.
Section 69
(B) States as under:
69 B: Power to authorize to monitor and collect traffic
data or information through any computer resource for Cyber Security
(1) The Central Government may, to enhance Cyber
Security and for identification, analysis and prevention of any intrusion or
spread of computer contaminant in the country, by notification in the official
Gazette, authorize any agency of the Government to monitor and collect traffic
data or information generated, transmitted, received or stored in any computer
resource.
(2) The Intermediary or any person in-charge of
the Computer resource shall when called upon by the agency which has been
authorized under sub-section (1), provide technical assistance and
extend all facilities to such agency to enable online access or to secure and
provide online access to the computer resource generating , transmitting,
receiving or storing such traffic data or information.
(3) The procedure and safeguards for monitoring
and collecting traffic data or information, shall be such as may be
prescribed.
(4) Any intermediary who intentionally or
knowingly contravenes the provisions of sub-section (2) shall be punished with
an imprisonment for a term which may extend to three years and shall also be
liable to fine.
Explanation: For the purposes of this section,
(i) "Computer Contaminant" shall have the meaning
assigned to it in section 43
(ii) "traffic data" means any data identifying or
purporting to identify any person, computer system or computer network or
location to or from which the communication is or may be transmitted and
includes communications origin, destination, route, time, date, size, duration
or type of underlying service or any other information.
This section empowers the Government to monitor
information with the ISPs and Mobile Service Providers (MSPs) such as the IP
address, IMEI number, etc. Imprisonment for violation under this section is
3 years.
There is no doubt that the above three sections
confer enormous powers to monitor, block or access personal data and could
lead to privacy concerns. However, looked at from the requirements of the
security agencies confronting terrorism and information wars in cyber space,
one cannot deny the requirements of the security agencies. After the Mumbai
terrorist attacks, many are asking the Government why our police are given
only .303 rifles while the terrorists use AK 47 and why our "Bullet Proof"
jackets could be easily pierced by the bullets of the terrorists. They have
vociferously advocated upgradation of the security equipments used by the
Police. Similar logic should be applied even in Cyber Space to ensure that
our Cyber Policing is effective.
We need not take objection to the fact that the sections
confer powers not only when national security interests are threatened but
also when "Cognizable Offences" are committed. The reason is that the
dividing line between "Cyber Crime" and "Cyber Terrorism" is very thin. For
example, a series of "Phishing Offences" may actually be part of a Cyber
Terrorist's plan to 'Destabilize the economy". Hence we cannot control Cyber
Terrorism or Cyber Wars without controlling Cyber Crimes. Hence the powers
conferred by the sections are considered essential though the risk of abuse
is very real and needs to be addressed.
There would
however be an obvious question about how an Intermediary or any other person
would be compensated for any misuse of the powers under this section and
what would be the procedure for disputing the order of the agency meant to
exercise the powers under Sections 69, 69A and 69 B.
We
need to note that these sections donot automatically provide powers to the
Police. They vest the powers with an agency to be designated. It is however
possible that in the notification, Police may be designated as one of the
agencies. But there is an option available to the Government to deposit the
powers under these sections with a different agency other than the Police.
However it would be necessary to vest some authority with the Police for
collection of data such as IP address etc from Intermediaries. Hence there
has to be some mechanism where the required freedom is provided to the
Police without providng scope for abuse.
Naavi.org
therefore suggests setting up of an agency which may be called the "National
Netizen's Rights Commission" and could be developed on the lines of the NHRC.
Alternatively, a "Privacy Advisory Group" can be set up to advice the
officer of the Government otherwise authorized for the purpose of
interception etc consisting of private individual of repute which should
monitor the activities of the monitoring agency.
(This is Part II of
the article: Part I,
Part III)
Naavi
December 30, 2008
Related Article:
Why USPATRIOT ACT is Required in India-2
Why US PATRIOT Act is required in India? ..1
Unified approach key to National Cyber security
IT Act Amendments and Cyber Terrorism
5 Key Steps to Cyber Security
National
Seminar on Privacy Rights and Data Protection in Cyber Space
Other Articles on ITA 2008