Do you think someone is looking over your shoulder as you type an email, buy grocery or fill a simple raffle for that fair you visited with your child? As you give information to medical health providers or banks or airlines, do you get the feeling you are being monitored? Sounds like the conspiracy theory to beat all urban legends. Read on…
In India the right to privacy debate on monitoring of communications was addressed by the Hon’ble Supreme Court of India in the PUCL case. This case dealt with the issues of telephone tapping and guidelines were prescribed on the procedure for issuing telephone tapping orders. These guidelines were adhered to while substituting Rule 419 A of the Indian Telegraph Rules, 1951 in March 2007. Thereafter, these guidelines were incorporated by the Government in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 that prescribed the procedure to be followed while issuing orders for monitoring information on the Internet.
However, we see attempts being made by the Government to bye-pass these safeguards by means of a loop-hole in the Information Technology Act, 2000 (IT Act) and the rules notified in 2011 under the IT Act. To unravel this Gordian knot we need to refer to Section 28 of the IT Act. Under this section, the Controller of Certifying Authority (CCA) is empowered to investigate contraventions of the provisions of the IT Act. This power becomes potent when seen in the light of the Information Technology (Reasonable security practises and procedures and sensitive personal data or information) Rules 2011. When Section 28 is read with the proviso of Rule 6 of the aforementioned Rules: it essentially translates into the CCA having the power to obtain information, including sensitive personal information, from any company or body corporate, albeit at the request of government agencies. This power to obtain information from intermediaries is again explicitly provided under sub-rule (7) of Rule 3 of the the Information Technology (Intermediaries guidelines) Rules, 2011.
A reasonable reading of the title of Chapter VI of the IT Act (under which the subject of the Regulation of the CCA is dealt with ) seems to convey that this is an authority that deals with the Licensing of Certifying authorities that grant Electronic Signature Certificates. Until, of course, you read Section 28. Even then it does not amount to much until you dig further into the various rules that have been passed under the IT Act. So the question that comes up is: how can the government seek to deprive us of our right to privacy as simply as this. We have been asking this over and over again. These rules are made by the executive. They are made to help in the smoother functioning of any act of the parliament. However, at least, in the case of the IT Act they definitively override the mandate provided by the legislature. And so today the government agencies can seek any information regarding any person from a body corporate by sending a request to the CCA . The body has to oblige the CCA or face a stiff penalty. This incidentally is in violation of the law laid down by the Supreme Court of India on the right to privacy. It means any data belonging to you and me can be accessed by the CCA and in turn the government agencies.
So what happens if the body corporates refuse? Under Section 44 ( A) of the IT Act they can be slapped with asteep fine just as Yahoo India was. At the time of writing this blog, the case is sub-judice and hence it will be difficult to comment, but we at sflc.in wanted to find out more.
On January 10 2012 we sent an RTI to the Office of the Controller of Certifying Authority. We specifically requested for the following information:
- Number of requests received in the last three years, by the CCA from government agencies like the Intelligence Bureau , Ministry Of Home Affairs etc.
- Number of notices issued by the CCA under Section 28 of the IT Act in the last 3 years.
- Names of the recipients of notices under Section 28.
- Names of body corporates on whom a fine under Section 44 (A) has been imposed.
- Information on the methodology of scrutiny of requests from government agencies. Any rules or guidelines regarding the same.
We received areply to this RTI vide a letter dated February 8, 2012. We were told in this reply that as far as questions 1, 2 and 3 were concerned the CCA needed permission from the concerned government agencies to disclose this information . Further the response of the government agencies concerned was awaited. In response to question no. 4 we have been informed that only Yahoo India has been fined under Section 44 (A) of the IT Act. Question no.5 has elicited the response that matter concerning our query is in a confidential file and hence cannot be disclosed.
Further on March 2, 2012we received another reply to our RTI application whereby we were informed that as the CCA had sought approval from the concerned agency they could give us further information. This reply revealed that 73 ( seventy three ) notices were issued by the CCA under section 28 of the I.T. Act, in the last three years. This reply also informed us that notices have been issued to Yahoo India, Google, AOL, Facebook, Orkut and Hotmail.
While we at sflc.in shall follow the procedures provided by the Right to Information Act to find out more and dig a little deeper, it does surprise us that the CCA does not think that it is bound even by the Right to Information Act to disclose or refuse disclosure of information. Either that or our questions have made them uncomfortable and they have replied in the vaguest possible manner.
But if names like Yahoo, Google, Facebook, Orkut , Hotmail or AOL sounds familiar then we suggest you reread what is said above.