
All Posts | Nov 21,2019

Letter To The Standing Committee on Information Technology

Recommendations to The Parliamentary Standing Committee on Information Technology for Surveillance Reforms in lieu of WhatsApp-NSO Revelations

Recommendations sent to Dr. Shashi Tharoor, Chairperson to The Parliamentary Standing Committee on Information Technology before the meeting with representatives of Home Ministry, The Ministry of Electronics and Information Technology (MeitY), and The Department of Atomic Energy (DAE) to discuss WhatsApp-Pegasus Surveillance revelations. SFLC.IN also issued its Statement on the WhatsApp Surveillance Issue

To support our work on fighting for privacy and security online, you may donate to us at - https://sflc.in/donate.

All Posts | Nov 07,2019

FAQ on surveillance in India.

What exactly is surveillance?

The Merriam-Webster dictionary defines surveillance as “a close watch kept on someone or something”. In the context of this FAQ we use the word ‘surveillance’ to refer only to real-time surveillance conducted by Governments through telecommunication systems (namely, telephones and the Internet), though private actors may also conduct surveillance through various methods, and governments also use offline methods to conduct surveillance.

 

Is there a way that surveillance can happen offline as well?

Yes, Section 26 of the Indian Post Office Act, 1898 gives the government the power to intercept articles for the public good. The section provides that on the occurrence of a public emergency, or in the interest of public safety or tranquility, an authorized officer of either the state or the central government may, by an order in writing, intercept, detain or dispose of any kind of postal article. Sub-section (2) of the section provides that where there is uncertainty as to whether the interception, detention or disposal was done in the public interest, a certificate issued by the government will be conclusive proof. However, for the purpose of this article, we will not be diving into the details of offline surveillance.

 

Is surveillance in India legal?

Yes, as there exists a legal framework which enables the Government to conduct surveillance on the occurrence of certain circumstances. However, the surveillance has to be undertaken within the boundaries of this legal framework.

 

Which are the laws that regulate surveillance conducted by the government?

Telephones

1. The Indian Telegraph Act, 1885

  1. Section 3(1AA): Defines what a 'telegraph' is and means, “...any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual or other electro-magnetic emissions, Radio waves or Hertzian waves, galvanic, electric or magnetic means...”
  2. Section 5(2): This section is invoked to conduct surveillance over telegraph lines (as defined above), but only on the occurrence of the pre-requisite conditions of a public emergency or the interest of public safety.

2. Indian Telegraph Rules, 1951

  1. Rule 419A: This provision lays down the procedural law regarding telephone tapping. It was introduced by way of an amendment in 2007, which was necessitated by the Supreme Court's condemnation in the case People's Union for Civil Liberties v. Union of India (AIR 1997 SC 568) of the lack of procedure governing telephone tapping. The provision mandates that telephone tapping can be done only through a lawful order.
[Diagram: how a lawful order to tap telephones is procured]

Internet

Provisions dealing with Internet surveillance may be found interspersed throughout the Information Technology Act 2000 and several rules made thereunder.

1. Information Technology Act, 2000

[Diagram: differences between the grounds for interception under Section 5(2) of the Telegraph Act and Section 69B of the Information Technology Act]

 

  1. Section 69: Modeled extensively after Section 5(2) of the Telegraph Act, it allows the Government to engage in surveillance of Internet data. However, unlike Section 5(2) of the Indian Telegraph Act, 1885, there are no pre-requisite conditions for the invocation of Section 69, and its grounds are broader.
  2. Section 69B: This provision in turn deals with the surveillance of Internet metadata as compared to Internet data. Metadata is any data that gives information about other data. For example, if person A sends a message to person B, then the content of the message will be data and the data such as the time and date of sending and receiving the message, information about the devices from which the message was sent and received, profile information, etc. would be the metadata.

2. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009

These rules lay down the provision for the procedural law related to the Internet-data surveillance conducted under Section 69 of the Information Technology Act.

3. Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009

These rules lay down the provision for the procedural law related to the Internet-data surveillance conducted under Section 69B of the Information Technology Act.

Under both the above Rules, the procedure laid down is substantially similar to the procedure laid down in Rule 419A of the Indian Telegraph Rules, 1951.

In addition to these laws, license agreements between the Department of Telecommunications and telecommunications service providers, such as the Unified Access Service License (UASL), the Internet Service License (ISL), and the Unified License (UL), which incorporates the former two, also enable the government to receive assistance from telecommunication service providers in conducting surveillance. Licensees must also provide, in the interests of security, ‘suitable monitoring equipment as per the requirement of the DOT or law enforcement agencies’.

 

Are there any monitoring systems in place in India?

As per available information, the Central Monitoring System (CMS) and the National Intelligence Grid (NATGRID) are the two intelligence systems in place in India. Also, another system named Network Traffic Analysis (NETRA) was rumoured to be launched in 2014. NETRA was developed by the Centre for Artificial Intelligence and Robotics (CAIR), a lab under the Defense Research and Development Organisation (DRDO). However, not much information is available regarding the project.

In addition to such dedicated systems, state police forces also monitor social media platforms and the web. For example, the Mumbai police force monitored social media platforms to tackle fake news surrounding the Maharashtra elections and, similarly, the Uttar Pradesh police force has been put on ‘high alert’ in anticipation of the Ayodhya verdict and, as part of its vigilance, is conducting social media monitoring. However, this is not ‘backdoor’ surveillance but purely a scan and analysis of publicly available social media posts.

 

Which government agencies are involved in or carry out surveillance in India?

In a starred question raised in the Lok Sabha and answered on 11.02.2014, the agencies authorised to intercept and collect details of telephonic conversations under Section 5(2) of the Indian Telegraph Act, 1885 read with Rule 419A of the Indian Telegraph (Amendment) Rules, 2007, were listed as follows:


Central Agencies

  1. Intelligence Bureau

  2. Narcotics Control Bureau

  3. Directorate of Enforcement

  4. Central Board of Direct Taxes

  5. Directorate of Revenue Intelligence

  6. Central Bureau of Investigation

  7. National Investigation Agency

  8. Research & Analysis Wing (R&AW)

  9. Directorate of Signal Intelligence, Ministry of Defence - for Jammu & Kashmir, North East & Assam Service Areas only

State Agencies

  1. Director General of Police, of concerned state/Commissioner of Police, Delhi for Delhi Metro City Service Area only


As per the order of the Ministry of Home Affairs S.O. 6227(E) dated 20.12.2018, the following Security and Intelligence Agencies were authorised “for the purposes of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource under the Sub-section 69 (1) of the Information Technology Act, 2000 (21 of 2000) read with rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009”:

  1. Intelligence Bureau

  2. Narcotics Control Bureau

  3. Enforcement Directorate

  4. Central Board of Direct Taxes

  5. Directorate of Revenue Intelligence

  6. Central Bureau of Investigation

  7. National Investigation Agency

  8. Cabinet Secretariat (RAW)

  9. Directorate of Signal Intelligence (For service areas of Jammu & Kashmir, North-East and Assam only)

  10. Commissioner of Police, Delhi

 

 

What is the remedy available in case you suspect that you have been placed under surveillance illegally, for example in the WhatsApp-NSO scandal?

Judicial recourse is obviously the effective remedy available for negating unlawful monitoring/surveillance efforts by the Government. Illegal monitoring methods, such as the one employed in the WhatsApp-NSO spyware incident, use malicious hacking (also known as black-hat hacking) techniques, which amount to a violation of Sections 43 and 66 of the Information Technology Act, 2000; these sections ascribe liability to the perpetrator of the crime.

Section 43

Section 43 of the Information Technology Act, 2000 deals with penalties and compensation for damage to computer, computer system etc. Section 43 ascribes civil liability to anyone who causes any damage to a computer or a computer system and demands the actor to pay damages (compensation) to the affected person.

Section 66

Section 66 deals with computer related offences. If any person, dishonestly or fraudulently, does any act referred to in Section 43, he shall be punishable with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both. Section 66 ascribes criminal liability to the perpetrator of a cyber crime.

 

 

How can I approach forums for securing a remedy?

1. Approaching Cyber Cells

All state police forces have a cybercrime division or a cyber cell or a dedicated cybercrime police station established where victims of cybercrimes can file complaints in case of a malicious cyber incident. First Information Reports can be filed under S. 154 of the Criminal Procedure Code, 1973 in case you are a victim of a cyber crime such as malicious hacking.

It is advised to provide as much information as you can while filing such complaints, including information regarding application and system logs, IP addresses, relevant screenshots. It would be wise to approach a cyber security expert or a digital forensics examiner if you are unaware of how to retrieve necessary information.

2. Approaching Magistrate Courts

If, under any circumstances, the police officer/cell refuses to receive or investigate your complaint, recourse may be taken by approaching the Magistrate court under Section 156(3) read with Section 190 of the Criminal Procedure Code, 1973, by filing a private complaint and seeking a direction to the police station concerned to investigate the matter (called a ‘forwarding petition’).

3. Approaching the High Courts

If you suspect that you are being placed under surveillance through an illegal order in contravention of Section 5(2) of the Indian Telegraph Act, 1885 and Rule 419A of the Indian Telegraph Rules, 1951, or under Section 69 of the Information Technology Act, 2000, you can approach the appropriate state High Court under Article 226 of the Constitution of India, invoking the ‘writ’ jurisdiction of the High Court, to quash the illegal surveillance order and also seek exemplary compensation. It is advisable to obtain relevant information regarding the surveillance order by filing RTI applications.

If you suspect that you are a victim of the WhatsApp-NSO Spyware row, then you can approach the High Court if your name has been revealed in any list released by Citizen Lab or any other publicly reported list.

What if the Information Officer under the State/Central authority refuses to furnish the information, your RTI application is rejected citing exemptions under Section 8 of the Right to Information Act, 2005, or the response is delayed?

Under the RTI Act, an application for information may be refused citing exemption from disclosure under the different grounds enumerated in Section 8 of the Act (and also Section 9, if disclosure would infringe the copyright of a person other than the State).

Normally, information sought by an application under the RTI Act has to be furnished within 30 days of receipt of the application by the public authority, and if the information sought concerns the life or liberty of a person, it is to be provided within 48 (forty-eight) hours.

If any of the above happens with your application, or if you are not satisfied with the information supplied to you, you can still file an appeal (within 30 days) to the first appellate authority (an officer senior in rank to the Information Officer) in the office of the public authority where you filed the application. If the first appellate authority also furnishes unsatisfactory information, you can approach the State/Central Information Commission (depending on whether the public authority is under the State or Central Government) by filing an appeal.

All Posts | May 14,2019

Critical security advisory: WhatsApp vulnerability

WhatsApp has reported that a security vulnerability in the app was exploited to install the NSO Pegasus spyware on certain iPhones and Android phones. The spyware can be installed by calling a target device. Even if the call is missed, the device could still be infected. The Financial Times has reported that the log of the call could disappear from the device, leaving no trace that the device was called and infected if the user missed the call. The spyware can retrieve your calls, messages and data, and activate your camera and microphone, among other malicious activities.

WhatsApp has stated that the vulnerability has been fixed in a recent update to the app. We urge all our readers to upgrade the app on your phone as soon as possible. If you noticed an incoming call that later disappeared from your call log, we advise that you erase / reset your phone.

In general, we advise updating your device's OS (such as iOS or Android) and apps as often as possible so that you have the latest security patches installed on your phone. We further advise purchasing your devices from only those manufacturers that have a reputation of keeping the OS updated for at least as long as you plan to use the device.

For more details regarding the security vulnerability in WhatsApp, please see https://techcrunch.com/2019/05/13/whatsapp-exploit-let-attackers-install-government-grade-spyware-on-phones/

For more information on keeping yourself safe and secure online, please visit https://security.sflc.in/

All Posts | Nov 11,2017

FAQ: Legal Position of Encryption in India

The Indian Supreme Court on 29 June 2016 refused to entertain a petition that sought a ban on WhatsApp and other similar applications that use strong end to end encryption technologies to safeguard the communications on their services. The petition stated that the employment of such stringent encryption standards posed a national security hazard, as it would be impossible for law enforcement agencies to uncover communications of/amongst parties that pose a threat to the safety and security of the country. With WhatsApp, a widely used messaging application, enabling 256 bit encryption by default in April 2016, there has been a lot of talk surrounding the legal position of encryption under the current Indian framework. We created an FAQ to help understand the status of encryption, and of services that use encryption, in India. This FAQ was originally published on 29 June 2016. It was last updated on 11 November 2017.

1. Do we have a comprehensive law regulating encryption?
No, India does not have a dedicated law on encryption. Although, a number of sectoral regulations including in the banking, finance and telecommunication industries carry stipulations such as the minimum standards of encryption to be used in securing transactions. A draft National Policy on Encryption under Section 84A of the Information Technology Act, 2000 was published on 21st September, 2015 and invited comments from the public, but was withdrawn on 23rd September, 2015. Section 84A permits the Central Government to prescribe encryption standards and methods to secure electronic communications, and promote e-governance & e-commerce.

2. How did the draft National Encryption Policy seek to regulate the use of encryption?
The draft Policy applied to use of encryption technologies for storage and communication of information held with the government, businesses, and citizens. The Central Government was delegated the power to specify and notify the encryption protocols and technologies that can be used in this regard. This policy was withdrawn due to certain problematic provisions in the policy that caused upheaval not only in the IT sector, but also with the users. A proposed addendum to the draft encryption policy was issued by DeitY soon after the release of the draft policy. The proposed addendum exempted the following from the purview of the draft national encryption policy:

  1. Mass-use encryption products currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter etc.
  2. SSL/TLS encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India.
  3. SSL/TLS encryption products being used for e-commerce and password based transactions.

3. Why was this draft Policy withdrawn?
The draft National Policy on Encryption was withdrawn within two days of its release due to its unfeasible and unclear provisions with respect to the usage of encryption technologies. Mr. Ravi Shankar Prasad, Union Minister of Communications and Information Technology said that India is lacking any sort of encryption policy, and the original draft will be refined for this purpose. The draft Policy received a large amount of criticism from the businesses, IT sector, users and civil society advocacy groups. The following were a few major points of criticism leveled against the policy:

  • The provision that mandated the retaining of plain text copies of encrypted communications for 90 days by users and businesses.
  • Registration for foreign service providers before they make their services available to the Indian population.
  • The security concerns associated with retaining plain text copies for 90 days.
  • The Government specifying the key length, and algorithm to be used in encryption technologies for all users and businesses entailed that the Government could restrict the maximum standard of encryption that could be used, without leaving any room for discretion for a user to subscribe to stricter security standards.
  • The provision that put the primary responsibility on users of foreign services for retaining and handing over plain text copies of communications when sought by a law enforcement agency.

4. Was there a second draft of the National Policy on Encryption?

According to media reports, in mid-2016 the Ministry of Information and Technology (MeitY) wrote a letter seeking comments from Cellular Operators Association of India (COAI), Association of Unified Telecom Service Providers of India (AUSPI), and Internet Service Providers Association of India (ISPAI), among other industry leaders, in order to come up with a second draft National Policy on Encryption. This second draft was never released.

5. Are there other laws and/or recommendations pertaining to the use or regulation of encryption and other such technologies in India?
The Information Technology Act, 2000 that regulates the electronic and wireless modes of communication is silent on any substantive provision or policy on encryption apart from Section 84A that delegates the Central Government the authority to frame any rules on the use and regulation of encryption. Till date, no such rules have been framed by the Central Government under this section. Besides that, the following are few sectors where the use of encryption technology and products have been regulated and mandated by specific conditions and terms:

Department of Telecommunication (DoT) License with Internet Service Providers (ISPs)
The terms and conditions of the license agreement between the DoT & the ISPs permit the use of encryption technologies only up to 40 bits with RSA algorithms or their equivalent without prior approval from the DoT. A higher encryption standard can only be employed with permission and the submission of the decryption key, split in two parts, to the DoT. Moreover, there is a complete prohibition on the use of bulk encryption by ISPs under these license terms (Clause 2.2 (vii) of the License Agreement between DoT & ISP, January 2010). However, it is important to note that although the terms of the Unified Service License Agreement also explicitly prohibit bulk encryption (Clause 37.1), they do not prescribe a 40 bit standard. Rather, they state that the permissible encryption standard under this Agreement will be governed by the policies made under the Information Technology Act, 2000 (Clause 37.5). But, as stated earlier, no rules have yet been drafted under the IT Act that prescribe or regulate the usage of encryption technologies in India.

Securities and Exchange Board of India (SEBI) Guidelines on Internet based Trading and Services
As per the Report on Internet Trading by the SEBI Committee on Internet based Trading & Services, 2000, a 64/128 bit encryption standard is advisable to secure transactions and online trading. It strongly recommended that "128 bit encryption should be allowed to be freely used". However, this is qualified with a condition that the DoT prescribed policy and regulation will be adhered to with respect to encryption. In paragraph 30 of the cyber security and cyber resilience framework for Stock Exchanges, Clearing Corporations and Depositories, and for Registrars to an Issue / Share Transfer Agents with a portfolio of over two crore, SEBI requires that "Data in motion and data at rest should be in encrypted form by using strong encryption methods such as Advanced Encryption Standard (AES), RSA, SHA-2, etc."

Reserve Bank of India (RBI)
In paragraph 6.4.5 of the Report on Internet Banking released in 2001, RBI mandated a minimum security standard of using SSL for server authentication and the use of client side certificates, the use of 128-bit SSL encryption for communication between browsers and the server, and encryption of sensitive data like passwords in transit within the enterprise itself.

Information Technology (Certifying Authorities) Rules, 2000
These Rules specify the manner in which digital signatures are to be authenticated. Under Rule 3, digital signature authentication is mandated to be undertaken via a public key encryption method. Rule 6 of these Certifying Authorities Rules provides the requisite standards for public keys that can be used for this purpose, such as PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit), PKCS#5 Password Based Encryption Standard or PKCS#7 Cryptographic Message Syntax Standard. Most of the standards listed under this rule use an encryption strength higher than 40 bits, which is the maximum permitted standard under the license terms of an agreement between an ISP and the DoT.

Data Security Council of India’s (DSCI) recommendation
The DSCI & NASSCOM, with other industry inputs, submitted recommendations to the Department of Information Technology in 2009 regarding an Encryption Policy for India. One of the recommendations made therein is a departure from the 40 bit standard enshrined in the DoT license to ISPs, and an upgrade to a 256 bit encryption standard with the AES algorithm or other equivalents for e-commerce platforms, along with SSL for end to end authentication.

6. Is there a restriction/prohibition on using encryption technologies?
The license agreement between the ISP & DoT carries a stipulation to the effect that users are not permitted to use encryption standards higher than 40 bits with symmetric key algorithms or equivalent algorithms without prior approval and deposit of decryption keys. As mentioned above, various other regulations & guidelines employ a higher standard of encryption than 40 bits for certain specific sectors. Also, in the absence of a comprehensive encryption policy/regulation, or any procedures detailed under the Information Technology Act, 2000, service providers under the terms of the Unified Service License Agreement do not have any limitation on encryption strength. Therefore, the restriction of 40 bits effectively applies only to the individuals, organizations, or groups using the platform of ISPs that function under the license agreement between DoT & ISP.

7. What is the legal status of services like WhatsApp that enable end to end encryption?
In April 2016, WhatsApp, a messaging application, enabled end to end encryption for all its users at 256 bits. This service is owned by Facebook Inc. and is not an individual, group, or organization as covered under the license terms between the DoT & ISP. Applications like WhatsApp are termed ‘Over The Top’ (OTT) services and, in the absence of any specific regulation pertaining to them, are governed by the provisions of the IT Act and/or other legislations applicable to their services. The term 'Over The Top' is not formally defined anywhere in our laws; it has developed as a result of common usage in the telecommunications sector. An application that is only making its service available to consumers is not bound by any license agreement that restricts encryption usage. Therefore, due to the absence of stipulated encryption standards under the IT Act, or of a comprehensive encryption policy, OTTs such as WhatsApp that use higher encryption standards are currently operating in a grey area, with no legal precedent or rules to deny or allow their use of 256 bit, end to end encryption for the communications made on their services.

Image Credits: System Lock Credit: Yuri Samoilov/ Flickr CC BY 2.0

All Posts | Apr 18,2017

WhatsApp: Privacy, Data Sharing & Encryption – Supreme Court Litigation Update (18th April, 2017)

This case has come in appeal from the High Court of Delhi, where WhatsApp was directed by the honorable Court to delete all information & data of its users collected on their servers up to 25th September 2016, the date on which their new privacy policy came into effect.

You can read more about it in our previous 2 posts titled “The WhatsApp Privacy Saga”.

This case was listed today before a 5 judge bench comprising honorable Justices Dipak Misra, A.K. Sikri, Amitava Roy, A.M. Khanwilkar and Mohan M. Shantanagoudar.

In today’s hearing, Senior Advocate Mr. Harish N. Salve, appearing for the petitioners, after giving some introduction with regards to the functioning of the internet, drew the Court’s attention to the affidavit filed by the Telecom Regulatory Authority of India (TRAI) and the counter affidavit filed by the Union of India. At this juncture, Mr. Mukul Rohatgi, learned Attorney General of India submitted that the stand of the Union of India is that there is going to be a regulatory regime to save the data base to guide the concept of net-neutrality.

On being questioned by the honorable court as to the real issues involved in the petition, before Mr. Salve could answer, Senior Advocate Mr. Kapil Sibal, appearing for WhatsApp, submitted that the matter could not have been referred to the Constitution Bench without framing the questions that needed to be referred. The same submission was made by Senior Advocate Mr. Sidharth Luthra appearing for Facebook.

This preliminary objection was resisted by Mr. Salve on the grounds that the direction for listing the matter before a five-Judge Bench need not be treated as a reference as postulated under Article 145 of the Constitution of India. He told the Court that the Chief Justice of India is the master of the roster and has the authority on the administrative side to place the matter before a five-Judge Bench, regard being had to the gravity, significance, and importance of the matter. The Court held that it shall delve into this preliminary objection at the time of delivery of the final verdict. Justice Dipak Misra said that when an issue is raised before the Bench, it must necessarily be addressed and that the Bench will be the one to put any controversies in this regard to rest.

Mr. Salve submitted that the policy formulated by WhatsApp is unconscionable and unacceptable, and also suffers from constitutional vulnerability since it maladroitly affects freedom, which is a cherished right of an individual under the Constitution. He contended that WhatsApp cannot impose such a policy under the garb of data sharing.

Mr. Sibal, vehemently resisting the submission of Mr. Salve, contended that WhatsApp does not share data such as voice and messages, so no part of the content which is exchanged between two individuals is ever revealed to a third party and, therefore, the submission of Mr. Salve is sans substance. It was also submitted by Mr. Sibal and Mr. Luthra that their action is compliant with Section 79 of the Information Technology Act, 2000. It was contended by them that the actions of WhatsApp and Facebook were in consonance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

The Court directed Mr. Salve to formulate his propositions and file it by 24th April, 2017.

The matter was adjourned to be listed again on 27th April, 2017 at 3 P.M.

The details of the hearing on 27th April are given here.