: All records related to interception, including orders and intercepted messages, must be destroyed securely and “with utmost confidentiality” by the Government Review Committee, as well as authorized entities – Union or State Home Secretaries – and law enforcement agencies. Six months into the new blockchain rules notified by the Centre, experts have raised questions on accountability and transparency.
The Telecommunications (Procedures and Safeguards for Lawful Interception of Messages) Rules, 2024 – which replace Rules 419 and 419A of the Telegraph Rules, 1951 – were promulgated by the Department of Telecommunications (DoT) on Friday. The draft rules were released for public consultation on 29 August.
These have been issued under the Telecommunications Act, 2023, which allows the Center to specify one or more agencies to intercept messages for five reasons – sovereignty and integrity of India, defense and security of the state, conflict with foreign states. In the interest of friendly relations with. , public order, and to prevent incitement to commit any offence.
“Although under the earlier rule, one could still hope to get some information about interception orders by filing an RTI related to the review committee, that too is now over. It would be as if the blockage never existed. Then where is the scope for monitoring and accountability?” said Namrata Maheshwari, senior policy advisor and encryption policy lead at Access Now.
Under the new rules, the findings of the review committee, which is responsible for assessing the legality of interception orders, will also be required to be destroyed. This review committee has the power to cancel non-compliant detention orders.
Interception records that law enforcement agencies are required to maintain include details of messages intercepted, the person whose messages are intercepted, the officer or agency to whom the message has been disclosed, the number of copies of the message, the number of copies Includes date and period of destruction. For which the blocking order was in force.
The composition of the review committees that confirm blocking orders at the central and state levels also remains the same. For Maheshwari, this is a problem because it means the review committee is not independent from the executive. “Independent judicial oversight or parliamentary oversight over surveillance orders, as is the case in many other areas, should be the norm,” he said.
The Department of Telecommunications and the Telecom Unit will also have to destroy the records within two months of the interception stopping, as is the case now and was reiterated in the draft rules.
According to the rules, the interception order must specify: the authorized agency that will carry out the interception; and one or more of the five reasons for which blocking may be ordered and will limit the use of blocked messages to these reasons only. Unless canceled earlier, the order will remain in force for a maximum of 60 days but can be renewed. No order can remain in force for more than 180 days.
According to the rules, if the information can be obtained through “other reasonable means”, the interception order cannot be passed.
Detention order can be issued by the Central or State Home Secretary. In “unavoidable circumstances”, a duly authorized joint secretary level officer can issue the order.
lower limit for orders
The notified rules lower the threshold for circumstances where officers other than the Central or State Home Secretary or a Joint Secretary level officer can issue interception orders. Earlier, in “cases of emergency in remote areas” or “for operational reasons” when it was not possible for Home Secretaries to issue orders, the head of the authorized law enforcement or security agency or the second senior most officer not below Was appointed. The Inspector General of Police can issue rank orders.
Now, no officer below the rank of IGP at the state level or the head or second senior-most officer of an authorized agency at the central level can issue detention orders “in remote areas or for operational reasons”. The threshold has been lowered, removing the requirement for “contingent cases”.
What constitutes an “emergency case” depends on the executive’s interpretation, said Nikhil Narendran, partner at Trilegal, adding: “Public emergency could be a standard.”
These orders must be confirmed by the Home Secretary (Union or State) within seven working days from the date of issue. If not confirmed, the interception must be stopped immediately, intercepted messages cannot be used for any purpose, including evidence in court, and copies must be destroyed within two days. .
“There is no judicial remedy for persons affected by orders not confirmed by the Home Secretary,” Maheshwari said. “So it’s possible that an interception occurs, then is stopped, and the affected individuals never know. Notice and information, as may be possible in different circumstances, and judicial remedies are vital to any monitoring framework in a democracy.
All blocking orders must be sent to the relevant review committee within seven working days of being issued or confirmed.
The notified rules do not cover the demonstration and testing of lawful interception systems and monitoring facilities that the government may require telecom entities to install, which is different from Rule 419A.
The provision for imposing penalty on service providers or suspending/revoking their license for non-maintenance of confidentiality or unauthorized interception of such orders has been removed in the notified rules. Telecommunications entities will now be responsible for the actions of both their employees and their vendors that result in any unauthorized interception.
Ambiguity on covered entities
As is the case with the original Act, it is not clear whether telecommunications services, and thus telecommunications entities, include online communication services such as WhatsApp, Signal, FaceTime and possibly also email services such as Gmail and Outlook. While the then Communications Minister Ashwini Vaishnav, after the bill was passed in Parliament in December 2023, had said that online communication services were not included within the scope of the Act, she did not make this statement on the floor of either House, and the definitions within the Act did not include such services. are sufficiently vague to permit regulation. In the case of end-to-end encrypted services like WhatsApp and Signal, the Act and the interception rules have a significant impact.
Maheshwari said, “While the Minister had publicly stated that OTT services would not fall within the scope of the Act, this statement is not legally binding, and the definition of telecom services in the Act is broad enough to facilitate a range of interpretations.” Is.”
This ambiguity has been a significant point of confusion, even as TRAI’s open house discussed how the authority (a mechanism that replaces the existing system of licensing telecom entities) should work, between Jio and Airtel. Like had repeatedly disagreed with telecom unions. Like the Broadband India Forum which represents technology companies on whether services like WhatsApp need specific authorization from the government to operate in India.
The notified rules also empower the government to exempt certain telecom entities from complying with obligations related to interception. “Its scope remains unclear. How will the government use this exemption? Will this be determined by the size of the unit? Their technical ability? This needs to be clearly defined for predictability which is expected from every policy,” Maheshwari said.
How will the interception order be given?
Once the Home Secretary (or other authorized officer) issues the interception order, it will be sent to the authorized agency (the law enforcement agency carrying out the interception). The authorized agency will send the order prescribed by the Central Government “in writing or using other secure means of communication” to the DoT or the telecom entity. Orders can be physically delivered only by officers who are not less than sub-inspectors.
The DoT or telecom unit must inform the receipt of the blocking order within 2 hours.
The rules require confidentiality, “utmost confidentiality” and “utmost care and caution” to be maintained by the law enforcement agency, DoT and the telecom entity while dealing with interception orders. Only authorized nodal officers in each of these units are allowed to handle any matter related to interception.
The authorized agency will have to appoint two nodal officers of at least the rank of Superintendent of Police to send orders to the DoT nodal officer (two such officers in each service area) or the telecom entity (such as Airtel or Jio). ,
While every telecom unit is required to inform the Central Government about the details of two senior employees in each service area of its operations who will act as nodal officers to enforce interception orders, Maheshwari says this requirement is small. This may prove very difficult for the units. ,
As per the notified rules, nodal officers in DoT and telecom units are required to submit fortnightly reports on the 1st and 16th of every month. These reports should list the blocking orders received, reference numbers, date of issue or confirmation, date and time or receipt of the orders, and date and time of implementation of the orders.
