A notification issued by the Union Ministry of Home Affairs on Thursday allowing ten agencies to intercept, monitor and decrypt any information generated from any computer poses a grave threat to the fundamental right to privacy, said lawyers and cyber security experts.

The notification led to a political storm on Friday and criticism from the Opposition forced Parliament to be adjourned. However, Union Finance Minister Arun Jaitley accused the Opposition of “making a mountain where a molehill does not exist”. The government on Friday issued a clarification stating that the directive does not confer any new powers on it and has the legal backing of the Information Technology Act.

Experts agreed that Thursday’s notification lists powers already available to the authorities in the Information Technology Act 2000. The legal provisions to allow interception were introduced in 2008 by the Congress-led United Progressive Alliance government. However, with the fresh directive, experts said that the Bharatiya Janata Party-led government seems to be trying to formalise surveillance through the interception of computer information, they said.

“It is true that such [interception] powers already existed,” said Pavan Duggal, a lawyer with expertise in cyber security. “But neither any such formal directives were issued which I know of, nor any agency were specifically notified to have those powers.”

Privacy test

The Information Technology Act 2000 was amended in 2008 to allow to the monitoring and interception of computer information, while the rules under which this would operate were promulgated in 2009. In 2017, the Supreme Court delivered a judgment establishing privacy as a fundamental right. The legal foundation of the computer interception directive could be still be challenged in court because it has not yet been considered in light of the privacy judgment, said Duggal. “It is now a matter of Constitutional validity,” he said

Thursday’s notification lists the agencies authorised to intercept, monitor and decrypt computer data: the Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Cabinet Secretariat (RAW), Directorate of Signal Intelligence (for service areas of Jammu and Kashmir, North East and Assam) and the Commissioner of Police, Delhi. The Act provides a jail term of seven years for anyone who refuses to cooperate with these agencies.

On Friday, experts questioned whether a notification listing the 10 agencies had actually been issued earlier, as the Centre claimed.

“It is a fresh notification,” said Apar Gupta, a lawyer who specialises in technology and media issues. “With this, interception of computers has received formal acceptance in the public domain and it can have serious implications on privacy.”

Senior officials of the Delhi Police also said this appeared to be a fresh order. Asked if this meant that the agencies would not need to ask for authorisation in every case since a blanket order has been issued, the officials said that this still needs to be clarified.

Lacking proportionality

The order has raised questions about the validity of the cases of interception of computer information conducted by the state police and other security agencies between 2009 (the year the interception rules were promulgated) and 2018 (the year the notification has been issued), Pranesh Prakash, co-founder of the Centre for Internet and Society.

One possibility, he said, may be that they were all unlawful.

But if they were indeed conducted with legal backing, Prakash said, then permission for this would been sanctioned in the form of an order by a competent authority. This is what Rule 3 of the interception rules mandate. But if so, Rule 4, which deals with the government authorising agencies to conduct such interceptions, is redundant. “How can it not be when any state police or other agency is capable of acquiring an order for interception under Rule 3?” he said

Besides, Prakash said, the new directive does not pass the test of proportionality.

In 2007, the Central government introduced rules to amend the Indian Telegraph Act 1951 to allow for information to be intercepted, Prakash said. However, the rules say that the competent authority should resort to interception only after considering all alternative means to acquire information. Thursday’s directive, though, is silent about the circumstances in which interception will be permitted, he said.