The Department of Telecommunications on August 28 published draft rules to govern the interception of messages under the Telecommunications Act, 2023. They replace the legal regime under the Indian Telegraph Rules, 1951, that was notified in 2007.
As it turns out, the Telecommunications (Procedures and Safeguards for Lawful Interception of Messages) Rules, 2024, are almost exactly the same as the 1951 rules, ensuring that the procedure for intercepting phone messages under the new rules will be more or less the same.
The new rules became necessary because of the enactment in December of the Telecommunications Act, which repealed and replaced the Telegraph Act, 1885. Rules 419 and 419A of the Indian Telegraph Rules, 1951 – the subordinate legislation of the act – contained the procedure for intercepting messages under the Telegraph Act.
Scroll explains how the procedure the state must follow to intercept messages under the draft rules is almost the same and why legal experts believe the continuation of the previous regime is a “missed opportunity”. But experts added that the rules may allow over-the-top communication services such as Whatsapp to also be intercepted.
What the draft rules say
Section 20 of the Telecommunications Act allows the government to intercept phone messages to or from any person or related to any subject “[o]n the occurrence of any public emergency or in the interest of public safety”. This has been permitted on the grounds of national security and defence, the sovereignty and integrity of India, maintaining foreign relations, public order or preventing the incitement to commit any criminal offence.
These are standard legal grounds for restricting fundamental rights that are found in most other such laws in India.
Under the draft rules, the Union government can authorise specific security and law enforcement agencies to intercept messages. Under the previous legal regime, the agencies authorised to do so were the Intelligence Bureau, the Narcotics Control Bureau, the Directorate of Enforcement, the Central Board of Direct Taxes, the Directorate of Revenue Intelligence, the Central Bureau of Investigation, the National Investigation Agency and the Research and Analysis Wing.
The Directorate of Signal Intelligence in the Ministry of Defence was permitted interception for the Jammu and Kashmir and the North East and Assam service areas. Authorisation was also given to the director general of police of each state as well as, for the Delhi Metro service area, to the Delhi Police Commissioner.
The home secretary at the Union or state level or any officer of the rank of joint secretary to the union government or above can issue an interception order.
In urgent situations where obtaining such an order is not feasible, senior police officers of at least the rank of inspector general with the authorised security agency can authorise interception. However, these orders must be submitted for confirmation to home secretary within three days. If not confirmed within seven days, the interception must cease and the intercepted messages must be destroyed.
Interception orders are to be only issued when the government determines that the information cannot be acquired by other reasonable means. These orders must specify the agency responsible for the interception and detail the reasons. The orders are valid for up to 60 days, extendable to a maximum of 180 days.
The agency conducting the interception must maintain secure records of the intercepted messages and their handling, with records of both the interception order and the intercepted messages being destroyed every six months unless needed for functional reasons. The Department of Telecommunications and the telecommunication company too must destroy records related to an interception order within two months after the interception has ended.
Implementing an interception order involves nodal officers within authorised agencies, the Department of Telecommunications and telecommunication entities. These officers are responsible for handling all matters related to interception orders, ensuring confidentiality and preventing unauthorised interceptions.
A review committee, consisting of three senior government officials at both the central and state levels, shall review interception orders every two months. The committee is to ensure that the orders comply with the legal provisions and has the authority to set aside non-compliant orders and mandate the destruction of intercepted messages.
Departure from previous regime
The procedure under the draft rules is almost identical to the previous legal regime under Rules 419 and 419A of the Telegraph Rules, 1951. There are only two points of departure.
First, the 1951 rules have a penalty clause if the secrecy and confidentiality of intercepted messages is violated. In addition, telecom service providers that intercept communication without authorisation face a fine and could have their licence revoked.
This penal provision is absent in the new draft rules, as has been widely reported. However, the Telecommunications Act itself, under Section 32 and 42(2), provides for the government to impose penalties – including fines, imprisonment and suspension of the telecommunication service – for breaching the terms and conditions of the licence granted under the act or the unlawful interception of messages.
“This is sufficient to cover violations of confidentiality related to intercepted messages under the new rules,” Nikhil Narendran, technology and telecom communication lawyer and partner at Trilegal, a law firm, told Scroll.
Second, the new rules exempt the rules being applied to the “demonstration and testing of lawful interception systems and monitoring facilities” that the government may require telecommunication agencies to put in place.
The rules or the parent act do not elaborate on what “lawful interception systems and monitoring facilities” are.
‘Missed opportunity’
Legal experts to whom Scroll spoke were disappointed that the government chose to broadly reproduce the previous rules and did not introduce any provisions for independent oversight of interception orders.
“There are absolutely no safeguards introduced,” said Shruti Narayan, Asia Pacific Policy Counsel at Access Now, an international non-profit organisation that advocates for and defends digital rights. “There is no structure for any independent parliamentary or judicial oversight. As under the previous rules, the interception regime continues to remains a closed executive-controlled structure.”
She added: “This was an opportunity for the government to bring interception rules in line with where we are post the acknowledgment of the right to privacy.”
The right to privacy was acknowledged by the Supreme Court as a fundamental right by the Supreme Court in a landmark judgment in 2017.
Narendran called the draft rules a missed opportunity, citing the lack of any substantive privacy safeguards. After the Supreme Court’s 2017 judgment, “this is arguably an unconstitutional state of affairs”, he said.
Narayan referred to the Union government-constituted Committee of Experts on a Data Protection Framework for India, chaired by Justice BN Srikrishna, had in a 2018 report recommended that the government provide for meaningful oversight, outside of the executive, for its intelligence collection and interception operations.
Both Narendran and Narayan pointed out that India is the only large democracy without any judicial or legislative review of interception directions. They also noted that the periodic destruction of interception orders, mandated under the previous legal regime, has been continued under the new draft rules.
“We are completely in dark as to what kind of intelligence is gathered and whose phones are tapped,” said Narayan.
The only review mechanism under the rules is a three-member committee that would meet every two months and review interception orders. Since the Union government itself passes 9,000 interception orders every month, according to Union Home Ministry data released in 2012, the review committee would have to study at least 18,000 interception orders in each meeting.
In such a situation, it is not realistic to expect the committee to apply its mind to each order, said Narayan.
Said Narendran, “This is more of an administrative verification process than a review one.”
OTT services subject to interception?
Another concern is the wide definition of “telecommunication entity” in the draft rules. This includes “any person providing telecommunication services, or establishing, operating, maintaining, or expanding telecommunication network”, It specifically includes services that are exempt from being granted a licence under the Telecommunications Act.
The definition of “telecommunications” itself under the act is excessively broad, including “transmission, emission or reception of any messages, by wire, radio, optical or other electro-magnetic systems”, noted Narendran.
“This opens the door for even over-the-top communication services like Whatsapp, Signal, Telegram or Facebook Messenger and even IT services to be included within the ambit of the rules,” he said.
Said Narayan, “We wouldn’t even know if such online services would be covered since all information under the rules is secret.”