-->

A blog about technology

Wednesday, 2 January 2019

Government surveillance order raises 'power of attorney' question

The way the central notification on digital surveillance has been drafted has fuelled suspicion that it is aimed at granting “power-of-attorney-type” authority to 10 government agencies to intercept and decrypt information from any computer.
A power of attorney empowers a representative to act on behalf of the principal. In the context of the notification issued by the Union home ministry on Thursday, the fear is that the power of the competent authority (in this case, the Union home secretary) to clear surveillance has been delegated to the agencies instead of the prescribed policy of giving approval on a case-by-case basis.
The apprehension stems from the choice of a rule mentioned in the notification and the omission of another.
The notification mentions Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. In the typically impenetrable manner in which notifications are drafted in the country, the document gazetted on Thursday does not mention what Rule 4 says, for which the citizens are expected to undertake their own research.
According to a gazette notification on October 27, 2009, Rule 4 says: “The competent authority may authorise an agency of the government to intercept, monitor or decrypt information generated, transmitted, received or stored in any computer resource for the purpose specified in sub-section (1) of Section 69 of the Act (the Information Technology Act, 2000).” (A detour to the law itself will show that sub-section (1) lists the offences that can justify surveillance.)
Thursday’s notification does not mention any other rule — and at least one omission stands out. Rule 3, which precedes Rule 4, details “directions for interception or monitoring or decryption of any information”. It says “no person shall carry out the interception or monitoring or decryption of any information” in any computer “except by an order issued by the competent authority”. Rule 3 then lists in detail the procedure to be followed in case of emergencies or unavoidable circumstances.
None of the provisions in Rule 3 is mentioned in Thursday’s notification.
When controversy broke on Friday, the Union home ministry issued a media release to insist that each case of interception, monitoring or decryption needs to be approved by the Union home secretary. The ministry added that all cases for interception, monitoring, or decryption are to be placed before a review committee headed by the cabinet secretary or by a committee headed by the state chief secretary.
But Raman Jit Singh Chima, a privacy rights lawyer, said: “The press release has zero legal value — the notification is akin to a power-of-attorney document that delegates the authority to the agencies.”
Chima, policy director for AccessNow, an organisation campaigning for digital rights, added: “Without an addendum to the notification specifying the requirement to seek approval, this move confers massive powers on the agencies.”
Thursday’s notification authorises the Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Research and Analysis Wing, the Directorate of Signal Intelligence and the Delhi police commissioner to intercept and decrypt information on computers.
Chima, with other cyber law and security specialists, also highlighted that the validity of the 2009 rules that the notification has cited can be questioned in the light of a Supreme Court judgment of 2017 that held privacy as a fundamental right.
The August 2017 verdict, Chima said, raised the bar for any intrusion of privacy through interception by referring to requirements for tests for “necessity and proportionality”, implying that agencies wishing to intercept information should establish the need and its criticality.
But a veteran investigative officer felt that the notification might help streamline the process.
Shantanu Sen, a former CBI joint director, said such delegation of authority could be viewed as “making governance simpler”.
He said that seeking approval each time through the home secretary could sometimes delay critical interceptions by hours or even days.
“We’ve been doing interception for years as part of our work; we had to create dossiers and seek approvals,” he said.
“The agencies are headed by senior officers — secretary-level officers of the government. It is possible that the agencies have earned the trust of the government.”
About the controversy, Sen said it was “understandable”.
“There are suspicions that this authority might be misused — so it is perfectly legitimate for Opposition parties and others fearful of being victimised to seek safeguards.”
In a reply to Parliament in February 2014, the home ministry had listed the same nine agencies, Delhi police and the state directors-general of police as those authorised to intercept communications under The Indian Telegraph (Amendment) Rules 2007.
The ministry had told Parliament that it had issued standard operating procedures to the agencies for “interception, handling, use, sharing, copying, storage and destruction of records”, and that the telecom department had issued “standard operating procedures” for “lawful interception” of communication.
The reply made a significant acknowledgement: “Incidents of physical/ electronic surveillance in the states of Gujarat and Himachal Pradesh, and the National Capital Territory of Delhi, allegedly without authorisation have been reported.”
There is a difference between the government’s 2014 Parliament reply and its notification on Thursday, Chima said.
“The ministry was free to incorporate exactly the same approach and a flag to the safeguards when it issued this current notification — but it did not do so,” Chima said.
He said the 2014 answer showed that the ministry was aware of the widespread concern about potentially unauthorised surveillance.
“The current notification delegating competency to several agencies without ensuring proper oversight is even more concerning,” Chima said. “The previous system was officially indicated as problematic — and this notification makes it worse.” 

No comments:

Post a Comment