A recent amendment empowering Union and state home secretaries to delete records of surveillance within six months has raised concerns among digital rights activists and transparency advocates.
The move, according to them, will not just lead to greater opacity in surveillance but also make it more difficult to trace illegality. It could even hamper the scope of Section 6(3) of the RTI Act, which seeks to provide information about events preceding an RTI application by two decades, they said.
But what was the change to the law?
In a gazette notification late Monday, the ministry of electronics and information technology issued amendments to the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules. The amendment grants power to the Union and state home secretaries to delete records of interception, monitoring, and decryption within six months. This covers electronic as well as non-electronic records.
The notification says that in rule 23 of the act, the word “security agency” will be replaced with “the competent authority and the security agency.” The competent authority here refers to Union and state home secretaries. So with the amendment, rule 23 (1) of the act should now be read as, “Every record, including electronic records pertaining to such directions for interception or monitoring or decryption of information and of intercepted or monitored or decrypted information shall be destroyed by the competent authority and security agency [in every six months, except in a case where such information is required, or likely to be required for functional requirements.”
This widening of the scope to include home ministries has raised concerns among activists, especially considering the recent alerts from Apple that state-sponsored attackers might be targeting iPhones, and evidence of Pegasus on the phones of several journalists and opposition leaders.
“The provision in itself shrouds the process of investigation in secrecy. Lack of transparency entails rampant e-surveillance which potentially infringes one’s fundamental rights without any checks and balances,” said Radhiya Roy, litigation counsel at Internet Freedom Foundation. “Widening the ambit to include MHA and State Home Departments makes matters worse and can lead to even greater opaqueness in surveillance. It has and will continue to allow the government to evade any form of accountability.”
Record-keeping
Rule 23 (2), which deals with intermediaries, states exceptions to maintain records – in case of ongoing investigations, criminal complaints, or legal proceedings.
“Save as otherwise required for the purpose of any ongoing investigation, criminal complaint, or legal proceedings, the intermediary or person in-charge of computer resources shall destroy records pertaining to directions for interception of information within a period of two months of discontinuance of the interception or monitoring or decryption of such information and in doing so they shall maintain extreme secrecy,” it states.
But what do these records contain?
According to Mishi Chaudhary, technology lawyer and founder of Software Freedom Law Centre (SFLC), such records contain names and designations of officers to whom intercepted or monitored or decrypted information is disclosed, among other details.
“It's curious why this amendment was issued at this stage, three months before elections by a government fraught with allegations of both mass and targeted surveillance,” she said. “Section 69 requires the central government or state government to direct agencies to intercept. But there is lack of judicial scrutiny and the committees and authority are all constituted of executive members who can issue the orders and thereafter delete them leaving no trace of what was done.”
Chaudhary said that this framework essentially “enables opacity so there's no way to ascertain if the safeguards built into the process are even followed”. If an aggrieved party learns or suspects that they were under surveillance they have no way to prove in the court of law that their right to privacy was infringed, she said.
“While one would assume that the competent authority is now tasked with directing the security agency to destroy records, a bare reading of Rule 23 implies that the competent authority will be empowered to destroy records of interception, monitoring or decryption of information. It does, however, remain unclear how the hierarchy or the division of tasks will play out,” said IFF’s Roy.
Prasanna S, a lawyer at the Article 21 Trust, agreed, calling the amendment “unimaginable in a democracy that is accountable to the public”. In the case of something like Pegasus, he said, there would be no way to prove surveillance.
Amid the Pegasus snooping row in 2021, the government had said that it did not maintain records of telephone interceptions conducted under the existing laws and regularly destroyed records of lawful interceptions.
In 2018, the MHA had authorised 10 security and intelligence agencies to intercept, monitor and decrypt information under Section 69 of the IT Act, and also required them to destroy those records within six months as per the 2009 Rules. These ten agencies are: Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Research and Analysis Wing/Cabinet Secretariat, Directorate of Signal Intelligence, and the Delhi Police Commissioner.
The other aspect to MeitY’s order says that all computer resources used by the National Investigation Agency for its information and office management system must be protected as “critical information infrastructure” under Section 70 of the Information Technology Act, 2000.
Whistleblowers and impact on RTI
“Everything will be destroyed, and the only way we would get to know is through whistleblowers. But the Whistleblowers Protection Act is not operational, despite being introduced a decade ago. So effectively, it's a measure to cover any illegality,” said Prasanna S.
The Whistleblowers Protection Act was passed in 2014 after protests by RTI activists. An amendment bill to the act was brought in, which experts criticised for “diluting several key provisions of the law”.
Section 6(3) of the RTI Act meanwhile says that any information relating to any occurrence, event, or matter which has taken place, occurred, or happened 20 years before the date on which any request is made shall be provided to any person making a request under that section.
In this context, the amendment will leave no room to retrieve even past information.
“The amendment is trying to legally destroy evidence that can be used potentially for any future investigations,” said Srinivas Kodali, an independent researcher working on data, governance, and the internet. “Of all the existing 10 agencies that delete records too, each department uses it in different scenarios. Each has oversight mechanisms, it does not apply to them universally. So while it administratively looks like the same powers, each agency functions differently.”
Roy, meanwhile, added that the IFF has been seeking statistical data regarding the number of e-surveillance orders issued under Section 69 of the IT Act since 2018, but had yet to receive a response to the same.
“If they are not willing to provide even the statistical data, one can only guess what the actual order contains,” she said.
This report was republished from Newslaundry as part of The News Minute-Newslaundry alliance. Read more about our partnership here.